Slide 1

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.

Rancher integration with AWS services
Possibilities, challenges, outlook
Dominik Wombacher, Sr. Partner Solutions Architect, [email protected]

Slide 2

Session Agenda
- Amazon Region Design
- Rancher on Amazon Elastic Kubernetes Service (EKS)
- Integration with AWS services
- Outlook
- Q&A

Slide 3

Amazon Region Design

Slide 4

AWS Regions & Availability Zones
31 launched Regions / 99 Availability Zones / 400+ edge locations

Slide 5

AWS Region Design: how Amazon defines Regions and Availability Zones
Diagram: a Region made up of Availability Zones (AZ), each AZ consisting of datacenters, connected through transit centers

Slide 6

Rancher on Amazon EKS

Slide 7

Rancher on Amazon EKS Architecture

Slide 8

Quick fire quiz
Highly available, production-ready Rancher on AWS: how many steps? How long does it take?

Slide 9

5 steps, 20 minutes: Rancher setup from AWS Marketplace

Slide 10

Rancher Setup from AWS Marketplace: highly available, production-ready, with 5 steps in 20 minutes
1. IAM Role
2. DNS Zone
3. AWS Marketplace
4. EC2 "SUSE Rancher Setup" instance
5. Rancher on Amazon EKS

Slide 11

Go ahead and install Rancher on AWS!
https://go.aws/3KDHL0X

Slide 12

Integration with AWS services

Slide 13

Rancher integration with AWS services (overview)

Slide 14

Terminology: what was again a ...
- AWS IAM Role
- Policy
- EC2 Instance IAM Role
- AWS Access key

Slide 15

Terminology: what was again an AWS IAM Role and Policy?
An IAM Role consists of two documents:
- IAM permission policy: what the role is allowed to do
- IAM trust relationship: who (which principal) is allowed to assume the role

Slide 16

Terminology: what was again an AWS access key and EC2 Instance IAM Role?
Diagram: an EC2 Instance with an EC2 Instance IAM Role accessing an S3 Bucket. Container 1, Container 2 and Container 3 run on that instance and all reach the same instance role credentials, so the role cannot be scoped per workload.
AWS access key: a long-term security credential.

Slide 17

IAM Roles for Service Accounts (IRSA): fine-grained IAM roles for Kubernetes service accounts
- An AWS IAM Role associated with a Kubernetes service account
- Available out-of-the-box on Amazon EKS
- Security best practices: temporary credentials (issued by AWS STS), least-privilege principle
- Fully supported by the AWS CLI and AWS SDKs
Diagram: AWS Identity and Access Management (IAM), AWS STS

Slide 18

IAM Roles for Service Accounts (IRSA): fine-grained IAM roles for Kubernetes service accounts (flow diagram)
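The difference between the shared instance role of slide 16 and IRSA is the trust relationship: with IRSA the role trusts the cluster's OIDC issuer and is pinned, through a condition on the token's subject, to exactly one namespace/service-account pair. The following is an added example for this deck, not code from the slides, Rancher or AWS. It builds that trust policy and the annotated ServiceAccount, and audits a trust policy for the usual mistakes (wildcard subject, missing audience check). The account ID, the OIDC issuer URL and the namespace/service-account pair (cattle-resources-system/rancher-backup, assumed to be what the rancher-backup chart installs) are placeholders.

```python
"""Build and audit an IRSA trust policy (added example, not code from the slides).

Placeholders assumed here: account ID 123456789012, the cluster's OIDC issuer URL,
and the namespace/service account the rancher-backup chart installs into.
"""
import json


def oidc_provider_id(issuer_url: str) -> str:
    """IAM OIDC provider identifier: the issuer URL without scheme or trailing slash."""
    for scheme in ("https://", "http://"):
        if issuer_url.startswith(scheme):
            issuer_url = issuer_url[len(scheme):]
    return issuer_url.rstrip("/")


def irsa_trust_policy(account_id, issuer_url, namespace, service_account):
    """Trust relationship that lets exactly one Kubernetes service account assume the role.

    The EKS pod identity webhook projects a signed service-account token into the pod;
    the AWS SDK exchanges it with STS (sts:AssumeRoleWithWebIdentity) for temporary
    credentials.  The :sub condition pins the role to one namespace/service-account pair,
    the :aud condition rejects tokens minted for any other audience.
    """
    provider = oidc_provider_id(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def service_account_manifest(namespace, name, role_arn):
    """ServiceAccount carrying the annotation the EKS pod identity webhook acts on."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {"eks.amazonaws.com/role-arn": role_arn}},
    }


def audit_trust_policy(policy):
    """Findings for web-identity statements that do not pin the role to a single SA."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not {"sts:AssumeRoleWithWebIdentity", "sts:*"} & set(actions):
            continue
        saw_sub = saw_aud = False
        for operator, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                values = [values] if isinstance(values, str) else values
                saw_aud = saw_aud or key.endswith(":aud")
                if key.endswith(":sub"):
                    saw_sub = True
                    for v in values:
                        if operator.startswith("StringLike") and "*" in v:
                            findings.append(f"statement {i}: wildcard subject {v!r} lets every matching service account assume the role")
        if not saw_sub:
            findings.append(f"statement {i}: no :sub condition, any service account presenting a token from this issuer may assume the role")
        if not saw_aud:
            findings.append(f"statement {i}: no :aud condition, tokens issued for other audiences are accepted")
    return findings


# Constructed inputs for the example; replace with your own cluster's values.
ACCOUNT_ID = "123456789012"
ISSUER = "https://oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
NAMESPACE, SERVICE_ACCOUNT = "cattle-resources-system", "rancher-backup"

GOOD_TRUST_POLICY = irsa_trust_policy(ACCOUNT_ID, ISSUER, NAMESPACE, SERVICE_ACCOUNT)

# Constructed counter-example: a policy that only checks the issuer, not the subject.
WEAK_TRUST_POLICY = irsa_trust_policy(ACCOUNT_ID, ISSUER, NAMESPACE, SERVICE_ACCOUNT)
WEAK_TRUST_POLICY["Statement"][0]["Condition"] = {
    "StringLike": {f"{oidc_provider_id(ISSUER)}:sub": "system:serviceaccount:*:*"}
}

if __name__ == "__main__":
    print(json.dumps(GOOD_TRUST_POLICY, indent=2))
    print(json.dumps(service_account_manifest(NAMESPACE, SERVICE_ACCOUNT,
                                              f"arn:aws:iam::{ACCOUNT_ID}:role/rancher-backup"), indent=2))
    for finding in audit_trust_policy(WEAK_TRUST_POLICY):
        print("finding:", finding)
```

The printed trust policy is what you pass to `aws iam create-role --assume-role-policy-document file://trust.json`; the ServiceAccount manifest is plain JSON and can be applied with `kubectl apply -f`. Pods that already existed before the annotation do not get the projected token volume and must be recreated.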

Slide 19

Backup: automated backups of all Rancher resources
- Amazon Simple Storage Service (Amazon S3): highly available and resilient backup location
- Rancher provides the backup-restore-operator
- Backups can be scheduled and encrypted
- The serviceAccount annotation (for IRSA) is set during installation

Slide 20

Backup: automated backups of all Rancher resources (architecture diagram)

Slide 21

Logging: single pane of glass for all container and application logs
- Amazon CloudWatch: central log location
- Helm chart rancher-logging
- Enhanced cloud provider logging gathers the EKS logs as well
- The serviceAccount annotation (for IRSA) needs to be added after installation

Slide 22

Logging resources: rancher-logging-root, rancher-logging-eks
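Both the backup slide and the logging slide rely on an IRSA-annotated service account, and the role behind that annotation still needs a permission policy. The example below, added for this deck and not code from the slides, Rancher or AWS, builds least-privilege permission policies for the two roles (one S3 bucket prefix for the backup-restore-operator, one CloudWatch log group for rancher-logging), a scheduled and encrypted Backup resource that references no long-term credential, and a small audit that flags bare wildcards. Bucket name, prefix, region, account ID, log group and resource names are assumed placeholders; that the operator falls back to the pod's web-identity credentials when credentialSecretName is omitted is an assumption stated in the code. For rancher-logging the annotation is applied to the chart's service account after installation, and the logging pods created before that point have to be restarted to receive the projected token.

```python
"""Least-privilege permission policies for the Rancher backup and logging IRSA roles.

Added example for this deck, not code from the slides, Rancher or AWS.  Bucket,
prefix, region, account ID, log group name and the Backup resource name are
assumed placeholders.
"""
import json


def backup_s3_policy(bucket, prefix):
    """What rancher-backup needs on S3: list one prefix, read/write/delete objects under it."""
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBackupPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}}},
            {"Sid": "ReadWriteBackupObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
        ],
    }


def cloudwatch_logs_policy(region, account_id, log_group):
    """What the rancher-logging CloudWatch output needs: write to one log group only."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "WriteOneLogGroup", "Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                        "logs:DescribeLogStreams", "logs:PutLogEvents"],
             "Resource": [group_arn, f"{group_arn}:*"]},
            {"Sid": "DiscoverLogGroups", "Effect": "Allow", "Action": "logs:DescribeLogGroups",
             "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:*"},
        ],
    }


def backup_schedule(name, bucket, prefix, region, schedule="0 2 * * *",
                    retention=14, encryption_secret="encryptionconfig"):
    """backup-restore-operator Backup resource: scheduled, encrypted, stored in S3.

    No credentialSecretName is set: with the operator's service account annotated for
    IRSA the AWS SDK uses the projected web-identity token, so no long-term access key
    lives in the cluster (assumption about the operator's credential fallback).
    """
    return {
        "apiVersion": "resources.cattle.io/v1",
        "kind": "Backup",
        "metadata": {"name": name},
        "spec": {
            "schedule": schedule,
            "retentionCount": retention,
            "encryptionConfigSecretName": encryption_secret,
            "storageLocation": {"s3": {
                "bucketName": bucket, "folder": prefix.strip("/"), "region": region,
                "endpoint": f"s3.{region}.amazonaws.com",
            }},
        },
    }


def audit_permission_policy(policy):
    """Flag Allow statements whose Action or Resource is a bare wildcard."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for field in ("Action", "Resource"):
            values = stmt.get(field, [])
            values = [values] if isinstance(values, str) else values
            for v in values:
                if v == "*" or (field == "Action" and v.endswith(":*")):
                    findings.append(f"{sid}: {field} {v!r} is a wildcard")
    return findings


# Constructed counter-example: what a hurried setup often grants instead.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Everything", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for doc in (backup_s3_policy("rancher-backups-example", "prod/rancher"),
                cloudwatch_logs_policy("eu-central-1", "123456789012", "rancher"),
                backup_schedule("nightly", "rancher-backups-example", "prod/rancher", "eu-central-1")):
        print(json.dumps(doc, indent=2))
    print(audit_permission_policy(OVERBROAD_POLICY))
```

The two permission policies are attached to the respective IRSA roles (`aws iam put-role-policy`), the Backup document is applied with `kubectl apply -f` in the namespace where the backup-restore-operator runs. Scoping the S3 policy to one prefix means a compromised operator pod can only touch Rancher's own backups, not other data in the bucket.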

Slide 23

Authentication: centralized user management and authentication
- AWS IAM Identity Center: single sign-on for hundreds of applications
- AWS Directory Service, AWS Managed Microsoft AD: Multi-AZ high availability
- Rancher includes authentication providers for LDAP, OAuth, OIDC and SAML

Slide 24

Authentication: centralized user management and authentication (architecture diagram)

Slide 25

Monitoring: insights about all environments
- Amazon Managed Grafana
- Amazon Managed Service for Prometheus
- Rancher Monitoring: provides Grafana, Alertmanager and Prometheus; based on kube-prometheus-stack; dedicated stack per cluster

Slide 26

Monitoring: insights about all environments (per-cluster stack diagram)

Slide 27

Monitoring: centralized across all environments (diagram)

Slide 28

State of AWS service integration

Slide 29

Outlook

Slide 30

Seamless integration out-of-the-box, easy to use

Slide 31

Goals: seamless integration between Rancher and AWS services
- AWS Reference Architectures
- Improved Rancher documentation
- Officially supported AWS authentication provider
- IRSA for Rancher core components
- Centralized monitoring stack

Slide 32

Q&A: ask me anything!
Please provide feedback: https://pulse.buildon.aws/survey/LHLGI5JU

Slide 33

Thank you!
Dominik Wombacher, Sr. Partner Solutions Architect, [email protected]