Slide 1

Introducing Amazon EKS

Christoph Kassen
Solutions Architect – Amazon Web Services
@christoph_k

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

Slide 2

AWS container services landscape

Management: Deployment, Scheduling, Scaling & Management of containerized applications
- Amazon Elastic Container Service
- Amazon Elastic Kubernetes Service

Hosting: Where the containers run
- Amazon EC2
- AWS Fargate

Image Registry: Container Image Repository
- Amazon Elastic Container Registry

Slide 3

Amazon Elastic Kubernetes Service

- Upstream Kubernetes: Use standard Kubernetes APIs. Works with community tools.
- Highly available: Built for production workloads, all clusters are highly available. Backed by a 99.9% SLA.
- Integrated with the AWS ecosystem: VPC Networking, Elastic Load Balancing, IAM Permissions, CloudWatch and more

Slide 4

Transparent roadmap

https://github.com/aws/containers-roadmap/

Slide 5

Components

- EKS Control Plane
- Worker Nodes

Slide 6

Amazon EKS Architecture

[Diagram labels: kubectl; https://00000000000000000000000000000000.xyz.eu-central-1.eks.amazonaws.com; Amazon EKS; Your AWS account; VPC; AZ 1, AZ 2, AZ 3; EKS workers]

Slide 7

CLI to provision EKS clusters

- Manages worker node groups
- Configures k8s CLI

https://eksctl.io – Official open-source CLI tool for EKS

    eksctl create cluster --name=eks-patterns --nodes=4 --region=eu-central-1

Slide 8

eksctl customizations

    kubeletExtraConfig:
      kubeReserved:
        cpu: "300m"
        memory: "300Mi"
        ephemeral-storage: "1Gi"
      kubeReservedCgroup: "/kube-reserved"
      systemReserved:
        cpu: "300m"
        memory: "300Mi"
        ephemeral-storage: "1Gi"
      evictionHard:
        memory.available: "200Mi"
        nodefs.available: "10%"

- YAML based configuration
- kubelet parameters
- Resource reservations
- Labels & Taints
- Custom VPC setups
- Autoscaling
- Multiple Node Groups
- Spot & GPU node support
- Windows worker
- IAM Policies
- gitops

Slide 9

Components

- EKS Control Plane
- Worker Nodes

Slide 10

Managed Node Groups

EKS APIs to provision and manage worker nodes

• Easy to provision: One-click deploy of multi-AZ node groups backed by EC2 ASG and the latest EKS AMIs.
• Easy to manage: All nodes in a single API call or console, integrated health monitoring.
• Easy to update: Minor or patch version upgrades with zero downtime.
• Scaling controls: Automatic tagging for cluster-autoscaler, pass-through ASG controls.

Slide 11

AWS Fargate

- Managed by AWS: No EC2 Instances to provision, scale or manage
- Elastic: Scale up & down seamlessly. Pay only for what you use
- Integrated with the AWS ecosystem: VPC Networking, Elastic Load Balancing, IAM Permissions, CloudWatch and more.

Run Kubernetes pods or ECS tasks.

Slide 12

Make Kubernetes Pods serverless

- Bring existing pods
- Production ready
- Right-Sized and Integrated

Fargate runs tens of millions of containers for AWS customers every week

Slide 13

Components

- EKS Control Plane
- Worker Nodes

Slide 14

IAM Roles for ServiceAccounts

Slide 15

IAM Roles for ServiceAccounts

Step 1: Create an IAM policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "sqs:GetQueueUrl",
            "sqs:ListDeadLetterSourceQueues",
            "sqs:ReceiveMessage",
            "sqs:GetQueueAttributes",
            "sqs:ListQueueTags",
            "sqs:ListQueues"
          ],
          "Resource": "*"
        }
      ]
    }

Slide 16

IAM Roles for ServiceAccounts

Step 2: Create ServiceAccount, IAM Role and correct association

    eksctl create iamserviceaccount \
      --name sqs-orderservice \
      --namespace default \
      --cluster eks-patterns-demo \
      --attach-policy-arn IAM_policy_ARN \
      --approve \
      --override-existing-serviceaccounts

Note: Cluster name is required but namespace and service account are optional

Slide 17

IAM Roles for ServiceAccounts

Step 3: Use ServiceAccount in Pod definition

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: orderservice
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: orderservice
      template:
        metadata:
          labels:
            app: orderservice
        spec:
          serviceAccountName: sqs-orderservice
          containers:
          - name: orderservice
            image: .../eks-patterns-demo:latest

https://github.com/aws/amazon-eks-pod-identity-webhook
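
Added example, not part of the original slides and not eksctl's own code: the role that Step 2 creates is tied to the sqs-orderservice ServiceAccount by a "sub" condition in its trust policy, keyed on the cluster's OIDC provider. The Python check below audits that binding and lists the actions a permission policy like the one in Step 1 grants on Resource "*"; the account id, provider id and function names are assumptions made for the example.

```python
def as_list(v):
    return v if isinstance(v, list) else [v]

def trust_findings(policy, namespace, service_account):
    """Problems in how a role trust policy binds to one Kubernetes ServiceAccount."""
    want = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for st in as_list(policy["Statement"]):
        if (st.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in as_list(st.get("Action", []))):
            continue
        # Condition keys are prefixed with the OIDC provider path from the principal ARN.
        key = st["Principal"]["Federated"].split("oidc-provider/")[-1] + ":sub"
        cond = st.get("Condition", {})
        exact = as_list(cond.get("StringEquals", {}).get(key, []))
        pattern = as_list(cond.get("StringLike", {}).get(key, []))
        if exact == [want]:
            continue
        if exact:
            findings.append(f"sub pinned to {exact}, expected {want}")
        elif pattern:
            findings.append(f"sub matched by pattern {pattern}, may admit other service accounts")
        else:
            findings.append("no sub condition: any service account in the cluster can assume the role")
    return findings

def wildcard_actions(policy):
    """Actions that Allow statements grant on Resource "*"."""
    out = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") == "Allow" and "*" in as_list(st.get("Resource", [])):
            out += as_list(st.get("Action", []))
    return out

# Constructed sample data (placeholder account and provider ids); STEP1 abbreviates the Step 1 policy.
PROVIDER = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLE"
def trust(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"},
        "Condition": condition}]}

SCOPED = trust({"StringEquals": {f"{PROVIDER}:sub": "system:serviceaccount:default:sqs-orderservice"}})
UNSCOPED = trust({"StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"}})
STEP1 = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
         "Action": ["sqs:GetQueueUrl", "sqs:ReceiveMessage", "sqs:ListQueues"]}]}

if __name__ == "__main__":
    print(trust_findings(UNSCOPED, "default", "sqs-orderservice"), wildcard_actions(STEP1))
```

In practice the two inputs would be the role's trust policy and attached policy documents as retrieved from IAM.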

Slide 18

ALB Ingress Controller

[Diagram labels: AWS Resources: HTTPS Listener, HTTP Listener, Rule: /recommend, Rule: /cart, TargetGroup (IP Mode), TargetGroup (Instance Mode). Kubernetes Cluster: Kubernetes API Server, ALB Ingress Controller, Node, Node, Node, NodePort, NodePort]

Slide 19

CloudWatch Container Insights

Slide 20

Prometheus & Grafana

- Well-known open source monitoring & dashboarding
- Commonly used by our customers
- Long Term Storage Options
  - Cortex -> DynamoDB / S3
  - Thanos -> S3
- Install adapter to expose metrics to metrics-server

https://github.com/DirectXMan12/k8s-prometheus-adapter

Slide 21

Container Storage Interface (CSI) for EFS and EBS

EBS
• Static Provisioning / Dynamic Provisioning
• Mount Option
• Block Volume
• Volume Snapshot
• NVMe
Integrated k8s support
CSI Driver

EFS
NFS shared filesystem
Shared mount
Single or Multiple Container
Support only via CSI driver

https://github.com/kubernetes-sigs/aws-ebs-csi-driver
https://github.com/kubernetes-sigs/aws-efs-csi-driver

Slide 22

Resources

Slide 23

Resources

- AWS Containers Blog - https://aws.amazon.com/blogs/containers/
- Public Roadmap - https://github.com/aws/containers-roadmap/projects/1?card_filter_query=label%3Aeks
- Workshop - https://eksworkshop.com
- EKS Helm Charts - https://github.com/aws/eks-charts

Slide 24

Thank You!

Christoph Kassen
Solutions Architect
@christoph_k