rights reserved. Amazon Confidential

Introductions
Paul Lewis, Specialist Solutions Architect, Container Technologies
• 15 years infrastructure experience
• 11 years system and solutions architecture experience
Email: [email protected]
It worked on my machine, why not in prod?
(Diagram: four environments, Local Laptop, Staging / QA, Production and On-Prem, running mismatched versions v6.0.0, v7.0.0, v4.0.0 and v7.0.0)
What is Docker?
• Lightweight container virtualization platform.
• Tools to manage and deploy your applications.
• Licensed under the Apache 2.0 license.
• First released March 2013.
• Built by Docker, Inc.
Docker container image
• Read-only image that is used as a template to launch a container.
• Start from base images that have your dependencies, then add your custom code.
• Dockerfile for easy, reproducible builds.
(Diagram: image layers stacked on the host kernel (bootfs): an Ubuntu base image, an image layer that adds nginx, an image layer that adds Node.js, and a writable container layer on top; each image references its parent image)
Containers vs Virtual Machines
(Diagram comparing three stacks. Bare Metal: Server (Host), Operating System (OS), Libraries, App 1, 2, 3. Virtual Machine: Server (Host), Hypervisor, then a Guest OS with its own Bins/Libs for each of App 1, App 2 and App 3. Containers: Server (Host), Operating System (OS), Docker Engine, then Bins/Libs for each of App 1, App 2 and App 3)
Container & Docker Benefits
• Portable application artifact that runs reliably everywhere
• Run different applications or application versions with different dependencies simultaneously
• Better resource utilization by running multiple lightweight containers per host
…but managing many containers is difficult
(Diagram: a large grid of Server / Guest OS boxes)
Why customers love AWS container services
• Containers are a first-class citizen of the AWS Cloud: broad selection of compute instances and IAM security, VPC networking, load balancing, and autoscaling
• Deeply integrated with AWS Security and Compliance: ISO, HIPAA, PCI, SOC1, SOC2, SOC3, Infocomm Media Development Auth.
• DevOps Workflow: the best place to build and operate a complete DevOps workflow for containers, with AWS DevTools and Cloud9
Typical use cases
• Microservices: Java, Node.js, Go, Web Apps, etc.
• Continuous Integration and Continuous Deployment (CI/CD)
• Batch Processing and ETL jobs
• Common PaaS Stack for Application Deployment
• Legacy Application Migration to the Cloud
• Hybrid Workloads
• AI/ML
• Scale Testing
• Backend for IoT use cases
Amazon ECS: What’s New In 2019
https://aws.amazon.com/containers/new/
January: Fargate Price Reduction By Up To 50%
January: 99.9% SLA for ECR
January: PrivateLink support for ECS and ECR
February: ECS provides enhanced support for GPU-enabled instances
February: PrivateLink support for Fargate
March: ECS and Fargate support external Deployment Controllers for ECS services
March: New local testing tools available for ECS
April: Fargate PV1.3 adds secrets and enhanced container dependency mgmt.
May: ECS console support for ECS-optimized AL2 AMI and A1 instance family
June: ECS Support for Windows Server 2019 Containers is Generally Available
June: ECS now supports increased (ENI) limits for tasks in awsvpc Networking Mode
What is Kubernetes?
• Open source container management platform
• Helps you run containers at scale
• Gives you primitives for building modern applications
Amazon EKS Control Plane
• Highly available and single tenant infrastructure
• All “native AWS” components
• Fronted by an NLB
(Diagram: Amazon EKS VPC containing an NLB in front of an API Servers ASG and an ELB in front of an etcd ASG)
Kubernetes Versions
• Minor versions controlled by customers
• 1.10, 1.11, 1.12, 1.13 currently available
• Patch versions automatically applied to control plane
• Current versions are 1.10.13, 1.11.8, 1.12.6, 1.13.7
• Platform Version defines Kubernetes version and other key control plane capabilities
(Diagram: v1.12.0 broken down as Major.Minor.Patch; Major = breaking changes, Minor = new features, Patch = bug fixes and security)
EKS Cluster Upgrades
• UpdateClusterVersion API – trigger an in-place upgrade of the Kubernetes minor version
• ListUpdates and DescribeUpdate APIs provide visibility into the status of a given cluster update
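The two slides above give the version scheme (Major.Minor.Patch) and the update APIs separately. The following Python example, added here and not AWS or EKS code, ties them together: it parses a version string, classifies a change by the slide's major/minor/patch rule, picks the next minor version to move to from the list the deck says is available, then requests the update and polls its status through a boto3-style client. The method names update_cluster_version and describe_update and the status values are those of the real boto3 EKS client; the rule that an in-place update advances exactly one minor version at a time is an assumption made for this example, and FakeEksClient is a constructed stand-in so the code runs offline.

```python
"""Plan and drive an in-place EKS minor-version upgrade.

Added example for this deck, not AWS or EKS code. The only real API it
relies on is the boto3 EKS client (update_cluster_version, describe_update);
everything else is an assumption made for illustration, including the rule
that an in-place update advances exactly one minor version at a time.
"""
import time
from typing import Any, Callable, Dict, List, Optional, Tuple

# Minor versions the deck lists as available on EKS at the time.
AVAILABLE_MINORS: List[str] = ["1.10", "1.11", "1.12", "1.13"]
# Terminal statuses reported by DescribeUpdate.
TERMINAL_STATUSES = {"Successful", "Failed", "Cancelled"}


def parse_version(version: str) -> Tuple[int, int, Optional[int]]:
    """Split 'v1.12.6' or '1.12' into (major, minor, patch); patch may be None."""
    parts = version.lstrip("v").split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Kubernetes version string: {version!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else None
    return major, minor, patch


def classify_change(current: str, target: str) -> str:
    """Name the kind of change using the Major/Minor/Patch meaning on the slide."""
    cmaj, cmin, cpat = parse_version(current)
    tmaj, tmin, tpat = parse_version(target)
    if tmaj != cmaj:
        return "breaking changes"
    if tmin != cmin:
        return "new features"
    if tpat != cpat:
        return "bug fixes and security"
    return "none"


def next_minor(current: str, available: List[str] = AVAILABLE_MINORS) -> Optional[str]:
    """Next minor to upgrade to, or None when already on the newest available one.
    Assumption: an in-place update steps through minors one at a time."""
    major, minor, _ = parse_version(current)
    candidate = f"{major}.{minor + 1}"
    return candidate if candidate in available else None


def wait_for_update(eks: Any, cluster: str, update_id: str,
                    poll_seconds: float = 30.0, timeout_seconds: float = 3600.0,
                    sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Poll DescribeUpdate until the update reaches a terminal status.
    `eks` is any object exposing a boto3-style describe_update(name=, updateId=)."""
    deadline = time.monotonic() + timeout_seconds
    while True:
        update = eks.describe_update(name=cluster, updateId=update_id)["update"]
        if update["status"] in TERMINAL_STATUSES:
            return update
        if time.monotonic() > deadline:
            raise TimeoutError(f"update {update_id} still {update['status']}")
        sleep(poll_seconds)


def upgrade_one_minor(eks: Any, cluster: str, current: str,
                      sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Request the next minor version and block until the update finishes."""
    target = next_minor(current)
    if target is None:
        raise ValueError(f"{cluster} is already on the newest available minor ({current})")
    response = eks.update_cluster_version(name=cluster, version=target)
    return wait_for_update(eks, cluster, response["update"]["id"], sleep=sleep)


class FakeEksClient:
    """Constructed stand-in for the boto3 EKS client so the example runs offline.
    It reports InProgress twice, then Successful; response shapes mirror boto3."""

    def __init__(self) -> None:
        self.requested_version: Optional[str] = None
        self.describe_calls = 0

    def update_cluster_version(self, name: str, version: str) -> Dict[str, Any]:
        self.requested_version = version
        return {"update": {"id": "fake-update-id", "status": "InProgress", "errors": []}}

    def describe_update(self, name: str, updateId: str) -> Dict[str, Any]:
        self.describe_calls += 1
        status = "Successful" if self.describe_calls >= 3 else "InProgress"
        return {"update": {"id": updateId, "status": status, "errors": []}}


if __name__ == "__main__":
    # Offline run against the fake client; use boto3.client("eks") for a real cluster.
    client = FakeEksClient()
    done = upgrade_one_minor(client, "demo-cluster", "1.12.6", sleep=lambda _: None)
    print(f"requested {client.requested_version}: {done['status']}")
```

Checking the terminal status rather than assuming success matters in practice: a Failed or Cancelled update returns with an `errors` list that should be surfaced, and a timeout should be treated as unknown state, not as failure, since the control plane update may still be in progress.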
Kubernetes v1.13 is now available for EKS!
New features in K8s v1.13:
• ECR PrivateLink endpoints are supported
• CoreDNS as default DNS provider
• PodSecurityPolicy admission controller is now enabled
• Topology Aware Volume Scheduling
• DryRun feature is in beta and enabled in EKS
• TaintBasedEvictions feature is in beta and enabled in EKS
• Raw block volume support is in beta and enabled in EKS
Pod Security Policies – What Do I Need To Know?
• Enable fine-grained authorization of pod creation and updates, e.g.
  • Prevent pods running as root
  • Prevent pods using host networking mode
  • Ensure a pod’s security context is correctly enforced
• EKS includes default eks.permissive PSP which is equivalent to having the PSP admission controller disabled
• More details in our Blog Post!
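The slide lists what a PSP can reject but not what that looks like against a manifest. The following Python example, added here and not Kubernetes or EKS code, is a static pre-admission check over a pod manifest (as a plain dict, the shape you get from loading the YAML) for the conditions named on the slide: host networking, running as root, and a missing security context. It goes slightly beyond the slide by also flagging privileged containers, which PSP controls through the same mechanism. The merge rule (container-level securityContext overrides the pod-level one) follows the Kubernetes pod spec; the two manifests are constructed samples.

```python
"""Static check of a pod manifest for conditions a Pod Security Policy would block.

Added example for this deck, not Kubernetes or EKS code. It approximates the
slide's PSP rules offline on a plain dict and assumes the standard pod spec
layout (spec.hostNetwork, spec.securityContext, spec.containers[].securityContext).
"""
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample manifest that violates every rule checked below.
RISKY_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "risky"},
    "spec": {
        "hostNetwork": True,
        "securityContext": {"runAsUser": 0},
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",
                "securityContext": {"privileged": True},
            }
        ],
    },
}

# Constructed sample manifest that passes: non-root user, no host namespaces,
# no privilege escalation.
SAFE_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "safe"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",
                "securityContext": {"allowPrivilegeEscalation": False},
            }
        ],
    },
}


def _effective_user(pod_sc: Dict[str, Any], ctr_sc: Dict[str, Any]) -> Tuple[Optional[int], Optional[bool]]:
    """Resolve runAsUser / runAsNonRoot; the container-level context overrides the pod-level one."""
    merged = {**pod_sc, **ctr_sc}
    return merged.get("runAsUser"), merged.get("runAsNonRoot")


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means no rule on the slide is violated."""
    spec = pod.get("spec", {})
    findings: List[str] = []

    # Rule: prevent pods using host networking mode.
    if spec.get("hostNetwork"):
        findings.append("pod uses host networking (hostNetwork: true)")

    pod_sc = spec.get("securityContext", {})
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name = ctr.get("name", "<unnamed>")
        ctr_sc = ctr.get("securityContext", {})
        user, non_root = _effective_user(pod_sc, ctr_sc)

        # Rule: prevent pods running as root. An explicit uid 0 is a hard violation;
        # no uid and no runAsNonRoot means the image default decides, so nothing
        # in the manifest enforces a non-root user.
        if user == 0:
            findings.append(f"container {name} runs as root (runAsUser: 0)")
        elif user is None and non_root is not True:
            findings.append(f"container {name} does not enforce a non-root user")

        # Beyond the slide's two examples: privileged containers bypass most isolation.
        if ctr_sc.get("privileged"):
            findings.append(f"container {name} is privileged")

    return findings


if __name__ == "__main__":
    for pod in (RISKY_POD, SAFE_POD):
        name = pod["metadata"]["name"]
        print(f"{name}: {check_pod(pod) or ['ok']}")
```

A check like this is a linting aid for CI, not a substitute for the admission controller: the slide's point is that on EKS the default eks.permissive policy is equivalent to having PSP off, so a manifest that passes here is still only enforced once a restrictive PSP is bound to the workload's service account.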
How are customers using Amazon EKS?
• Microservices
• PaaS (Platform-as-a-Service)
• Enterprise App Migration
• Machine Learning
Amazon EKS: What We Did In 2018
April: EKS achieved K8s conformance
June: EKS is HIPAA eligible
July: EKS AMI build scripts available in GitHub
August: New EKS-optimized AMI and updated CloudFormation template for provisioning worker nodes
August: EKS supports GPU-enabled EC2 instances
August: EKS platform version 2 launched
August: EKS supports HPA with custom metrics
September: EKS launches in Dublin, Ireland
September: EKS simplifies cluster setup with update-kubeconfig CLI command
October: EKS adds support for Dynamic Admission Controllers (Istio)
November: EKS launches in Ohio
November: EKS Adds ALB Support with AWS ALB Ingress Controller
December: EKS Adds Managed Cluster Updates and Support for Kubernetes Version 1.11
December: Stockholm Region launches with EKS available
December: EKS Available in Frankfurt, Singapore, Sydney, and Tokyo
https://aws.amazon.com/containers/new/
Amazon EKS: What’s New In 2019
January: EKS available in Seoul Region
January: 99.9% SLA for EKS
January: EKS achieves ISO and PCI compliance
February: EKS available in London, Mumbai, and Paris Regions
February: VPC CNI plugin v1.3.2 with Enhancements for P3dn Instances
March: EKS adds Kubernetes API Server Endpoint Access Control
March: EKS opens Public Preview of Windows Container Support
March: EKS adds support for Kubernetes version 1.12
March: EKS adds Cluster Version Updates Via CloudFormation
April: AWS introduces CSI Drivers for Amazon EFS and Amazon FSx for Lustre
April: EKS now delivers Kubernetes control plane logs to Amazon CloudWatch
April: EKS opens Public Preview support of EC2 A1 Instances
May: EKS Releases Deep Learning Benchmarking Utility
May: EKS Adds Support for Public IP Addresses Within Cluster VPCs
May: EKS Simplifies Kubernetes Cluster Authentication
June: EKS adds support for Kubernetes version 1.13
https://aws.amazon.com/containers/new/
New: AWS Cloud Map
Service discovery for all your cloud resources
• Constantly monitor the health of every resource
• Dynamically update the location of each microservice
Increase developer productivity
• Single registry for all app resources
• Define resources with user-friendly names
Integration with Amazon container services
• AWS Fargate
• Amazon ECS
• Amazon EKS
New: AWS App Mesh
Observability & traffic control
• Easily export logs, metrics, and traces
• Client side traffic policies: circuit breaking, retries
• Routes for deployments
Works across clusters and container services
• Amazon ECS
• Amazon EKS
• Kubernetes on EC2
• AWS Fargate (coming soon!)
AWS built and run
• No control plane to manage
• Ease of operations
• High scale
AWS Fargate Roadmap
• CloudWatch Metrics for Number of running/pending Tasks per Service and Cluster (#282)
• Fargate Ephemeral Volume Encryption (#314)
• EFS Support for Fargate (#53)
https://github.com/aws/containers-roadmap/projects/1
Amazon EKS Roadmap
• Managed worker nodes (#139)
• Support for Kubernetes v1.14 (#212)
• Support for Kubernetes v1.15 (#380)
• IAM Roles for Pods (#23)
• High-density pod scheduling (#138)
• Fargate for EKS (#32)
https://github.com/aws/containers-roadmap/projects/1