Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Kubernetes on AWS with Amazon EKS - MAD301 - New York AWS Summit

1,650 views

Published on

Containers are a lightweight and very fast alternative to virtual machines. But keeping track of and coordinating a vast array of individual containers is no small feat and requires orchestration for all of the components to act as one. Amazon Elastic Container Service for Kubernetes (Amazon EKS) is the tool to handle this task. In this session, learn about this service’s latest new features.

Kubernetes on AWS with Amazon EKS - MAD301 - New York AWS Summit

  1. 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Kubernetes on AWS with Amazon EKS Nathan Taber Sr. Product Manager AWS Container Services M A D 3 0 1
  2. 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T • Create a culture of innovation by organizing into small DevOps teams • Continually evaluate your security posture by automating security • Componentize applications using microservices • Update applications & infrastructure quickly by automating CI/CD • Standardize and automate operations by modeling infrastructure as code • Simplify infrastructure management with serverless technologies • Improve application performance by increasing observability AWS best practices for building modern applications
  3. 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T We’re making AWS the best place to run containers and Kubernetes
  4. 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS container services landscape Management Deployment, Scheduling, Scaling & Management of containerized applications Hosting Where the containers run Amazon Elastic Container Service Amazon Elastic Kubernetes Service Amazon EC2 AWS Fargate Image Registry Container Image Repository Amazon Elastic Container Registry
  5. 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Balancing flexibility and simplicity: Workload-by-workload Flexibility focused Low level of opinion Low level of abstraction Focus on infrastructure and configuration Installing, configuring, and managing my compute environment is critical to achieving my goals Value simplicity High level of opinion High level of abstraction Focus only on app and primitive Having a standardized and on-demand compute environment is critical to achieving my goals
  6. 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon Elastic Container Service for Kubernetes
  7. 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Helps you run containers at scale Open source container management platform Gives you primitives for building modern applications What is Kubernetes? © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
  8. 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Community, contribution, choice
  9. 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T But where you run Kubernetes matters Quality of the cloud platform Quality of the applications Your users
  10. 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T 51% of Kubernetes workloads run on AWS today — CNCF
  11. 11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T How are customer using Amazon EKS? Microservices PaaS Platform as a service Enterprise App Migration Machine Learning
  12. 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Customers adopting Kubernetes on AWS
  13. 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Customer example: Snap Undifferentiated Heavy Lifting is work that we have to do that doesn’t directly benefit our customers. It’s just work. Amazon EKS frees us up to worry about delivering customer value and allows developers without operational experience to innovate without having to know where their code runs. More detailed talk: AWS New York Summit 2018 - Run Kubernetes with Amazon EKS (SRV318) “
  14. 14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Who is using Amazon EKS? We built the next generation of our PaaS using Amazon EKS for large enterprise workloads. We manage thousands of applications and have hundreds of DevOps teams. “
  15. 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Who is using Amazon EKS? Kubernetes is fast becoming the preferred solution for container orchestration. Its biggest downside is that it is not simple to set up and operate. Amazon EKS gives us all the benefits of Kubernetes, but takes care of managing the hard stuff. We can dedicate less resources to deployment and operations as result. “
  16. 16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Which customers are using Amazon EKS? The performance from Amazon EKS makes it feasible to effectively manage large-scale databases delivering over a million queries per second. Amazon EKS also helps with our cluster management and scalability challenges. “
  17. 17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Rich partner ecosystem DevOpsFoundation Security Networking Monitoring & logging
  18. 18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Our tenets 1. Amazon EKS is a platform to run production-grade workloads. Security and reliability are our first priority. After that we focus on doing the heavy lifting for you in the control plane, including life cycle-related things like version upgrades. 2. Amazon EKS provides a native and upstream Kubernetes experience. Amazon EKS provides vanilla, un-forked Kubernetes. In keeping with our first tenant, we ensure the Kubernetes versions we run have security-related patches, even for older, supported versions as quickly as possible. But there’s no special sauce and no lock in. 3. If you want to use additional AWS services, integrations are as seamless as possible. 4. The Amazon EKS team in AWS actively contributes to the upstream Kubernetes project and the wider CNCF activities, both on the technical level as well as community, from communicating good practices to participation in SIGs and working groups.
  19. 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Happy Birthday Amazon EKS!
  20. 20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon EKS, a year in review June – December 2018: Amazon EKS achieves K8s conformance, HIPAA-eligibility, Generally available Amazon EKS AMI build scripts and AWS CloudFormation templates available in GitHub. Support for GPU-enabled EC2 instances, support for HPA with custom metrics. Amazon EKS launches in Dublin, Ireland Amazon EKS simplifies cluster setup with update-kubeconfig CLI command Amazon EKS adds support for Dynamic Admission Controllers (Istio), ALB Support with the AWS ALB ingress controller Amazon EKS launches in Ohio, Frankfurt, Singapore, Sydney, and Tokyo Amazon EKS adds Managed Cluster Updates and Support for Kubernetes Version 1.11, CSI Driver for Amazon EBS 2019: Amazon EKS launches in Seoul, Mumbai, London, and Paris Amazon EKS achieves ISO and PCI compliance, announces 99.9% SLA, cluster creation limit raised to 50 API Server Endpoint Access Control, AWS App Mesh controller Windows support (preview), Kubernetes version 1.12, CSI Drivers for Amazon EFS, Amazon FSx for Lustre, Control Plane Logs, A1 (ARM) instance support (preview) Deep Learning Benchmark Utility, Public IP Address Support, Simplified cluster authentication, SOC compliance, Kubernetes 1.13, PodSecurityPolicies, Container Insights, CNI 1.5.0, Amazon ECR, AWS PrivateLink Support
  21. 21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Open-source roadmap https://github.com/aws/containers-roadmap/
  22. 22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon EKS services roadmap: Highlights Shipped - Amazon EKS control plane logs - Support for public IP space in VPC - SOC compliance - Amazon EKS: Deep Learning Benchmarking Utility - New Amazon EKS Region: Paris, London, Mumbai - CNI v1.5.0 Coming soon - Service linked role for Amazon EKS - EKS Support for K8s version 1.13 + ECR AWS PrivateLink - EKS-optimized AMI metadata SSM parameter - IAM for Pods - New Amazon EKS Regions: Beijing, Ningxia, Hong Kong Working on it - Amazon EKS on Fargate - Managed Nodes - Managed add-ons - DNS resolution of Amazon EKS private endpoints - New Amazon EKS Regions: Sao Paulo, Canada Central - Next-generation CNI plugin
  23. 23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon EKS deep dive • Configuration & setup • Availability • Storage • Operations • Security • Networking • Logging • Monitoring • Application communication
  24. 24. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  25. 25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon EKS is Kubernetes-certified Kubernetes conformance • Guaranteed portability and interoperability • Timely updates • Confirmability
  26. 26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Open-source and Amazon EKS Amazon EKS runs 100% upstream Kubernetes Key components of Amazon EKS are open source • Amazon VPC CNI plugin • AWS IAM authenticator • Amazon EKS AMI Team contributes to or manages 20+ OSS projects • /kubernetes • /kubernetes/autoscaler • /aws-labs/aws-service-operator • /weaveworks/eksctl • Amazon EBS, Amazon EFS, Amazon FSx CSI drivers
  27. 27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Kubernetes versions Latest: 1.13 Coming soon: 1.14 Amazon EKS will support up to three versions of Kubernetes at once Deprecation in line with the community stopping support for older versions Version 1.10 deprecation on July 22, 2019
  28. 28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T eksctl - a CLI for Amazon EKS • Single command cluster creation eksctl create cluster --nodes=4 • Open source and on GitHub • Built by Weave and AWS • Official Amazon EKS CLI
  29. 29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Standard EC2 compute instance types P2 and P3 accelerated instances i3 bare metal Spot Instances Bring your own instances Instance flexibility
  30. 30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Bring your own OS Amazon EKS AMI build scripts https://github.com/awslabs/amazon-eks-ami Amazon Amazon Amazon
  31. 31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Windows containers Run Windows containers and Windows Server nodes with Amazon EKS Supports heterogeneous (mixed) clusters. Kubernetes version 1.11+ Available in all Amazon EKS Regions Developer preview: https://github.com/aws/containers-roadmap
  32. 32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Provisioning worker nodes AWS CloudFormation eksctl Partners …more Terraform Pulumi Rancher
  33. 33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Now supporting P3dn.24xlarge instances CUDA 10 with NVIDIA v410 coming soon! Amazon EKS-optimized GPU AMI
  34. 34. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  35. 35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Global availability Americas Virginia, Ohio, Oregon EMEA Ireland, Frankfurt, London, Paris, Stockholm Asia Pacific Singapore, Tokyo, Sydney, Seoul, Mumbai
  36. 36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Service level agreement 99.9% Service commitment AWS will use commercially reasonable efforts to make the endpoint for an Amazon EKS Cluster available with a Monthly Uptime Percentage of at least 99.9% during any monthly billing cycle In the event Amazon EKS does not meet the Monthly Uptime Percentage commitment, you will be eligible to receive a Service Credit.
  37. 37. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  38. 38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Container storage interface (CSI) A flexible standard for orchestration and storage provider connections We support the CSI standard through following drivers: Amazon Elastic Block Store: Amazon EBS CSI Driver Amazon Elastic File System: Amazon EFS CSI Driver Amazon FSx for Lustre: Amazon FSx CSI Driver
  39. 39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Storage volume lifecycle Provisioning Binding Using Reclaiming • Static • Dynamic* • Control loop watches for PVC requests and satisfies if PV is available. • For Dynamic, PVC will provision PV • PVC to PV binding is one- to-one mapping • Cluster mounts volume based on PVC • Retain (default) • Recycle • Delete
  40. 40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What if I need specific volume type? StorageClass gp2 io1 sc1 encrypted io1st1 1) Admin pre-provisions StorageClass based on workload needs 2) End user requests for specific volume types (e.g., encrypted io1 volume) 3) Control loop watches PVC request and allocates volume if PV exists MySQL Pods 4) User creates stateful workload
  41. 41. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  42. 42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon EKS operational capability - Architecture - CI/CD for applications deployed on Amazon EKS - Infrastructure elasticity
  43. 43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Architecture
  44. 44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T [mycluster].eks.amazonaws.com Availability Zone 1 Availability Zone 2 Availability Zone 3 Kubectl Your AWS account
  45. 45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T VPC Kubernetes control plane Highly available and single tenant infrastructure All “native AWS” components Fronted by a Network Load Balancer NLB Amazon EKS Availability Zone 1 Availability Zone 2 Availability Zone 3 Etcd API Servers
  46. 46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T CI/CD
  47. 47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Kubernetes continuous deployment AWS CodePipeline AWS CodeCommit AWS CodeBuild AWS Lambda Amazon ECR 1 2 4 3 5 6 1 Developers continuously integrate changes into a main branch hosted within a repo 2 Triggers an execution of the pipeline when a new version is found, builds a new image with build id 3 Pushes the newly built image tagged with build id to ECR repo 4 Invokes a Lambda function to trigger application deployment 5 Leverages Kubernetes Python SDK to update a deployment 6 Fetches new container image and performs a rolling update of deployment Developer
  48. 48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Supported CI/CD platforms • AWS CodeBuild / AWS CodePipeline • Jenkins • Spinnikar • Jfrog • …any others that work with Kubernetes on AWS!
  49. 49. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Infrastructure elasticity
  50. 50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon EKS worker node provisioning with Amazon EC2 Spot • Recommend using the node labels to identify Amazon EC2 Spot Instances • Launch Amazon EC2 Spot Instances as part of Auto Scaling group • Use Amazon EC2 Spot Instances best practice of mixed instance types
  51. 51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Automatic scaling with Amazon EKS Two dimensions to scaling • Amazon EC2 instance through cluster-autoscaler → Scale out Amazon EC2 Spot Instances • Pods through HPA → Scale out pods
  52. 52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon EKS support sophisticated and scalable infrastructure [mycluster].eks.amazonaws.com Availability Zone 1 Availability Zone 2 Availability Zone 3 Kubectl VPC Instance Auto Scaling group for m4.large Spot Instances Auto Scaling group for t2.medium Spot Instances Auto Scaling group for On-Demand Instances Cluster Autoscaler Daemonset Spot Interruption handler Daemonset https://eksworkshop.com/spot/man agespot/deployhandler
  53. 53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon EKS is ready for sensitive and regulated workloads HIPAA-eligible ISO 9001, 27001, 27017, 27018 PCI DSS SOC 1,2,3
  54. 54. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  55. 55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS container security: principled and peculiar Tenets • All-encompassing • Shared responsibility • Cloud native Epics
  56. 56. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Container security onion model: Defense in depth • full blown distro (Ubuntu, AL) vs. minimal environment (container-optimized distribution) • multi-tenancy requirements • gotchas: Linux packages/CVEs, leaks, GDPR (in Europe) • runtime/standards (OCI) • immutability of images • all containers share a kernel (mitigation: Firecracker) • gotchas: unnecessary privileged users, no scans, trust • code analysis • source available? • gotchas: big surface, many languages {} } • sanitizing user input • static code analysis • gotchas: log-leaking } • sensitive config (passwords, API keys, etc.) • gotchas: commits-to-source, non-separated access (dev has cleartext password) { • business core data • Personal Identifiable Information (PII) • gotchas: leaks, GDPR (in Europe) { host container dependencies code config user data
  57. 57. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Security tooling Amazon Inspector AWS KMS AWS Secrets Manager AWS WAF AWS IAM Amazon GuardDuty Amazon Macie AWS Security Hub AWS CloudHSM AWS Certificate Manager AWS CloudTrail host container dependencies code config user data
  58. 58. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Identity and Access Management (IAM) Authentication Kubectl 3) Authorizes AWS identity with RBAC K8s API 1) Passes AWS identity 2) Verifies AWS identity 4) K8s action allowed/denied
  59. 59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T PKI configuration Kubelet Generates public/private keys Kubelet installs server cert Kubelet issues CSR Certificate rotation Amazon EKS API serverEKS worker Each Amazon EKS cluster is a unique CA
  60. 60. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T IAM for pods Roadmap Set IAM access permissions at the pod level Enables multiple applications with different permission sets to share the same nodes Built using Kubernetes primitives, minimal user configuration https://github.com/aws/containers-roadmap/issues/23
  61. 61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T API-server endpoint access control Worker VPC (your account) Kubectl Master VPC (AWS account) etcd AZ 1 API Server etcd API Server prod-cluster-123.eks.amazonaws.com EKS-owned ENI Kubelet AZ 1 Worker node EKS-owned ENI Kubelet AZ 2 Worker node Public == true AZ 2 Kube-proxy Kube-proxy
  62. 62. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T API-server endpoint access control Worker VPC (your account) Kubectl Master VPC (AWS account) etcd AZ 1 AZ 2 API Server etcd API Server prod-cluster-123.eks.amazonaws.com EKS-owned ENIs Public == true Private == true prod-cluster-123.eks.amazonaws.com Private hosted zone Kubelet AZ 1 Worker node Kube-proxy Kubelet AZ 2 Worker node Kube-proxy
  63. 63. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T API-server endpoint access control Worker VPC (your account) Kubectl Master VPC (AWS account) etcd AZ 1 AZ 2 API Server etcd API Server EKS-owned ENIs Public == false Private == true prod-cluster-123.eks.amazonaws.com Private hosted zone Kubelet AZ 1 Worker node Kube-proxy Kubelet AZ 2 Worker node Kube-proxy
  64. 64. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  65. 65. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Native VPC networking with CNI plugin Pods have the same VPC address inside the pod as on the VPC Simple, secure networking Open source and on GitHub …{ } Amazon VPC CNI plugin
  66. 66. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon VPC CNI plugin Elastic network interface Secondary IPs: 10.0.0.1 10.0.0.2 10.0.0.1 10.0.0.2 Elastic network interface 10.0.0.20 10.0.0.22 Secondary IPs: 10.0.0.20 10.0.0.22 ec2.associateaddress() VPC Subnet – 10.0.0.0/24 Instance 1 Instance 2 VPC https://github.com/aws/amazon-vpc-cni-k8s
  67. 67. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon EKS supports advanced networking architectures VPC - Multiple IP ranges Subnet 1 – 10.0.0.0/16 Subnet 2 – 100.64.0.0/10 Customer gateway Corporate data center On-premises 10.1.0.0/16 VPN or DX Pod Outbound Traffic SNAT EKS worker node Primary elastic network interface Pod Secondary elastic network interface Pod – 100.64.0.200
  68. 68. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Load balancing All three Elastic Load Balancing products are supported NLB and CLB supported by Kubernetes Service type=LoadBalancer Internal and External Load Balancer support
  69. 69. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T • Exposes the service externally using a cloud provider’s load balancer • NodePort and ClusterIP services (to which LB will route) automatically created • Each service exposed with a LoadBalancer (ELB or NLB) will get its own IP address • Exposes L4 (TCP) or L7 (HTTP) services Kubernetes ServiceType: LoadBalancer
  70. 70. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Load balancing Want to use an Internal Load Balancer? Use annotation: service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 Want to use an NLB? Use annotation: service.beta.kubernetes.io/aws-load-balancer-type: nlb
  71. 71. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Service load balancer: Network Load Balancer apiVersion: v1 kind: Service metadata: name: nginx namespace: default labels: app: nginx annotations: service.beta.kubernetes.io/aws-load-balancer-type: "nlb" spec: externalTrafficPolicy: Local ports: - name: http port: 80 protocol: TCP targetPort: 80 selector: app: nginx type: LoadBalancer
  72. 72. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Service load balancer: Network Load Balancer (NLB) • NLB supports forwarding the client’s IP through to the node .spec.externalTrafficPolicy = Local ➔ client ip passed to pod • Nodes with no matching pods will be removed by specified NLB’s health check .spec.healthCheckNodePort • Use DaemonSet or pod anti-affinity to verify even traffic split
  73. 73. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T • exposes HTTP/HTTPS routes to services within the cluster • Many implementations: ALB, NGINX, F5, HAProxy etc. • Default service type: ClusterIP Kubernetes Ingress object
  74. 74. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T ALB Ingress controller AWS Resources Kubernetes Cluster Node Node Kubernetes API Server ALB Ingress Controller Node HTTP ListenerHTTPS Listener Rule: /cheesesRule: /charcuterie TargetGroup: Green (IP Mode) TargetGroup: Blue (Instance Mode) NodePort NodePort
  75. 75. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T ALB Ingress controller Production-ready 1.0 release Supported by Amazon EKS team Open source development: https://github.com/kubernetes-sigs/aws- alb-ingress-controller Customers are using it in production today!
  76. 76. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  77. 77. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon EKS logging EKS managedCustomer account Internet Amazon CloudWatch AWS CloudTrail
  78. 78. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T WorkerWorkerMaster WorkerWorkerMaster Auto Scaling group AZ1 Region AZ2 Auto Scaling group CloudWatch Logs Elasticsearch Kibana Fluentd DaemonSet Kubectl logs Elasticsearch (index), Fluentd (store), and Kibana (visualize) Amazon EKS logging
  79. 79. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Logging with FluentBit • New AWS FluentBit container plugin • Optimize costs. Route logs from Amazon EKS and Amazon ECS clusters directly to Amazon S3 and query with Amazon Athena • Open source • More resource-efficient than Fluentd. Tests show Fluentd uses 4x more CPU and 6x more memory https://aws.amazon.com/blogs/opensource/centra lized-container-logging-fluent-bit/
  80. 80. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  81. 81. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon CloudWatch Container Insights Gives you complete visibility into your cloud resources and applications so you can monitor, troubleshoot, and remediate issues Collect logs & metrics Monitor, troubleshoot & set alarms Act AnalyzeAmazon CloudWatch
  82. 82. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T ✓ Collects, aggregates, and summarizes ✓ Reliable, secure metrics and logs collection ✓ Automated dashboards and analysis ✓ Observability experience across metrics, logs, traces ✓ Ad hoc analytics CloudWatch Container Insights A fully managed observability service for monitoring, troubleshooting, and alarming on your containerized applications and microservices
  83. 83. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Images on DockerHub Performance Metrics – CloudWatch Agent: https://hub.docker.com/r/amazon/cloudwatch-agent • Tag: latest Logs – FluentBit: https://hub.docker.com/r/amazon/aws-for-fluent-bit • Tag: latest Logs – Fluentd: https://hub.docker.com/r/fluent/fluentd-kubernetes-daemonset • Tag: v1.3.3-debian-cloudwatch-1.4
  84. 84. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Container Insights available now 1. Fully managed, AWS native observability service providing automated summary and analysis of compute capacity 2. Reliable and secure collection of application logs with built-in analytics capabilities 3. Prebuilt visualization to summarize cluster and node errors 4. Application & microservice tracing - Troubleshoot and debug application & microservice
  85. 85. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  86. 86. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why AWS App Mesh? http/tcp Service team A Service team B Common need: Manage interservice traffic • How to observe (logs, metrics, traces) • How to load balance E/W traffic • How to shift traffic between deployments • How to decouple service teams • How to minimize impact to app code
  87. 87. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T App Mesh uses Envoy proxy OSS community project Wide community support, numerous integrations Stable and production-proven Graduated Project in Cloud Native Computing Foundation Started at Lyft in 2016
  88. 88. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why App Mesh? HTTP / TCP Service team A Service team B Control plane Translates logical intent to proxy config Distributes proxy config Proxy Sits between all services Manages and observes traffic Control plane
  89. 89. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T App Mesh: App-level communication across AWS Amazon ECS AWS Fargate Amazon EKS Amazon EC2 AWS App Mesh Kubernetes on EC2
  90. 90. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T App Mesh: Application observability Logging HTTP access logging Amazon CloudWatch Logs Available as container logs on Amazon ECS, Amazon EKS, AWS Fargate Metrics CloudWatch metrics StatsD (with tags) Prometheus Tracing AWS X-Ray Other Envoy tracing drivers
  91. 91. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T App Mesh: Client-side traffic management Traffic shaping Load balancing Weight targets Service discovery (DNS + AWS Cloud Map) Health checks Retries* Timeouts* Circuit breakers* Routing controls Protocols support (HTTP, TCP, gRPC*) Path-based Header-based* Cookie-based* Host-based* *coming soon
  92. 92. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  93. 93. Thank you! S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

×