oSC23 - Rancher integration with AWS services: possibilities, challenges, outlook.

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Rancher integration with AWS services
Dominik Wombacher
Sr. Partner Solutions Architect
[email protected]
Possibilities, challenges, outlook

View Slide

Session Agenda
Amazon Region Design
Rancher on Amazon Elastic Kubernetes Service (EKS)
Integration with AWS services
Outlook
Q&A
2

View Slide

Amazon Region Design
3

View Slide

AWS Regions & Availability Zones
3 1 L A U N C H E D R E G I O N S / 9 9 A V A I L A B I L I T Y Z O N E S / 4 0 0 + E D G E L O C A T I O N S
4

View Slide

AWS Region Design
H O W A M A Z O N D E F I N E S R E G I O N S A N D A V A I L A B I L I T Y Z O N E S
5
AZ
AZ
AZ AZ
Transit
Transit
Datacenter
Datacenter
Datacenter

View Slide

Rancher on Amazon EKS
6

View Slide

Rancher on Amazon EKS Architecture
7

View Slide

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark. 8
Quick fire quiz
High-Available, production ready, Rancher on AWS
How many steps? How long does it take?

View Slide

5
Steps
Rancher Setup from AWS Marketplace
20
Minutes

View Slide

Rancher Setup from AWS Marketplace
H I G H A V A I L A B L E , P R O D U C T I O N R E A D Y W I T H 5 S T E P S I N 2 0 M I N U T E S
10
IAM Role DNS Zone Marketplace EC2
SUSE
Rancher
Setup
Rancher on Amazon EKS
1 2 3 4 5

View Slide

Go ahead and install Rancher on AWS!
11
https://go.aws/3KDHL0X

View Slide

Integration with AWS
services
12

View Slide

Rancher integration with AWS services
13

View Slide

Terminology
AWS IAM
Role
Policy
EC2 Instance IAM Role
AWS Access key
W H A T W A S A G A I N A …
14

View Slide

Terminology
W H A T W A S A G A I N A A W S I A M R O L E A N D P O L I C Y ?
15
IAM Role
IAM Permission policy
IAM Trust relationship

View Slide

Terminology
W H A T W A S A G A I N A A W S A C C E S S K E Y A N D E C 2 I N S T A N C E I A M R O L E ?
16
S3 Bucket
Role
EC2
Instance
Container 1
Container 2
Container 3
EC2 Instance IAM Role
Long-term security
credential
AWS access key

View Slide

IAM Roles for Service Accounts (IRSA)
AWS IAM Role associated to Kubernetes service account
Available out-of-the-box on Amazon EKS
Security best-practices
Temporary credentials
Least privilege principle
Fully supported by AWS CLI and AWS SDK
F I N E - G R A I N E D I A M R O L E S F O R K U B E R N E T E S S E R V I C E A C C O U N T S
17
AWS Identity
and Access
Management (IAM)
AWS STS

View Slide

IAM Roles for Service Accounts (IRSA)
F I N E - G R A I N E D I A M R O L E S F O R K U B E R N E T E S S E R V I C E A C C O U N T S
18

View Slide

Backup
Amazon S3
high available and resilient backup location
Rancher provides the backup-restore-operator
Backups can be scheduled and encrypted
serviceAccount annotation
During installation
A U T O M A T E D B A C K U P S O F A L L R A N C H E R R E S O U R C E S
19
Amazon Simple Storage
Service (Amazon S3)

View Slide

Backup
A U T O M A T E D B A C K U P S O F A L L R A N C H E R R E S O U R C E S
20

View Slide

Logging
AWS CloudWatch
Central log location
Helm chart rancher-logging
Enhanced cloud provider logging
Gathers EKS logs as well
serviceAccount annotation
need to be added after installation
S I N G L E P A N E O F G L A S S F O R A L L C O N T A I N E R A N D A P P L I C A T I O N
21
Amazon CloudWatch

View Slide

Logging
Resources
rancher-logging-root
rancher-logging-eks
S I N G L E P A N E O F G L A S S F O R A L L C O N T A I N E R A N D A P P L I C A T I O N
22

View Slide

Authentication
AWS Identity Center
Single-Sign-On for hundreds of applications
AWS Managed Microsoft AD
Multi-AZ high availability
Rancher includes provider for:
LDAP, OAuth, OIDC, SAML
C E N T R A L I Z E D U S E R M A N A G E M E N T A N D A U T H E N T I C A T I O N
23
AWS IAM
Identity Center
AWS Directory
Service
AWS Managed
Microsoft AD

View Slide

Authentication
C E N T R A L I Z E D U S E R M A N A G E M E N T A N D A U T H E N T I C A T I O N
24

View Slide

Monitoring
Amazon Managed Grafana
Amazon Managed Service for Prometheus
Rancher Monitoring
Provides Grafana, Alertmanager and Prometheus
Based on kube-prometheus-stack
Dedicated stack per Cluster
I N S I G H T S A B O U T A L L E N V I R O N M E N T S
25
Amazon Managed Grafana
Amazon Managed Service
for Prometheus

View Slide

Monitoring
I N S I G H T S A B O U T A L L E N V I R O N M E N T S
26

View Slide

Monitoring
C E N T R A L I Z E D A C R O S S A L L E N V I R O N M E N T S
27

View Slide

State of AWS service integration
28

View Slide

Outlook
29

View Slide

Seamless integration
out-of-the-box, easy to use

View Slide

Goals
AWS Reference Architectures
Improved Rancher Documentation
Officially supported AWS Authentication Provider
IRSA for Rancher core components
Centralized monitoring stack
S E A M L E S S I N T E G R A T I O N B E T W E E N R A N C H E R A N D A W S S E R V I C E S
31

View Slide

Q&A
Ask me anything!
32
https://pulse.buildon.aws/survey/LHLGI5JU
Please provide Feedback

View Slide

Thank you!
Dominik Wombacher
Sr. Partner Solutions Architect
[email protected]

View Slide

oSC23 - Rancher integration with AWS services: possibilities, challenges, outlook.

oSC23 - Rancher integration with AWS services: possibilities, challenges, outlook.

Dominik Wombacher

More Decks by Dominik Wombacher

Other Decks in Technology

Featured

Transcript