Professional Documents
Culture Documents
Nathan Peck
Sr. Developer Advocate
AWS Container Services
Amazon Web Services
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
We’re making AWS the best place to run containers
and Kubernetes
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS container services landscape
Management
Deployment, scheduling, scaling Amazon Elastic Amazon Elastic
& management of containerized Container Service Kubernetes Service
applications (Amazon ECS) (Amazon EKS)
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is Kubernetes?
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Community, contribution, choice
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
But where you run Kubernetes matters
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
51%
of Kubernetes workloads run
on AWS today
—CNCF
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How are customers using Amazon EKS?
PaaS
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customers adopting Kubernetes on AWS
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customer example: Snap
More detailed talk: AWS New York Summit 2018 - Run Kubernetes with Amazon EKS (SRV318)
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Who is using Amazon EKS?
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Who is using Amazon EKS?
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Which customers are using Amazon EKS?
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Rich partner ecosystem
Monitoring &
Foundation DevOps Security Networking
logging
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Our tenets
1. Amazon EKS is a platform to run production-grade workloads. Security and reliability are our first
priority. After that we focus on doing the heavy lifting for you in the control plane, including lifecycle-
related things like version upgrades.
2. Amazon EKS provides a native and upstream Kubernetes experience. Amazon EKS provides vanilla,
un-forked Kubernetes. In keeping with our first tenet, we ensure the Kubernetes versions we run
have security-related patches—even for older, supported versions—as quickly as possible. But
there’s no special sauce and no lock-in.
3. If you want to use additional AWS services, integrations are as seamless as possible.
4. The Amazon EKS team at AWS actively contributes to the upstream Kubernetes project and the
wider CNCF activities, both on the technical level as well as community, from communicating good
practices to participation in SIGs and working groups.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS, a year in review
June – December 2018:
Amazon EKS achieves K8s conformance, HIPAA-eligibility, generally available
Amazon EKS AMI build scripts and AWS CloudFormation templates available in GitHub
Support for GPU-enabled EC2 instances, support for HPA with custom metrics
Amazon EKS launches in Dublin, Ireland
Amazon EKS simplifies cluster setup with update-kubeconfig CLI command
Amazon EKS adds support for Dynamic Admission Controllers (Istio), ALB Support with the AWS ALB ingress controller
Amazon EKS launches in Ohio, Frankfurt, Singapore, Sydney, and Tokyo
Amazon EKS adds Managed Cluster Updates and Support for Kubernetes Version 1.11, CSI Driver for Amazon Elastic
Block Store (Amazon EBS)
2019:
Amazon EKS launches in Seoul, Mumbai, London, and Paris
Amazon EKS achieves ISO and PCI compliance, announces 99.9% SLA, cluster creation limit raised to 50
API server endpoint access control, AWS App Mesh controller
Windows support (preview), Kubernetes version 1.12
CSI drivers for Amazon Elastic File System (Amazon EFS), Amazon FSx for Lustre, control plane logs, A1 (ARM) instance support
(preview)
Deep Learning Benchmark Utility, public IP address support
Simplified cluster authentication, SOC compliance, Kubernetes 1.13, PodSecurityPolicies
Container Insights, CNI 1.5.0, Amazon ECR, AWS PrivateLink support
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Open-source roadmap
https://github.com/aws/containers-roadmap/
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS services roadmap: Highlights
Shipped Shipped Working on it
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS deep dive
• Configuration & setup
• Availability
• Storage
• Operations
• Security
• Networking
• Logging
• Monitoring
• Application communication
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS is Kubernetes-certified
Kubernetes conformance
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Open-source and Amazon EKS
Amazon EKS runs 100% upstream Kubernetes
Key components of Amazon EKS are
open source
• Amazon VPC CNI plugin
• AWS Identity and Access Management (IAM) authenticator
• Amazon EKS AMI
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubernetes versions
Latest: 1.14
Amazon EKS will support up to three versions of Kubernetes at once
Deprecation in line with the community stopping support for older versions
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
eksctl—a CLI for Amazon EKS
• Single command cluster creation
eksctl create cluster --nodes=4
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Bring your own instances
Instance flexibility
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Bring your own OS
Amazon EKS AMI build scripts
https://github.com/awslabs/amazon-eks-ami
Amazon
Amazon
Amazon
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Windows containers
Run Windows containers and Windows Server nodes with Amazon EKS
Developer preview:
https://github.com/aws/containers-roadmap
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Provisioning worker nodes
Terraform
Pulumi
Rancher
. . . and more
AWS CloudFormation eksctl Partners
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS-optimized GPU AMI
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Global availability
Americas
Virginia, Ohio, Oregon
EMEA
Ireland, Frankfurt, London, Paris, Stockholm
Asia Pacific
Bahrain, Hong Kong, Singapore, Tokyo, Sydney, Seoul, Mumbai
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service level Service
agreement commitment
AWS will use commercially reasonable efforts
to make the endpoint for an Amazon EKS
cluster available with a monthly uptime
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Container storage interface (CSI)
A flexible standard for orchestration
and storage provider connections
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Storage volume lifecycle
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What if I need a specific volume type?
2) End user requests for 3) Control loop watches 4) User creates stateful
specific volume types PVC request and workload
(e.g., encrypted io1 allocates volume if PV
volume) exists
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS operational capability
- Architecture
- CI/CD for applications deployed on Amazon EKS
- Infrastructure elasticity
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubectl [mycluster].eks.amazonaws.com
infrastructure
API Servers
Etcd
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubernetes continuous deployment
1
Developers continuously integrate
6 changes into a main branch hosted
within a repo
2
Triggers an execution of the pipeline
Amazon ECR
when a new version is found, builds a
new image with build id
3 5 3
Pushes the newly built image
tagged with build id to ECR repo
4
Invokes a Lambda function to
trigger application deployment
1 2 4
5
Leverages Kubernetes Python SDK
Developer AWS CodeCommit AWS CodeBuild AWS Lambda to update a deployment
6
Fetches new container image
and performs a rolling update
AWS CodePipeline of deployment
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Supported CI/CD platforms
• AWS CodeBuild/AWS CodePipeline
• Jenkins
• Spinnaker
• JFrog
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS worker node provisioning with
Amazon EC2 Spot
• Recommend using the node labels to identify Amazon EC2 Spot Instances
• Use Amazon EC2 Spot Instances best practice of mixed instance types
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automatic scaling with Amazon EKS
Two dimensions to scaling
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS supports sophisticated and scalable infrastructure
Instance
https://eksworkshop.com/spot/man
Availability Availability Availability
Zone 1 Zone 2 Zone 3 agespot/deployhandler
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS is ready for sensitive and regulated
workloads
HIPAA-eligible
PCI DSS
SOC 1,2,3
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS container security: Principled and peculiar
Epics
Tenets
• All-encompassing
• Shared responsibility
• Cloud-native
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Container security onion model: Defense in depth
}
• full blown distro (Ubuntu, AL) vs. minimal • runtime/standards (OCI)
•
•
environment (container-optimized
distribution)
multi-tenancy requirements
gotchas: Linux packages/CVEs,
{ •
•
•
immutability of images
all containers share a kernel (mitigation: Firecracker)
gotchas: unnecessary privileged users, no scans, trust
host
{
• code analysis
•
•
source available?
gotchas: big surface,
many languages } container •
API keys, etc.)
gotchas: commits-to-source,
non-separated access (dev has cleartext
password)
dependencies
code
}
• sanitizing user input config
• static code analysis • business core data
• gotchas: log-leaking
user data
{ •
•
Personal Identifiable Information
(PII)
gotchas: leaks, GDPR
(in Europe)
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security tooling
AWS
Security Hub
AWS Certificate Manager
IAM
(ACM)
host
dependencies
code
AWS KMS AWS
Secrets Manager
config
user data
AWS CloudHSM
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon
Macie
IAM authentication
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
PKI configuration
Kubelet
Kubelet installs
Generates
server cert
public/private keys
Certificate rotation
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM for pods
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API-server endpoint access control
prod-cluster-123.eks.amazonaws.com
Master VPC (AWS account)
etcd
Public == true Kubectl
API Server
etcd
AZ 1
API Server
AZ 2
Worker Worker
node node
Kubelet Kubelet
AZ 1 AZ 2
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API-server endpoint access control
prod-cluster-123.eks.amazonaws.com
Master VPC (AWS account)
etcd
Kubectl
Public == true API Server
etcd
AZ 1
API Server
Private == true AZ 2
Worker Worker
node node
Kubelet Kubelet
Kube-proxy Kube-proxy
AZ 1 AZ 2
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API-server endpoint access control
Master VPC (AWS account)
etcd etcd
Public == false
API Server API Server
Private == true AZ 1 AZ 2
Kubectl
Worker Worker
node node
Kubelet Kubelet
Kube-proxy Kube-proxy
AZ 1 AZ 2
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC CNI plugin
{…}
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC CNI plugin
VPC
ec2.associateaddress()
Elastic
network
interface
10.0.0.20
10.0.0.1
10.0.0.2 10.0.0.22
Elastic
Instance 1 network Instance 2
interface
VPC Subnet – 10.0.0.0/24 Secondary IPs:
Secondary IPs:
10.0.0.1 10.0.0.20
10.0.0.2 10.0.0.22
https://github.com/aws/amazon-vpc-cni-k8s
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS supports advanced networking architectures
On-premises 10.1.0.0/16
Corporate data Customer VPN or DX Primary elastic Pod Outbound Pod – Pod Secondary
center gateway network Traffic SNAT 100.64.0.200 elastic network
interface interface
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Load balancing
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubernetes ServiceType: LoadBalancer
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Load balancing
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
service.beta.kubernetes.io/aws-load-balancer-type: nlb
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service load balancer: Network Load Balancer
apiVersion: v1
kind: Service
metadata:
name: nginx
namespace: default
labels:
app: nginx
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
externalTrafficPolicy: Local
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
selector:
app: nginx
type: LoadBalancer
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service load balancer: Network Load Balancer (NLB)
• Nodes with no matching pods will be removed by specified NLB’s health check
.spec.healthCheckNodePort
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubernetes Ingress object
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ALB Ingress controller
HTTPS Listener HTTP Listener
AWS Resources
TargetGroup:
Blue (Instance TargetGroup:
Mode) Green (IP Mode)
NodePort NodePort
Kubernetes Cluster
Node Node Node
Kubernetes
API Server ALB Ingress
Controller
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ALB Ingress controller
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS logging
Internet
Customer account EKS managed
CloudTrail
Amazon
CloudWatch
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS logging
Region
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Logging with FluentBit
• New AWS Fluent Bit container
plugin
• Open source
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudWatch Container Insights
A fully managed observability service for monitoring, troubleshooting, and
alarming on your containerized applications and microservices
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Images on DockerHub
Performance Metrics—CloudWatch Agent:
https://hub.docker.com/r/amazon/cloudwatch-agent
• Tag: latest
Logs—Fluent Bit:
https://hub.docker.com/r/amazon/aws-for-fluent-bit
• Tag: latest
Logs—Fluentd:
https://hub.docker.com/r/fluent/fluentd-kubernetes-daemonset
• Tag: v1.3.3-debian-cloudwatch-1.4
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Container Insights available now
1. Fully managed, AWS-native observability service providing automated
summary and analysis of compute capacity
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why AWS App Mesh?
http/tcp
• How to observe (logs, metrics, traces)
• How to load balance E/W traffic
• How to shift traffic between deployments
• How to decouple service teams
Service Service • How to minimize impact to app code
team A team B
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
App Mesh uses Envoy proxy
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why App Mesh?
Control plane
Control plane
Translates logical intent to proxy config
HTTP / TCP Distributes proxy config
Proxy
Sits between all services
Service Service Manages and observes traffic
team A team B
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
App Mesh: App-level communication across AWS
Amazon ECS
Fargate
Amazon EKS
App Mesh
Amazon EC2
Kubernetes on EC2
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
App Mesh: Application observability
Logging
HTTP access logging
Amazon CloudWatch Logs
Available as container logs on
Amazon ECS, Amazon EKS, Fargate
Metrics
CloudWatch metrics
StatsD (with tags)
Prometheus
Tracing
AWS X-Ray
Other Envoy tracing drivers
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
App Mesh: Client-side traffic management
Traffic shaping
Load balancing
Weight targets
Service discovery (DNS + AWS Cloud Map)
Health checks
Retries*
Timeouts*
Circuit breakers*
Routing controls
Protocols support (HTTP, TCP, gRPC*)
Path-based
Header-based*
Cookie-based*
Host-based*
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
*Coming soon
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!
Nathan Peck
@nathankpeck
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.