rights reserved.
New: AWS application management services
AWS Cloud Map
• Service discovery for all your cloud resources
• Increase developer productivity
• Integration with Amazon container services
Observability & traffic control
• Works across clusters and container services
• AWS built and run
Amazon Confidential and Trademark
“Run Kubernetes for me.”
51% of Kubernetes workloads run on AWS today — Cloud Native Computing Foundation
Kubernetes on AWS: highly available, scalable, secure
• 3x Kubernetes API servers for HA
• 3x Kubernetes etcd servers for HA

EKS overview
• AWS managed: the control plane, with one API server and one etcd server in each of three Availability Zones (Availability Zone 1, 2 and 3)
• Customer managed: the worker nodes, also spread across the three Availability Zones
eksctl
• Tooling to provision EKS clusters
• Manages worker node groups
• Configures CLI
• Open source project, started by Weaveworks: https://eksctl.io
eksctl create cluster --name=cluster-1 --nodes=4 --region=eu-central-1
Kubernetes versions on Amazon EKS
• Kubernetes version 1.11 available, 1.12 coming soon
• Amazon EKS will support up to three versions of Kubernetes at once
• “Deprecation” will prevent new cluster creation on old versions
Amazon EKS platform version
• Platform version revisions represent API server configuration changes or Kubernetes patches
• Platform versions increment within a Kubernetes version only
The three rules of Kubernetes networking
• All pods can communicate with each other directly without NAT
• All nodes can communicate with all pods (and vice versa) without NAT
• The IP that a pod sees itself as is the same IP that others see it as
Typical 3-tier application: traffic flow constraints
• Tiers of the Hello app: web server pods, application server pods, reporting server pods, DB instance read replica
• Users enter at the web server pods; two direct paths are marked X (blocked) in the diagram
• Stage separation: isolate dev, test, and prod
• “Tenant” separation: namespaces without network policy are not network isolated
• Fine-grained firewalls: reduce attack surface within microservice-based applications
• Compliance: e.g., PCI, HIPAA
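As an added example (not from the slides), the traffic-flow constraints of the three-tier Hello app expressed as Kubernetes NetworkPolicy objects. The namespace name hello, the tier labels, the port numbers and the 10.0.100.0/24 subnet of the DB read replica are assumptions made for illustration. The first policy is the important one: it selects every pod in the namespace and thereby isolates it, which is exactly what a namespace does not do on its own.

```yaml
# Added example (not from the slides). Namespace, labels, ports and the DB
# subnet are assumptions made for illustration.
---
# 1. Isolate every pod in the namespace. From here on a pod may only send or
#    receive what a later policy explicitly allows (policies are additive).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: hello
spec:
  podSelector: {}                     # all pods in "hello"
  policyTypes: ["Ingress", "Egress"]
---
# 2. Every tier may resolve DNS (port 53 to any destination); nothing else.
#    Without this, default-deny egress silently breaks service discovery.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: hello
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - ports:
    - {port: 53, protocol: UDP}
    - {port: 53, protocol: TCP}
---
# 3. Web tier: users (via the ingress) may reach port 8080 from anywhere;
#    web pods may only talk to the app tier.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web
  namespace: hello
spec:
  podSelector:
    matchLabels: {tier: web}
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - ports:                            # no "from": any source, but only this port
    - {port: 8080, protocol: TCP}
  egress:
  - to:
    - podSelector:
        matchLabels: {tier: app}
    ports:
    - {port: 9090, protocol: TCP}
---
# 4. App tier: reachable only from web pods; may only call the reporting tier.
#    A user, or a compromised web pod, cannot reach the database from here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app
  namespace: hello
spec:
  podSelector:
    matchLabels: {tier: app}
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - from:
    - podSelector:
        matchLabels: {tier: web}
    ports:
    - {port: 9090, protocol: TCP}
  egress:
  - to:
    - podSelector:
        matchLabels: {tier: reporting}
    ports:
    - {port: 9091, protocol: TCP}
---
# 5. Reporting tier: reachable only from app pods, and the only pods allowed
#    to open a connection to the DB read replica (an endpoint outside the
#    cluster, so it is addressed by its subnet CIDR rather than a selector).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: reporting
  namespace: hello
spec:
  podSelector:
    matchLabels: {tier: reporting}
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - from:
    - podSelector:
        matchLabels: {tier: app}
    ports:
    - {port: 9091, protocol: TCP}
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.100.0/24           # assumption: subnet of the read replica
    ports:
    - {port: 5432, protocol: TCP}
```

Two caveats a practitioner will want. First, the API server accepts these objects on any cluster, but they are only enforced by a CNI plugin that implements NetworkPolicy; on EKS the VPC CNI alone does not, and the documented way to get enforcement is to install Calico alongside it. Second, verify the policies rather than trusting them: a connection from a web pod straight to a reporting pod on port 9091, or from any pod to the replica subnet on 5432 other than a reporting pod, should time out once Calico is running, and should succeed before it is installed.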
Kubernetes Ingress object
• Exposes HTTP/HTTPS routes to services within the cluster
• Many implementations: ALB, Nginx, F5, HAProxy, etc.
• Default Service type: ClusterIP
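An added example (not from the slides) of the ALB implementation listed above: an Ingress that terminates HTTPS at an Application Load Balancer and routes to a plain ClusterIP Service. The host name, certificate ARN, account ID, service name and ports are assumptions; the annotations are those of the AWS ALB Ingress Controller.

```yaml
# Added example (not from the slides). Host name, certificate ARN, account ID,
# service name and ports are assumptions.
apiVersion: extensions/v1beta1          # Ingress API group on Kubernetes 1.11/1.12
kind: Ingress
metadata:
  name: hello
  namespace: hello
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    # "ip" targets register pod IPs directly in the ALB target group, so the
    # backend Service can stay ClusterIP; "instance" mode would require NodePort.
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # TLS terminates at the ALB with an ACM certificate (assumed ARN).
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:123456789012:certificate/EXAMPLE
spec:
  rules:
  - host: hello.example.com             # assumption
    http:
      paths:
      - path: /*                        # ALB listener-rule wildcard syntax
        backend:
          serviceName: web
          servicePort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: hello
spec:
  type: ClusterIP                       # the default; no NodePort needed in ip mode
  selector:
    tier: web
  ports:
  - port: 8080
    targetPort: 8080
```

Note that the listener list above still serves plain HTTP on port 80; if every request must be encrypted in transit, remove the HTTP entry or configure the controller's redirect action, and check the result from outside the VPC with a plain http:// request. The controller also needs to know which public subnets to place the ALB in, either through the subnet tags it looks for or the alb.ingress.kubernetes.io/subnets annotation.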
I want to give a pod permissions to an AWS service

                   kube2iam                         kiam                              iam4kube                        kube-aws-iam-controller
method             instance profile (metadata)      instance profile (metadata)       instance profile (metadata)     credentials as pod-mounted secrets
race conditions    yes (app can get invalid creds)  yes (app can access node creds)   no                              no
prefetch           no                               yes                               yes                             by design
annotation on      pod                              pod                               service account                 pod
production         good                             mediocre                          minimal                         minimal

Read more:
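As an added example (not from the slides and not taken from either project's documentation), the "annotation on pod" row of the table for kube2iam and kiam, together with the namespace-level restriction each tool offers. Without that restriction, anyone who can create a pod in the namespace can request any role the node's instance role is allowed to assume. The account ID, role names and container image are assumptions.

```yaml
# Added example (not from the slides). Account ID, role names and image are
# assumptions. Both tools read the same pod annotation; the namespace
# annotations differ and each is only honoured by its own tool.
apiVersion: v1
kind: Namespace
metadata:
  name: hello
  annotations:
    # kube2iam: JSON list of roles pods in this namespace may request.
    # Enforced only when kube2iam runs with --namespace-restrictions.
    iam.amazonaws.com/allowed-roles: |
      ["arn:aws:iam::123456789012:role/hello-app"]
    # kiam: regular expression the requested role must match.
    iam.amazonaws.com/permitted: "^arn:aws:iam::123456789012:role/hello-.*$"
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-app
  namespace: hello
  annotations:
    # The role the pod should receive; its trust policy must allow the
    # worker nodes' instance role to call sts:AssumeRole on it.
    iam.amazonaws.com/role: arn:aws:iam::123456789012:role/hello-app
spec:
  containers:
  - name: app
    image: 123456789012.dkr.ecr.eu-central-1.amazonaws.com/hello-app:1.0   # assumption
```

The check that matters, given the race conditions in the table, is what the pod actually sees: kubectl -n hello exec hello-app -- curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ should print hello-app. If it prints the worker node's instance role instead, the metadata proxy's iptables redirect is not in place on that node (for kube2iam on the VPC CNI that means running it with --iptables=true and --host-interface=eni+), and every pod on the node has the node's permissions until it is.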