
AWS DevDay Berlin July 2018 - AWS EKS

Presentation from the July 2018 AWS DevDay in Berlin at Kulturbrauerei about the AWS Elastic Container Service for Kubernetes (EKS)

Christoph Kassen

July 03, 2018

Transcript

  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Elastic Container Service for Kubernetes
     Christoph Kassen – Solutions Architect, Amazon Web Services @christoph_k
  2. Containers: packaging, distribution, immutable infrastructure
  3. (section divider, no text)
  4. What is Kubernetes?
     Open source container management platform. Helps you run containers at scale. Gives you primitives for building modern applications.
  5. A single extensible API: SCALE, PERFORMANCE, BREADTH
  6. Vibrant and growing community of users and contributors (@christoph_k, @tiffanyfayj)
  7. Kubernetes can be run anywhere! ON-PREMISES, CLOUD
  8. ELASTIC CONTAINER SERVICE FOR KUBERNETES
  9. Amazon Container Services
  10. EKS is Kubernetes Certified
  11. Open Source Kubernetes Community: code reviews, fixing bugs, implementing new features
      Kubernetes https://github.com/kubernetes/kubernetes
      CNI plugin https://github.com/aws/amazon-vpc-cni-k8s
      Heptio AWS Authenticator https://github.com/heptio/authenticator
      Virtual Kubelet https://github.com/virtual-kubelet/virtual-kubelet/
      SIG AWS https://github.com/kubernetes/community/tree/master/sig-aws
      Cloud Provider Working Group https://github.com/kubernetes/community/tree/master/wg-cloud-provider
      External-DNS https://github.com/kubernetes-incubator/external-dns
      AWS ALB Ingress Controller https://github.com/kubernetes-sigs/aws-alb-ingress-controller
  12. EKS Architecture
  13. EKS Architecture: kubectl talks to mycluster.eks.amazonaws.com; workers are spread over Availability Zone 1, 2 and 3
  14. EKS Architecture (diagram labels): the EKS control plane runs in an EKS VPC behind a Network Load Balancer with static IPs; the EC2 worker nodes run in an Autoscaling Group in the customer VPC. API access (kubectl) goes to the NLB over TLS; ENIs attached from the control plane into the customer VPC carry the exec/logs traffic to the workers.
  15. IAM Authentication + kubectl (https://github.com/heptiolabs/kubernetes-aws-authenticator)
      1) kubectl passes the AWS identity to the K8s API
      2) AWS Auth verifies the AWS identity
      3) The AWS identity is authorized with RBAC
      4) K8s action allowed/denied
  16. EKS Worker Nodes
  17. Worker provisioning (diagram labels): kubectl applies the AWS Auth config map & RBAC; the workers' IAM role is listed in that role config map so the nodes can join
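Slides 15 and 17 describe the same mechanism from two sides: the token kubectl sends is a presigned STS GetCallerIdentity call, and the aws-auth ConfigMap decides which Kubernetes user and groups an AWS identity becomes. The following is an added example of the server-side shape of that flow, written for this page; it is not code from the deck or from the authenticator project. It decodes the token, applies the structural checks the authenticator is documented to make (STS host, GetCallerIdentity only, X-Amz-Expires no more than 60 seconds, x-k8s-aws-id among the signed headers), then maps the ARN to a user and groups. The STS call itself is not made; the ARN is passed in as if STS had returned it. The cluster ID cannot be checked from the URL, that is enforced by STS when the authenticator replays the request with its own x-k8s-aws-id header. The 60-second bound, the ConfigMap contents and the presigned URL are assumptions constructed for the example.

```python
"""Added example (not from the deck or from aws-iam-authenticator): token decoding
and aws-auth mapping as performed on the control plane side of slides 15 and 17."""
import base64
import re
from urllib.parse import parse_qs, urlparse

TOKEN_PREFIX = "k8s-aws-v1."
STS_HOST = "sts.amazonaws.com"
MAX_PRESIGN_SECONDS = 60   # assumption: the bound the authenticator puts on X-Amz-Expires

ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")

# Constructed aws-auth ConfigMap data. The worker node role entry is the
# "role config map" entry slide 17 refers to; the others are made up for the example.
AWS_AUTH = {
    "mapRoles": [
        {"rolearn": "arn:aws:iam::123456789012:role/eks-worker-node-role",
         "username": "system:node:{{EC2PrivateDNSName}}",
         "groups": ["system:bootstrappers", "system:nodes"]},
        {"rolearn": "arn:aws:iam::123456789012:role/EKSAdmins",
         "username": "admin:{{SessionName}}",
         "groups": ["system:masters"]},
    ],
    "mapUsers": [
        {"userarn": "arn:aws:iam::123456789012:user/ci-deployer",
         "username": "ci-deployer", "groups": ["deployers"]},
    ],
}

# Constructed presigned URL in the shape kubectl + the authenticator produce (fake signature).
SAMPLE_URL = (
    "https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20180703%2Fus-east-1%2Fsts%2Faws4_request"
    "&X-Amz-Date=20180703T100000Z&X-Amz-Expires=60"
    "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=deadbeef"
)


def encode_token(presigned_url: str) -> str:
    """Client side: prefix + base64url (no padding) of the presigned URL."""
    body = base64.urlsafe_b64encode(presigned_url.encode()).decode().rstrip("=")
    return TOKEN_PREFIX + body


def decode_token(token: str) -> str:
    """Accept only a short-lived presigned GetCallerIdentity call whose signature
    also covers x-k8s-aws-id, the header that binds the token to one cluster."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("token does not start with " + TOKEN_PREFIX)
    body = token[len(TOKEN_PREFIX):]
    url = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
    parts = urlparse(url)
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    if parts.scheme != "https" or parts.hostname != STS_HOST or parts.path != "/":
        raise ValueError("presigned URL must point at https://%s/" % STS_HOST)
    if query.get("action") != "GetCallerIdentity":
        raise ValueError("only GetCallerIdentity may be presigned")
    if not 0 <= int(query.get("x-amz-expires", "-1")) <= MAX_PRESIGN_SECONDS:
        raise ValueError("X-Amz-Expires outside 0..%d" % MAX_PRESIGN_SECONDS)
    signed = query.get("x-amz-signedheaders", "").lower().split(";")
    if "x-k8s-aws-id" not in signed:
        raise ValueError("x-k8s-aws-id not signed: token would be valid for any cluster")
    return url


def canonicalize_arn(arn: str):
    """STS reports assumed roles as sts:assumed-role ARNs; aws-auth lists the IAM
    role ARN. Returns (canonical ARN, session name or '')."""
    m = ASSUMED_ROLE.match(arn)
    if m:
        account, role, session = m.groups()
        return "arn:aws:iam::%s:role/%s" % (account, role), session
    return arn, ""


def map_identity(arn: str, aws_auth: dict):
    """(username, groups) for a known ARN, None otherwise. {{EC2PrivateDNSName}}
    needs an EC2 lookup and is left as-is here."""
    canonical, session = canonicalize_arn(arn)
    for entry in aws_auth.get("mapRoles", []) + aws_auth.get("mapUsers", []):
        if entry.get("rolearn", entry.get("userarn")) == canonical:
            return entry["username"].replace("{{SessionName}}", session), list(entry.get("groups", []))
    return None


def authenticate(token: str, sts_reported_arn: str, aws_auth: dict = AWS_AUTH):
    """Steps 2 and 3 of slide 15 without the network call."""
    decode_token(token)
    return map_identity(sts_reported_arn, aws_auth)


if __name__ == "__main__":
    tok = encode_token(SAMPLE_URL)
    print(authenticate(tok, "arn:aws:sts::123456789012:assumed-role/EKSAdmins/alice"))
```

An identity that STS confirms but that has no aws-auth entry maps to None, which is why an EKS cluster created by one IAM principal is invisible to every other principal until the ConfigMap is edited; conversely, every entry in mapRoles is an authorization decision, and a role mapped to system:masters is cluster-admin regardless of its IAM policies.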
  18. Networking
  19. Native VPC networking with CNI plugin. Pods have the same VPC address inside the pod as on the VPC. Simple, secure networking. Open source and on GitHub: https://github.com/aws/amazon-vpc-cni-k8s
  20. Pod addressing with the VPC CNI (diagram): VPC 172.16.0.0/16, subnet 172.16.1.0/24
      Instance 1: primary private IP 172.16.1.118; secondary IPs 172.16.1.147, 172.16.1.224, …
        Nginx pod veth IP 172.16.1.147, Java pod veth IP 172.16.1.224, both through the instance ENI
      Instance 2: primary private IP 172.16.1.15; secondary IPs 172.16.1.38, 172.16.1.24, …
        Nginx pod veth IP 172.16.1.38, Java pod veth IP 172.16.1.24, both through the instance ENI
      The secondary IPs are requested from the EC2 API (labelled ec2.associateaddress() on the slide) and handed to pods as their veth addresses
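Because each pod on slide 20 occupies one of the instance's secondary private IPs, two limits that people usually attribute to Kubernetes are really EC2 ENI limits: how many pods a node can run, and how many nodes a subnet can hold before pods stay Pending for lack of addresses. The block below is an added example written for this page, not code from the deck or from the amazon-vpc-cni-k8s project. It applies the published EKS max-pods rule, ENIs × (IPv4 per ENI − 1) + 2, where the −1 is each ENI's own primary address and the +2 are the two host-networked pods on every node (aws-node and kube-proxy). The ENI_LIMITS table is a constructed subset of the EC2 limits as of 2018; the address reservation of five per subnet is the standard VPC rule. Check the current EC2 table for your own instance types.

```python
"""Added example (not from the deck or the VPC CNI project): pod and subnet
capacity implied by the secondary-IP model on slide 20."""
import ipaddress
import math

# instance type -> (max ENIs, IPv4 addresses per ENI); constructed subset, 2018 values
ENI_LIMITS = {
    "t3.medium": (3, 6),
    "m4.large": (2, 10),
    "m5.large": (3, 10),
    "m5.xlarge": (4, 15),
    "r4.large": (3, 10),
    "r4.xlarge": (4, 15),
}
HOST_NETWORK_PODS = 2          # aws-node and kube-proxy use the node's own address
AWS_RESERVED_PER_SUBNET = 5    # first four and last address of every VPC subnet


def max_pods(instance_type: str) -> int:
    """Value the kubelet's --max-pods should be set to for this instance type."""
    enis, ips = ENI_LIMITS[instance_type]
    return enis * (ips - 1) + HOST_NETWORK_PODS


def enis_needed(instance_type: str, pods: int) -> int:
    """ENIs the CNI must attach so that `pods` pods (including the two host-networked
    ones) all have an address. Raises when the type cannot hold that many."""
    enis, ips = ENI_LIMITS[instance_type]
    addressed = max(pods - HOST_NETWORK_PODS, 0)
    needed = max(1, math.ceil(addressed / (ips - 1)))
    if needed > enis:
        raise ValueError("%s cannot run %d pods (max %d)" % (instance_type, pods, max_pods(instance_type)))
    return needed


def addresses_per_node(instance_type: str) -> int:
    """Worst-case subnet consumption of one node: every ENI attached and fully populated,
    which is what the CNI's warm pool works toward under load."""
    enis, ips = ENI_LIMITS[instance_type]
    return enis * ips


def nodes_that_fit(subnet_cidr: str, instance_type: str) -> int:
    """Nodes a subnet can carry if each is allowed to fill all its ENIs."""
    usable = ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET
    return usable // addresses_per_node(instance_type)


if __name__ == "__main__":
    for t in sorted(ENI_LIMITS):
        print("%-10s max pods %3d, nodes per /24 %2d" % (t, max_pods(t), nodes_that_fit("172.16.1.0/24", t)))
```

The practical consequence for the slide's /24: eight fully packed m5.large nodes exhaust it, and pods on a ninth node never receive an address even though the cluster has CPU to spare. Size worker subnets from this arithmetic, not from the node count alone.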
  21. Kubernetes Network Policies enforce network security rules. Calico is the leading implementation of the network policy API: open source, active development (>100 contributors), commercial support available from Tigera. https://www.projectcalico.org/
  22. Why network policy
      STAGE SEPARATION – isolate dev, test, and prod
      "TENANT" SEPARATION – namespaces are not network isolated without network policy
      FINE-GRAINED FIREWALLS – reduce attack surface within microservice-based applications
      COMPLIANCE – e.g., PCI, HIPAA
  23. Network Policy (podSelector selects the affected pods; ingress defines the traffic that is allowed)
      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: web-allow-prod
      spec:
        podSelector:
          matchLabels:
            app: web
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                purpose: production
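The three rules that make slides 21 to 23 work are easy to state and easy to get wrong: a pod that no NetworkPolicy selects accepts traffic from anywhere (which is exactly why namespaces alone are not isolated), a pod selected by a policy with no ingress rules accepts nothing, and policies are additive, so the slide's web-allow-prod opens a hole that a default-deny in the same namespace does not close. The evaluator below is an added example written for this page, not code from the deck or from Calico. It models ingress only, with matchLabels selectors, and leaves out ports and ipBlock peers. The pods, the namespace labels and the default-deny policy are constructed; web-allow-prod is the policy from slide 23.

```python
"""Added example (not from the deck or Calico): ingress evaluation under the
NetworkPolicy semantics behind slides 21 to 23."""


def pod(namespace, **labels):
    """Constructed pod: only the fields policy evaluation needs."""
    return {"namespace": namespace, "labels": labels}


# namespace name -> namespace labels (constructed)
NAMESPACES = {"prod": {"purpose": "production"}, "dev": {"purpose": "development"}}

# The slide's policy as the dict its YAML parses to
WEB_ALLOW_PROD = {
    "metadata": {"name": "web-allow-prod", "namespace": "prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"purpose": "production"}}}]}],
    },
}

# Constructed: selects every pod in prod and lists no ingress rules, i.e. deny all
DEFAULT_DENY_PROD = {
    "metadata": {"name": "default-deny", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def selector_matches(selector, labels):
    """matchLabels only. An empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns, namespaces):
    """One entry of a rule's `from` list: podSelector alone means pods in the policy's
    own namespace, namespaceSelector alone means all pods in matching namespaces,
    both together are ANDed."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                       # ipBlock peers are not modelled here
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, src["labels"])


def ingress_allowed(src, dst, policies, namespaces=NAMESPACES):
    """True if traffic from pod `src` may reach pod `dst` under `policies`."""
    applicable = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"]["podSelector"], dst["labels"])
    ]
    if not applicable:
        return True                        # Kubernetes default: unselected pods are open
    for p in applicable:
        for rule in p["spec"].get("ingress", []):
            froms = rule.get("from", [])
            if not froms or any(peer_matches(f, src, dst["namespace"], namespaces) for f in froms):
                return True                # policies are additive: one matching rule suffices
    return False                           # selected, but no rule admits this source


if __name__ == "__main__":
    web, api, dev_web = pod("prod", app="web"), pod("prod", app="api"), pod("dev", app="web")
    print("dev -> prod/api, slide policy only :", ingress_allowed(dev_web, api, [WEB_ALLOW_PROD]))
    print("dev -> prod/api, plus default-deny :", ingress_allowed(dev_web, api, [WEB_ALLOW_PROD, DEFAULT_DENY_PROD]))
```

Run against the slide's single policy, the dev pod is blocked from prod/web but still reaches prod/api, because nothing selects api. Adding the default-deny policy closes api while web-allow-prod keeps web reachable from production pods, which is the pattern to start every namespace with before writing allow rules.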
  24. What version of Kubernetes does EKS support? 1.10.3 currently (@christoph_k, @tiffanyfayj)
  25. Auto Scaling – two options
      Cluster: the k8s Cluster Autoscaler (reactive, aware of pod / cluster state, utilizes AWS AutoScaling) or plain AWS AutoScaling (scaling on CloudWatch metrics)
      Pods: the Horizontal Pod Autoscaler scales pods in response to k8s-generated metrics (CPU)
  26. Helm: package manager that allows you to bundle up deployment resources and publish them. https://github.com/kubernetes/helm
      ❯ helm search mysql
      NAME                              CHART VERSION  APP VERSION  DESCRIPTION
      stable/mysql                      0.6.0          5.7.14       Fast, reliable, sc...
      stable/prometheus-mysql-exporter  0.1.0          v0.10.0      A Helm chart for p...
      stable/percona                    0.3.2          5.7.17       free, fully compat...
      ...
      ❯ helm install stable/mysql
      [displays README + information about deployment]
      ❯ helm list
      NAME       REVISION  UPDATED                   STATUS    CHART        NAMESPACE
      nobby-cow  1         Wed Jun  6 12:54:00 2018  DEPLOYED  mysql-0.6.0  default
  27. Hosting Helm repositories
      • Anywhere that serves HTTP can host a helm repo
      • Host a private Helm repo with Chartmuseum: https://github.com/kubernetes-helm/chartmuseum
      • There's also a handy plugin for S3, which means an IAM role is the auth for your repo: https://github.com/hypnoglow/helm-s3
  28. Deploying Helm on EKS: Helm 2.9+ works with EKS. RBAC permissions are required for Tiller:
      kubectl -n kube-system create serviceaccount tiller
      kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
      helm init --service-account tiller
      This binding makes Tiller cluster-admin, so anything that can reach Tiller's gRPC port inside the cluster can deploy arbitrary resources; restrict access to Tiller or scope its role to a namespace before using this in production.
  29. Demo
  30. Deployment Strategies
  31. Rolling Update
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: my-app
        labels:
          app: my-app
      spec:
        replicas: 10
        strategy:
          type: RollingUpdate
          rollingUpdate:
            maxSurge: 1          # Numeric or percentage based value
            maxUnavailable: 0
        [...]
  32. Blue / Green Deployment – two Deployments carry the same app label and differ only in the version label
      Blue:
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: my-app-blue
        labels:
          app: my-app
      spec:
        replicas: 3
        template:
          metadata:
            labels:
              app: my-app
              version: blue
        [...]
      Green:
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: my-app-green
        labels:
          app: my-app
      spec:
        replicas: 3
        template:
          metadata:
            labels:
              app: my-app
              version: green
        [...]
  33. Blue / Green Deployment – the Service selector picks the live colour; switching is one patch
      Blue:
      apiVersion: v1
      kind: Service
      metadata:
        name: my-app
        labels:
          app: my-app
      spec:
        type: LoadBalancer
        ports:
        - name: http
          port: 80
          targetPort: http
        selector:
          app: my-app
          version: blue
      Green:
      apiVersion: v1
      kind: Service
      metadata:
        name: my-app
        labels:
          app: my-app
      spec:
        type: NodePort
        ports:
        - name: http
          port: 80
          targetPort: http
        selector:
          app: my-app
          version: green
      kubectl patch service my-app -p '{"spec":{"selector":{"version":"green"}}}'
  34. Canary Deployment – both Deployments share the app: my-app label, so a Service selecting on it sends roughly one request in ten to v2
      Production:
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: my-app-prod
        labels:
          app: my-app
      spec:
        replicas: 9
        template:
          metadata:
            labels:
              app: my-app
          spec:
            containers:
            - name: my-app
              image: images/container:v1
        [...]
      Canary:
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: my-app-canary
        labels:
          app: my-app
      spec:
        replicas: 1
        template:
          metadata:
            labels:
              app: my-app
          spec:
            containers:
            - name: my-app
              image: images/container:v2
        [...]
      More examples at https://container-solutions.com/kubernetes-deployment-strategies/
  35. Load Balancing
  36. Service Type – LoadBalancer (NLB), diagram: a request to the NGINX pod from the Internet hits {NLB}:443; the NLB forwards to the node on the service's NodePort ({node}:32001; a second service sits on :32002); the k8s service ClusterIP receives the request and kube-proxy load balances to the Nginx pods on the EC2 instances (10001:8080, 10002:8080, 10003:8080)
  37. Network Load Balancer
      apiVersion: v1
      kind: Service
      metadata:
        name: nginx
        namespace: default
        labels:
          app: nginx
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
      spec:
        type: LoadBalancer
        externalTrafficPolicy: Local
        ports:
        - name: http
          port: 80
          protocol: TCP
          targetPort: 80
        selector:
          app: nginx
      More options (draining, logging, SSL certs, tagging, security groups, health checks): https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/aws/aws.go
  38. Ingress Type – CoreOS ALB Ingress, diagram: a request to the NGINX pod hits {ALB}:443; the ALB routes based on the path (/api, /home) to the NodePort of the matching service (nginx-service :32003, webapp-service :32004); kube-proxy (:32001, :32002) proxies the request to the k8s service ClusterIP and load balances to the Nginx or Webapp pods (10002:8080). Installation: https://github.com/pahud/eks-alb-ingress
  39. DNS
  40. Automatic Route53 DNS creation for services
      apiVersion: v1
      kind: Service
      metadata:
        name: nginx
        annotations:
          # Uses https://github.com/kubernetes-incubator/external-dns
          external-dns.alpha.kubernetes.io/hostname: nginx.highlyavailable.systems.
      spec:
        type: LoadBalancer
        ports:
        - port: 80
          name: http
          targetPort: 80
        selector:
          app: nginx
  41. Automatic Route53 DNS creation for Ingress
      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
        name: nginx
        annotations:
          kubernetes.io/ingress.class: "nginx"
      spec:
        rules:
        - host: nginx.highlyavailable.systems
          http:
            paths:
            - backend:
                serviceName: nginx
                servicePort: 80
  42. Scheduling
  43. Controlling scheduling: resource requirements, resource filters
  44. Limit resource usage – Pod CPU and memory resources: Container A request 600m / limit 900m, Container B request 400m / limit 800m; the pod's request and limit are the sums over its containers
  45. Resource Quotas – applied per namespace. This ResourceQuota defines both requests and limits, so every Pod in the namespace must define both.
      Pod resource request:
      apiVersion: v1
      kind: Pod
      metadata:
        name: production
      spec:
        containers:
        - name: nginx-pod
          image: nginx
          resources:
            limits:
              memory: "800Mi"
              cpu: "800m"    # 0.8 vCPU
            requests:
              memory: "600Mi"
              cpu: "400m"    # 0.4 vCPU
      Quota:
      apiVersion: v1
      kind: ResourceQuota
      metadata:
        name: production
      spec:
        hard:
          requests.cpu: "1"
          requests.memory: 1Gi
          limits.cpu: "2"
          limits.memory: 2Gi
  46. Controlling scheduling: resource requirements; constraints (taints at node level, tolerations at pod level); topology filters
  47. Taints and Tolerations – the toleration must match the taint for the pod to be scheduled onto the tainted node
      # Taint node
      $ kubectl taint nodes ip-10-0-32-12.us-west-2.compute.internal \
          skynet=false:NoSchedule
      # Tolerations
      kind: Pod
      spec:
        tolerations:
        - key: skynet
          operator: Equal
          value: "false"
          effect: NoSchedule
        [...]
  48. Controlling scheduling: resource requirements; constraints (taints at node level, tolerations at pod level); affinity/anti-affinity; topology filters
  49. Affinity / Anti-Affinity
      • Control scheduling onto nodes; combine with Taints & Tolerations
      • Distribute Pods across the cluster
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: "beta.kubernetes.io/instance-type"
                operator: In
                values: ["r4.large", "r4.xlarge"]
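Slide 49's aside, "combine with Taints & Tolerations", is the part worth seeing run: a taint keeps other workloads off a dedicated node, a toleration lets your pod onto it, but nothing in that pair keeps your pod off the other nodes, so a sensitive workload that must stay on the tainted pool also needs the affinity. The block below is an added example written for this page, not code from the deck or from the Kubernetes scheduler. It implements the filtering half of scheduling for slides 46 to 49: all NoSchedule/NoExecute taints on a node must be tolerated, and at least one required nodeAffinity term must match (terms are ORed, the expressions within a term are ANDed). The node fleet, its labels and the pods are constructed; the taint and the affinity expression are the ones from slides 47 and 49.

```python
"""Added example (not from the deck or the Kubernetes scheduler): node filtering
by taints/tolerations and required nodeAffinity, slides 46 to 49."""

FILTERING_EFFECTS = ("NoSchedule", "NoExecute")   # PreferNoSchedule only scores, never filters

# Constructed fleet: one r4 node dedicated with the taint from slide 47, two ordinary m5 nodes
NODES = [
    {"name": "ip-10-0-32-12.us-west-2.compute.internal",
     "labels": {"beta.kubernetes.io/instance-type": "r4.large"},
     "taints": [{"key": "skynet", "value": "false", "effect": "NoSchedule"}]},
    {"name": "ip-10-0-33-7.us-west-2.compute.internal",
     "labels": {"beta.kubernetes.io/instance-type": "m5.large"}, "taints": []},
    {"name": "ip-10-0-34-9.us-west-2.compute.internal",
     "labels": {"beta.kubernetes.io/instance-type": "m5.xlarge"}, "taints": []},
]

TOLERATE_SKYNET = {"key": "skynet", "operator": "Equal", "value": "false", "effect": "NoSchedule"}
REQUIRE_R4 = {"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {"nodeSelectorTerms": [
    {"matchExpressions": [{"key": "beta.kubernetes.io/instance-type", "operator": "In",
                           "values": ["r4.large", "r4.xlarge"]}]}]}}}


def toleration_matches(tol, taint):
    """Effect must match unless the toleration leaves it empty; key must match unless
    empty (empty key with Exists tolerates every taint); Equal also compares the value."""
    if tol.get("effect") and tol["effect"] != taint["effect"]:
        return False
    if tol.get("key") and tol["key"] != taint["key"]:
        return False
    if tol.get("operator", "Equal") == "Exists":
        return True
    return tol.get("value", "") == taint.get("value", "")


def tolerates_node(pod, node):
    """Every filtering taint on the node needs at least one matching toleration."""
    return all(
        any(toleration_matches(t, taint) for t in pod.get("tolerations", []))
        for taint in node.get("taints", [])
        if taint["effect"] in FILTERING_EFFECTS
    )


def expression_matches(expr, labels):
    key, op = expr["key"], expr["operator"]
    if op == "In":
        return labels.get(key) in expr["values"]
    if op == "NotIn":
        return labels.get(key) not in expr["values"]
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError("unsupported operator " + op)


def affinity_allows(pod, node):
    """No required terms means any node; otherwise one term (all its expressions) must match."""
    terms = (pod.get("affinity", {}).get("nodeAffinity", {})
             .get("requiredDuringSchedulingIgnoredDuringExecution", {}).get("nodeSelectorTerms", []))
    if not terms:
        return True
    return any(all(expression_matches(e, node["labels"]) for e in term.get("matchExpressions", []))
               for term in terms)


def feasible_nodes(pod, nodes=NODES):
    """Names of the nodes that pass both filters, in fleet order."""
    return [n["name"] for n in nodes if tolerates_node(pod, n) and affinity_allows(pod, n)]


if __name__ == "__main__":
    print("toleration only   :", feasible_nodes({"tolerations": [TOLERATE_SKYNET]}))
    print("toleration+affinity:", feasible_nodes({"tolerations": [TOLERATE_SKYNET], "affinity": REQUIRE_R4}))
    print("affinity only     :", feasible_nodes({"affinity": REQUIRE_R4}))
```

The three runs at the bottom are the whole argument: the toleration alone yields all three nodes, the affinity alone yields none (the only r4 node is tainted), and only the combination pins the pod to the dedicated node.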
  50. Want to learn more?
  51. Tooling and Ecosystem
      https://github.com/ramitsurana/awesome-kubernetes
      https://discuss.kubernetes.io/
      http://slack.k8s.io/
      TGIK Playlist: https://www.youtube.com/playlist?list=PLvmPtYZtoXOENHJiAQc6HmV2jmuexKfrJ
  52. EKS – Getting started
      https://aws.amazon.com/eks
      https://aws.amazon.com/getting-started/projects/deploy-kubernetes-app-amazon-eks/
      https://aws.amazon.com/blogs/aws/amazon-eks-now-generally-available/
      https://aws.amazon.com/blogs/compute/
      https://aws.amazon.com/blogs/opensource/category/compute/amazon-elastic-container-service-for-kubernetes/
      https://medium.com/containers-on-aws
  53. Questions?
  54. Thank You – https://aws.amazon.com/containers @christoph_k
      Special thanks to: Paul Maddox, Abby Fuller, Nishi Davidson, Brandon Chavis, Arun Gupta, Chris Hein, Omar Lari and many more...
  55. Build your cloud skills with AWS – Upcoming Trainings:
      Date           Training                                        Location  Duration  Language
      August 28-30   Developing on AWS                               Berlin    3 days    English
      September 5    Running Container-Enabled Microservices on AWS  Berlin    1 day     English
      September 6    Deep Learning on AWS                            Berlin    1 day     English
      September 18   Building a Serverless Data Lake on AWS          Berlin    1 day     English
      October 09-11  Systems Operations on AWS                       Berlin    3 days    English
      October 23-25  DevOps Engineering on AWS                       Berlin    3 days    English
      Use the discount code when booking online and get 20 % off: MKBERSUM18-1-19P6OP0XN6D3Y
      Terms & Conditions: Please note that this discount only applies to Public Schedule Classes sold by AWS in Germany. The promotion expires on 30.09.2018.