© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Kubernetes on AWS Christoph Kassen, Solutions Architect – AWS @christoph_k #AWSDevDay

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. WHY DO WE LOVE CONTAINERS? Packaging Distribution Immutable infrastructure

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Make AWS the BEST PLACE to run ANY containerized applications © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Open source container management platform Helps you run containers at scale Gives you primitives for building modern applications What is Kubernetes?

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. WHY DEVELOPERS LOVE KUBERNETES

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. W h y d e v e l o p e r s l o v e K u b e r n e t e s Vibrant and growing community of users and contributors

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why developers love Kubernetes Kubernetes can be run anywhere O N - P R E M I S E S C L O U D

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why developers love Kubernetes A single extensible API S C A L E P E R F O R M A N C E B R E A D T H

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cloud-native applications M I C R O S E R V I C E T O O L I N G N A T I V E A P P L I C A T I O N S

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. But where you run K8s matters Q U A L I T Y O F T H E C L O U D P L A T F O R M Q U A L I T Y O F T H E A P P L I C A T I O N S Y O U R U S E R S

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Let‘s deploy k8s with kops

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Kubernetes on AWS with kops 1. Install Binaries & Tools: kops, AWS CLI tools, kubectl 2. Set IAM User to kops 3. Allow kops user Full access to EC2, Route53, S3, IAM, VPC 4. Configure DNS or Deploy a gossip-based cluster: 5. Create a S3 bucket to save cluster config: my-kops-store 6. Set the kops environmental variables 7. Select cluster design and options for kops 1. HA, Networking, Instance types, AMI 8. Create cluster: kops create cluster and kops validate cluster

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 3x Kubernetes masters for HA Kubernetes on AWS

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. API server Cloud controller Controller manager Scheduler Add-ons KubeDNS Kubernetes master

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Availability Zone 1 etcd Master etcd Master etcd Master Availability Zone 2 Availability Zone 3

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Availability Zone 1 etcd Master etcd Master Availability Zone 2 Availability Zone 3 etcd Master

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “Run Kubernetes for me.”

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “Native AWS Integrations.”

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ”An Open Source Kubernetes Experience.”

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. E L A S T I C C O N TA I N E R S E RV I C E F O R K U B E R N E T E S

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tenet 1 EKS is a platform for enterprises to run production-grade workloads

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tenet 2 EKS provides a native and upstream Kubernetes experience

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tenet 3 If EKS customers want to use additional AWS services, the integrations are seamless and eliminate undifferentiated heavy lifting

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tenet 4 EKS team actively contributes to the Kubernetes project

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. mycluster.eks.amazonaws.com Availability Zone 1 Availability Zone 2 Availability Zone 3 kubectl

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Demo!

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. EKS Master Autoscaling

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon CloudWatch AWS CloudTrail Master

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Metrics Nodes Node exporter Pod/Container Kube-state-metrics cAdvisor Application /metrics JMX Cluster-wide Aggregator Prometheus, Heapster Visualizer Grafana, Kibana, Dashboard Data Model InfluxDB, Graphite Alerting AlertManager, Kapacitor

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Heptio IAM Authenticator An open source approach to integrating AWS IAM authentication with Kubernetes

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Access and Authentication IAM ROLE User X IAM ROLE Service Account Y kubectl → K8s APIs → CRUD Operations on K8s aws-cli → EKS Service APIs → CRUD Operations on Infra K8s Master Nodes K8s Master Nodes K8s Master Nodes API Server Controller Mgr kubelet etcd Cloud Controller Mgr. Scheduler Authentication Webhook Tokens Authorization RBAC Mode Admission Control NamespaceLifecyle,LimitRanger ServiceAccount,DefaultStorageClass, ResourceQuota AWS STS client side Heptio-aws-authenticator server side

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. k u b e c t l A W S A u t h c o n f i g m a p & R B A C W o r k e r s R o l e R o l e config map

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Native VPC networking with CNI plugin Pods have the same VPC address inside the pod as on the VPC Simple, secure networking Open source and on Github … { }

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Nginx Pod Java Pod ENI Veth IP: 172.16.1.147 Veth IP: 172.16.1.224 Nginx Pod Java Pod ENI Veth IP: 172.16.1.38 Veth IP: 172.16.1.24 ec2.associateaddress() VPC Subnet – 172.16.1.0/24 Instance 1 Instance 2 Primary Private IP: 172.16.1.118 Secondary IPs: 172.16.1.147, 172.16.1.224, … Primary Private IP: 172.16.1.15 Secondary IPs: 172.16.1.38, 172.16.1.24, … 172.16.0.0/16

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Networking with CNI plugin 172.16.0.0/16 User X Service Account Y Kubectl K8s Node 2 K8s Node 1 kubelet kube-proxy kubelet kube-proxy VPC Subnet per AZ 172.16.0.1/24 ENI ENI Primary Private IP: 172.16.1.118 Secondary IPs: 172.16.1.147, 172.16.1.224…. Service: Front end POD 2 POD 3 eth0 Service: Back end POD 1 POD 4 eth0 ec2.associateaddress() L3 RouteTable veth0 B veth0 A eth0 172.16.1.147/32 eth0 172.16.1.224/32 CNI K8s Master Nodes K8s Master Nodes K8s Master Nodes API Server Controller Manager kubelet etcd Scheduler kube-proxy Cloud Controller Mgr.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. DNS, Services and ELB 172.16.0.0/16 User X Service Account Y K8s Node 2 K8s Node 1 kubelet kube-proxy kubelet kube-proxy VPC Subnet per AZ - 172.16.0.1/24 ENI ENI Service: Front end POD 2 POD 3 Service: Back end POD 1 POD 4 CNI K8s Master Nodes K8s Master Nodes K8s Master Nodes API Server Controller Manager kubelet etcd Scheduler kube-proxy Cloud Controller Mgr. DNS kubedns dnsmasq healthz DNS Service – Static IP POD 2 POD 2 kind: Service type: LoadBalancer

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Kubernetes Network Policies enforce network security rules Calico is the leading implementation of the network policy API Open source, active development (>100 contributors) Commercial support available from Tigera

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. S T A G E S E P A R A T I O N “ T E N A N T ” S E P A R A T I O N F I N E - G R A I N E D F I R E W A L L S C O M P L I A N C E Namespaces – without network policy, they are not network isolated Reduce attack surface within microservice-based applications Isolate dev, test, and prod E.g., PCI, HIPAA

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 1.9.3 1.9.4 Version 1.9 Version 1.10

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Kubectl Workers PrivateLink Interface Amazon EKS

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Kubelet on Fargate Run virtual-kubelet on Fargate https://www.contentful.com/blog/2018/04/10/sailing-into-infinity- seamlessly-managed-serverless-containers-using-kubernetes-and-aws- fargate/

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prioritizing open source

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Open source Kubernetes community C O D E R E V I E W S F I X I N G B U G S I M P L E M E N T I N G N E W F E AT U R E S

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AMAZON CONTAINER SERVICES (coming 2018)

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Questions?

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. THANK YOU https://aws.amazon.com/containers