

oSC23 - Rancher integration with AWS services: possibilities, challenges, outlook.

Rancher can deploy and manage your Kubernetes clusters on AWS EKS and EC2. But what about things like authentication, logging, monitoring or backup? I will give an overview of AWS services for these four pillars and talk about what's already possible, which challenges some integrations might have, and an outlook on what's planned. Learn more about how the integrations work under the hood and which technologies and open-source solutions are involved.

Presented at openSUSE Conference 2023:
https://events.opensuse.org/conferences/oSC23/program/proposals/4169

Dominik Wombacher

May 27, 2023


Transcript

  1. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
     Rancher integration with AWS services: Possibilities, challenges, outlook
     Dominik Wombacher, Sr. Partner Solutions Architect, [email protected]

  2. Session Agenda
     - Amazon Region Design
     - Rancher on Amazon Elastic Kubernetes Service (EKS)
     - Integration with AWS services
     - Outlook
     - Q&A

  3. Amazon Region Design

  4. AWS Regions & Availability Zones
     31 launched Regions / 99 Availability Zones / 400+ edge locations

  5. AWS Region Design: how Amazon defines Regions and Availability Zones
     (diagram: Availability Zones, transit centers, datacenters)

  6. Rancher on Amazon EKS

  7. Rancher on Amazon EKS Architecture
     (architecture diagram)

  8. Quick fire quiz: highly available, production-ready Rancher on AWS
     How many steps? How long does it take?

  9. 5 steps: Rancher setup from AWS Marketplace, 20 minutes

  10. Rancher Setup from AWS Marketplace: highly available, production ready with 5 steps in 20 minutes
      (diagram, steps 1-5: IAM Role, DNS Zone, Marketplace, EC2 SUSE Rancher Setup, Rancher on Amazon EKS)

  11. Go ahead and install Rancher on AWS! https://go.aws/3KDHL0X

  12. Integration with AWS services

  13. Rancher integration with AWS services
      (overview diagram)

  14. Terminology: what was again a …
      - AWS IAM Role
      - Policy
      - EC2 Instance IAM Role
      - AWS Access key

  15. Terminology: what was again an AWS IAM Role and Policy?
      - IAM Role
      - IAM Permission policy
      - IAM Trust relationship

  16. Terminology: what was again an AWS Access key and EC2 Instance IAM Role?
      (diagram: S3 Bucket, Role, EC2 Instance running Container 1, Container 2, Container 3; EC2 Instance IAM Role; AWS access key = long-term security credential)

  17. IAM Roles for Service Accounts (IRSA): fine-grained IAM roles for Kubernetes service accounts
      - AWS IAM Role associated to a Kubernetes service account
      - Available out-of-the-box on Amazon EKS
      - Security best practices: temporary credentials, least-privilege principle
      - Fully supported by AWS CLI and AWS SDK
      (services: AWS Identity and Access Management (IAM), AWS STS)

  18. IAM Roles for Service Accounts (IRSA): fine-grained IAM roles for Kubernetes service accounts
      (diagram)

  19. Backup: automated backups of all Rancher resources
      - Amazon S3 as highly available and resilient backup location
      - Rancher provides the backup-restore-operator
      - Backups can be scheduled and encrypted
      - serviceAccount annotation: during installation
      (service: Amazon Simple Storage Service (Amazon S3))

  20. Backup: automated backups of all Rancher resources
      (diagram)

  21. Logging: single pane of glass for all container and application
      - AWS CloudWatch as central log location
      - Helm chart rancher-logging
      - Enhanced cloud provider logging gathers EKS logs as well
      - serviceAccount annotation needs to be added after installation
      (service: Amazon CloudWatch)

  22. Logging resources: single pane of glass for all container and application
      - rancher-logging-root
      - rancher-logging-eks
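Slides 17, 19 and 21 hinge on one binding: a Kubernetes ServiceAccount annotated with an IAM role ARN, and an IAM role whose trust policy only accepts the OIDC token of that one service account. Below is an added audit script (not code from the deck, Rancher or AWS) that checks both halves of that binding and flags the usual weakening, a wildcard subject or a missing audience condition. The account id, OIDC provider host, role ARN, and the backup operator's namespace and service account name are constructed placeholders; the annotation key `eks.amazonaws.com/role-arn` and the `system:serviceaccount:<namespace>:<name>` subject format are the real IRSA conventions.

```python
import json

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
WEB_IDENTITY_ACTION = "sts:AssumeRoleWithWebIdentity"

# --- constructed sample input (placeholders, not values from the slides) ---
ACCOUNT_ID = "111122223333"
OIDC_HOST = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/rancher-backup-s3"
# Assumed namespace / service account of the backup-restore-operator (hypothetical)
NAMESPACE, SA_NAME = "cattle-resources-system", "rancher-backup"


def trust_policy(condition: dict) -> str:
    """Build an IRSA trust policy document with the given Condition block."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
            "Action": WEB_IDENTITY_ACTION,
            "Condition": condition,
        }],
    })


# Weak: any service account in the cluster may assume the role, audience unchecked
WEAK_TRUST = trust_policy({"StringLike": {f"{OIDC_HOST}:sub": "system:serviceaccount:*"}})
# Strict: exactly one namespace/service account, and only tokens minted for STS
STRICT_TRUST = trust_policy({"StringEquals": {
    f"{OIDC_HOST}:sub": f"system:serviceaccount:{NAMESPACE}:{SA_NAME}",
    f"{OIDC_HOST}:aud": "sts.amazonaws.com",
}})

# ServiceAccount manifest in dict form (what the chart's serviceAccount annotation renders to)
SERVICE_ACCOUNT = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": SA_NAME, "namespace": NAMESPACE,
                 "annotations": {IRSA_ANNOTATION: ROLE_ARN}},
}


def check_trust_policy(policy_json: str, expected_sub: str) -> list:
    """Findings for every web-identity Allow statement broader than one service account."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or WEB_IDENTITY_ACTION not in actions:
            continue
        cond = st.get("Condition", {})
        # Flatten condition keys across operators (StringEquals, StringLike, ...)
        keys = {k: v for op in cond.values() for k, v in op.items()}
        subs = [v for k, v in keys.items() if k.endswith(":sub")]
        auds = [v for k, v in keys.items() if k.endswith(":aud")]
        if not subs:
            findings.append(f"statement {i}: no :sub condition, any OIDC subject can assume the role")
        for val in subs:
            for v in ([val] if isinstance(val, str) else val):
                if "*" in v or "?" in v:
                    findings.append(f"statement {i}: wildcard subject {v!r}")
                elif v != expected_sub:
                    findings.append(f"statement {i}: subject {v!r} != {expected_sub!r}")
        if not auds:
            findings.append(f"statement {i}: no :aud condition (expected sts.amazonaws.com)")
        for val in auds:
            for v in ([val] if isinstance(val, str) else val):
                if v != "sts.amazonaws.com":
                    findings.append(f"statement {i}: unexpected audience {v!r}")
    return findings


def check_service_account(manifest: dict, expected_role_arn: str) -> list:
    """Does the ServiceAccount carry the IRSA annotation and point at the expected role?"""
    md = manifest["metadata"]
    name = f"{md['namespace']}/{md['name']}"
    arn = (md.get("annotations") or {}).get(IRSA_ANNOTATION)
    if arn is None:
        return [f"{name}: missing {IRSA_ANNOTATION} annotation, pods get no web-identity token"]
    if arn != expected_role_arn:
        return [f"{name}: annotation points at {arn!r}, expected {expected_role_arn!r}"]
    return []


def audit_irsa(policy_json: str, manifest: dict, role_arn: str) -> list:
    """Check both halves of the binding: Kubernetes side (annotation) and IAM side (trust)."""
    md = manifest["metadata"]
    expected_sub = f"system:serviceaccount:{md['namespace']}:{md['name']}"
    return check_service_account(manifest, role_arn) + check_trust_policy(policy_json, expected_sub)


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST), ("strict", STRICT_TRUST)):
        findings = audit_irsa(policy, SERVICE_ACCOUNT, ROLE_ARN)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

The same check applies to the rancher-logging service account mentioned on slide 21: because that annotation is added after installation, a missing annotation silently leaves the logging pods without a web-identity token, which is exactly the case `check_service_account` reports.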
  23. Authentication: centralized user management and authentication
      - AWS Identity Center: single sign-on for hundreds of applications
      - AWS Managed Microsoft AD: Multi-AZ high availability
      - Rancher includes providers for LDAP, OAuth, OIDC, SAML
      (services: AWS IAM Identity Center, AWS Directory Service, AWS Managed Microsoft AD)

  24. Authentication: centralized user management and authentication
      (diagram)

  25. Monitoring: insights about all environments
      - Amazon Managed Grafana
      - Amazon Managed Service for Prometheus
      - Rancher Monitoring provides Grafana, Alertmanager and Prometheus; based on kube-prometheus-stack; dedicated stack per cluster
      (services: Amazon Managed Grafana, Amazon Managed Service for Prometheus)

  26. Monitoring: insights about all environments
      (diagram)

  27. Monitoring: centralized across all environments
      (diagram)

  28. State of AWS service integration

  29. Outlook

  30. Seamless integration out-of-the-box, easy to use

  31. Goals: seamless integration between Rancher and AWS services
      - AWS Reference Architectures
      - Improved Rancher Documentation
      - Officially supported AWS Authentication Provider
      - IRSA for Rancher core components
      - Centralized monitoring stack

  32. Q&A: Ask me anything!
      Please provide feedback: https://pulse.buildon.aws/survey/LHLGI5JU

  33. Thank you!
      Dominik Wombacher, Sr. Partner Solutions Architect, [email protected]