
Workshop Containers : EKS (Managed Kubernetes), ECS, Fargate: run your containers on AWS at scale

Marc
November 28, 2019


The AWS Cloud offers infrastructure resources optimized for running containers, as well as a set of orchestration services that make it easy for you to build and run containerized applications in production. In this presentation we will discuss the possibilities provided by services such as ECS on EC2, Fargate on ECS and EKS


Transcript

1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential. Roberto Migli, AWS Solutions Architect – Containers on AWS
2. $> whoami – rmigli@ • Solutions Architect for Financial Services • Developer at ❤ • Like to solve hard problems • Talk to me about: AWS, Containers, Space & Rocket Engines
3. Outcome – what should you expect to know at the end of this workshop? • Understand the basics of ECS • Compare Fargate and EC2 on ECS • Understand the basics of EKS • See ECS and EKS in practice • See integration with other AWS services
4. Why are enterprises adopting containers? • Accelerate software development • Build modern applications • Automate operations at web scale
5. But, what's the problem?
6. What if we have 1000s of containers? (diagram: a grid of many Server / Guest OS boxes)
7. Too many containers to manage?
8. Make AWS the BEST PLACE to run ANY containerized applications
9. AWS container services landscape • Management (deployment, scheduling, scaling & management of containerized applications): Amazon Elastic Container Service, Amazon Elastic Container Service for Kubernetes • Hosting (where the containers run): Amazon EC2, AWS Fargate • Image Registry (container image repository): Amazon Elastic Container Registry
10. CONTAINER REGISTRIES
11. Amazon Elastic Container Registry (ECR) – managed AWS Docker registry service • Public repositories supported • Allow IAM users, roles and other AWS accounts • Image scanning with CoreOS Clair
12. Amazon Elastic Container Service
13. Helping customers scale containers: 450+% growth; hundreds of millions of containers started each week; millions of container instances
14. Customers Using Containers at Scale
15. Why customers love AWS container services • Containers are a first-class citizen of the AWS Cloud: broad selection of compute instances and IAM security, VPC networking, load balancing, and autoscaling • Deeply integrated with AWS Security and Compliance: ISO, HIPAA, PCI, SOC1, SOC2, SOC3, Infocomm Media Development Auth. • DevOps Workflow: best place to build and operate a complete DevOps workflow for containers – AWS DevTools and Cloud9
16. ECS Key Components (diagram): Amazon Elastic Container Registry (Amazon ECR), Amazon Elastic Container Service (Amazon ECS) and AWS Fargate; a production cluster and a development cluster, each made of container instances; containers and volumes described by task definitions; a service definition covering load balancing, placement and deployment
17. Constructs • Task Definition (register): defines the application containers – image URL, CPU & memory requirements, etc. • Cluster (create): infrastructure isolation boundary and IAM permissions boundary • Task (run): a running instantiation of a task definition • Service (create): maintains n running copies, integrated with the Elastic Load Balancer; unhealthy tasks are automatically replaced
18. Service Autoscaling for ECS Services – Scaling Policy • Target Tracking Scaling Policies – increase or decrease the number of tasks based on a target value for a specific CloudWatch metric. Example: ALBRequestCountPerTarget • Step Scaling Policies – increase or decrease the number of tasks based on CloudWatch alarms. Example: CW alarm on CPUUtilization
19. Running containers at scale with ECS (diagram): scheduling and orchestration with a cluster manager and a placement engine across Availability Zone #1, #2 and #3
20. Service Discovery • Amazon ECS updates the service registry based on naming convention, task registrations, de-registrations and health • Amazon Route 53 provides the service registry • AWS Cloud Map keeps track of all task instances
21. Service Discovery
22. AWS Fargate
23. Managing Clusters Is Not Fun!
24. Changing Compute Consumption Model • No instances to manage • Task native API • Resource based pricing. Simple, easy to use, powerful – and a new consumption model
25. Production Workloads on AWS • AWS VPC networking mode • Advanced task placement • Deep integration with AWS platform • ECS CLI • Global footprint • Powerful scheduling engines • Auto scaling • CloudWatch metrics • Load balancers
26. HOW DO I RUN CONTAINERS ON FARGATE?
27. Running Fargate Containers with ECS
28. Running Fargate Containers with ECS • Use ECS APIs to launch Fargate containers • Easy migration – run Fargate and EC2 launch type tasks in the same cluster • Same task definition schema
29. Service level agreement: 99.99% for Amazon ECS and AWS Fargate
30. NETWORKING
31. ECS networkMode • None: disables all networking • Host: adds the container to the host's network stack • Bridge: default Docker network mode • awsvpc: AWS specific (diagram, EC2 instance: eth0 10.1.1.11; ecs-bridge 169.254.172.1/30 linked through vethxx to ecs-eth0 169.254.172.2/30; Task 1 on eth1 10.1.1.12)
32. Routing via Application Load Balancer • Path-based routing: allows you to define rules that route traffic to different target groups based on the path of a URL, e.g. example.com/test, example.com/test/test1 • Dynamic Port Mapping: provides the ability to load-balance across multiple ports on the same Amazon EC2 instance. This functionality specifically targets the use of containers and is integrated into Amazon ECS • HTTP/2 • WebSockets • Detailed Logging
33. SECURITY
34. Cluster level isolation (diagram: separate PROD, BETA, DEV and QA clusters, each on its own cluster infrastructure and each running Web, Shopping Cart and Notifications containers)
35. Permission tiers • Cluster Permissions: who can run/see tasks in the cluster? • Application (Task) Permissions: which of my AWS resources can this application access? • Housekeeping Permissions: what permissions do I want to grant ECS to perform? e.g. ECR image pull, CloudWatch logs pushing, ENI creation, register/deregister targets into ELB
36. Storage • EC2 tasks: Docker volumes (local instance storage, EBS, EFS); bind mounts • Fargate tasks: task storage is ephemeral! Container storage space – 10GB; shared volume space for containers within the task – 4GB; bind mounts
37. Visibility and monitoring • Service-level metrics available • CloudWatch Logs • CloudWatch Events supported • Container Insights: CPU, memory, disk, network and task metrics
38. ECS: EC2 or Fargate? Use Fargate when • you don't want to deal with the instances • you want to think "application first". Use EC2 when • you need control over the underlying instance (e.g. compliance) • you want to fine-tune instance-level features • you use GPUs
39. Demo! (diagram: VPC across Availability Zones 1, 2 and 3 with a NAT gateway; EC2 instances in an Autoscaling Group running tasks behind an Application LB; Amazon ECS and AWS Fargate)
40. CONFIGURATIONS & PRICING
41. EC2 Launch Type Model • No additional charge • Pay for AWS resources (e.g. EC2 instances or EBS volumes) created to store and run your application • Amazon EC2 Spot instances allow you to request spare Amazon EC2 computing capacity for up to 90% off the On-Demand price • Amazon EC2 Reserved Instances (RI) provide a significant discount (up to 75%) • Compute Savings Plans reduce your costs by up to 66%
42. Fargate Launch Type Model • Task level resources: configurable independently (within a range) • Dimensions: task level CPU and memory • Per-second billing • Compute Savings Plans reduce your costs by up to 66%. Task definition excerpt: { "memory": "3GB", "cpu": "1 vCPU", "networkMode": "AWSVPC", "compatibilities": ["FARGATE", "EC2"], "placementConstraints": [], "containerDefinitions": [ { <snip>…....
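The permission tiers from the security section (application vs. housekeeping roles) and the Fargate networking and storage rules can be checked offline against a task definition of the shape shown above. The following Python is an added example, not AWS's or the deck's code; the task definition, account id and role ARNs are constructed placeholders.

```python
"""Offline audit of an ECS task definition against the permission tiers and
the Fargate networking/storage rules from the deck. Added example, not AWS code."""
import json

# Constructed sample in the shape of the deck's Fargate task definition.
# The account id and role ARNs are placeholders, not real resources.
SAMPLE_TASK_DEF = json.loads("""{
  "family": "shopping-cart", "cpu": "1024", "memory": "3072",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE", "EC2"],
  "taskRoleArn": "arn:aws:iam::123456789012:role/cart-role",
  "executionRoleArn": "arn:aws:iam::123456789012:role/cart-role",
  "volumes": [{"name": "cache", "dockerVolumeConfiguration": {"scope": "task"}}],
  "containerDefinitions": [{
    "name": "web", "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/web:1.4.2",
    "portMappings": [{"containerPort": 80, "hostPort": 0}]
  }]
}""")


def audit_task_definition(td: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    compat = td.get("requiresCompatibilities", [])
    mode = td.get("networkMode", "bridge")  # ECS default when the key is omitted
    task_role, exec_role = td.get("taskRoleArn"), td.get("executionRoleArn")

    # Housekeeping permissions (ECR pull, CloudWatch logs, ENI creation) live in
    # the execution role; application permissions live in the task role. One role
    # for both hands the application the privileges ECS itself needs.
    if not exec_role:
        findings.append("missing executionRoleArn (needed for ECR pull / log push)")
    elif task_role == exec_role:
        findings.append("taskRoleArn == executionRoleArn: application and housekeeping tiers merged")

    # Fargate supports only awsvpc; host mode puts the task on the instance's stack.
    if "FARGATE" in compat and mode != "awsvpc":
        findings.append(f"Fargate requires networkMode awsvpc, got {mode!r}")
    if mode == "host":
        findings.append("networkMode host shares the instance network namespace")

    # Fargate task storage is ephemeral bind mounts; Docker volumes are EC2-only.
    if "FARGATE" in compat:
        for v in td.get("volumes", []):
            if "dockerVolumeConfiguration" in v:
                findings.append(f"volume {v['name']!r}: Docker volumes are not available on Fargate")

    # Dynamic port mapping (hostPort 0) is a bridge-mode feature on EC2; in awsvpc
    # the task ENI is addressed directly and hostPort must equal containerPort.
    for c in td.get("containerDefinitions", []):
        for pm in c.get("portMappings", []):
            cont = pm.get("containerPort")
            host = pm.get("hostPort", cont)
            if mode == "awsvpc" and host != cont:
                findings.append(f"container {c['name']!r}: hostPort {host} != containerPort {cont} in awsvpc mode")
    return findings


if __name__ == "__main__":
    for f in audit_task_definition(SAMPLE_TASK_DEF):
        print("FINDING:", f)
```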
43. (no slide text)
44. What is Kubernetes?
45. What is Kubernetes? • Open source container management platform • Helps you run containers at scale • Gives you primitives for building modern applications
46. Where you run K8s matters (diagram: quality of the cloud platform, quality of the applications, your users)
47. 51% of Kubernetes workloads run on AWS today – CNCF survey: https://www.cncf.io/blog/2018/08/29/cncf-survey-use-of-cloud-native-technologies-in-production-has-grown-over-200-percent/
48. Kubernetes Architecture (diagram): the Control Plane (Master Nodes) runs the API Server, Controller Manager, etcd, Scheduler and Cloud Controller Manager; Worker Nodes (Node 1, Node 2) each run kubelet and Docker and host POD 1–4; the user drives the cluster with kubectl
49. Kubernetes Core Concepts • Pod – group of one or more containers with shared storage/network • Manifest File – YAML/JSON used to deploy Kubernetes objects • Deployment – runs a specified number of Pods of your application • Service – maps a fixed IP address to a logical group of pods • Annotation – key/value pairs to hold non-identifying information • Label – key/value pair used for association and filtering • DaemonSet – implements a single instance of a pod on a worker node
50. Amazon Elastic Container Service for Kubernetes (EKS) – managed Kubernetes on AWS • Highly available • Automated version upgrades • Integration with other AWS services (diagram: managed Kubernetes control plane with etcd and master)
51. (diagram: Availability Zones 1, 2 and 3, split into an AWS Managed part and a Customer Managed part)
52. EKS Architecture (diagram): a Master VPC in the AWS account (AZ1, AZ2) runs the API Server, Scheduler and etcd; a Worker VPC in the Customer account (AZ1, AZ2) runs nodes with kubelet, Docker and Pod 1
53. Control Plane Networking (diagram): the Master VPC in the AWS account (AZ1, AZ2) with etcd, API Server and Scheduler sits behind an NLB; kubectl reaches the API Server through the NLB from the Internet
54. Control Plane ↔ Worker Nodes (diagram): EKS-owned ENIs attached cross-account (X-ENI attachment) into the customer's Worker VPC connect the API Servers in the AWS-account Master VPC to the kubelets on the worker nodes; kubectl reaches the control plane from the Internet via the NLB
55. Kubernetes Endpoint Private Access (diagram: kubectl reaching mycluster.eks.amazonaws.com across Availability Zones 1, 2 and 3)
56. EKS Security
57. IAM Authentication + kubectl: 1) kubectl passes the AWS identity to the K8s API 2) AWS Auth verifies the AWS identity 3) the AWS identity is authorized with RBAC 4) the K8s action is allowed/denied
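The four steps above as a small Python model, added here as an example and not the aws-iam-authenticator or Kubernetes code: the aws-auth mapRoles entries, the RBAC bindings, the account id and the role names are constructed placeholders, and the STS verification of step 2 is assumed to have already succeeded, so the model starts from the verified caller ARN.

```python
"""Model of the EKS flow: AWS identity -> aws-auth mapping -> RBAC decision.
Added example; the real work is done by aws-iam-authenticator and the API server."""
import re

# Constructed aws-auth mapRoles entries (account id and role names are placeholders).
AWS_AUTH_MAP_ROLES = [
    {"rolearn": "arn:aws:iam::123456789012:role/eks-node-role",
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]},
    {"rolearn": "arn:aws:iam::123456789012:role/cart-developers",
     "username": "cart-dev", "groups": ["cart-readonly"]},
]

# Constructed RBAC: group -> namespace ("*" stands for a ClusterRoleBinding) and
# the (verb, resource) pairs its bound Role allows.
RBAC_BINDINGS = {
    "cart-readonly": {"namespace": "shop",
                      "rules": {("get", "pods"), ("list", "pods"), ("get", "pods/log")}},
    "system:nodes": {"namespace": "*", "rules": {("get", "nodes"), ("update", "nodes")}},
}

ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def canonical_role_arn(caller_arn: str) -> str:
    """Step 2 detail: STS reports an assumed-role ARN that carries a session name,
    while aws-auth is keyed by the IAM role ARN, so the session part is dropped."""
    m = ASSUMED_ROLE.match(caller_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return caller_arn


def map_identity(caller_arn: str):
    """Steps 1-2: verified AWS identity -> (username, groups); None if unmapped.
    The username template is returned as-is; the authenticator expands it."""
    role_arn = canonical_role_arn(caller_arn)
    for entry in AWS_AUTH_MAP_ROLES:
        if entry["rolearn"] == role_arn:
            return entry["username"], list(entry["groups"])
    return None


def authorize(caller_arn: str, verb: str, resource: str, namespace: str) -> bool:
    """Steps 3-4: RBAC is evaluated per mapped group; any matching rule allows."""
    mapped = map_identity(caller_arn)
    if mapped is None:  # unmapped identity: 401 Unauthorized, RBAC is never consulted
        return False
    _username, groups = mapped
    for group in groups:
        binding = RBAC_BINDINGS.get(group)
        if binding and binding["namespace"] in ("*", namespace) \
                and (verb, resource) in binding["rules"]:
            return True
    return False  # 403 Forbidden: authenticated but no rule grants the verb
```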
58. Pod Security Policy. Containers are about removing dependencies, but what if containers access resources that you don't want them to? • Ex: the root user is not recommended inside the container, but… Feature: PodSecurityPolicy • Defines what accesses your pod can have (root, syscalls, R/W etc.) • An EKS 1.13 cluster now has the PSP admission plugin enabled by default, so you can use it directly • The default policy is still permissive to keep backward compatibility
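A pod-level check of the kind a restrictive PodSecurityPolicy enforces (root user, privileged mode, host namespaces, writable root filesystem, retained capabilities), as an added Python example; it models the policy decision on a pod manifest and is not the PSP admission plugin itself. The pod manifest is constructed.

```python
"""Admission-style check of a pod spec against a restrictive policy, modelling
what a non-permissive PodSecurityPolicy enforces. Added example, not k8s code."""

# Constructed pod manifest that the permissive default policy would admit.
RISKY_POD = {
    "metadata": {"name": "cart-web", "namespace": "shop"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web", "image": "web:1.4.2",
            "securityContext": {"privileged": True, "runAsUser": 0},
        }],
    },
}


def check_pod(pod: dict) -> list:
    """Return the policy violations for a pod dict; an empty list means admitted."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    # Host namespaces expose the node's network, processes or IPC to the pod.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            violations.append(f"{key} is true: pod shares the node's namespace")
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        # Container-level settings override the pod-level securityContext.
        sc = {**pod_sc, **c.get("securityContext", {})}
        name = c.get("name", "?")
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container (all capabilities, device access)")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            violations.append(f"{name}: allowPrivilegeEscalation not disabled")
        # The root point from the slide: require runAsNonRoot or an explicit non-zero UID.
        if sc.get("runAsUser") == 0 or (not sc.get("runAsNonRoot") and sc.get("runAsUser") is None):
            violations.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"{name}: root filesystem is writable")
        dropped = [cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in dropped:
            violations.append(f"{name}: capabilities not dropped (drop: [ALL])")
    return violations


if __name__ == "__main__":
    for v in check_pod(RISKY_POD):
        print("DENY:", v)
```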
59. EKS Network
60. Kubernetes Network Requirements • All containers can communicate with all other containers without NAT • All nodes can communicate with all containers (and vice-versa) without NAT • The IP address that a container sees itself as is the same IP address that others see it as (diagram: Worker VPC in the Customer account, AZ1 and AZ2, nodes running kubelet, Docker and Pod 1)
61. Container Network Interface (CNI): runtime, network plugin, network configuration
62. Amazon VPC CNI Plugin Goals 1. Simplify networking options for customers 2. Support high throughput, high availability, low latency and minimal jitter 3. Allow customers to reuse AWS VPC networking and security best practices such as the use of: • VPC flow logs for troubleshooting and compliance auditing • VPC routing policies for traffic engineering • Security groups for isolation and regulatory requirements 4. Set up Pod networking within seconds 5. Support cluster scale to a minimum of 5000+
63. Amazon VPC CNI Plugin • Native VPC networking with the CNI plugin • Pods have the same VPC address inside the pod as on the VPC • Simple, secure networking • Open source and on GitHub: https://github.com/aws/amazon-vpc-cni-k8s
64. (diagram: VPC Subnet 10.0.0.0/24. Instance 1: ENI with secondary IPs 10.0.0.1 and 10.0.0.2, given to the Nginx Pod (veth IP 10.0.0.1) and the Java Pod (veth IP 10.0.0.2). Instance 2: ENI with secondary IPs 10.0.0.20 and 10.0.0.22, given to the Nginx Pod (veth IP 10.0.0.20) and the Java Pod (veth IP 10.0.0.22). Secondary IPs are attached with ec2.associateaddress())
65. Amazon VPC CNI plugin – Understanding IP Allocation • Primary CIDR range: RFC 1918 addresses (10/8, 172.16/12, 192.168/16) or a publicly routable CIDR block (since May 2019). Used in EKS for: Pods; cross-account ENIs for masters → workers communication (exec, logs, proxy etc.); the internal Kubernetes services network (10.100/16 or 172.20/16) • Secondary CIDR ranges: non-RFC 1918 address blocks (100.64.0.0/10 and 198.19.0.0/16). Used in EKS for Pods only. How? Amazon EKS custom network config → enable → create the ENIConfig CRD → annotate nodes
66. Demo! (diagram: VPC across Availability Zones 1, 2 and 3 with a NAT gateway; EC2 instances in an Autoscaling Group behind an ELB; Amazon EKS)
67. No matter what you choose, AWS has got your back: AWS X-Ray, AWS App Mesh, AWS Cloud Map, Amazon CloudWatch, AWS Tools and SDKs …and more
68. Call to Action • Use the public workshops to practice at your own pace: https://eksworkshop.com and https://ecsworkshop.com • Be ready for the re:Invent announcements (did you know? In 2018 alone AWS launched 1957 new features) • Join the AWS User Group event – re:Cap: https://t.co/Q6Bgcz3XtR • Book an office hour at Startup Hub: https://aws-startuphub.com/
69. (no slide text)
70. Thank you