
'AWS Container Training' material for game customers - Jaeseok Yoo, Solutions Architect, AWS :: Gaming Immersion Day 2019/04/30


This post is the container training delivered by the AWS Game Team on April 30, 2019. Understand the AWS container services and run containers with ease.



  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Container, Container, Container … (Jaeseok Yoo)
  2. 13:00 – 14:00 Container Orchestration, EKS
     14:00 – 14:15 HoL: Create an EKS cluster
     14:15 – 14:30 Break
     14:30 – 15:45 HoL: Run an application, EKS Logging and Monitoring
     15:45 – 16:00 Break
     16:00 – 16:30 ECS
     16:30 – 17:00 Closing Time
  3. Common Questions
     • How do I deploy my containers to hosts?
     • How do I do zero downtime or blue green deployments?
     • How do I keep my containers alive?
     • How can my containers talk to each other? Linking? Service Discovery?
     • How can I configure my containers at runtime? What about secrets?
     • How do I best optimize my "pool of compute"?
  4. How do we make this work at scale?
  5. We need to
     • start, stop, and monitor lots of containers running on lots of hosts
     • decide when and where to start or stop containers
     • control our hosts and monitor their status
     • manage rollouts of new code (containers) to our hosts
     • manage how traffic flows to containers and how requests are routed
  6. (image-only slide)
  7. Container Orchestration
     (diagram: three instances, each with an OS and a container runtime, hosting apps and services; a container orchestration layer manages all of them)
  8. Container Orchestration
     (diagram: a job definition, myJob: { Cpu: 10, Mem: 256 }, is handed to the Orchestrator, which schedules it and runs "myJob" on an instance)
  9. Container Orchestration: Service Management
     § Availability
     § Lifecycle
     § Discovery
  10. Container Orchestration: Scheduling
      § Placement
      § Scaling
      § Upgrades
      § Rollbacks
  11. Container Orchestration: Resource Management
      § Memory
      § CPU
      § Ports
  12. What are container orchestration tools?
  13. Amazon Container Services Landscape
      MANAGEMENT (deployment, scheduling, scaling and management of containerized applications):
        Amazon Elastic Container Service
        Amazon Elastic Container Service for Kubernetes (GA: June 6, 2018; Seoul: Jan 11, 2019)
      HOSTING (where the containers run):
        Amazon EC2
        AWS Fargate
      IMAGE REGISTRY (container image repository):
        Amazon Elastic Container Registry
  14. Run a (managed) container on AWS
      Amazon Container Services
      1) Choose your orchestration tool: ECS or EKS
      2) Choose your launch type: EC2 or Fargate
  15. (image-only slide)
  16. What is Kubernetes?
      Open source container management platform
      Helps you run containers at scale
      Gives you primitives for building modern applications
  17. Kubernetes (K8s) Components
      Control Plane (Controller)
      • Etcd: lightweight, open source key-value store containing the cluster state
      • API Server: serves the APIs required to manage the cluster
      • Scheduler: determines where (on which nodes) pods will run in the cluster
      • Controller Manager: the "worker on the controller" that actually manages the cluster (e.g. replication)
      Kubernetes Node
      • kubelet: runs the node, starts and stops containers
      • kube-proxy: acts as a network proxy – routes traffic based upon IP and port. Each service is assigned a unique port on the nodes it runs across; kube-proxy allows that port to be mapped to whatever the service expects.
      • cAdvisor: agent that monitors node health and statistics
  18. Kubernetes (K8s) Architecture (diagram only)
  19. Kubernetes (K8s) Objects
      • kubectl
      • Pods
      • Labels
      • Deployments
      • Replication Controllers
      • Services
  20. kubectl
      • Command line interface for running commands against the k8s API
      • Intuitive, familiar commands (get, create, describe, delete, etc.) that are simple to learn and easy to use
      (diagram: kubectl reads ~/.kube/config and talks to kube-api on the k8s master, next to the scheduler)
  21. Pods
      • A group of one or more containers
      • Shared:
        • Data volumes
        • cgroup
        • Namespace – network, IPC, etc.
      (diagram: a node running pod1 and pod2)
  22. Labels
      • Key/Value pairs
      • Used to query specific resources within your cluster
      (diagram: pod1 labelled dev and app001, pod2 labelled prod and app001)
  23. ReplicaSets
      • Ensure that a specified number of pod "replicas" exist in the cluster
  24. Deployments
      • Declarative updates for Pods and ReplicaSets
  25. Services
      • Abstraction which defines a logical set of pods and a policy by which to access them
  26. Services
      • Service Discovery:
        • Environment variables
        • DNS
      • Publishing Services:
        • LoadBalancer (ELB)
        • ClusterIP, NodePort, ExternalName (DNS)
  27. kubectl
      $ kubectl get nodes
      NAME                            STATUS   ROLES    AGE   VERSION
      ip-172-31-24-193.ec2.internal   Ready    <none>   2m    v1.10.3
      ip-172-31-36-113.ec2.internal   Ready    <none>   2m    v1.10.3
      ip-172-31-65-97.ec2.internal    Ready    <none>   2m    v1.10.3
      $ kubectl get pods --all-namespaces
      NAMESPACE     NAME                        READY   STATUS    RESTARTS   AGE
      kube-system   aws-node-5blrq              1/1     Running   0          3m
      kube-system   aws-node-btn9b              1/1     Running   0          3m
      kube-system   aws-node-wvd92              1/1     Running   1          3m
      kube-system   kube-dns-64b69465b4-gnzpz   3/3     Running   0          1h
      kube-system   kube-proxy-5prxp            1/1     Running   0          3m
      kube-system   kube-proxy-86q8k            1/1     Running   0          3m
      kube-system   kube-proxy-89stl            1/1     Running   0          3m
  28. Dashboard
      Deploy the dashboard to your cluster
      $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
      secret "kubernetes-dashboard-certs" created
      serviceaccount "kubernetes-dashboard" created
      role.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" created
      rolebinding.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" created
      deployment.apps "kubernetes-dashboard" created
      service "kubernetes-dashboard" created
      Create an eks-admin Account and Cluster Role Binding
  29. Dashboard
      $ vi eks-admin-service-account.yaml
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: eks-admin
        namespace: kube-system
      $ kubectl apply -f eks-admin-service-account.yaml
      $ vi eks-admin-cluster-role-binding.yaml
      apiVersion: rbac.authorization.k8s.io/v1beta1
      kind: ClusterRoleBinding
      metadata:
        name: eks-admin
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
      - kind: ServiceAccount
        name: eks-admin
        namespace: kube-system
      $ kubectl apply -f eks-admin-cluster-role-binding.yaml
  30. Dashboard
      Retrieve an authentication token
      $ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}')
      $ kubectl proxy
      Starting to serve on 127.0.0.1:8001
      Access at http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
      Copy and paste the token to log in.
  31. Dashboard (screenshot only)
  32. Run Nginx
      $ kubectl run my-nginx --image nginx --port 80
      $ kubectl get deployments
      NAME       DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
      my-nginx   1         1         1            1           13s
      $ kubectl get pods
      NAME                        READY   STATUS    RESTARTS   AGE
      my-nginx-77f56b88c8-dmvtg   1/1     Running   0          33s
      $ kubectl describe pod/my-nginx-77f56b88c8-dmvtg
      Name:           my-nginx-77f56b88c8-dmvtg
      Namespace:      default
      Node:           ip-172-31-24-193.ec2.internal/172.31.24.193
      Start Time:     Fri, 29 Jun 2018 22:04:37 +0900
      Labels:         pod-template-hash=3391264474
                      run=my-nginx
      Annotations:    <none>
      Status:         Running
      IP:             172.31.28.55
      Controlled By:  ReplicaSet/my-nginx-77f56b88c8
  33. Run Nginx - expose within cluster
      $ kubectl expose deployment my-nginx --target-port=80 [--type=LoadBalancer]
      $ kubectl get services
      NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
      kubernetes   ClusterIP   10.100.0.1      <none>        443/TCP   1h
      my-nginx     ClusterIP   10.100.211.73   <none>        80/TCP    11s
      $ kubectl edit svc/my-nginx
      apiVersion: v1
      kind: Service
      …
      spec:
        clusterIP: 10.100.211.73
        ports:
        - port: 80
          protocol: TCP
          targetPort: 80
        selector:
          run: my-nginx
        sessionAffinity: None
        type: ClusterIP          # replace with LoadBalancer and save
      status:
        loadBalancer: {}
      Add --type=LoadBalancer if you want to expose the service to the internet.
  34. Run Nginx - expose to internet
      $ watch -n 1 "kubectl get services"
      NAME         TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
      kubernetes   ClusterIP      10.100.0.1      <none>        443/TCP        2h
      my-nginx     LoadBalancer   10.100.211.73   <pending>     80:31743/TCP   7m
      …
      NAME         TYPE           CLUSTER-IP      EXTERNAL-IP        PORT(S)        AGE
      kubernetes   ClusterIP      10.100.0.1      <none>             443/TCP        2h
      my-nginx     LoadBalancer   10.100.211.73   a60e942cbd32d...   80:31743/TCP   7m
      $ curl http://a60e942cbd32d11e7992202c08f5229f-284158314.ap-northeast-2.elb.amazonaws.com
      * clean up
      $ kubectl delete svc/my-nginx deployment/my-nginx
  35. Run Nginx w/ YAML
      $ vi my-nginx.yaml
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: my-nginx
      spec:
        replicas: 2
        template:
          metadata:
            labels:
              run: my-nginx
          spec:
            containers:
            - name: my-nginx
              image: nginx
              ports:
              - containerPort: 80
      $ kubectl create -f ./my-nginx.yaml
      $ kubectl get deployments
      NAME       DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
      my-nginx   2         2         2            1           6s
      $ kubectl delete pod my-nginx
  36. Run Nginx w/ YAML
      $ vi my-nginx-app.yaml
      apiVersion: v1
      kind: Service
      metadata:
        name: my-nginx
        labels:
          app: nginx
      spec:
        type: LoadBalancer
        ports:
        - port: 80
        selector:
          app: nginx
      ---
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: my-nginx
      spec:
        replicas: 3
        template:
          metadata:
            labels:
              app: nginx
          spec:
            containers:
            - name: nginx
              image: nginx:1.7.9
              ports:
              - containerPort: 80
      $ kubectl create -f ./my-nginx-app.yaml
      $ kubectl get deployments
      $ kubectl get services
  37. Using Labels
      $ kubectl label pods -l app=nginx tier=webserver
      pod "my-nginx-431080787-0fqx9" labeled
      pod "my-nginx-431080787-d8g3q" labeled
      pod "my-nginx-431080787-k2r4m" labeled
      $ kubectl get pods -l app=nginx -L tier
      NAME                       READY   STATUS    RESTARTS   AGE   TIER
      my-nginx-431080787-0fqx9   1/1     Running   0          1m    webserver
      my-nginx-431080787-d8g3q   1/1     Running   0          1m    webserver
      my-nginx-431080787-k2r4m   1/1     Running   0          1m    webserver
  38. Scaling Application
      $ kubectl get deployment
      NAME       DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
      my-nginx   3         3         3            3           4m
      $ kubectl get pods -l app=nginx
      NAME                       READY   STATUS    RESTARTS   AGE
      my-nginx-431080787-0fqx9   1/1     Running   0          4m
      my-nginx-431080787-d8g3q   1/1     Running   0          4m
      my-nginx-431080787-k2r4m   1/1     Running   0          4m
      $ kubectl scale deployment/my-nginx --replicas=2
      $ kubectl get pods -l app=nginx
      NAME                       READY   STATUS    RESTARTS   AGE
      my-nginx-431080787-0fqx9   1/1     Running   0          4m
      my-nginx-431080787-d8g3q   1/1     Running   0          4m
      $ kubectl delete -f my-nginx-app.yaml
  39. and more …
      In-place updates of resources
      $ kubectl apply
      $ kubectl edit
      $ kubectl patch
      $ kubectl annotate
      …
      Disruptive updates
      $ kubectl replace
      $ kubectl rolling-update
      …
      $ kubectl autoscale
      $ kubectl rolling-update
      …
      http://kubernetes.io/docs/user-guide/
      https://github.com/kubernetes/kubernetes/tree/master/examples
  40. Run 2048 w/ YAML
      $ vi my-2048.yaml
      apiVersion: v1
      kind: Service
      metadata:
        name: my-2048
        labels:
          app: my-2048
      spec:
        type: LoadBalancer
        ports:
        - port: 80
        selector:
          app: my-2048
      ---
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: my-2048
      spec:
        replicas: 1
        template:
          metadata:
            labels:
              app: my-2048
          spec:
            containers:
            - name: my-2048
              image: sdscello/2048:1
              ports:
              - containerPort: 80
      $ kubectl create -f ./my-2048.yaml
      $ kubectl get deployments
      $ kubectl get services
      * open a browser and connect to the ELB
  41. Run 2048 w/ CI and CD
      (diagram: Source Code is pushed to Github, which triggers Jenkins; Jenkins builds the image into the Registry; the Kubernetes Cluster runs it behind an ELB that the End user connects to)
  42. Storage
  43. Lifecycle of a storage volume
      Provisioning
      • Static
      • Dynamic*
      Binding
      • Control loop watches for PVC requests and satisfies them if a PV is available
      • For Dynamic, the PVC will provision a PV
      • PVC to PV binding is a one-to-one mapping
      Using
      • Cluster mounts the volume based on the PVC
      Reclaiming
      • Retain (default)
      • Recycle
      • Delete
  44. What if I need a specific volume type?
      (diagram: StorageClasses gp2, io1, sc1, encrypted io1, st1; MySQL Pods)
      1) Admin pre-provisions StorageClasses based on workload needs
      2) End user requests a specific volume type (for example, an encrypted io1 volume)
      3) Control loop watches the PVC request and allocates a volume if a PV exists
      4) End user creates the stateful workload
  45. Storage : Storage Class
      $ vi gp2-storage-class.yaml
      kind: StorageClass
      apiVersion: storage.k8s.io/v1
      metadata:
        name: gp2
      provisioner: kubernetes.io/aws-ebs
      parameters:
        type: gp2
      reclaimPolicy: Retain
      mountOptions:
      - debug
      $ kubectl create -f gp2-storage-class.yaml
      $ kubectl get storageclass
      Set gp2 as the default storage class
      $ kubectl patch storageclass gp2 -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
      $ kubectl get storageclass
      NAME            PROVISIONER             AGE
      gp2 (default)   kubernetes.io/aws-ebs   24s
  46. Storage : Persistent Volume
      $ kubectl get pv
      NAME   CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM   STORAGECLASS   REASON   AGE
      * Create a 5Gi EBS volume (replace the region and availability zone with yours)
      $ aws ec2 create-volume --size 5 --region ap-northeast-2 --availability-zone ap-northeast-2c --volume-type gp2
      {
          "AvailabilityZone": "us-east-1d",
          "CreateTime": "2018-07-02T06:29:50.000Z",
          "Encrypted": false,
          "Size": 5,
          "SnapshotId": "",
          "State": "creating",
          "VolumeId": "vol-0e9bda6cdc69834a7",
          "Iops": 100,
          "Tags": [],
          "VolumeType": "gp2"
      }
  47. Storage : Persistent Volume and Claim
      $ vi my-aws-pv.yaml
      apiVersion: "v1"
      kind: "PersistentVolume"
      metadata:
        name: "pv0001"
      spec:
        capacity:
          storage: "5Gi"
        accessModes:
        - "ReadWriteOnce"
        awsElasticBlockStore:
          fsType: "ext4"
          volumeID: "vol-0e9bda6cdc69834a7"
      $ kubectl create -f my-aws-pv.yaml
      $ vi my-aws-pvc.yaml
      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: pvc0001
      spec:
        storageClassName: ""
        volumeName: pv0001
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 5G
      $ kubectl create -f my-aws-pvc.yaml
  48. Storage : Persistent Volume and Claim
      $ vi my-aws-pvc-pod.yaml
      apiVersion: v1
      kind: Pod
      metadata:
        name: redis
      spec:
        containers:
        - name: redis
          image: redis
          volumeMounts:
          - name: pvdemo
            mountPath: /data
        volumes:
        - name: pvdemo
          persistentVolumeClaim:
            claimName: pvc0001
      $ kubectl create -f my-aws-pvc-pod.yaml
      $ kubectl describe pods redis
      Name:         redis
      Namespace:    default
      Node:         ip-172-31-36-113.ec2.internal/172.31.36.113
      Start Time:   Mon, 02 Jul 2018 17:03:26 +0900
      Labels:       <none>
      Annotations:  <none>
      Status:       Running
      IP:           172.31.34.41
      Containers:
        redis:
          Mounts:
            /data from pvdemo (rw)
            /var/run/secrets/kubernetes.io/serviceaccount from default-token-wtfrw (ro)
      Volumes:
        pvdemo:
          Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
          ClaimName:  pvc0001
          ReadOnly:   false
  49. Storage : Persistent Volume
      * log into the worker instance that is running the redis pod
      $ kubectl get pods
      NAME    READY   STATUS    RESTARTS   AGE
      redis   1/1     Running   0          5s
      $ kubectl exec -it redis -- /bin/bash
      root@redis:/data# df -h
      Filesystem      Size  Used Avail Use% Mounted on
      overlay          20G  2.8G   18G  14% /
      tmpfs           998M     0  998M   0% /dev
      tmpfs           998M     0  998M   0% /sys/fs/cgroup
      /dev/xvdbw      4.8G   20M  4.6G   1% /data
      /dev/xvda1       20G  2.8G   18G  14% /etc/hosts
      shm              64M     0   64M   0% /dev/shm
      tmpfs           998M   12K  998M   1% /run/secrets/kubernetes.io/serviceaccount
      tmpfs           998M     0  998M   0% /sys/firmware
  50. Services
  51. Services
      • A Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them - sometimes called a micro-service. The set of Pods targeted by a Service is (usually) determined by a Label Selector.
      • Let's talk about the differences between LoadBalancer, NodePort and Ingress
  52. Services : ClusterIP
      • Exposes the service on a cluster-internal IP
      • Only reachable from within the cluster
      • Access possible via kube-proxy
      • Useful for debugging services, connecting from your laptop or displaying internal dashboards
  53. Services : LoadBalancer
      • Exposes the service externally using a cloud provider's load balancer.
      • NodePort and ClusterIP services (to which the LB will route) are automatically created.
      • Each service exposed with a LoadBalancer (ELB or NLB) will get its own IP address
      • Exposes L4 (TCP) or L7 (HTTP) services
  54. Service : LoadBalancer - Sample
      $ vi my-nginx-lb.yaml
      apiVersion: v1
      kind: Service
      metadata:
        name: my-nginx-lb
        labels:
          app: nginx-lb
      spec:
        type: LoadBalancer
        ports:
        - port: 80
        selector:
          app: nginx-lb
      ---
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: my-nginx-lb
      spec:
        replicas: 3
        template:
          metadata:
            labels:
              app: nginx-lb
          spec:
            containers:
            - name: nginx-lb
              image: nginx:1.7.9
              ports:
              - containerPort: 80
      $ kubectl create -f ./my-nginx-lb.yaml
      $ kubectl get deployments
      $ kubectl get services -o wide      (find the ELB name and connect to it for a test)
      * clean up
      $ kubectl delete -f ./my-nginx-lb.yaml
  55. Services : LoadBalancer - NLB
      apiVersion: v1
      kind: Service
      metadata:
        name: nginx
        namespace: default
        labels:
          app: nginx
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
      spec:
        externalTrafficPolicy: Local
        ports:
        - name: http
          port: 80
          protocol: TCP
          targetPort: 80
        selector:
          app: nginx
        type: LoadBalancer
  56. Services : NodePort
      • Exposes the service on each Node's IP at a static port.
      • Routes to a ClusterIP service, which is automatically created.
      • From outside the cluster: <NodeIP>:<NodePort>
      • 1 service per port
      • Uses ports 30000-32767
  57. Service : NodePort - Sample
      $ vi my-nginx-np.yaml
      apiVersion: v1
      kind: Service
      metadata:
        name: my-nginx-np
        labels:
          app: nginx-np
      spec:
        type: NodePort
        ports:
        - port: 80
        selector:
          app: nginx-np
      ---
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: my-nginx-np
      spec:
        replicas: 3
        template:
          metadata:
            labels:
              app: nginx-np
          spec:
            containers:
            - name: nginx-np
              image: nginx:1.7.9
              ports:
              - containerPort: 80
      $ kubectl create -f ./my-nginx-np.yaml
      $ kubectl get deployments
      $ kubectl get services
      NAME          TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE   SELECTOR
      my-nginx-np   NodePort   10.100.90.163   <none>        80:31923/TCP   4s    app=nginx-np
  58. Service : NodePort - Sample
      $ kubectl describe services my-nginx-np
      Name:                     my-nginx-np
      Namespace:                default
      Labels:                   app=nginx-np
      Annotations:              <none>
      Selector:                 app=nginx-np
      Type:                     NodePort
      IP:                       10.100.90.163
      Port:                     <unset>  80/TCP
      TargetPort:               80/TCP
      NodePort:                 <unset>  31923/TCP
      Endpoints:                172.31.31.134:80,172.31.41.219:80,172.31.76.169:80
      Session Affinity:         None
      External Traffic Policy:  Cluster
      Events:                   <none>
      The ClusterIP is reachable from any Pod running in the cluster. 31923 is the port the workers listen on; you can reach the Pod from the internet if you open that port in the workers' security group.
  59. Service : NodePort - Sample
      $ kubectl run -i --tty --image busybox test --restart=Never --rm /bin/sh
      # wget -qO- 10.100.90.163
      <!DOCTYPE html>
      <html>
      <head>
      <title>Welcome to nginx!</title>
      <style>
          body {
              width: 35em;
              margin: 0 auto;
              font-family: Tahoma, Verdana, Arial, sans-serif;
          }
      </style>
      </head>
      <body>
      <h1>Welcome to nginx!</h1>
      …
      </html>
      # exit
  60. Service : NodePort - Sample
      * Update the security group to allow access to the workers from the internet
      * Note the public IP of every worker and try to connect to each node on the same port
      $ curl 54.89.86.193:31923
      <!DOCTYPE html>
      <html>
      <head>
      <title>Welcome to nginx!</title>
      <style>
          body {
              width: 35em;
              margin: 0 auto;
              font-family: Tahoma, Verdana, Arial, sans-serif;
          }
      </style>
      </head>
      <body>
      <h1>Welcome to nginx!</h1>
      …
      * clean up
      $ kubectl delete -f ./my-nginx-np.yaml
  61. Services : Ingress
      • Unlike all the above examples, Ingress is actually NOT a type of service. Instead, it sits in front of multiple services and acts as a "smart router" or entrypoint into your cluster.
      • The demo is at the end of the deck because it requires helm for the ingress controller
  62. Helm
  63. Helm from DEIS
  64. What is Helm?
      • Helm helps you manage Kubernetes applications
      • Helm Charts help you define, install, and upgrade even the most complex Kubernetes application.
      • Charts are easy to create, version, share, and publish
      • so start using Helm and stop the copy-and-paste madness.
      https://github.com/kubernetes/helm
  65. Preparation - helm
      $ kubectl create serviceaccount --namespace kube-system tiller
      $ kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
      $ helm init --service-account tiller
      $ kubectl get pods --all-namespaces
      kube-system   tiller-deploy-f5597467b-z6vrm   1/1   Running   0   7m
  66. Wordpress - helm
      $ helm search
      NAME                            VERSION   DESCRIPTION
      stable/acs-engine-autoscaler    2.1.1     Scales worker nodes within agent pools
      stable/aerospike                0.1.5     A Helm chart for Aerospike in Kubernetes
      stable/artifactory              6.2.0     Universal Repository Manager supporting all maj...
      stable/aws-cluster-autoscaler   0.3.1     Scales worker nodes within autoscaling groups.
      stable/buildkite                0.2.0     Agent for Buildkite
      stable/centrifugo               2.0.0     Centrifugo is a real-time messaging server.
      stable/chaoskube                0.6.0     Chaoskube periodically kills random pods in you...
      stable/chronograf               0.3.0     Open-source web application written in Go and R...
      stable/cluster-autoscaler       0.2.1     Scales worker nodes within autoscaling groups.
      stable/cockroachdb              0.5.1     CockroachDB is a scalable, survivable, strongly...
      …
      stable/testlink                 0.4.15    Web-based test management system that facilitat...
      stable/traefik                  1.14.2    A Traefik based Kubernetes ingress controller w...
      stable/uchiwa                   0.2.2     Dashboard for the Sensu monitoring framework
      stable/voyager                  2.0.0     Voyager by AppsCode - Secure Ingress Controller...
      stable/weave-cloud              0.1.2     Weave Cloud is a add-on to Kubernetes which pro...
      stable/wordpress                0.7.4     Web publishing platform for building blogs and ...
      stable/zeppelin                 1.0.0     Web-based notebook that enables data-driven, in...
      stable/zetcd                    0.1.4     CoreOS zetcd Helm chart for Kubernetes
  67. Wordpress - helm
      $ helm install stable/wordpress
      RESOURCES:
      ==> v1/Secret
      NAME                       TYPE     DATA   AGE
      lumpy-mandrill-mariadb     Opaque   2      2s
      lumpy-mandrill-wordpress   Opaque   2      2s
      ==> v1/PersistentVolumeClaim
      NAME                       STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
      lumpy-mandrill-mariadb     Bound    pvc-883cf38a-d348-11e7-9922-02c08f5229fc   8Gi        RWO            gp2            2s
      lumpy-mandrill-wordpress   Bound    pvc-883da980-d348-11e7-9922-02c08f5229fc   10Gi       RWO            gp2            2s
      ==> v1/Service
      NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP        PORT(S)                      AGE
      lumpy-mandrill-mariadb     ClusterIP      10.100.235.4   <none>             3306/TCP                     2s
      lumpy-mandrill-wordpress   LoadBalancer   10.100.33.99   a88484869d348...   80:30079/TCP,443:32070/TCP   2s
  68. Wordpress - helm
      $ helm install stable/wordpress
      NOTES:
      1. Get the WordPress URL:
         NOTE: It may take a few minutes for the LoadBalancer IP to be available.
               Watch the status with: 'kubectl get svc --namespace default -w lumpy-mandrill-wordpress'
         export SERVICE_IP=$(kubectl get svc --namespace default lumpy-mandrill-wordpress -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
         echo http://$SERVICE_IP/admin
      2. Login with the following credentials to see your blog
         echo Username: user
         echo Password: $(kubectl get secret --namespace default lumpy-mandrill-wordpress -o jsonpath="{.data.wordpress-password}" | base64 --decode)
  69. Wordpress - helm
      $ kubectl get services
      NAME                     TYPE           CLUSTER-IP       EXTERNAL-IP        PORT(S)                      AGE
      kubernetes               ClusterIP      10.100.0.1       <none>             443/TCP                      1d
      zooming-frog-mariadb     ClusterIP      10.100.160.162   <none>             3306/TCP                     8m
      zooming-frog-wordpress   LoadBalancer   10.100.209.213   a4e9a5ae47c61...   80:32573/TCP,443:32191/TCP   8m
      $ kubectl describe service zooming-frog-wordpress
      Name:                     zooming-frog-wordpress
      Namespace:                default
      Labels:                   app=zooming-frog-wordpress
                                chart=wordpress-1.0.9
                                heritage=Tiller
                                release=zooming-frog
      Annotations:              <none>
      Selector:                 app=zooming-frog-wordpress
      Type:                     LoadBalancer
      IP:                       10.100.209.213
      LoadBalancer Ingress:     a4e9a5ae47c6111e8a86112fe8484ed4-1956022530.us-east-1.elb.amazonaws.com
      Port:                     http  80/TCP
      TargetPort:               http/TCP
      NodePort:                 http  32573/TCP
  70. Wordpress - helm
      $ kubectl get secret --namespace default lumpy-mandrill-wordpress -o jsonpath="{.data.wordpress-password}" | base64 --decode
      * Open a browser and connect to the Wordpress site and the admin site
  71. Wordpress - helm
      $ ls -al ~/.helm/cache/archive
      total 64
      drwxr-xr-x  4 kimsaeho  ANTDomain Users    136 Jun  1 11:58 .
      drwxr-xr-x  3 kimsaeho  ANTDomain Users    102 May 11 17:36 ..
      -rw-r--r--  1 kimsaeho  ANTDomain Users  15532 Jun 30 21:29 wordpress-1.0.9.tgz
      $ tar xvfz ~/.helm/cache/archive/wordpress-1.0.9.tgz -C .
      Look at some of the important files (Chart.yaml, values.yaml) that define how the package deploys the application.
      $ helm ls
      NAME           REVISION   UPDATED                    STATUS     CHART             NAMESPACE
      zooming-frog   1          Sat Jun 30 21:30:00 2018   DEPLOYED   wordpress-1.0.9   default
      * clean up
      $ helm delete --purge zooming-frog
  72. 72. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Services : Ingress
  73. 73. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Services : Ingress • exposes HTTP/HTTPS routes to services within the cluster • Many implementations: ALB, Nginx, F5, HAProxy etc • Default Service Type: ClusterIP
  74. 74. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ALB Ingress Controller AWS Resources Kubernetes Cluster Node Node Kubernetes API Server ALB Ingress Controller Node HTTP ListenerHTTPS Listener Rule: /cheesesRule: /charcuterie TargetGroup: Green (IP Mode) TargetGroup: Blue (Instance Mode) NodePort NodePort
  75. 75. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Service : Ingress - Sample - Extended ELBingress-*.popori.net Nginx Ingress ingress-nginx.popori.net Ingress-tutum.popori.net Jenkins Github Registry build push pull run
  76. 76. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Service : Ingress - Sample $ helm install stable/nginx-ingress --name=nginx-ingress --namespace=kube-system --set rbac.create=true NAME: nginx-ingress LAST DEPLOYED: Sun Jul 1 00:35:45 2018 NAMESPACE: kube-system STATUS: DEPLOYED ==> v1/Service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE nginx-ingress-controller LoadBalancer 10.100.198.62 <pending> 80:30396/TCP,443:30752/TCP 1s nginx-ingress-default-backend ClusterIP 10.100.170.212 <none> 80/TCP 1s ==> v1/Pod(related) NAME READY STATUS RESTARTS AGE nginx-ingress-controller-67b9bf4c56-plhgf 0/1 Running 0 1s nginx-ingress-default-backend-d676cbb5f-xcbzf 0/1 ContainerCreating 0 1s NOTES: The nginx-ingress controller has been installed. It may take a few minutes for the LoadBalancer IP to be available. You can watch the status by running 'kubectl --namespace kube-system get services -o wide -w nginx-ingress- controller'
77. Service : Ingress - Sample
$ vi my-nginx-ingress.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    app: nginx
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    app: nginx
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-nginx
spec:
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: sdscello/nginx
        ports:
        - containerPort: 80

$ kubectl create -f ./my-nginx-ingress.yaml
$ kubectl get deployments
$ kubectl get services -o wide

78. Service : Ingress - Sample
$ vi my-nginx-ingress-expose.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-nginx-ingress
spec:
  rules:
  - host: ingress.popori.net
    http:
      paths:
      - path: /
        backend:
          serviceName: my-nginx
          servicePort: 80

* If you don't have your own domain, you can use the ELB DNS name instead

$ kubectl create -f ./my-nginx-ingress-expose.yaml
$ kubectl get services -o wide
$ kubectl describe ingress my-nginx-ingress
Name:             my-nginx-ingress
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host                Path  Backends
  ----                ----  --------
  ingress.popori.net  /     my-nginx:80 (<none>)
Annotations: …

* Connect to your domain and make sure you can see the nginx index page

79. Service : Ingress - Sample
Let's run another pod
$ vi my-tutum-ingress.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-tutum
  labels:
    app: tutum
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    app: tutum
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-tutum
spec:
  replicas: 3
  template:
    metadata:
      labels:
        app: tutum
    spec:
      containers:
      - name: tutum
        image: tutum/hello-world
        ports:
        - containerPort: 80

$ kubectl create -f ./my-tutum-ingress.yaml
$ kubectl get deployments
$ kubectl get services -o wide

80. Service : Ingress - Sample
$ kubectl edit ingress my-nginx-ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-nginx-ingress
  namespace: default
spec:
  rules:
  - host: ingress.popori.net
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 80
        path: /
      - backend:
          serviceName: my-tutum
          servicePort: 80
        path: /tutum
status:
  loadBalancer:
    ingress:
    - {}

Add the second path entry (serviceName: my-tutum, path: /tutum) so that requests for /tutum are routed to the my-tutum pods.

81. Service : Ingress - Sample
$ curl http://ingress.popori.net
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
…
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

$ curl http://ingress.popori.net/tutum
<html>
<head>
<title>Hello world!</title>
<link href='http://fonts.googleapis.com/css?family=Open+Sans:400,700' rel='stylesheet' type='text/css'>
…
</head>
<body>
<img id="logo" src="logo.png" />
<h1>Hello world!</h1>
<h3>My hostname is my-tutum-8479747799-8jqks</h3>
<h3>Links found</h3>
<b>MY_TUTUM</b> listening in 80 available at tcp://10.100.253.39:80<br />
<b>MY_NGINX</b> listening in 80 available at tcp://10.100.50.246:80<br />
<b>KUBERNETES</b> listening in 443 available at tcp://10.100.0.1:443<br />
</body>
</html>
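To make the routing decision behind the two curl results explicit, here is an added Python example (not code from the slides or from any ingress controller) that resolves a request against the edited Ingress: host match first, then the longest matching path prefix, with everything else sent to the default backend named in the describe output. It assumes element-wise prefix semantics (the Prefix pathType of networking.k8s.io/v1); the extensions/v1beta1 Ingress used on the slides left exact path matching to the controller, so the /tutumx case below is worth checking against the controller you run.

```python
"""Resolve a request against Ingress rules the way a controller would.

Added example, not code from the slides or from any ingress controller.
Assumes element-wise prefix matching (networking.k8s.io/v1 'Prefix'
semantics) and a default backend for requests that match no rule.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    host: Optional[str]   # None means the rule applies to any host
    path: str             # path prefix
    service: str
    port: int


# The two rules from the edited my-nginx-ingress on the slides
RULES: List[Rule] = [
    Rule("ingress.popori.net", "/", "my-nginx", 80),
    Rule("ingress.popori.net", "/tutum", "my-tutum", 80),
]

# From the 'Default backend' line of the describe output on the slides
DEFAULT_BACKEND: Tuple[str, int] = ("default-http-backend", 80)


def prefix_matches(prefix: str, path: str) -> bool:
    """Element-wise prefix match: '/tutum' matches '/tutum' and '/tutum/x',
    but not '/tutumx' (a plain string prefix would match that too)."""
    if prefix == "/":
        return True
    p = prefix.rstrip("/")
    return path == p or path.startswith(p + "/")


def resolve(host: str, path: str, rules: List[Rule] = RULES) -> Tuple[str, int]:
    """Return (service, port) for a request; the longest matching prefix wins."""
    best: Optional[Rule] = None
    for rule in rules:
        if rule.host is not None and rule.host != host:
            continue
        if not prefix_matches(rule.path, path):
            continue
        if best is None or len(rule.path) > len(best.path):
            best = rule
    if best is None:
        # No host/path rule matched: the controller hands the request to the
        # default backend, which is why an unlisted host gets its 404 page.
        return DEFAULT_BACKEND
    return (best.service, best.port)


if __name__ == "__main__":
    for host, path in [("ingress.popori.net", "/"),
                       ("ingress.popori.net", "/tutum"),
                       ("ingress.popori.net", "/tutumx"),
                       ("other.example", "/tutum")]:
        print(host, path, "->", resolve(host, path))
```

The last case is the one to remember when exposing services this way: a request for a host that no rule lists never reaches my-nginx or my-tutum, it lands on the default backend, so the default backend is part of your exposed surface too.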
82. StatefulSet

83. Statefulset Properties
• Network identifiers
• Persistent storage
• Ordered, graceful deployment and scaling
• Ordered, graceful termination
• Ordered rolling updates
• If none of these fit your portfolio, use a Deployment or ReplicaSet

84. StatefulSet
1) Define a headless service, the StatefulSet and a PVC
2) The control loop allocates a PV based on the PVC request (StorageClass: gp2, io1, sc1, encrypted io1, st1)
3) Kubernetes creates the StatefulSet MySQL Pods: mysql-0, mysql-1, mysql-2, mysql-3 (stable network identifiers, ordered deployment)

85. StatefulSet
1) Define a headless service, the StatefulSet and a PVC
2) The control loop allocates a PV based on the PVC request
3) Kubernetes creates the StatefulSet MySQL Pods: mysql-0, mysql-1, mysql-2, mysql-3; scaling out adds mysql-4 (ordered scaling)

86. StatefulSet
• StatefulSets are intended to be used with stateful applications and distributed systems.
• Like a Deployment, a StatefulSet manages Pods that are based on an identical container spec. Unlike a Deployment, a StatefulSet maintains a sticky identity for each of its Pods. These Pods are created from the same spec, but are not interchangeable: each has a persistent identifier that it maintains across any rescheduling.
87. StatefulSet - Sample
$ vi my-nginx-ss.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    app: my-nginx
spec:
  ports:
  - port: 80
  clusterIP: None
  selector:
    app: my-nginx
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: my-web
spec:
  serviceName: "my-nginx"
  replicas: 2
  selector:
    matchLabels:
      app: my-nginx
  template:
    metadata:
      labels:
        app: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
        volumeMounts:
        - name: my-pv
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: my-pv
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 1Gi

88. StatefulSet - Sample
$ kubectl get pods -w
NAME      READY  STATUS             RESTARTS  AGE
my-web-0  0/1    Pending            0         7s
my-web-0  0/1    Pending            0         15s
my-web-0  0/1    ContainerCreating  0         15s
my-web-0  1/1    Running            0         24s
my-web-1  0/1    Pending            0         0s
my-web-1  0/1    Pending            0         0s
my-web-1  0/1    Pending            0         6s
my-web-1  0/1    ContainerCreating  0         6s
my-web-1  1/1    Running            0         16s

* In a StatefulSet with N replicas, Pods are created sequentially, in order from {0..N-1}.
* Notice that the my-web-1 Pod is not launched until the my-web-0 Pod is Running and Ready.

89. StatefulSet - Sample
$ kubectl get services
NAME        TYPE       CLUSTER-IP  EXTERNAL-IP  PORT(S)  AGE
kubernetes  ClusterIP  10.100.0.1  <none>       443/TCP  6d
my-nginx    ClusterIP  None        <none>       80/TCP   1m

$ kubectl get statefulset
NAME    DESIRED  CURRENT  AGE
my-web  2        2        1m

$ kubectl get pods
NAME      READY  STATUS   RESTARTS  AGE
my-web-0  1/1    Running  0         2m
my-web-1  1/1    Running  0         2m

$ kubectl exec -it my-web-0 -- /bin/bash
root@my-web-0:/# df -h
Filesystem  Size  Used  Avail  Use%  Mounted on
overlay     20G   3.0G  18G    15%   /
tmpfs       998M  0     998M   0%    /dev
/dev/xvdbp  976M  2.6M  907M   1%    /usr/share/nginx/html

90. StatefulSet - Sample
$ for i in 0 1; do kubectl exec my-web-$i -- sh -c 'hostname'; done
my-web-0
my-web-1
$ for i in 0 1; do kubectl exec my-web-$i -- sh -c 'echo $(hostname) > /usr/share/nginx/html/index.html'; done
$ for i in 0 1; do kubectl exec my-web-$i -- sh -c 'apt-get -qq update; apt-get -y install curl'; done
$ for i in 0 1; do kubectl exec -it my-web-$i -- sh -c 'curl localhost'; done
my-web-0
my-web-1

91. StatefulSet - Sample
$ kubectl run -i --tty --image busybox test --restart=Never --rm /bin/sh
# nslookup my-web-0.my-nginx
Server:    10.100.0.10
Address 1: 10.100.0.10 kube-dns.kube-system.svc.cluster.local

Name:      my-web-0.my-nginx
Address 1: 172.31.34.41 my-web-0.my-nginx.default.svc.cluster.local
# wget -qO- my-web-0.my-nginx.default.svc.cluster.local
my-web-0

92. StatefulSet - Sample
$ kubectl get pods -w -l app=my-nginx
NAME      READY  STATUS             RESTARTS  AGE
my-web-0  1/1    Running            0         2d
my-web-1  1/1    Running            0         2d
my-web-0  1/1    Terminating        0         2d
my-web-1  1/1    Terminating        0         2d
my-web-0  0/1    Terminating        0         2d
my-web-1  0/1    Terminating        0         2d
my-web-0  0/1    Terminating        0         2d
my-web-0  0/1    Terminating        0         2d
my-web-0  0/1    Pending            0         1s
my-web-0  0/1    Pending            0         1s
my-web-0  0/1    ContainerCreating  0         1s
my-web-1  0/1    Terminating        0         2d
my-web-1  0/1    Terminating        0         2d
my-web-0  1/1    Running            0         11s
my-web-1  0/1    Pending            0         1s
my-web-1  0/1    Pending            0         1s
my-web-1  0/1    ContainerCreating  0         1s
my-web-1  1/1    Running            0         1m

(in a second terminal, while the watch above is running)
$ kubectl delete pods -l app=my-nginx
pod "my-web-0" deleted
pod "my-web-1" deleted

93. StatefulSet - Sample
$ for i in 0 1; do ../../kubectl exec -it my-web-$i -- sh -c 'df -h | grep html'; done
/dev/xvdbp  976M  2.6M  907M  1%  /usr/share/nginx/html
/dev/xvdcv  976M  2.6M  907M  1%  /usr/share/nginx/html
$ for i in 0 1; do ../../kubectl exec -it my-web-$i -- sh -c 'curl localhost'; done
sh: 1: curl: not found
command terminated with exit code 127
sh: 1: curl: not found
command terminated with exit code 127
$ for i in 0 1; do kubectl exec my-web-$i -- sh -c 'apt-get -qq update; apt-get -y install curl'; done
$ for i in 0 1; do kubectl exec -it my-web-$i -- sh -c 'curl localhost'; done
my-web-0
my-web-1

Because new Pods have been launched, the manually installed curl no longer exists in them. But the contents (index.html) stored on the EBS volume are still available, because each Pod was re-attached to the same PVC.

94. 57% of Kubernetes workloads run on AWS today — Cloud Native Computing Foundation
96. What is Amazon EKS?
• Amazon Elastic Container Service for Kubernetes (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on AWS without needing to stand up or maintain your own Kubernetes control plane. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications.

97. Kubernetes on AWS
Managed Kubernetes on AWS: highly available, automated version upgrades, integration with other AWS services
[Diagram: managed Kubernetes control plane (Master, etcd) integrated with CloudTrail, CloudWatch, ELB, IAM, VPC, PrivateLink]

98. Kubernetes on AWS
3x Kubernetes masters for HA

99.
[Diagram: three Availability Zones, each with a Master (AWS managed) and Workers (customer account)]

100. EKS Control Plane

101. EKS Architecture
[Diagram: kubectl talks to the cluster endpoint mycluster.eks.amazonaws.com, whose control plane spans Availability Zones 1, 2 and 3]

102. EKS Architecture
[Diagram: Customer VPC with worker nodes and an EKS-owned ENI; EKS VPC hosting the control plane. Kubernetes API calls from the workers reach the control plane over the Internet; exec, logs and proxy traffic from the control plane reaches the workers through the EKS-owned ENI]

103. EKS Architecture

104. CloudWatch Integration

105. EKS Architecture
(same diagram as slide 102: Customer VPC, EKS VPC, EKS-owned ENI, Kubernetes API calls, exec/logs/proxy)

106. Kubernetes Control Plane
• Highly available and single-tenant infrastructure
• All "native AWS" components
• Fronted by an NLB
[Diagram: a VPC spanning AZ-1, AZ-2 and AZ-3 with an API Server ASG and an etcd ASG (instances in each AZ) behind an NLB]

107. Kubernetes Control Plane
[Diagram: Master Node running the API Server, Scheduler, Controller Manager, Cloud Controller Manager and etcd]

108. What happens when I run 'kubectl create -f pods.yaml'?
109. IAM Authentication
1) kubectl passes the AWS identity to the K8s API
2) AWS Auth verifies the AWS identity
3) The K8s API authorizes the AWS identity with RBAC
4) The K8s action is allowed/denied

110. Kubernetes Control Plane
[Diagram: kubectl talking to the API Server of the Master Node, which also runs the Scheduler, Controller Manager, Cloud Controller Manager and etcd]

111. Kubernetes Control Plane
[Diagram: kubectl → API Server → Authentication (webhook to aws-iam-authenticator) → Authorization (RBAC) → Admission Controllers (Mutating Webhook, Validation Webhook)]

112. kubectl configuration
# [...]
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args:
      - "token"
      - "-i"
      - "CLUSTER_ID"
      - "-r"
      - "ROLE_ARN"
      # no client certificate/key needed here!

113. Cluster Authentication and Authorization
• The IAM user or role that creates the EKS cluster gains admin privileges
• This "super" user/role can then add additional IAM users or roles and configure RBAC permissions
• To add them, configure the aws-auth ConfigMap:
  kubectl edit -n kube-system configmap/aws-auth

114. aws-auth configuration
apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::555555555555:role/devel-worker-nodes-NodeInstanceRole-74RF4UBDUKL6
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    - userarn: arn:aws:iam::555555555555:user/admin
      username: admin
      groups:
        - system:masters
    - userarn: arn:aws:iam::555555555555:user/john
      username: john
      groups:
        - pod-admin # k8s RBAC group
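Every entry in aws-auth is a grant of cluster access, and the ConfigMap above already shows the two cases that deserve a second look: an identity in system:masters (cluster-admin) and IAM users mapped directly rather than through a role. The Python audit below is an added example (not AWS or EKS project code) that reads the mapRoles/mapUsers blocks in the shape returned by `kubectl get configmap aws-auth -n kube-system -o json` and flags those cases plus node-role entries that deviate from the standard system:bootstrappers/system:nodes pair. The ConfigMap content is the slide's, embedded as a constructed dict; the small parser understands only the flat list-of-maps layout shown there, not arbitrary YAML.

```python
"""Audit the aws-auth ConfigMap for risky identity mappings.

Added example, not AWS or EKS project code. AWS_AUTH is a constructed dict
in the shape returned by
  kubectl get configmap aws-auth -n kube-system -o json
holding the mapping from the slide. The parser below understands only the
flat list-of-maps layout shown there (one block-style 'groups' list per
entry), not arbitrary YAML.
"""
import re
from typing import Dict, List, Tuple

ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")
NODE_GROUPS = {"system:bootstrappers", "system:nodes"}

AWS_AUTH: Dict = {
    "data": {
        "mapRoles": (
            "- rolearn: arn:aws:iam::555555555555:role/devel-worker-nodes-NodeInstanceRole-74RF4UBDUKL6\n"
            "  username: system:node:{{EC2PrivateDNSName}}\n"
            "  groups:\n"
            "    - system:bootstrappers\n"
            "    - system:nodes\n"
        ),
        "mapUsers": (
            "- userarn: arn:aws:iam::555555555555:user/admin\n"
            "  username: admin\n"
            "  groups:\n"
            "    - system:masters\n"
            "- userarn: arn:aws:iam::555555555555:user/john\n"
            "  username: john\n"
            "  groups:\n"
            "    - pod-admin # k8s RBAC group\n"
        ),
    }
}


def parse_mapping(block: str) -> List[Dict]:
    """Parse a mapRoles/mapUsers block into dicts, each with a 'groups' list."""
    entries: List[Dict] = []
    entry_indent = None
    in_groups = False
    for raw in block.splitlines():
        raw = raw.split(" #", 1)[0]             # drop trailing comments
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if line.startswith("- ") and (entry_indent is None or indent == entry_indent):
            entry_indent = indent                # a list item at entry level starts a new entry
            in_groups = False
            entries.append({"groups": []})
            line = line[2:]
        elif line.startswith("- ") and in_groups:
            entries[-1]["groups"].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")     # split on the first ':' only; values contain ':'
        key, value = key.strip(), value.strip()
        if key == "groups" and value == "":
            in_groups = True
        else:
            in_groups = False
            entries[-1][key] = value
    return entries


def audit(configmap: Dict) -> List[Tuple[str, str, str]]:
    """Return (severity, arn, message) findings for every mapping."""
    data = configmap.get("data", {})
    entries = [("role", e) for e in parse_mapping(data.get("mapRoles", ""))]
    entries += [("user", e) for e in parse_mapping(data.get("mapUsers", ""))]
    findings: List[Tuple[str, str, str]] = []
    for kind, e in entries:
        arn = e.get("rolearn" if kind == "role" else "userarn", "")
        groups = set(e["groups"])
        if not ARN_RE.match(arn):
            findings.append(("HIGH", arn, "malformed or unexpected ARN"))
        if "system:masters" in groups:
            findings.append(("HIGH", arn, "mapped to system:masters (full cluster admin)"))
        if e.get("username", "").startswith("system:node:"):
            # Worker nodes must be roles carrying exactly the two standard groups
            if kind != "role" or groups != NODE_GROUPS:
                findings.append(("HIGH", arn, "node identity with non-standard mapping"))
        elif groups & NODE_GROUPS:
            findings.append(("HIGH", arn, "non-node identity placed in node groups"))
        if kind == "user":
            findings.append(("MEDIUM", arn, "IAM user mapped directly; prefer an IAM role"))
    return findings


if __name__ == "__main__":
    for severity, arn, message in audit(AWS_AUTH):
        print(f"{severity:6} {arn}: {message}")
```

Run against the slide's ConfigMap it reports the admin user twice (system:masters, direct IAM user) and john once (direct IAM user), and nothing for the node role, which is the expected baseline: the cluster creator's super-user mapping is the one entry that should be a tightly held identity.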
115. EKS Data Plane

116. EKS Architecture
(same diagram as slide 102: Customer VPC with worker nodes and the EKS-owned ENI, EKS VPC, Kubernetes API calls, exec/logs/proxy)

117. Kubernetes Data Plane
[Diagram: Worker Node running kubelet, kube-proxy, aws-node (the CNI plugin), kube-dns and the container runtime, talking to the Control Plane API]

118.
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Requires=docker.service

[Service]
ExecStartPre=/sbin/iptables -P FORWARD ACCEPT
ExecStart=/usr/bin/kubelet --cloud-provider aws \
    --config /etc/kubernetes/kubelet/kubelet-config.json \
    --allow-privileged=true \
    --kubeconfig /var/lib/kubelet/kubeconfig \
    --container-runtime docker \
    --network-plugin cni \
    $KUBELET_ARGS $KUBELET_EXTRA_ARGS
Restart=on-failure
RestartForceExitStatus=SIGPIPE
RestartSec=5
KillMode=process

[Install]
WantedBy=multi-user.target

119. EKS AMI Build Scripts
https://github.com/awslabs/amazon-eks-ami
• Source of truth for the EKS Optimized AMI
• Easily build your own EKS AMI
• Build assets for the EKS AMI for each supported Kubernetes version

120. EKS Optimized AMI with GPU Support
• Easily run TensorFlow/Kubeflow on Amazon EKS
• Includes NVIDIA packages to support Amazon P2 and P3 instances
• Available on AWS Marketplace

121. Worker Node Setup – Bootstrapping
/etc/eks/bootstrap.sh <cluster-name> [options]
• Uses UserData for configuring system resources and extra Kubelet config
• Reserves compute resources for system daemons (Kubelet, container runtime) and sets Pod eviction thresholds

122. EKS Upgrades

123. Kubernetes Version
• Versions supported: 1.10.11, 1.11.5
• EKS will support up to 3 versions of Kubernetes at once
• "Deprecation" will prevent new cluster creation on an old version

124. Container Services Roadmap
https://github.com/aws/containers-roadmap

125. EKS Platform Version
• Platform Version revisions represent API server configuration changes or Kubernetes patches
• Platform Versions increment within a Kubernetes version only

126. EKS Platform Version

127. EKS Kubernetes Version Updates
• New UpdateClusterVersion API supports in-place updates of the Kubernetes version
• Introduces an "update" EKS API object
• ListUpdates and DescribeUpdate APIs provide visibility into the status of a given update

128. Updating Worker Nodes
Two options:
1) Create a new node group with the latest EKS AMI >> taint old nodes >> drain old nodes >> terminate the old CFN template
2) Simply update the AMI in the CFN template; the "rolling" replacement policy terminates nodes (downside: ungraceful termination of applications)

129. Kubernetes 1.12 Release

130. EKS Networking & Load Balancing
131. AWS VPC CNI Plugin
[Diagram: VPC subnet 10.0.0.0/24; Instance 1 with an ENI holding secondary IPs 10.0.0.1 and 10.0.0.2, Instance 2 with an ENI holding secondary IPs 10.0.0.20 and 10.0.0.22; each pod gets one of the ENI's secondary IPs, allocated via ec2.associateaddress()]

132. AWS VPC CNI plugin – understanding IP allocation
Primary CIDR range → RFC 1918 addresses → 10/8, 172.16/12, 192.168/16
Used in EKS for:
• Pods
• Cross-account ENIs for masters → workers communication (exec, logs, proxy etc.)
• Internal Kubernetes services network (10.100/16 or 172.20/16, chosen based on your VPC range)
Setup:
• EKS cluster creation → provide a list of subnets (in at least 2 AZs!) → tagging

133. AWS VPC CNI plugin – understanding IP allocation
Secondary CIDR ranges (new!) → non-RFC 1918 address blocks (100.64.0.0/10 and 198.19.0.0/16)
Used in EKS for:
• Pods only
How? (requires CNI 1.2.1+)
• EKS custom network config → enable → create ENIConfig CRD → annotate nodes

134. Load Balancing
• All three AWS Elastic Load Balancing products are supported
• NLB and CLB are supported by Kubernetes Service type=LoadBalancer
• Internal and external load balancer support

135. Load Balancing
Want to use an internal load balancer? Use the annotation:
  service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
Want to use an NLB? Use the annotation:
  service.beta.kubernetes.io/aws-load-balancer-type: nlb

136. ALB Ingress Controller
• Production-ready 1.0 release
• Supported by the Amazon EKS team
• Open source development: https://github.com/kubernetes-sigs/aws-alb-ingress-controller
• Customers are using it in production today!

137. ALB Ingress Controller
[Diagram: an Ingress resource is created via kubectl or the API; the ALB Ingress Controller running in the cluster watches the Kubernetes API Server and creates the AWS resources: an ALB with HTTP and HTTPS listeners, rules for /cheeses and /charcuterie, TargetGroup Green (IP mode, pod IPs) and TargetGroup Blue (Instance mode, via NodePort)]

138. Windows Support

139. CSI Drivers for EFS and FSx Lustre

140. AWS App Mesh GA

141. Get Started
https://eksworkshop.com
Modules:
• Health Checks
• Logging with Elasticsearch, Fluentd, and Kibana (EFK)
• Monitoring using Prometheus and Grafana
• Service mesh with Istio
• Stateful Containers using StatefulSets
142. VPC Integration
Launch your Fargate Tasks into subnets
Under the hood:
• We create an Elastic Network Interface (ENI)
• The ENI is allocated a private IP from your subnet
• The ENI is attached to your task
• Your task now has a private IP from your subnet!
You can assign public IPs to your tasks
Configure security groups to control inbound & outbound traffic
[Diagram: VPC 172.31.0.0/16 with subnet 172.31.1.0/24; a Fargate Task with an ENI holding private IP 172.31.1.164 and public IP 208.57.73.13, alongside other entities in the VPC (EC2, LB, DB etc.)]

143. VPC Configuration
Task Definition:
{
  "family": "scorekeep",
  "cpu": "1 vCpu",
  "memory": "2 gb",
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {
      "name": "scorekeep-frontend",
      "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/fe",
      "cpu": 256,
      "memoryReservation": 512
    },
    {
      "name": "scorekeep-api",
      "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/api",
      "cpu": 768,
      "memoryReservation": 512
    }
  ]
}
"networkMode": "awsvpc" enables ENI creation & attachment to the Task

Run Task:
$ aws ecs run-task ... --task-definition scorekeep:1 --network-configuration "awsvpcConfiguration={subnets=[subnet1-id,subnet2-id],securityGroups=[sg-id]}"

144. Private Task Setup
Attach an Internet Gateway to the VPC (172.31.0.0/16)
Set up a public subnet (172.31.2.0/24) with
• a route to the Internet Gateway
• a NAT Gateway (public EIP 34.214.162.237)
Set up a private subnet (172.31.1.0/24) with
• the Fargate Task (ENI with private IP 172.31.1.164)
• a route to the NAT Gateway
Route tables:
  Public subnet:   172.31.0.0/16 → local, 0.0.0.0/0 → Internet Gateway
  Private subnet:  172.31.0.0/16 → local, 0.0.0.0/0 → NAT Gateway
Security group to allow outbound traffic:
  Outbound rule: All Traffic, port ALL, destination 0.0.0.0/0

145. Public Task Setup
Launch the task into a public subnet (172.31.2.0/24) and give it a public IP address (54.191.135.66)
$ aws ecs run-task ... --network-configuration "awsvpcConfiguration={subnets=[public-subnet],securityGroups=[sg-id],assignPublicIp=ENABLED}"
Route table: 172.31.0.0/16 → local, 0.0.0.0/0 → Internet Gateway
Security group to allow the expected inbound traffic:
  Inbound rule:  HTTP, port 8080, source 0.0.0.0/0
  Outbound rule: All Traffic, port ALL, destination 0.0.0.0/0

146. Internet Facing ELB VPC Setup
Task in a private subnet (172.31.1.0/24) with private IP 172.31.1.16, listening on :8080
ALB in a public subnet (172.31.2.0/24)
ALB security group to allow inbound traffic from the internet:
  Inbound rule: HTTP, port 80, source 0.0.0.0/0
Task security group to allow inbound traffic from the ALB security group only:
  Inbound rule: Custom TCP, port 8080, source ALB Security Group
Route tables:
  Public subnet:   172.31.0.0/16 → local, 0.0.0.0/0 → Internet G/W
  Private subnet:  172.31.0.0/16 → local, 0.0.0.0/0 → NAT G/W
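The three setups above differ only in where the task sits, whether it gets a public IP, and what its security group admits, so they can be checked mechanically. The following Python check is an added example (not AWS code): ELB_SETUP is a constructed model of the Internet Facing ELB setup (subnets with their route tables, the two security groups, the ALB and the task; gateway ids are placeholders), and check() returns findings for the things that break these patterns: a task with no egress path for image pulls and log pushes, a task security group open to 0.0.0.0/0 when an ALB is supposed to be the only entry point, and an ALB security group that cannot reach the container port. Two helper builders produce the weakened variant and the Public Task Setup for comparison.

```python
"""Check a Fargate task's VPC placement against the patterns on the slides.

Added example, not AWS code. ELB_SETUP is a constructed model of the
'Internet Facing ELB' slide; gateway ids are placeholders. check() returns
(severity, message) findings; an empty list means the setup matches the
pattern.
"""
import copy
from typing import Dict, List, Tuple

ANY = "0.0.0.0/0"

ELB_SETUP: Dict = {
    "subnets": {
        "public":  {"cidr": "172.31.2.0/24", "routes": {"172.31.0.0/16": "local", ANY: "igw-PLACEHOLDER"}},
        "private": {"cidr": "172.31.1.0/24", "routes": {"172.31.0.0/16": "local", ANY: "nat-PLACEHOLDER"}},
    },
    "security_groups": {
        "sg-alb":  {"inbound":  [{"proto": "tcp", "port": 80, "source": ANY}],
                    "outbound": [{"proto": "all", "port": "ALL", "dest": ANY}]},
        "sg-task": {"inbound":  [{"proto": "tcp", "port": 8080, "source": "sg-alb"}],
                    "outbound": [{"proto": "all", "port": "ALL", "dest": ANY}]},
    },
    "alb":  {"subnet": "public", "sg": "sg-alb"},
    "task": {"subnet": "private", "sg": "sg-task", "assign_public_ip": False, "container_port": 8080},
}


def _default_route(subnet: Dict) -> str:
    return subnet["routes"].get(ANY, "")


def check(setup: Dict) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    task = setup["task"]
    subnet = setup["subnets"][task["subnet"]]
    task_sg = setup["security_groups"][task["sg"]]
    gw = _default_route(subnet)
    public_subnet = gw.startswith("igw-")

    # Egress: ECR image pull and CloudWatch Logs push need a way out
    # (NAT for a private subnet, IGW plus a public IP for a public subnet)
    if not gw:
        findings.append(("HIGH", "no default route: ECR pull and CloudWatch Logs push will fail"))
    elif public_subnet and not task["assign_public_ip"]:
        findings.append(("HIGH", "public subnet but assignPublicIp disabled: task has no egress via the IGW"))
    elif not public_subnet and task["assign_public_ip"]:
        findings.append(("LOW", "public IP assigned in a private subnet is unreachable; disable it"))
    if not task_sg["outbound"]:
        findings.append(("HIGH", "task security group has no outbound rule"))

    # Ingress: what may reach the container port
    alb = setup.get("alb")
    for rule in task_sg["inbound"]:
        if rule["source"] == ANY:
            sev = "HIGH" if alb else "MEDIUM"
            findings.append((sev, f"task SG admits {ANY} on port {rule['port']}"
                             + ("; admit only the ALB security group" if alb else "")))
        if rule["port"] != task["container_port"]:
            findings.append(("LOW", f"inbound rule on port {rule['port']} does not match "
                                    f"container port {task['container_port']}"))
    if alb:
        if not any(r["source"] == alb["sg"] and r["port"] == task["container_port"]
                   for r in task_sg["inbound"]):
            findings.append(("HIGH", "ALB security group cannot reach the container port"))
        if not _default_route(setup["subnets"][alb["subnet"]]).startswith("igw-"):
            findings.append(("HIGH", "internet-facing ALB is not in a public subnet"))
    return findings


def weakened_setup() -> Dict:
    """ELB setup with the task SG opened to the world: the 'before' to compare against."""
    s = copy.deepcopy(ELB_SETUP)
    s["security_groups"]["sg-task"]["inbound"] = [{"proto": "tcp", "port": 8080, "source": ANY}]
    return s


def public_task_setup() -> Dict:
    """The 'Public Task Setup' slide: task in the public subnet, public IP, no ALB."""
    s = copy.deepcopy(ELB_SETUP)
    s.pop("alb")
    s["task"] = {"subnet": "public", "sg": "sg-task", "assign_public_ip": True, "container_port": 8080}
    s["security_groups"]["sg-task"]["inbound"] = [{"proto": "tcp", "port": 8080, "source": ANY}]
    return s


if __name__ == "__main__":
    for name, setup in [("elb", ELB_SETUP), ("weakened", weakened_setup()), ("public", public_task_setup())]:
        print(name, check(setup) or "OK")
```

The weakened variant is the common mistake: the task security group copies the ALB rule (0.0.0.0/0) instead of referencing the ALB security group, which both exposes the container port directly and, if the ALB rule is dropped in the process, breaks the ALB's health checks. The public task setup is reported as MEDIUM rather than HIGH because that slide intentionally exposes port 8080; the finding is a reminder that the security group is the only thing in front of the container.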
147. Fargate Storage Layer
Storage space:
• 10 GB of layer storage available per task across all containers in a single task
• Includes image layers
• Ephemeral storage backed by Amazon EBS
Fargate volume storage:
• 4 GB of volume space per task
• Visible across containers
• Configure via task definitions
[Diagram: two containers, each with image layers and a writable layer, sharing the 10 GB per task; a 4 GB volume mounted at /var/container1/data and /var/container2/data]

148. PERMISSION TIERS
Cluster Permissions: Who can run/see tasks in the cluster?
Application (Task) Permissions: Which of my AWS resources can this application access?
Housekeeping Permissions: What permissions do I want to grant ECS to perform? e.g.
• ECR image pull
• CloudWatch Logs pushing
• ENI creation
• Register/deregister targets into ELB

149. COMPLIANCE
9001/27001/27017/27018

150. AWS Fargate Customers
"We don't want to babysit any clusters. That has nothing to do with us" (Shimon Tolts, CTO, DATREE)
"We moved to Fargate because we need the ability to scale quickly up from baseline and get fine-grained network control, without having to manage our own infrastructure" (Product Hunt)

151. Product Hunt: AWS Fargate
• Entire website runs as microservices: Ruby & GraphQL backend with a Node.js frontend
• Needed the ability to scale quickly, schedule multi-container workloads, and control the network layer
• All in on AWS: moved the entire infrastructure to AWS and Fargate in Jan 2018
• Fargate scales quickly with traffic spikes, running multiple services in production
154. Amazon ECS
[Diagram: user/scheduler → Scheduler, Cluster State Service, Placement Engine, Event Stream; EC2 instances running the ECS agent across AZ 1 and AZ 2 behind ALBs facing the Internet]

155. Amazon ECS
[Diagram: Amazon ECS API → Cluster Management Engine with a key/value store → Agent Communication Service → ECS agents on EC2 instances, each running tasks with containers; load balancers between the Internet and the instances]

156. Amazon ECS : Cluster
(same diagram as slide 155, highlighting the cluster of EC2 instances)

157. Amazon ECS : Task
(same diagram as slide 155, highlighting the tasks and their containers)

158. Tasks are defined via Task Definitions
{
  "containerDefinitions": [
    {
      "name": "simple-app",
      "image": "httpd:2.4",
      "cpu": 10,
      "memory": 300,
      "portMappings": [
        { "hostPort": 80, "containerPort": 80, "protocol": "tcp" }
      ],
      "essential": true,
      "mountPoints": [
        { "containerPath": "/usr/local/apache2/htdocs", "sourceVolume": "my-vol" }
      ]
    },
    {
      "name": "busybox",
      "image": "busybox",
      "cpu": 10,
      "memory": 200,
      "volumesFrom": [
        { "sourceContainer": "simple-app" }
      ],
      "command": [ "/bin/sh -c \"...\"" ],
      "essential": false
    }
  ],
  "volumes": [
    { "name": "my-vol" }
  ]
}

159. Tasks are defined via Task Definitions
{
  "containerDefinitions": [
    {
      "name": "simple-app",
      "image": "httpd:2.4",
      "cpu": 10,
      "memory": 300,
      "portMappings": [
        { "hostPort": 80, "containerPort": 80, "protocol": "tcp" }
      ],
      "essential": true,
      "mountPoints": [
        { "containerPath": "/usr/local/apache2/htdocs", "sourceVolume": "my-vol" }
      ]
    },
Annotations: "cpu": 10 reserves 10 CPU units (1024 is a full CPU); "memory": 300 is 300 MB of memory; portMappings exposes port 80 in the container on port 80 of the host; mountPoints creates and mounts volumes; "essential": true marks the container as essential to our task.

160. Tasks are defined via Task Definitions
    {
      "name": "busybox",
      "image": "busybox",
      "cpu": 10,
      "memory": 200,
      "volumesFrom": [
        { "sourceContainer": "simple-app" }
      ],
      "command": [ "/bin/sh -c \"...\"" ],
      "essential": false
    }
  ],
  "volumes": [
    { "name": "my-vol" }
  ]
}
Annotations: "image": "busybox" is pulled from Docker Hub; volumesFrom mounts the volume from the other container; "command" is the command to exec; "volumes" declares the volumes.

161. Task log to CloudWatch Logs
[Diagram: Amazon ECS → CloudWatch Logs → store (Amazon S3), stream (Amazon Kinesis), process (AWS Lambda), search (Amazon Elasticsearch)]

162. IAM Task Role
[Diagram: an ECS task assumes an IAM task role (e.g. DynamoDBRole, S3Role) through IAM to access Amazon DynamoDB or S3]

163. Task Placement Constraints

Name                Example
AMI ID              attribute:ecs.ami-id == ami-eca289fb
Availability Zone   attribute:ecs.availability-zone == us-east-1a
Instance Type       attribute:ecs.instance-type == t2.small
Distinct Instances  type="distinctInstance"
Custom              attribute:stack == prod

Placement flow:
1) Apply filter: CPU, memory, port requirements
2) Cluster constraints and custom constraints: AZ, EC2 type, AMI, or custom attributes
3) Placement strategy: spread or binpack
4) Select the final instances for task deployment

164. Task Placement Strategies
• Binpacking
• Spread
• Affinity
• Distinct Instance

165. Example : Instance type and Zone
[Diagram: us-east-1a with g2.2xlarge, t2.small, t2.micro, t2.medium, t2.medium; us-east-1d with t2.small, g2.2xlarge, t2.small, t2.small, t2.medium]
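The placement flow above (filter by resources, apply constraints, then a spread or binpack strategy) can be walked through on the fleet from the example slide. The Python below is an added example, not Amazon ECS scheduler code: it evaluates constraint expressions in the `attribute:<name> == <value>` form from the table (plus `!=` and `in [...]`), applies spread across an attribute such as the Availability Zone or binpack on memory or CPU, and honours distinctInstance. The fleet, instance ids and free resources are constructed; tie-breaking among equally good instances is this example's own choice, so the ECS scheduler's ordering may differ.

```python
"""Simulate ECS task placement: filter by resources and constraints, then
apply a spread or binpack strategy.

Added example, not Amazon ECS code. The fleet is constructed to resemble
the slide (t2/g2 instances across us-east-1a and us-east-1d); the
tie-breaking is this example's own and the ECS scheduler's internal
ordering may differ.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Instance:
    id: str
    attrs: Dict[str, str]
    cpu_free: int          # CPU units (1024 = one full CPU)
    mem_free: int          # MiB
    tasks: List[str] = field(default_factory=list)


def fresh_fleet() -> List[Instance]:
    """Constructed fleet; call it per experiment since placement mutates it."""
    def inst(iid, itype, az, stack, cpu, mem):
        return Instance(iid, {"ecs.instance-type": itype,
                              "ecs.availability-zone": az,
                              "stack": stack}, cpu, mem)
    return [
        inst("i-1a-small-1",  "t2.small",   "us-east-1a", "prod", 1024, 2048),
        inst("i-1a-medium-1", "t2.medium",  "us-east-1a", "prod", 2048, 4096),
        inst("i-1a-g2",       "g2.2xlarge", "us-east-1a", "prod", 8192, 15360),
        inst("i-1d-small-1",  "t2.small",   "us-east-1d", "prod", 1024, 2048),
        inst("i-1d-small-2",  "t2.small",   "us-east-1d", "test", 1024, 2048),
        inst("i-1d-medium-1", "t2.medium",  "us-east-1d", "prod", 2048, 4096),
    ]


CONSTRAINT_RE = re.compile(r"^attribute:([\w.\-]+)\s*(==|!=|in|not_in)\s*(.+)$")


def matches(inst: Instance, expr: str) -> bool:
    """Evaluate one placement constraint expression against an instance."""
    m = CONSTRAINT_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {expr}")
    key, op, rhs = m.groups()
    value = inst.attrs.get(key)
    if op == "==":
        return value == rhs.strip()
    if op == "!=":
        return value != rhs.strip()
    choices = [c.strip() for c in rhs.strip().strip("[]").split(",")]
    return (value in choices) if op == "in" else (value not in choices)


def place(fleet: List[Instance], count: int, cpu: int, mem: int,
          constraints: List[str], strategy: str, distinct_instance: bool = False) -> List[str]:
    """Place `count` tasks; strategy is 'binpack:memory', 'binpack:cpu' or
    'spread:<attribute>'. Returns the chosen instance ids in placement order."""
    kind, _, field_name = strategy.partition(":")
    used: List[str] = []
    for n in range(count):
        # 1) resource filter and 2) constraints
        cands = [i for i in fleet
                 if i.cpu_free >= cpu and i.mem_free >= mem
                 and all(matches(i, c) for c in constraints)
                 and not (distinct_instance and i.id in used)]
        if not cands:
            break                                   # nothing fits: stop early
        # 3) strategy
        if kind == "binpack":
            # fill the fullest candidate first, leaving others empty
            cands.sort(key=lambda i: (i.mem_free if field_name == "memory" else i.cpu_free, i.id))
        else:
            # prefer the attribute value (AZ, instance type, ...) carrying the fewest tasks
            def load(value):
                return sum(len(i.tasks) for i in fleet if i.attrs.get(field_name) == value)
            cands.sort(key=lambda i: (load(i.attrs.get(field_name)), len(i.tasks), i.id))
        # 4) select
        chosen = cands[0]
        chosen.cpu_free -= cpu
        chosen.mem_free -= mem
        chosen.tasks.append(f"task-{n}")
        used.append(chosen.id)
    return used


if __name__ == "__main__":
    rules = ["attribute:ecs.instance-type == t2.small", "attribute:stack == prod"]
    print("spread:", place(fresh_fleet(), 3, 256, 512, rules, "spread:ecs.availability-zone"))
    print("binpack:", place(fresh_fleet(), 2, 256, 1024,
                            ["attribute:ecs.instance-type in [t2.small, t2.medium]"], "binpack:memory"))
```

With the t2.small/prod constraints the spread run alternates between the two zones; the test-stack t2.small in us-east-1d is never considered because constraints are applied before the strategy. The binpack run keeps stacking onto the same instance until it no longer fits, which is the density you want for cost and the single point of failure you need to weigh against it.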
  166. 166. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon ECS : Service EC2 INSTANCES LOAD BALANCER Internet ECS AGENT TASK Container TASK Container ECS AGENT TASK Container TASK Container AGENT COMMUNICATION SERVICE Amazon ECS API CLUSTER MANAGEMENT ENGINE KEY/VALUE STORE ECS AGENT TASK Container TASK Container LOAD BALANCER
  167. 167. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Task and Service • Split an application that only runs with necessary bin/libs • IAM task role must be set • Restricted use of privileged users within a container • Configure LogDriver (awslogs, fluentd, gelf, journald, splunk, syslog .. ) S e r v i c e sT a s k s • Configure task placement to distribute equally across multiple availability zones • Service Auto Scaling • Application Load Balancer
  168. CloudWatch ECS Metrics
       2 dimensions: ClusterName, ServiceName
       4 metrics: CPUReservation, MemoryReservation, CPUUtilization, MemoryUtilization
       [Diagram: Cluster -> Container Instances (CloudWatch EC2 metrics); Task definition -> Task -> Service (CloudWatch ECS metrics).]
  169. ECS Cluster (EC2 Instance) Auto Scale out
       Event: per-cluster CPU or memory reservation, or usage
       [Diagram: developers deploy new services to the ECS cluster; a CloudWatch event on the cluster metrics triggers scale-out of the EC2 instances.]
  170. ECS Cluster (EC2 Instance) Auto Scale in
       Event: per-cluster CPU or memory reservation, or usage
       [Diagram: a CloudWatch event on the cluster metrics triggers scale-in; the instance being removed is set to Draining first.]
  171. Service Auto Scaling
       [Diagram: service tasks on Amazon EC2 with a resource buffer (+~15%).]
  172. Auto Scaling Target Tracking
       Only the target value for the metric needs to be set (e.g. CPU utilization 50%);
       Auto Scaling automatically adjusts the task DesiredCount of the Service.
       CloudWatch metrics: ECSServiceAverageCPUUtilization, ECSServiceAverageMemoryUtilization, ALBRequestCountPerTarget
       [Chart: CPU utilization and traffic over time against the 50% target; DesiredCount rises and falls to track it.]
  173. Get Started: https://ecsworkshop.com
       Modules:
       • Introduction
       • Platform
       • Frontend Rails App
       • Node.js Backend API
       • Crystal Backend API
  175. AWS Fargate: Only focus on tasks!
       Simple, easy, efficient serverless containers:
       • No EC2 instances to provision, scale or manage
       • ECS-native API, integrated with VPC, ELB, IAM, CloudWatch and more
       • Pay for CPU and memory usage
  176. AWS Fargate
       • AWS VPC networking mode
       • Advanced task placement
       • Deep integration with the AWS platform
       • ECS CLI
       • Global footprint (in 2018)
       • Powerful scheduling engines
       • Auto scaling
       • CloudWatch metrics
       • Load balancers
  177. AWS Fargate
       [Diagram: the Scheduling and Orchestration layer (Cluster Manager, Placement Engine) above EC2 instances running the ECS AMI with the Docker agent and ECS agent.]
  178. Amazon EC2 and AWS Fargate Hybrid cluster
       [Diagram: one ECS cluster mixing EC2-launched and Fargate-launched tasks.]
  179. Cluster level isolation
       [Diagram: separate PROD, BETA, DEV and QA clusters, each on its own cluster infrastructure, each running its own Web, Shopping Cart and Notifications services.]
  180. Fargate
       1. Register a Task Definition: define the application containers (image URL, CPU & memory requirements, etc.)
       2. Create a Cluster: an infrastructure isolation boundary and an IAM permissions boundary
       3. Run a Task: a running instantiation of a task definition, using the Fargate launch type
       4. Create a Service: fronted by Elastic Load Balancing
  181. CPU & Memory specification

       Task Level Resources:
       • Total CPU/memory across all containers
       • Required fields
       • Billing dimensions
       Units:
       • CPU: cpu-units. 1 vCPU = 1024 cpu-units
       • Memory: MB

       Container Level Resources:
       • Defines sharing of task resources among containers
       • Optional fields

       Task Definition Snippet (task-level resources, then container-level resources):
       {
         "family": "scorekeep",
         "cpu": "1 vCPU",
         "memory": "2 GB",
         "containerDefinitions": [
           {
             "name": "scorekeep-frontend",
             "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/fe",
             "cpu": 256,
             "memoryReservation": 512
           },
           {
             "name": "scorekeep-api",
             "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/api",
             "cpu": 768,
             "memoryReservation": 512
           }
         ]
       }
  182. Fargate pricing

       CPU                 Memory
       256 (.25 vCPU)      512MB, 1GB, 2GB
       512 (.5 vCPU)       1GB to 4GB
       1024 (1 vCPU)       2GB to 8GB
       2048 (2 vCPU)       4GB to 16GB
       4096 (4 vCPU)       8GB to 30GB

       1 vCPU = $0.04656/hour
       1 GB Mem = $0.00511/hour
       50 different CPU/memory configurations
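An added offline linter (example code, not AWS or ecsworkshop code) that applies the task rules from slides 167, 181 and 182 to a task definition dict: the CPU/memory pair must be one of the Fargate sizes from the pricing table, container shares must fit inside the task totals, an IAM task role must be set, no container may be privileged, and every container needs a LogDriver; it also prices the task at the slide's hourly rates. The slide's scorekeep snippet is the sample input; `taskRoleArn`, `privileged` and `logConfiguration` are real task-definition fields, and the 1 GB step in the memory ranges is inferred from the slide's "50 configurations".

```python
import re

# Valid Fargate cpu-units -> memory (MB) pairs from the pricing slide (1 GB steps: 50 combos).
FARGATE_SIZES = {256: [512, 1024, 2048],
                 512: list(range(1024, 4097, 1024)),
                 1024: list(range(2048, 8193, 1024)),
                 2048: list(range(4096, 16385, 1024)),
                 4096: list(range(8192, 30721, 1024))}
VCPU_HOUR, GB_HOUR = 0.04656, 0.00511   # list prices quoted on the slide

def to_units(value, word):
    """'1 vCPU' / '2 GB' (any case) -> 1024-based units; bare numbers pass through."""
    m = re.fullmatch(rf"(\d+)\s*{word}", str(value).strip().lower())
    return int(m.group(1)) * 1024 if m else int(value)

def lint_task_definition(td):
    """Return findings for a task definition dict; an empty list means it passes."""
    cpu, mem = to_units(td["cpu"], "vcpu"), to_units(td["memory"], "gb")
    containers = td.get("containerDefinitions", [])
    findings = []
    if mem not in FARGATE_SIZES.get(cpu, []):
        findings.append(f"{cpu} cpu-units with {mem} MB is not a Fargate size")
    if sum(c.get("cpu", 0) for c in containers) > cpu:
        findings.append("container cpu shares exceed the task-level cpu")
    if sum(c.get("memoryReservation", 0) for c in containers) > mem:
        findings.append("container memoryReservation exceeds task memory")
    if not td.get("taskRoleArn"):
        findings.append("taskRoleArn missing: set an IAM task role")
    for c in containers:
        if c.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        if "logConfiguration" not in c:
            findings.append(f"{c['name']}: no logConfiguration (LogDriver)")
    return findings

def hourly_cost(td):
    """Task price per hour at the slide's list prices (vCPU + GB)."""
    vcpu, gb = to_units(td["cpu"], "vcpu") / 1024, to_units(td["memory"], "gb") / 1024
    return round(vcpu * VCPU_HOUR + gb * GB_HOUR, 5)

# The slide's scorekeep definition as sample input (xxx = placeholder account id).
SCOREKEEP = {"family": "scorekeep", "cpu": "1 vCPU", "memory": "2 GB",
             "containerDefinitions": [
                 {"name": "scorekeep-frontend", "cpu": 256, "memoryReservation": 512,
                  "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/fe"},
                 {"name": "scorekeep-api", "cpu": 768, "memoryReservation": 512,
                  "image": "xxx.dkr.ecr.us-east-1.amazonaws.com/api"}]}
```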
  183. Thank you!