This document discusses Amazon Elastic Container Service for Kubernetes (EKS). It highlights how EKS can save time by managing the Kubernetes control plane and enabling the use of various node groups. It provides demonstrations of creating an EKS cluster and registering node groups, such as a general Auto Scaling group and spot fleet. It also covers tight integration with IAM for authentication and authorization and discusses community feedback about customizing worker node AMIs and streamlining access management.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Bruce Chen, Business Development Manager, AWS Taiwan
Tom Tsai, Site Reliability Engineer, MaiCoin
Amazon Elastic Container
Services for Kubernetes (EKS)

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
?
•
•
•
•
•
•
Photo & Licence

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
•
•
•
• /
• ( Kernel)

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
:
ECS EKS
EC2 Fargate EC2 Fargate
1.
2.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubernetes?

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud-native
C L O U D N A T I V E

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
K8S

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
57% Kubernetes AWS
— Cloud Native Computing Foundation

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
3x Kubernetes masters for HA
AWS Kubernetes

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API
server
Cloud
controller
Controller
manager
Scheduler Add-onsKubeDNS
Kubernetes master

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Availability
Zone 1
Etcd
Master
Etcd
Master
Etcd
Master
Availability
Zone 2
Availability
Zone 3

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Availability
Zone 1
Etcd
Master
Etcd
Master
Availability
Zone 2
Availability
Zone 3
Etcd
Master

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
“ Kubernetes”

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EKS Production

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EKS Kubernetes

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EKS AWS

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EKS Kubernetes

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Availability
Zone 1
Master Master
Availability
Zone 2
Availability
Zone 3
Master
Workers Workers Workers
AWS

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
mycluster.eks.amazonaws.com
Availability
Zone 1
Availability
Zone 2
Availability
Zone 3
Kubectl

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EKS Kubernetes

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubernetes
ü
ü
ü (Confirmability)

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
APIAPIAPIAPI
EKS

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
aws eks create-cluster –cluster-name reinvent2017 –desired-master-version 1.7
–role-arn arn:aws:iam::account-id:role/role-name

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
aws eks describe-cluster –cluster-name reinvent2017

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
HTTP/1.1 200 Content-type:
application/json
{ "cluster":
{
"clusterName": "string",
"createdAt": number,
"currentMasterVersion": "string",
"desiredMasterVersion": "string",
"masterEndpoint": "string",
"roleArn": "string",
"status": "string",
"statusMessage": "string"
}
}

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
aws eks list-clusters

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
aws eks delete-cluster –cluster-name
reinvent2017

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon
CloudWatch
AWS
CloudTrail
Master

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubectl
3) RBAC AWS Identity
K8s API
1) AWS Identity
2) AWS Identity
4) / K8S
AWS Auth
IAM + Kubectl

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
CNI
PODs
VPC
Github
…{ }
https://github.com/aws/amazon-vpc-cni-k8s

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Nginx Pod
Java Pod
ENI
Secondary IPs:
10.0.0.1
10.0.0.2
Veth IP: 10.0.0.1
Veth IP: 10.0.0.2
Nginx Pod
Java Pod
ENI
Veth IP: 10.0.0.20
Veth IP: 10.0.0.22
Secondary IPs:
10.0.0.20
10.0.0.22
ec2.associateaddress()
VPC Subnet – 10.0.0.0/24
Instance 1 Instance 2

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
1.9.11.9.2
Version
1.9
Version
1.10
Kubernetes

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Auto Scaling –
ü Horizontal Pod Autoscaler – K8S (CPU)
pods
ü

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Auto Scaling –
ü Auto Scaling K8S Cluster Auto Scaler
ü Cluster Autoscaler
ü AWS Auto Scaling Groups

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ü CoreOS ALB Ingress Controller: AWS
ü Ingress ALB Kubernetes
ü Layer 7

39. EKS

40. EKS

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
HELLO!
I am Tom Tsai aka smalltown
- MaiCoin Site Reliability Engineer
- Former HTC Principal DevOps
- Former TrendMicro Senior DevOps
I am here because I want to share something with
you
You can find me at smalltown@awsug.tw

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
I Setup Kubernetes on AWS!

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
You Setup Kubernetes on AWS! (Before)

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why Not Just Use EKS? (Now)

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Outline
✓ How EKS Save The Time
✓ Pluggable Worker Node Group
✓ Demo! Demo! Demo!
✓ Permission Control in EKS
✓ Community Feedback

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Self-Hosted Kubernetes Master
✓ There are 3 Most Important Things
○ Complicated Master Component
○ Overlay Network
○ Very Important Etcd Cluster
✓ Not to Mention… Scalability, Upgrade, Configuration
Management, Log Centralize...

47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to Setup EKS?
1. Create EKS IAM Role
- AmazonEKSClusterPolicy
- AmazonEKSServicePolicy
2. Create EKS Security Group
- Allow Worker Access
- Allow kubectl Communication
3. Create EKS Cluster
- Less 10 Mins
Don’t Need To Take Care It
Anymore

48. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Register Worker Nodes Also Easy
1. Prepare EC2 instance, EC2 IAM role,
security group
2. Install Docker CE
3. Install aws-cli
4. Install kubelet
5. Install heptio authenticator
6. Install cni plugin
7. Prepare kubeconfig
8. Prepare kubelet systemd service file
9. Start kubelet server to register
- Of Course, This
Can be Automated
- Replace with Any
Linux Distribution

49. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Pluggable Worker Node Group
CPU Bound ASG Memory Bound ASG
...
Crazy Cheap Spot Fleet

50. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo! Demo! Demo!
✓ Done
○ VPC Network
○ EKS Cluster
✓ To-Do
○ Register General ASG to EKS Cluster
○ Register Spot Fleet to EKS Cluster
Demo Script:
https://goo.gl/MwuATg

51. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
HashiCrop Terraform
✓ Something Like CloudFormation
✓ Infrastructure As Code
✓ Cross Platform (AWS, Azure, GCP...)
✓ Demo VPC Network, EKS Cluster, Node
Group Created By it
✓ There will be a Workshop which
Cooperates with AWS This Year
http://bit.ly/taipei-hug

52. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tightly Integrate With IAM
EC2 IAM Role
IAM User
heptio authenticator
1. Generate Signed
STS URL 2. Pass AWS Identity 3. Verify AWS Identity
4. K8S action allowed/denied

53. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Community Feedback I
✓ Can’t find Official Document demonstrating ”How to Customize
Worker Node AMI with other Linux Distribution"
✓ AWS team quickly feedback my blog to Seattle EKS team to
address this issue
✓ We expect the community could quickly leverage this solution

54. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Community Feedback II
✓ Only The IAM User Creating The EKS Cluster Can Access EKS
Cluster at First
✓ Need to Create Kubernetes ConfigMap aws-auth
○ Add The IAM User Want to Access EKS Cluster
○ Add The EC2 IAM Role Want to Register EKS Cluster
✓ Hope EKS team can streamline this process

55. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.