Kubernetes on AWS with Amazon EKS

  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Paul Maddox, Developer Technologies, AWS. April 2018. Kubernetes on AWS with Amazon EKS. Twitter: @paulmaddox. Email: pmaddox@amazon.com
  2. Agenda (noun: a list of items to be discussed at a formal meeting): Housekeeping; Intro to EKS; What’s new?; Demo
  3. About me: Paul Maddox, Developer Technologies, Amazon Web Services. • 16 years of dev, SRE, and systems architecture background • 7 of 7 AWS certifications • Developer: Go/Java/C/Node. Twitter: @paulmaddox. Email: pmaddox@amazon.com
  4. Let’s cut to the chase: Q: Is EKS still in Preview? A: Yes. Q: How much does it cost? A: Pricing has not yet been announced.
  5. Preview Customers
  6. (no text on slide)
  7. Intro to Amazon EKS
  8. What is Kubernetes? Open source container management platform. Helps you run containers at scale. Gives you primitives for building modern applications.
  9. Cloud-native applications: microservice tooling; cloud native applications
  10. But where you run K8s matters: quality of the cloud platform; quality of the application; your users
  11. 57% of Kubernetes workloads run on AWS today — Cloud Native Computing Foundation
  12. Kubernetes on AWS: 3x Kubernetes masters for HA
  13. Kubernetes Master: API server, Cloud controller, Controller manager, Scheduler, Add-ons (KubeDNS)
  14. Etcd and Master in each of Availability Zone 1, Availability Zone 2 and Availability Zone 3
  15. Etcd and Master in each of Availability Zone 1, Availability Zone 2 and Availability Zone 3
  16. “Run Kubernetes for me.”
  17. “Native AWS Integrations.”
  18. “An Open Source Kubernetes Experience.”
  19. Elastic Container Service for Kubernetes (EKS)
  20. Etcd and Master in each of Availability Zone 1, Availability Zone 2 and Availability Zone 3
  21. Master in each of Availability Zone 1, 2 and 3 (AWS Managed); Workers in each Availability Zone (Customer Account)
  22. mycluster.eks.amazonaws.com: kubectl → Amazon EKS (AZ 1, AZ 2, AZ 3) → EKS Workers in your AWS account
  23. EKS Architecture
  24. (diagram, no text on slide)
  25. (diagram, no text on slide)
  26. Heptio IAM Authenticator (https://github.com/heptiolabs/kubernetes-aws-authenticator): an open source approach to integrating AWS IAM authentication with Kubernetes
  27. IAM Authentication with kubectl: 1) kubectl passes the AWS Identity to the K8s API; 2) AWS Auth verifies the AWS Identity; 3) the K8s API authorizes the AWS Identity with RBAC; 4) K8s action allowed/denied
  28. IAM Auth Support == Upstream in Kubernetes 1.10
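The four-step flow on slide 27 separates two decisions: who the caller is (an AWS identity, verified by the authenticator) and what that identity may do (Kubernetes RBAC). The model below is an added example, not code from the deck or from the Heptio authenticator; it borrows the layout of the authenticator's aws-auth mapping (mapRoles/mapUsers entries with rolearn/userarn, username and groups) and the canonicalisation of STS assumed-role ARNs to IAM role ARNs, and pairs it with a deliberately simplified RBAC evaluator. All account IDs, role names, users and roles are constructed sample values; the verified ARN passed in stands in for the result of step 2.

```python
"""Model of slide 27: AWS identity -> Kubernetes identity -> RBAC decision.
Added example; the mapping table mimics the authenticator's aws-auth layout,
the RBAC part is a simplified model of Kubernetes RBAC. All values constructed."""
import re

# Constructed mapping in the style of the authenticator's aws-auth ConfigMap.
AWS_AUTH = {
    "mapRoles": [
        {"rolearn": "arn:aws:iam::111122223333:role/KubernetesAdmin",
         "username": "kubernetes-admin", "groups": ["system:masters"]},
        {"rolearn": "arn:aws:iam::111122223333:role/AppDeployer",
         "username": "app-deployer", "groups": ["deployers"]},
    ],
    "mapUsers": [
        {"userarn": "arn:aws:iam::111122223333:user/alice",
         "username": "alice", "groups": ["viewers"]},
    ],
}

STS_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def canonicalize_arn(arn):
    """Step 2: an STS assumed-role session ARN is reduced to the underlying
    IAM role ARN so that it can be matched against mapRoles."""
    m = STS_ASSUMED_ROLE.match(arn)
    if m:
        return "arn:aws:iam::%s:role/%s" % (m.group(1), m.group(2))
    return arn


def map_identity(verified_arn, mapping=AWS_AUTH):
    """Steps 2-3: translate a verified AWS identity into a Kubernetes user
    and group set. None means 'not mapped': the API server then treats the
    request as unauthenticated, regardless of how valid the IAM identity is."""
    arn = canonicalize_arn(verified_arn)
    for entry in mapping["mapRoles"]:
        if entry["rolearn"] == arn:
            return entry["username"], set(entry["groups"])
    for entry in mapping["mapUsers"]:
        if entry["userarn"] == arn:
            return entry["username"], set(entry["groups"])
    return None


# Constructed RBAC objects. ROLES holds rules; BINDINGS with namespace None
# model ClusterRoleBindings, the others RoleBindings scoped to one namespace.
ROLES = {
    "deploy": [{"verbs": {"get", "list", "create", "update"},
                "resources": {"deployments"}}],
    "view": [{"verbs": {"get", "list", "watch"},
              "resources": {"pods", "deployments", "services"}}],
}
BINDINGS = [
    {"namespace": "prod", "role": "deploy", "subjects": [("Group", "deployers")]},
    {"namespace": None, "role": "view", "subjects": [("Group", "viewers")]},
]


def rbac_allows(user, groups, verb, resource, namespace):
    """Step 3: RBAC is purely additive (no deny rules); a binding grants a
    verb on a resource either cluster-wide or in its own namespace.
    system:masters is the built-in group that bypasses RBAC entirely."""
    if "system:masters" in groups:
        return True
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for binding in BINDINGS:
        if binding["namespace"] not in (None, namespace):
            continue
        if not subjects & set(binding["subjects"]):
            continue
        for rule in ROLES[binding["role"]]:
            if verb in rule["verbs"] and resource in rule["resources"]:
                return True
    return False


def authorize_request(verified_arn, verb, resource, namespace):
    """Steps 2-4 end to end; returns 'unauthenticated', 'allowed' or 'denied'."""
    ident = map_identity(verified_arn)
    if ident is None:
        return "unauthenticated"
    user, groups = ident
    ok = rbac_allows(user, groups, verb, resource, namespace)
    return "allowed" if ok else "denied"


if __name__ == "__main__":
    session = "arn:aws:sts::111122223333:assumed-role/AppDeployer/cli-session"
    print(authorize_request(session, "create", "deployments", "prod"))  # allowed
    print(authorize_request(session, "create", "deployments", "dev"))   # denied
```

The point worth taking from the model is that the IAM side only answers "who": an IAM principal that is not present in the mapping gets no Kubernetes identity at all, and an identity that is mapped still has no permissions until an RBAC binding grants them, so both the mapping and the bindings need review when auditing cluster access.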
  29. Native VPC networking with CNI plugin: pods have the same VPC address inside the pod as on the VPC. Simple, secure networking. Open source and on GitHub: https://github.com/aws/amazon-vpc-cni-k8s
  30. VPC Subnet – 10.0.0.0/24. Instance 1: ENI secondary IPs 10.0.0.1, 10.0.0.2 → Nginx Pod (veth IP: 10.0.0.1), Java Pod (veth IP: 10.0.0.2). Instance 2: ENI secondary IPs 10.0.0.20, 10.0.0.22 → Nginx Pod (veth IP: 10.0.0.20), Java Pod (veth IP: 10.0.0.22). ec2.associateaddress()
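Slides 29 and 30 show the property that makes the VPC CNI "simple, secure networking": a pod's address is a real secondary IP of the instance's ENI, so there is no overlay and VPC security groups, flow logs and routing see the pod address directly. The consequence is that pod capacity is bounded by the subnet and by ENI limits rather than by a virtual address space. The allocator below is an added example, not code from the deck or from the amazon-vpc-cni-k8s project; it models the slide 30 topology with constructed primary IPs (the slide shows only the secondaries), and `max_pods` is the per-instance bound commonly derived for this CNI (each ENI keeps its primary address for the instance, plus two host-network pods that consume no address), which the deck itself does not state.

```python
"""Model of slide 30: pods draw their IPs from ENI secondary addresses.
Added example; Eni/Instance classes, primary IPs and max_pods are my own,
not the project's code. Subnet and secondary IPs are the slide's values."""
import ipaddress


class Eni:
    """One elastic network interface: a primary address used by the instance
    itself plus secondary addresses that are handed out to pods."""

    def __init__(self, primary, secondaries, subnet):
        net = ipaddress.ip_network(subnet)
        for ip in (primary, *secondaries):
            # Every address a pod can receive must be routable in the VPC subnet.
            if ipaddress.ip_address(ip) not in net:
                raise ValueError("%s is not inside %s" % (ip, subnet))
        self.primary = primary
        self.free = list(secondaries)   # warm pool of unassigned secondaries
        self.in_use = {}                # pod name -> secondary IP


class Instance:
    def __init__(self, name, enis):
        self.name = name
        self.enis = enis

    def add_pod(self, pod_name):
        """Assign the next free secondary IP; None models the failure mode
        where the pool is exhausted and the pod would stay pending."""
        for eni in self.enis:
            if eni.free:
                ip = eni.free.pop(0)
                eni.in_use[pod_name] = ip
                return ip
        return None

    def remove_pod(self, pod_name):
        """Return the pod's address to the pool; the VPC address is reused,
        so anything keyed on pod IP (logs, policies) must expect churn."""
        for eni in self.enis:
            ip = eni.in_use.pop(pod_name, None)
            if ip is not None:
                eni.free.append(ip)
                return ip
        return None

    def pod_ips(self):
        return {pod: ip for eni in self.enis for pod, ip in eni.in_use.items()}


def max_pods(eni_count, ips_per_eni):
    """Per-instance pod bound for this CNI (assumed here, not from the deck):
    each ENI loses one address to its primary IP, and two host-network pods
    (the CNI agent and kube-proxy) run without consuming a secondary IP."""
    return eni_count * (ips_per_eni - 1) + 2


def build_slide_topology():
    """Slide 30: two instances in 10.0.0.0/24; primary IPs are constructed."""
    subnet = "10.0.0.0/24"
    i1 = Instance("Instance 1", [Eni("10.0.0.10", ["10.0.0.1", "10.0.0.2"], subnet)])
    i2 = Instance("Instance 2", [Eni("10.0.0.21", ["10.0.0.20", "10.0.0.22"], subnet)])
    return i1, i2


if __name__ == "__main__":
    i1, i2 = build_slide_topology()
    print(i1.add_pod("nginx"), i1.add_pod("java"), i1.add_pod("extra"))  # 10.0.0.1 10.0.0.2 None
    print(i2.add_pod("nginx"), i2.add_pod("java"))                       # 10.0.0.20 10.0.0.22
```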
  31. Kubernetes Network Policies enforce network security rules. Calico is the leading implementation of the network policy API: open source, active development (>100 contributors), commercial support available from Tigera
  32. Stage separation: isolate dev, test, and prod. “Tenant” separation: e.g., typically use namespaces for different teams within a company—but without network policy, they are not network isolated. Fine-grained firewalls: reduce attack surface within microservice-based applications. Compliance: e.g., PCI, HIPAA
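Slide 32's warning that namespaces alone are not network isolated follows from how NetworkPolicy is evaluated: a pod that no policy selects accepts traffic from anywhere, and only once a policy selects it does traffic have to match an ingress rule. The evaluator below is an added example, not code from the deck or from Calico; it implements the upstream ingress semantics for the common selector cases (an empty `ingress` list denies everything, a missing `from` allows all sources, a `podSelector` without `namespaceSelector` is scoped to the policy's own namespace, and both selectors in one peer are ANDed), and leaves `ipBlock` peers and egress out. Pods, namespace labels and the two policies for a constructed "payments" namespace are sample values.

```python
"""Evaluator for Kubernetes NetworkPolicy ingress semantics (added example,
selector cases only; ipBlock and egress not modelled). All sample pods,
namespaces and policies are constructed."""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespace labels, as a namespaceSelector would see them.
NAMESPACE_LABELS = {
    "dev": {"env": "dev"},
    "prod": {"env": "prod"},
    "payments": {"env": "prod", "pci": "true"},
}

# Constructed policies in the shape of NetworkPolicy specs (matchLabels only).
POLICIES = [
    # Default deny: selects every pod in payments and allows no ingress.
    {"name": "default-deny-ingress", "namespace": "payments",
     "podSelector": {}, "policyTypes": ["Ingress"], "ingress": []},
    # Allow only prod frontends to reach the payments API on TCP/8443.
    {"name": "allow-frontend-to-api", "namespace": "payments",
     "podSelector": {"app": "api"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"namespaceSelector": {"env": "prod"},
                            "podSelector": {"role": "frontend"}}],
                  "ports": [{"protocol": "TCP", "port": 8443}]}]},
]


def selector_matches(match_labels, labels):
    """matchLabels semantics: an empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def peer_matches(peer, src, policy_namespace):
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only peers are not modelled here
    if ns_sel is not None:
        ns_ok = selector_matches(ns_sel, NAMESPACE_LABELS.get(src.namespace, {}))
    else:
        # podSelector alone only ever selects pods in the policy's namespace
        ns_ok = src.namespace == policy_namespace
    pod_ok = pod_sel is None or selector_matches(pod_sel, src.labels)
    return ns_ok and pod_ok


def port_matches(ports, port, protocol):
    if not ports:
        return True  # no ports listed: rule applies to every port
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port
               for p in ports)


def ingress_allowed(src, dst, port, protocol="TCP", policies=POLICIES):
    """Is a connection from src to dst:port permitted by ingress policy?"""
    selecting = [p for p in policies
                 if p["namespace"] == dst.namespace
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and selector_matches(p["podSelector"], dst.labels)]
    if not selecting:
        return True  # unselected pod: open to all, including other namespaces
    for policy in selecting:
        for rule in policy["ingress"]:
            froms = rule.get("from")
            src_ok = not froms or any(peer_matches(peer, src, policy["namespace"])
                                      for peer in froms)
            if src_ok and port_matches(rule.get("ports"), port, protocol):
                return True
    return False  # selected, and no rule in any policy allowed the traffic


if __name__ == "__main__":
    api = Pod("api-0", "payments", {"app": "api"})
    fe_dev = Pod("fe-0", "dev", {"role": "frontend"})
    shop = Pod("shop-0", "prod", {"app": "shop"})
    print(ingress_allowed(fe_dev, api, 8443))  # False: policy in place
    print(ingress_allowed(fe_dev, shop, 80))   # True: no policy, namespaces not isolated
```

The last call is the slide's point in executable form: a dev pod reaching a prod pod is allowed simply because nothing in `prod` selects that pod, which is why a default-deny policy per namespace is the usual starting point before per-service allow rules are added.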
  33. Master access and visibility: Amazon CloudWatch, AWS CloudTrail
  34. Kubernetes Upgrades. Upgrade Strategy: “On-Demand Updates”
  35. Kubernetes Upgrades: Version 1.9 (1.9.1, 1.9.2) → Version 1.10
  36. (no text on slide)
  37. Auto Scaling – Application • Horizontal Pod Autoscaler – scales pods in response to K8s generated metrics (CPU) • Has support for custom metrics
  38. Auto Scaling – Cluster • Two options: Native Auto Scaling, K8s Cluster Auto Scaler • Cluster Autoscaler is reactive • AWS Auto Scaling Groups work as usual
  39. (no text on slide)
  40. Kubectl and Workers → PrivateLink Interface → Amazon EKS
  41. What's new
  42. EKS is Kubernetes Certified
  43. Kubernetes Conformance: 1. Guaranteed Portability and Interoperability 2. Timely Updates 3. Confirmability
  44. 1.9 upstream == 1.9 in EKS
  45. Will $(thing) work on EKS?
  46. Conformance Challenges: Workers, Masters. Kubernetes assumes a single network for workers and masters. API Access; Kubectl Exec/Logs
  47. Conformance Challenges: Workers, Masters. EKS runs across multiple networks and accounts (Customer VPC, EKS VPC). API Access; Kubectl Exec/Logs
  48. Ways to solve this. 1: Require opening security groups to our IP range (manual, error-prone, gross). 2: Do something different
  49. A different way: EKS Cross-Account Networking. Workers (Customer VPC) and Masters (EKS VPC) connected through a Network Load Balancer and ENI; API Access, Kubectl Exec/Logs; TLS, Static IPs
  50. EKS Cross-Account Networking: Availability Zones. Masters in Availability Zones 1, 2 and 3 in the EKS VPC; Workers in each Availability Zone in the Customer VPC; an ENI per Availability Zone
  51. EKS Cross-Account Networking: PKI and TLS. EKS Worker ↔ EKS Master: Kubelet generates public/private keys; Kubelet installs server cert; Kubelet issues CSR; certificate rotation
  52. EKS Cross-Account Networking • Pattern can be used by anyone running Kubernetes on AWS • Hard to do on your own • EKS customers now get secure cross-account networking configuration by default
  53. Load Balancing. CoreOS ALB Ingress Controller: supported by AWS; exposes ALB functionality to Kubernetes via Ingress Resources; layer 7 load balancing, supports content-based routing by host or path
  54. Load Balancing
  55. Load Balancing • Network Load Balancer: Alpha Feature in 1.9 • Layer 4 Load Balancer, used for services of type=LoadBalancer • Replacement for Classic Load Balancer in many use cases
  56. Service Discovery with Amazon ECS and Kubernetes. Contribution to ExternalDNS, a K8s Incubator project: - Registers Kubernetes services and ingresses in the Route 53 Auto Naming service registry - Enables service discovery across Kubernetes and Amazon ECS clusters via simple DNS queries to Route 53 - Supports services running in VPC or available publicly
  57. Demo
  58. Thank you! Twitter: @paulmaddox. Email: pmaddox@amazon.com
