© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• Intro to Kubernetes
• Kubernetes & EKS Architecture
• Networking
• Monitoring
• Logging
• Storage
• Authentication and Security
• AutoScaling in EKS
• Hybrid your cluster (Spot)
• Best Practices
Agenda (continued)
• EKS Managed Worker Nodes
• EKS with Fargate
• Elastic Container Registry (ECR)
• Q/A
What is Kubernetes?
Community, contribution, choice
Typical use cases
Key Stats
80% of all containerized applications running in the cloud run on AWS*
82% of all Kubernetes applications running in the cloud run on AWS*
* https://nucleusresearch.com/research/single/guidebook-containers-and-kubernetes-on-aws/
Kubernetes Architecture
(Amazon Elastic Container Service for Kubernetes)
Amazon Elastic Kubernetes Service
EKS Overview
EKS Architecture
[Figure: the EKS control plane (etcd and the API server) runs inside an EKS VPC in the AWS Cloud.]
Objects
Kubernetes objects are entities that are used to represent the state of the cluster (SPEC).
An object is a “record of intent” – once created, the cluster does its best to ensure
it exists as defined. This is known as the cluster’s “desired state.”
Objects (continued)
Deployment - Details how to roll out (or roll back) across versions of your application
Cloud Native Security: API-server Endpoint Access Control
[Figure: Master VPC (AWS account) exposing the cluster endpoint prod-cluster-123.eks.amazonaws.com; worker nodes running kubelet in AZ 1 and AZ 2.]
API-server Endpoint Access Control
[Figure: public == true, private == true. kubectl reaches the API servers (backed by etcd) in the Master VPC (AWS account) through the public endpoint prod-cluster-123.eks.amazonaws.com; the worker nodes (kubelet, kube-proxy) in AZ 1 and AZ 2 reach them through the private endpoint.]
API-server Endpoint Access Control
[Figure: public == false, private == true. With the public endpoint disabled, both kubectl and the worker nodes (kubelet, kube-proxy) in AZ 1 and AZ 2 reach the API servers in the Master VPC (AWS account) only through the private endpoint.]
EKS is Kubernetes Certified
You can use existing tooling and plugins from partners and the Kubernetes community
Flexibility focused
Amazon EKS is ready for sensitive and regulated workloads
• HIPAA-eligible
• PCI DSS
• SOC 1,2,3
Rich partner ecosystem: Foundation, DevOps, Monitoring & Logging, Security, Networking
Kubernetes Networking
The three rules of Kubernetes networking…
• All the pods can communicate with each other directly without NAT
• All the nodes can communicate with all pods (and vice versa) without NAT
• The IP that a pod sees itself as is the same IP that others see it as
Kubernetes ServiceType: ClusterIP
Kubernetes ServiceType: NodePort
Kubernetes ServiceType: LoadBalancer
Service load balancer: NLB
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: default
  labels:
    app: nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
Kubernetes ServiceType: ExternalName
• Maps: service => CNAME (externalName field)
• No proxying
• Accessing my-service works in the same way as other Services
• redirection happens at the DNS level (rather than via proxying or forwarding)
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: prod
spec:
  type: ExternalName
  externalName: my.database.example.com
AWS VPC CNI plugin - configurability
https://github.com/aws/amazon-vpc-cni-k8s
Kubernetes Ingress Object
ALB Ingress Controller
[Figure: an ALB with an HTTPS listener and an HTTP listener forwards to two AWS target groups, Blue (instance mode, reaching the nodes through a NodePort) and Green (IP mode, reaching pod IPs directly). Inside the Kubernetes cluster the ALB Ingress Controller watches the Kubernetes API server and creates these AWS resources.]
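An Ingress object for the ALB Ingress Controller, as an added example that is not part of the deck. It assumes a ClusterIP Service named nginx exposing port 80 in the default namespace, a controller version that serves networking.k8s.io/v1 Ingress objects, and a certificate in ACM; the certificate ARN is a placeholder.

```yaml
# Added example (not from the deck): Ingress handled by the ALB Ingress Controller.
# Assumes a Service "nginx" (port 80) in namespace "default" and an ACM certificate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  namespace: default
  annotations:
    # Hand this object to the ALB Ingress Controller rather than another ingress class.
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    # "ip" target type registers pod IPs directly (the Green target group in the figure);
    # "instance" would register the nodes through a NodePort (the Blue target group).
    alb.ingress.kubernetes.io/target-type: ip
    # Terminate TLS on the ALB only; no plain HTTP listener is created.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID  # placeholder
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80
```

With IP mode the ALB health-checks each pod individually, so a pod that fails its readiness probe is removed from the target group without waiting for kube-proxy; with instance mode the health check lands on the NodePort and a node stays healthy as long as any pod behind it answers.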
Monitoring in k8s | EKS
How to monitor k8s cluster
Amazon CloudWatch
CloudWatch Container Insights
Logs – Fluentd
Images on DockerHub: https://hub.docker.com/r/fluent/fluentd-kubernetes-daemonset
• Tag: v1.3.3-debian-cloudwatch-1.4
Container Insights
Logging in k8s | EKS
EKS Logging
[Figure: EKS logging across the customer account and the EKS-managed control plane, with AWS CloudTrail and Amazon CloudWatch as the destinations.]
Cloudwatch and EKS integration: Logging
• Logging to CloudWatch: https://eksworkshop.com/logging/
EKS Logging
[Figure: master and worker nodes; a Fluentd DaemonSet on the workers forwards logs to CloudWatch Logs in the region.]
Container logging architecture
• Logging at the node level
• Streaming sidecar container
Monitoring EKS API calls in Cloudtrail
• CreateCluster
• DeleteCluster
• UpdateClusterConfig
• UpdateClusterVersion
• DescribeCluster, DescribeUpdate, ListClusters, ListUpdates
Note: CloudTrail does not capture Kubernetes-level events such as the creation or deletion of deployments, services, etc. Enable EKS control plane logging to get audit and diagnostic logs from the EKS control plane.
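The private-endpoint setting from the API-server endpoint access control figures and the control plane log types referred to in the note above, written as one eksctl ClusterConfig. This is an added example, not part of the deck; the cluster name and region are constructed values.

```yaml
# Added example (not from the deck). eksctl ClusterConfig that makes the API server
# reachable only through the private (VPC) endpoint and turns on all control plane
# log types, so kubectl-level changes (deployments, services, RBAC, ...) are recorded
# in CloudWatch Logs, which CloudTrail alone does not provide.
# Cluster name and region are constructed values.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: prod-cluster
  region: us-east-1

vpc:
  clusterEndpoints:
    # public == false, private == true, as in the third endpoint figure
    publicAccess: false
    privateAccess: true

cloudWatch:
  clusterLogging:
    # "audit" records every API request together with the authenticated identity;
    # "authenticator" records how each IAM identity was mapped to a Kubernetes user.
    enableTypes:
      - api
      - audit
      - authenticator
      - controllerManager
      - scheduler
```

Apply it with `eksctl create cluster -f cluster.yaml` for a new cluster; for an existing cluster the equivalent changes are made with `eksctl utils update-cluster-endpoints` and `eksctl utils update-cluster-logging`. Keep `privateAccess: true` whenever the public endpoint is disabled, otherwise the worker nodes lose their path to the API server.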
Storage in k8s | EKS
k8s Storage in AWS
Persistent Volume (PV)
PV Claims (PVC)
• Dynamic
• Abstraction to underlying storage
Container Storage Interface (CSI)
What if I need specific volume type?
2) End user requests specific volume types (for ex, encrypted io1 volume)
3) Control loop watches PVC request and allocates volume if PV exists
4) End user creates stateful workload
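The encrypted io1 case from the steps above, carried through as a StorageClass plus a StatefulSet whose claim template requests it. This is an added example, not from the deck; names, sizes, the image and the KMS key ARN are constructed placeholders.

```yaml
# Added example (not from the deck). A StorageClass that provisions encrypted io1 EBS
# volumes, and a stateful workload whose PVC template selects it.
# Names, sizes, image and the KMS key ARN are constructed placeholders.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: io1-encrypted
provisioner: kubernetes.io/aws-ebs        # in-tree EBS provisioner
parameters:
  type: io1
  iopsPerGB: "50"                          # provisioned IOPS per GiB (io1 allows up to 50)
  encrypted: "true"                        # encrypt the volume at rest
  kmsKeyId: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID   # placeholder; omit to use the default EBS key
  fsType: ext4
reclaimPolicy: Retain                      # keep the data if the claim is deleted
volumeBindingMode: WaitForFirstConsumer    # create the volume in the AZ where the pod lands
allowVolumeExpansion: true
---
# Step 4: the stateful workload. Its volumeClaimTemplate is the PVC of step 2;
# the control loop of step 3 provisions a matching encrypted io1 volume.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db
  namespace: prod
spec:
  serviceName: db
  replicas: 1
  selector:
    matchLabels:
      app: db
  template:
    metadata:
      labels:
        app: db
    spec:
      containers:
        - name: db
          image: postgres:12               # constructed example image
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: io1-encrypted
        resources:
          requests:
            storage: 100Gi
```

With the EBS CSI driver the same class uses `provisioner: ebs.csi.aws.com` and the same `type`, `encrypted` and `kmsKeyId` parameters. `WaitForFirstConsumer` matters on EKS because an EBS volume is tied to one AZ: binding at scheduling time avoids a volume in AZ 1 and a pod in AZ 2.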
AutoScaling in k8s | EKS
Auto Scaling with Amazon EKS
Two dimensions to scaling
HPA (Horizontal Pod Autoscaler)
The “how” part
HPA in Action
CA (Cluster Autoscaler)
https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler
Hybrid Your Cluster K8 | EKS
Hybrid Your Cluster
HPA Scaling Out
Cluster Autoscaling
Pod and Cluster both Scaled
Spot Termination Handling
Node Draining and Pod Rescheduled
ASG Maintaining the Desired Capacity
Reference Architecture
https://eksworkshop.com/spotworkers/
Authentication & Security
How IAM authentication works with EKS
IAM Authentication + Kubectl
1) When a kubectl call is made, the IAM identity is passed along with the Kubernetes call.
2) On the backend, Kubernetes verifies the IAM identity with AWS auth.
3) The auth response is sent back to Kubernetes, and K8s checks its internal RBAC mapping for authz. This determines whether the API call is allowed or denied.
4) The K8s API approves or denies the request.
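Step 3 above is where the verified IAM identity is mapped to a Kubernetes user and groups, and those groups are what RBAC authorizes. The mapping lives in the aws-auth ConfigMap in kube-system; the manifests below show it together with a namespaced Role and RoleBinding for a developer group. This is an added example, not from the deck; the role ARNs, namespace and group name are constructed placeholders.

```yaml
# Added example (not from the deck). IAM role -> Kubernetes group mapping (aws-auth)
# plus the RBAC objects that give the group limited rights in one namespace.
# Role ARNs, namespace and group name are constructed placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Worker node role: lets kubelets join the cluster (do not remove).
    - rolearn: arn:aws:iam::ACCOUNT_ID:role/eks-worker-node-role   # placeholder
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # Developers assume this IAM role; it maps to a non-admin Kubernetes group.
    # {{SessionName}} keeps the assumed-role session name in the audit log username.
    - rolearn: arn:aws:iam::ACCOUNT_ID:role/eks-developers   # placeholder
      username: developer:{{SessionName}}
      groups:
        - developers
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-editor
  namespace: dev
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-deployment-editor
  namespace: dev
subjects:
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-editor
  apiGroup: rbac.authorization.k8s.io
```

Two checks worth running after editing aws-auth: `kubectl auth can-i create deployments -n dev --as developer:alice --as-group developers` should answer yes, and the same command with `-n kube-system` should answer no. The IAM identity that created the cluster is always mapped to system:masters and does not appear in the ConfigMap, so keep that identity under tight control.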
Container security onion model: defense in depth
host
• full blown distro (Ubuntu, AL) vs. minimal environment (container-optimized distribution)
• multi-tenancy requirements
• gotchas: Linux packages/CVEs, leaks, GDPR (in Europe)
container
• runtime/standards (OCI)
• immutability of images
• all containers share a kernel (mitigation: Firecracker)
• gotchas: unnecessary privileged users, no scans, trust
dependencies
• code analysis
• source available?
• gotchas: big surface, many languages
code
• sanitizing user input
• static code analysis
• gotchas: log-leaking
config
• sensitive config (passwords, API keys, etc.)
• gotchas: commits-to-source, non-separated access (dev has cleartext password)
user data
• business core data
• Personal Identifiable Information (PII)
• gotchas: leaks, GDPR (in Europe)
Security Tooling
[Figure: AWS services mapped onto the onion layers (dependencies, code, config, user data): AWS Security Hub, AWS IAM, AWS Certificate Manager, AWS KMS, AWS Secrets Manager, AWS CloudHSM, Amazon Macie.]
k8s Best Practices
Health Checks
Readiness and liveness probes can help maintain the health of applications
running inside Kubernetes. By default, Kubernetes only knows whether or not a
process is running, not if it's healthy.
Optimizing your container
• Optimize for smaller size: use a multistage Docker build to reduce the size of the runtime container.
When not configured / not correctly configured
• Each container has sufficient access to compute resources. Without resource
requests, a pod may be scheduled on a node that is already overutilized.
• Without resource limits, a single poorly behaving pod could utilize the
majority of resources on a node, significantly impacting the performance of
other pods on the same node.
Kubernetes Upgrades
Migration between versions
Check if the version can be upgraded: https://kubernetes.io/docs/setup/release/version-skew-policy/
Container Security Best Practices
• Use trusted base images
• Use a non-root user inside the container
• Make the file system read-only
• One process per container
• Don’t restart on failure, crash cleanly instead
• Log to stdout & stderr
• Ensure that images are free of vulnerabilities
• Perform automated CVE scans (on push and/or periodically)
• Use private registries (ECR, for example)
• Ensure that only authorized images are used in your environment
• Limit direct access to Kubernetes nodes
• Create administrative boundaries between resources
Container Best Practices
https://kubernetes-security.info/
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
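The health checks, the resource requests and limits, and the container security practices above (non-root user, read-only file system, trusted image from a private registry) combined in one Deployment manifest. This is an added example, not from the deck; the image reference, namespace, port and probe paths are constructed placeholders.

```yaml
# Added example (not from the deck). One Deployment that applies the deck's practices:
# readiness/liveness probes, requests/limits, non-root, read-only root filesystem,
# dropped capabilities, and an image pinned by digest from a private registry.
# Image reference, namespace, port and probe paths are constructed placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: prod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      # Most web workloads never call the Kubernetes API; do not mount a token for them.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true          # kubelet refuses to start the container as UID 0
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:             # requires Kubernetes 1.19+
          type: RuntimeDefault
      containers:
        - name: web
          # Pin by digest so the tag cannot be moved to a different image.
          image: ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/web@sha256:IMAGE_DIGEST   # placeholder
          ports:
            - containerPort: 8080
          # Requests drive scheduling; limits stop one pod from starving the node.
          resources:
            requests:
              cpu: "250m"
              memory: "256Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # Readiness gates traffic; liveness restarts a hung process.
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
            failureThreshold: 3
          # The only writable location; everything else on the root filesystem is read-only.
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

Keep the liveness probe cheaper and more tolerant than the readiness probe: a liveness check that fails under load restarts healthy pods and turns a capacity problem into an outage, whereas a failing readiness check only withdraws the pod from the Service until it recovers.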
EKS Managed Node Groups
Amazon EKS Managed Node Groups
• Use EKS Console, APIs, eksctl, CloudFormation or Terraform.
• Add Kubernetes labels directly to nodes.
• Launch with the latest EKS-optimized AMIs.
• Get the latest updates with a single command and rolling updates.
• Run across multiple availability zones.
• Tagged for cluster autoscaler discovery.
• Integrated configuration health checks.
• Nodes automatically cordon and drain.
EKS Cluster Architecture
[Figure: the EKS Managed Control Plane (etcd and the API server) runs in an EKS VPC across AZ-1, AZ-2 and AZ-3; the Data Plane (EC2 worker nodes) runs in the Customer VPC.]
Pricing & Availability
Pay standard EC2 prices for any EC2 infrastructure you provision
using managed node groups.
Amazon EKS on Fargate
• You don’t need to change your existing pods. Fargate works with existing workflows and services that run on Kubernetes.
• Launch pods quickly. Easily run pods across multiple AZs for high availability. Each pod runs in an isolated compute environment.
• Only pay for the resources you need to run your pods. Includes native AWS integrations for networking and security.
What matters for Fargate
How EKS works on EC2
[Figure: the customer asks AWS to “run a container on EC2 for me, please”; control plane ENIs placed in the customer account’s VPC connect the AWS-side control plane to the service pods and Kubernetes components running there.]
Supported CPU and memory combinations:
CPU                 Memory
256 (.25 vCPU)      512MB, 1GB, 2GB
512 (.5 vCPU)       1GB, 2GB, 3GB, 4GB
1024 (1 vCPU)       2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB
2048 (2 vCPU)       Between 4GB and 16GB in 1GB increments
4096 (4 vCPU)       Between 8GB and 30GB in 1GB increments
What are the key benefits of Fargate Spot?
1. Fully managed – no provisioning, patching or diversifying clusters of instances to optimize for pricing option
https://github.com/aws/containers-roadmap/projects/1
Amazon Elastic Container Registry
Access Control
Developer (push):
{
  “ecr:PutImage”,
  “ecr:InitiateLayerUpload”,
  “ecr:UploadLayerPart”,
  “ecr:CompleteLayerUpload”,
  “ecr:GetAuthorizationToken”
}
Production/web-app instance (pull):
{
  “ecr:BatchCheckLayerAvailability”,
  “ecr:BatchGetImage”,
  “ecr:GetDownloadUrlForLayer”,
  “ecr:GetAuthorizationToken”
}
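The two action sets above turned into IAM policies, one for the developer (push) and one for the production instance role (pull), each scoped to a single repository instead of the whole registry. This is an added CloudFormation example, not from the deck; the repository name, policy names and role are constructed.

```yaml
# Added example (not from the deck). Least-privilege push and pull policies for one ECR
# repository, plus an instance role that can only pull. Names are constructed.
AWSTemplateFormatVersion: "2010-09-09"
Description: Split ECR push and pull permissions for a single repository
Parameters:
  RepositoryName:
    Type: String
    Default: web-app
Resources:
  EcrPushPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ecr-push-${RepositoryName}
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: RegistryLogin
            Effect: Allow
            Action: ecr:GetAuthorizationToken
            Resource: "*"        # this action does not support resource-level permissions
          - Sid: PushToOneRepository
            Effect: Allow
            Action:
              - ecr:BatchCheckLayerAvailability   # docker push checks which layers already exist
              - ecr:InitiateLayerUpload
              - ecr:UploadLayerPart
              - ecr:CompleteLayerUpload
              - ecr:PutImage
            Resource: !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${RepositoryName}
  EcrPullPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ecr-pull-${RepositoryName}
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: RegistryLogin
            Effect: Allow
            Action: ecr:GetAuthorizationToken
            Resource: "*"
          - Sid: PullFromOneRepository
            Effect: Allow
            Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
            Resource: !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${RepositoryName}
  ProductionInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Ref EcrPullPolicy   # the instance can pull images; it can never push or overwrite them
```

Attach EcrPushPolicy to the developers’ IAM role (or the CI role) and EcrPullPolicy to the worker node instance role; the AWS-managed AmazonEC2ContainerRegistryReadOnly policy grants the same pull actions but on every repository in the account, so a per-repository policy is the tighter choice for a production node group.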
Image Scanning
• Automated vulnerability assessment
• Images can be scanned manually
Thank you!