DevDaysGermany_KubernetesOnAWS

Kubernetes on AWS - DevDays Germany presentation. Deep Dive into Elastic Container Service for Kubernetes (EKS)

Christoph Kassen

April 10, 2018

Transcript

  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Kubernetes on AWS. Christoph Kassen, Solutions Architect – AWS, @christoph_k #AWSDevDay
  2. Why do we love containers? Packaging, distribution, immutable infrastructure.
  3. Make AWS the best place to run any containerized application.
  4. What is Kubernetes? An open source container management platform. It helps you run containers at scale and gives you primitives for building modern applications.
  5. Why developers love Kubernetes
  6. Why developers love Kubernetes: a vibrant and growing community of users and contributors.
  7. Why developers love Kubernetes: Kubernetes can be run anywhere, on-premises or in the cloud.
  8. Why developers love Kubernetes: a single extensible API (scale, performance, breadth).
  9. Cloud-native applications: microservice tooling, native applications.
  10. But where you run K8s matters: the quality of the cloud platform, the quality of the applications, your users.
  11. Let's deploy k8s with kops.
  12. Kubernetes on AWS with kops
      1. Install binaries and tools: kops, AWS CLI tools, kubectl
      2. Set up an IAM user for kops
      3. Allow the kops user full access to EC2, Route53, S3, IAM, VPC
      4. Configure DNS, or deploy a gossip-based cluster
      5. Create an S3 bucket to save the cluster config: my-kops-store
      6. Set the kops environment variables
      7. Select the cluster design and options for kops: HA, networking, instance types, AMI
      8. Create the cluster: kops create cluster and kops validate cluster
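The eight steps of slide 12 as one bootstrap script. This is an added example, not code from the deck or from the kops project: the cluster name devday.k8s.local, the region, the zones and the bucket name are placeholders, and every kops and aws call is printed rather than executed unless DRY_RUN=0 is set. It adds the two things a security engineer wants around the deck's step 3 and step 5: a dedicated, short-lived identity for the very broad kops permissions, and a versioned, non-public state bucket, because that bucket holds the cluster's CA and keys as well as its spec.

```shell
#!/bin/sh
# Added example (not from the deck): bootstrap a gossip-based, HA kops cluster on AWS.
# Cluster name, bucket, region and zones are hypothetical placeholders.
# Commands are only printed unless DRY_RUN=0, so the script is safe to run as-is.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-devday.k8s.local}"        # *.k8s.local => gossip DNS, no Route53 zone needed
KOPS_STATE_BUCKET="${KOPS_STATE_BUCKET:-my-kops-store}" # the bucket name used on the slide
AWS_REGION="${AWS_REGION:-eu-central-1}"
ZONES="${ZONES:-eu-central-1a,eu-central-1b,eu-central-1c}"
DRY_RUN="${DRY_RUN:-1}"

# Print each command; execute it only when DRY_RUN=0.
run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# Gossip mode is selected purely by the name suffix, so check it before creating anything.
is_gossip_cluster() {
  case "$1" in
    *.k8s.local) return 0 ;;
    *)           return 1 ;;
  esac
}

# The state store holds the cluster spec and its PKI material, so it is versioned
# (kops recommends this) and explicitly non-public. Bucket names are global: a typo
# here can point kops at a bucket you do not own.
create_state_store() {
  bucket="$1"
  run aws s3api create-bucket --bucket "$bucket" --region "$AWS_REGION" \
      --create-bucket-configuration "LocationConstraint=$AWS_REGION"
  run aws s3api put-bucket-versioning --bucket "$bucket" \
      --versioning-configuration Status=Enabled
  run aws s3api put-public-access-block --bucket "$bucket" \
      --public-access-block-configuration \
      BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
}

# Arguments for an HA control plane: one master (and etcd member) per AZ, as on the slides.
kops_create_args() {
  printf '%s ' "--name=$CLUSTER_NAME" "--state=s3://$KOPS_STATE_BUCKET" \
    "--zones=$ZONES" "--master-zones=$ZONES" "--master-count=3" \
    "--node-count=3" "--topology=private" "--networking=calico"
}

main() {
  if ! is_gossip_cluster "$CLUSTER_NAME"; then
    echo "expected a *.k8s.local name for a gossip cluster; otherwise create the Route53 zone first" >&2
    exit 1
  fi
  # kops runs with whatever credentials the AWS CLI resolves. "Full access to EC2, Route53,
  # S3, IAM, VPC" (the managed *FullAccess policies kops documents) is effectively account
  # admin, IAMFullAccess alone is enough to escalate. Keep it on a dedicated IAM user or role
  # used only for this bootstrap, never on a human's long-lived keys, and remove it afterwards.
  export KOPS_STATE_STORE="s3://$KOPS_STATE_BUCKET"
  create_state_store "$KOPS_STATE_BUCKET"
  # Word splitting of the argument string is intended: no argument contains spaces.
  run kops create cluster $(kops_create_args) --yes
  run kops validate cluster --name "$CLUSTER_NAME"
}
main
```

kops create cluster on its own only writes the cluster spec to the state store; --yes (or a later kops update cluster --yes) is what creates the AWS resources, and kops validate cluster confirms that the three masters and the nodes have joined.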
  13. Kubernetes on AWS: 3x Kubernetes masters for HA.
  14. Kubernetes master: API server, cloud controller, controller manager, scheduler, add-ons (KubeDNS).
  15. One etcd member and one master in each of Availability Zone 1, Availability Zone 2 and Availability Zone 3.
  16. etcd and master in Availability Zone 1, Availability Zone 2 and Availability Zone 3.
  17. "Run Kubernetes for me."
  18. "Native AWS Integrations."
  19. "An Open Source Kubernetes Experience."
  20. Elastic Container Service for Kubernetes
  21. Tenet 1: EKS is a platform for enterprises to run production-grade workloads.
  22. Tenet 2: EKS provides a native and upstream Kubernetes experience.
  23. Tenet 3: If EKS customers want to use additional AWS services, the integrations are seamless and eliminate undifferentiated heavy lifting.
  24. Tenet 4: The EKS team actively contributes to the Kubernetes project.
  25. kubectl talks to the cluster endpoint mycluster.eks.amazonaws.com; the control plane runs across Availability Zone 1, Availability Zone 2 and Availability Zone 3.
  26. EKS master autoscaling.
  27. Master: Amazon CloudWatch, AWS CloudTrail.
  28. Metrics: nodes (Node exporter); pod/container (kube-state-metrics, cAdvisor); application (/metrics, JMX). Cluster-wide aggregator: Prometheus, Heapster. Visualizer: Grafana, Kibana, Dashboard. Data model: InfluxDB, Graphite. Alerting: AlertManager, Kapacitor.
  29. Heptio IAM Authenticator: an open source approach to integrating AWS IAM authentication with Kubernetes.
  30. Access and authentication. Two paths, each backed by an IAM role (User X, Service Account Y): kubectl → K8s APIs → CRUD operations on K8s, and aws-cli → EKS service APIs → CRUD operations on infra. The K8s master nodes run the API server, controller manager, kubelet, etcd, cloud controller manager and scheduler. On the API server: authentication via webhook tokens, authorization in RBAC mode, admission control with NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass and ResourceQuota. AWS STS on the client side, heptio-aws-authenticator on the server side.
  31. kubectl, the AWS Auth configmap & RBAC: the Workers Role and the user Role are mapped in the config map.
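How slides 29 to 31 fit together, as an added example that is not the deck's or the authenticator project's own code: the aws-auth ConfigMap that maps IAM roles to Kubernetes users and groups, a namespaced Role and RoleBinding so the developer group gets least privilege instead of system:masters, and the kubeconfig exec stanza that makes kubectl fetch an STS-backed token. Every ARN, the cluster name mycluster and the namespace team-a are placeholders, and the binary is named by its current name aws-iam-authenticator (the Heptio authenticator on the slide was later renamed). The functions only print YAML; pipe them into kubectl apply -f -.

```shell
#!/bin/sh
# Added example (not from the deck): aws-auth ConfigMap, namespaced RBAC and the kubectl
# exec credential stanza for EKS. All ARNs, names and the cluster name are placeholders.
set -eu

# aws-auth maps IAM identities (verified server-side by the authenticator through STS)
# to Kubernetes usernames and groups. Groups are where RBAC attaches.
# Entry 1: the worker node role; without it kubelets cannot join.
# Entry 2: one break-glass admin role; system:masters bypasses every RBAC rule.
# Entry 3: a developer role mapped to a plain group that a namespaced Role binds to.
render_aws_auth() {
  node_role_arn="$1"; admin_role_arn="$2"; dev_role_arn="$3"
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: $node_role_arn
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: $admin_role_arn
      username: eks-admin
      groups:
        - system:masters
    - rolearn: $dev_role_arn
      username: team-a-dev
      groups:
        - team-a-developers
EOF
}

# Least privilege for the developer group: read/write only inside its namespace,
# and deliberately no access to secrets.
render_team_rbac() {
  ns="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-edit
  namespace: $ns
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "pods/log", "services", "configmaps", "deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developers
  namespace: $ns
subjects:
  - kind: Group
    name: team-a-developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-a-edit
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Client side: kubectl runs the authenticator, which returns a token built from a
# presigned STS GetCallerIdentity request; the API server's webhook sends it to the
# server-side authenticator, which verifies it and looks the identity up in aws-auth.
render_kubeconfig_user() {
  cluster="$1"; role_arn="$2"
  cat <<EOF
users:
  - name: $cluster
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        command: aws-iam-authenticator
        args: ["token", "-i", "$cluster", "-r", "$role_arn"]
EOF
}

# Audit check on a rendered or live ConfigMap (stdin): how many mappings grant
# system:masters? Anyone who can edit this ConfigMap can add themselves, so restrict
# write access to it with RBAC and alert on changes.
count_masters_mappings() {
  grep -c 'system:masters' || true
}

# Usage:
#   render_aws_auth "$NODE_ROLE" "$ADMIN_ROLE" "$DEV_ROLE" | kubectl apply -f -
#   render_team_rbac team-a | kubectl apply -f -
#   kubectl -n kube-system get configmap aws-auth -o yaml | count_masters_mappings
```

Two checks worth running on any EKS cluster: the IAM identity that created the cluster holds system:masters without appearing in aws-auth, so record which identity that was; and count_masters_mappings on the live ConfigMap should return the number you expect (here, one).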
  32. Native VPC networking with the CNI plugin: pods have the same VPC address inside the pod as on the VPC. Simple, secure networking. Open source and on GitHub.
  33. (Diagram) VPC 172.16.0.0/16, VPC subnet 172.16.1.0/24. Instance 1: primary private IP 172.16.1.118, secondary IPs 172.16.1.147, 172.16.1.224, …; its ENI hands 172.16.1.147 to an Nginx pod and 172.16.1.224 to a Java pod over veth pairs. Instance 2: primary private IP 172.16.1.15, secondary IPs 172.16.1.38, 172.16.1.24, …; Nginx pod 172.16.1.38, Java pod 172.16.1.24. Secondary IPs are attached to the ENI with ec2.associateaddress().
  34. Networking with the CNI plugin (diagram): VPC 172.16.0.0/16 with one VPC subnet per AZ (172.16.1.0/24). K8s Node 1 and K8s Node 2 each run kubelet and kube-proxy and have an ENI (primary private IP 172.16.1.118, secondary IPs 172.16.1.147, 172.16.1.224, …). Each pod gets a veth (veth0 A, veth0 B) whose eth0 carries a /32 taken from the ENI's secondary IPs (172.16.1.147/32, 172.16.1.224/32), wired into the node's L3 route table by the CNI; secondary IPs are attached with ec2.associateaddress(). Service: Front end (POD 2, POD 3) and Service: Back end (POD 1, POD 4). The K8s master nodes run the API server, controller manager, kubelet, etcd, scheduler, kube-proxy and cloud controller manager; User X and Service Account Y reach the API with kubectl.
  35. DNS, Services and ELB (diagram): the same VPC, nodes, pods and services as on slide 34, plus the DNS service (kubedns, dnsmasq, healthz) behind a static IP, and a Service of kind: Service, type: LoadBalancer in front of the front-end pods.
  36. Kubernetes Network Policies enforce network security rules. Calico is the leading implementation of the network policy API: open source, under active development (>100 contributors), with commercial support available from Tigera.
  37. Stage separation: isolate dev, test and prod. "Tenant" separation: namespaces are not network isolated without a network policy. Fine-grained firewalls: reduce the attack surface within microservice-based applications. Compliance: e.g., PCI, HIPAA.
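The point of slides 32 to 37 in one set of manifests, added here as an example rather than taken from the deck: a default deny for the namespace (without it, as slide 37 says, a namespace is not network isolated), the single front end to back end allow the application needs, and an egress rule that keeps pods away from the EC2 instance metadata service, which is reachable from any pod because the VPC CNI gives pods real VPC addresses on the node's ENI and the node's instance-role credentials are served there. It assumes Calico (named on slide 36) is installed to enforce NetworkPolicy objects, since the VPC CNI only assigns addresses; the namespace, labels and port are placeholders.

```shell
#!/bin/sh
# Added example (not from the deck): NetworkPolicy manifests for one namespace on EKS
# with Calico enforcing them. Namespace, labels and port are hypothetical placeholders.
set -eu

# 1. Default deny in both directions. Until this exists a namespace is only a name.
render_default_deny() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $1
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
EOF
}

# 2. Re-open only what the application needs: front end -> back end on its listening port.
render_allow_frontend_to_backend() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: $1
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: $2
EOF
}

# 3. Egress: DNS anywhere, then everything except the EC2 instance metadata service.
#    With the VPC CNI a pod has a real VPC address, so without the "except" it can read
#    the node's instance-role credentials from 169.254.169.254.
render_egress_no_metadata() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-block-instance-metadata
  namespace: $1
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
EOF
}

# Render the whole set for one namespace as a multi-document YAML stream.
render_namespace_policies() {
  ns="$1"; backend_port="$2"
  render_default_deny "$ns"
  printf -- '---\n'
  render_allow_frontend_to_backend "$ns" "$backend_port"
  printf -- '---\n'
  render_egress_no_metadata "$ns"
}

# Usage: render_namespace_policies team-a 8080 | kubectl apply -f -
```

Apply the default deny first and watch what breaks before adding allows. Traffic that must reach the front end from outside the namespace (for example the ELB created by the type: LoadBalancer Service on slide 35) needs its own ingress rule, which this set deliberately leaves out, and the egress rule is intentionally broad apart from the metadata exception: tighten it to the back end's and the VPC's ranges once the application's dependencies are known.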
  38. Kubernetes versions: 1.9 (1.9.3, 1.9.4) and 1.10.
  39. kubectl and the workers reach Amazon EKS through a PrivateLink interface endpoint.
  40. Kubelet on Fargate: run virtual-kubelet on Fargate. https://www.contentful.com/blog/2018/04/10/sailing-into-infinity-seamlessly-managed-serverless-containers-using-kubernetes-and-aws-fargate/
  41. Prioritizing open source.
  42. Open source Kubernetes community: code reviews, fixing bugs, implementing new features.
  43. Amazon Container Services (coming 2018).
  44. Thank you. https://aws.amazon.com/containers