
Running Kubernetes Across Multiple AWS Accounts (CON409) - AWS re:Invent 2018


This session covers how a Kubernetes cluster can be run across multiple AWS accounts to separate the control plane from the worker nodes, increasing security, separating concerns, and isolating workloads. Amazon Elastic Container Service for Kubernetes (Amazon EKS) manages the Kubernetes control plane and recommends that customers launch worker nodes in their own accounts. We cover in detail how we made this topology possible, the challenges we faced, and how we solved them.

Slide transcript:

  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Running Kubernetes Across Multiple AWS Accounts. Bryce Carman, Sr. Software Dev Engineer, Amazon EKS. CON409
  2. Agenda: Kubernetes on Amazon Web Services (AWS); Node Lifecycle; Amazon Elastic Container Service for Kubernetes (Amazon EKS) Architecture
  3. (no text other than the copyright notice)
  4. Kubernetes on AWS (diagram labels): Kubernetes Control Plane, Worker Nodes, VPC, kubectl, Kubelet
  5. Pod to Kubernetes (diagram labels): Kubernetes Control Plane, VPC, Worker Node, Pod
  6. User to Pod (diagram labels): Kubernetes Control Plane, VPC, kubectl, Kubelet, Pod 1, Pod 2
  7. (no text other than the copyright notice)
  8. Node Lifecycle: Cluster Discovery. How are the Control Plane and the Node able to securely communicate? TLS Bootstrap; Secure Kubelet API; Node AWS Identity and Access Management (IAM) Authentication
  9. Node Cluster Discovery (diagram labels): Kubernetes Control Plane, Worker Nodes, VPC, Kubelet
  10. IAM Authentication (diagram labels): K8s Control Plane, STS get-caller-identity, kubectl/kubelet
  11. Secure Kubelet API (diagram labels): Kubernetes Control Plane, VPC, kubectl, Kubelet, Pod 1, Pod 2
  12. (no text other than the copyright notice)
  13. Kubernetes on Amazon EKS (diagram labels): Worker Nodes VPC, kubectl, VPC
  14. Kubernetes Control Plane Split VPC (diagram labels): Kubernetes Worker Nodes VPC, kubectl, VPC, Elastic network interface
  15. Cross VPC Availability Zones (diagram labels): Availability zone (two), VPC, kubectl, Worker Node, Kubernetes Control Plane (two), Elastic network interface (two)
  16. Kubernetes Best Practices: Treat your Kubernetes Control Plane as a service; Know how data flows in the cluster; Secure Kubelet API!
  17. Thank you! Bryce Carman, brycecar@amazon.com
  18. (no text other than the copyright notice)
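Slides 8 and 10 show the node-to-control-plane authentication step: kubectl or the kubelet presents an identity token derived from an STS get-caller-identity call, and the control plane verifies it. The deck does not spell out the token format or the checks. The following is an added example, not code from the talk or from Amazon EKS; it assumes the token layout used by the open-source aws-iam-authenticator ("k8s-aws-v1." plus a base64url-encoded presigned STS GetCallerIdentity URL, with the cluster ID bound in via a signed `x-k8s-aws-id` header) and shows the structural checks a verifier applies before it forwards the presigned request to STS. The sample URL values (key ID, date, signature) are constructed placeholders, and `MAX_EXPIRES_SECONDS` and `CLOCK_SKEW` are assumed limits.

```python
import base64
import datetime as dt
import re
from urllib.parse import urlparse, parse_qs, urlencode

# Assumed token layout (aws-iam-authenticator style; not stated on the slides):
# "k8s-aws-v1." + base64url(presigned STS GetCallerIdentity URL), padding stripped.
TOKEN_PREFIX = "k8s-aws-v1."
MAX_EXPIRES_SECONDS = 60                    # assumed cap on presigned-URL lifetime
CLOCK_SKEW = dt.timedelta(minutes=5)        # assumed tolerance for clock drift
STS_HOST = re.compile(r"^sts(\.[a-z0-9-]+)?\.amazonaws\.com$")  # global or regional STS
CLUSTER_ID_HEADER = "x-k8s-aws-id"          # header that ties the token to one cluster


def make_token(presigned_url):
    """Client side (kubectl/kubelet): wrap the presigned URL as a bearer token."""
    b64 = base64.urlsafe_b64encode(presigned_url.encode()).decode()
    return TOKEN_PREFIX + b64.rstrip("=")


def verify_token(token, now):
    """Server-side structural checks run BEFORE the presigned request is sent to STS
    with the x-k8s-aws-id header. Passing them proves nothing about the caller's
    identity; only the STS round trip (not shown here) does that.
    Returns (ok, reason)."""
    if not token.startswith(TOKEN_PREFIX):
        return False, "missing k8s-aws-v1 prefix"
    body = token[len(TOKEN_PREFIX):]
    try:
        url = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return False, "token body is not base64url"
    u = urlparse(url)
    if u.scheme != "https":
        return False, "presigned URL must use https"
    if not STS_HOST.match(u.hostname or ""):
        return False, "host %r is not an STS endpoint" % u.hostname
    if u.path not in ("", "/"):
        return False, "unexpected path"
    q = parse_qs(u.query, keep_blank_values=True)
    if q.get("Action") != ["GetCallerIdentity"]:          # exactly one Action parameter
        return False, "Action must be exactly GetCallerIdentity"
    if q.get("Version") != ["2011-06-15"]:
        return False, "unexpected STS API version"
    signed = q.get("X-Amz-SignedHeaders", [""])[0].split(";")
    if CLUSTER_ID_HEADER not in signed:
        return False, "x-k8s-aws-id not covered by the signature (token not bound to a cluster)"
    try:
        expires = int(q.get("X-Amz-Expires", ["0"])[0])
        issued = dt.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=dt.timezone.utc)
    except (KeyError, ValueError):
        return False, "missing or malformed X-Amz-Date / X-Amz-Expires"
    if not 0 < expires <= MAX_EXPIRES_SECONDS:
        return False, "X-Amz-Expires=%d exceeds %ds" % (expires, MAX_EXPIRES_SECONDS)
    if now > issued + dt.timedelta(seconds=expires) + CLOCK_SKEW:
        return False, "token expired"
    if now + CLOCK_SKEW < issued:
        return False, "token issued in the future"
    return True, "ok"


def sample_presigned_url(**overrides):
    """Constructed demo URL: shaped like a presigned GetCallerIdentity request but
    NOT genuinely signed (placeholder key ID and signature)."""
    params = {
        "Action": "GetCallerIdentity",
        "Version": "2011-06-15",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": "AKIAIOSFODNN7EXAMPLE/20181129/us-east-1/sts/aws4_request",
        "X-Amz-Date": "20181129T120000Z",
        "X-Amz-Expires": "60",
        "X-Amz-SignedHeaders": "host;x-k8s-aws-id",
        "X-Amz-Signature": "0" * 64,   # placeholder for the SigV4 signature
    }
    host = overrides.pop("host", "sts.amazonaws.com")
    params.update(overrides)
    return "https://%s/?%s" % (host, urlencode(params))


# Fixed clocks so the demo is deterministic: 30 s after the constructed X-Amz-Date.
DEMO_NOW = dt.datetime(2018, 11, 29, 12, 0, 30, tzinfo=dt.timezone.utc)
DEMO_LATER = DEMO_NOW + dt.timedelta(minutes=10)

if __name__ == "__main__":
    print(verify_token(make_token(sample_presigned_url()), DEMO_NOW))
    print(verify_token(make_token(sample_presigned_url(**{"X-Amz-Expires": "3600"})), DEMO_NOW))
    print(verify_token(make_token(sample_presigned_url(host="sts.example.test")), DEMO_NOW))
    print(verify_token(make_token(sample_presigned_url()), DEMO_LATER))
```

The checks that matter most for the multi-account topology are the host check (the verifier must only ever forward to a genuine STS endpoint) and the signed-header check: without `x-k8s-aws-id` in `X-Amz-SignedHeaders`, a token minted for one cluster would be replayable against another. A production verifier follows these checks with the actual HTTPS call to STS and maps the returned ARN to a Kubernetes user or group.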
