Amazon EKS multi-cluster gitops-bridge

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
A M A Z O N E K S M U L T I - C L U S T E R T O P O L O G I E S
Amazon EKS Multi-Cluster
The Gitops Bridge Pattern
Carlos Santana
Sr. Kubernetes Solutions Architect
AWS
CNCF Ambassador
Isaac Mosquera
Principal Containers Specialist
AWS
Christina Andonov
Sr. Specialist Solutions Architect
AWS

1. What are customers building
2. Key challenges
3. Proposed solution
4. How we solved the problem
5. How to use
Agenda

What are customers building
AI/ML
Autonomous Vehicles
Robotics
Modeling, Training, and
Inference
Legacy Apps
.NET Apps
Homegrown Apps
Monolith
Analytics
Streaming
MapReduce
Batch
Web
Static
Dynamic
Backend
DB
IoT
Mobile

Enforce security standards and best practices
across clusters to automate deployments
Define boundaries between multiple teams
Provision multiple workloads at scale
Cluster management
Team management
Workload management
Install add-ons and their dependencies
Add-on management
Configuration management
Automate configuration and upgrade
lifecycle from a single source of truth
Key challenges

Proposed solution
G I T O P S
Build
Test
Scan
Operate/Fix
Deploy/Verify
Observe/Alert
Immutability Firewall
Git becomes the single
source of truth for the
system’s desired state,
enabling reproducible
automated deployments,
cluster management, and
monitoring.

What is GitOps
P R I N C I P L E S
A system managed by
GitOps must have its
desired state expressed
declaratively
Desired state is stored in a
way that enforces
immutability, versioning
and retains a complete
version history
Software agents
continuously observe
actual system state and
attempt to apply the
desired state
Software agents
automatically pull the
desired state declarations
from the source
Enforces Consistency
Reduces Business Risk Enhances Auditability Boosts Security

Cluster Management

Multi-cluster challenges
Enforcing best
practices
across clusters
Consistent cluster
lifecycle
management
Supporting multiple
teams with
guardrails in place
Easily onboarding
new applications

Multi-Cluster Kubernetes
9
Cloud (prod)
Cloud (pre-prod)
1.22
1.23
1.24
1.25
1.26

EKS Blueprints

Cluster management
EKS Blueprints
AWS Cloud
Virtual private cloud
Internet gateway
Public subnet Private subnet
Amazon EKS
NAT gateway
AWS account
Instances Instances Instances
Role Permissions

Infrastructure as
Code with
Terraform and CDK
Based on AWS best
practices and
recommendations
Integrated with
popular K8s tools
and services
Fully extensible
and
customizable
Amazon EKS Blueprints
An open-source framework that allows you to configure and deploy complete
Amazon EKS clusters across accounts and Regions

Cluster Deployment

Challenges with IaC and GitOps
• Terraform
§ Great for setting up underlying infrastructure
§ Not design to work with Kubernetes
§ Imperative, can lead to drift configuration
• GitOps
§ Designed for Kubernetes resources
§ Declarative and convergence, minimizing drift
§ Limited scope, focused on app deployment rather than infrastructure

GitOps Bridge: IaC -> GitOps
IaC
Internet gateway
Virtual private
cloud (VPC)
NAT gateway
Private
subnet
Public
subnet
AWS KMS key Role Amazon EKS
Security
group
Kubernetes
Gatekeeper Karpenter Cert-manager
Instances
GitOps
cluster.yaml

IaC
Internet gateway
Virtual private
cloud (VPC)
NAT gateway
Private
subnet
Public
subnet
Security
group
Instances
GitOps
cluster.yaml
Kubernetes
Cert-manager
Gatekeeper Karpenter
cluster
config
Addons
Apps

IaC
Internet gateway
Virtual private
cloud (VPC)
NAT gateway
Private
subnet
Public
subnet
Security
group
GitOps
cluster.yaml
Kubernetes
Cert-manager
cluster
config
Addons
Apps
Instances

GitOps
cluster.yaml
Kubernetes
Cert-manager
cluster
config
Addons
Apps
Instances
ack terraform kops
ansible pulumi cdk
capa crossplane

Cluster Topologies

Standalone/distributed
Namespace
Tenant AWS account
Amazon EKS
Tenant AWS account
Amazon EKS
Namespace
On premises
Kubernetes
Namespace
On premises
Kubernetes
Namespace
Full ArgoCD
UI/CLI
API Server
Redis Server
Repo
Controllers
Addons + Apps

Centralized/Hub-Spoke (Push)
Central Amazon EKS cluster
Central AWS account
Namespace
Tenant AWS account On premises
Amazon EKS
Tenant AWS account
Kubernetes
On premises
Kubernetes
Amazon EKS
Addons + Apps
Full ArgoCD
UI/CLI
API Server
Redis Server
Repo
Controllers

Centralized/Hub-Spoke (Shared)
Central AWS account
Namespace
Amazon EKS
Tenant AWS account
Kubernetes
On premises
Kubernetes
Amazon EKS
App-2 repo
App-1 repo
App-4 repo
Addons
App-3 repo
Full ArgoCD
UI/CLI
API Server
Redis Server
Repo
Controllers

Centralized/Hub-Spoke (Agent)
Central AWS account
Namespace
Amazon EKS
Tenant AWS account
Kubernetes
On premises
Kubernetes
Amazon EKS
App-2 repo
App-1 repo
App-4 repo
App-3 repo
Core ArgoCD
UI/CLI
API Server
Redis Server
Repo
Controllers
https://argo-cd.readthedocs.io/en/stable/operator-manual/core
https://akuity.io/blog/reducing-argocd-operational-burden
https://github.com/open-cluster-management-io/argocd-pull-integration
Full ArgoCD
UI/CLI
API Server
Redis Server
Repo
Controllers
Addons

Teams

Separation of concerns
I would like to standardize the
deployment process for application
teams while enforcing
organizational standards
Platform team Development teams
I would like to have full
control of my application
and its dependencies
deployment lifecycle

Identity & Access
Management
Policy
Management
Namespace as a
Service
Multi-Team Considerations

Amazon EKS (Prod)
Teams management
Frontend
Team
Backend
Team
Platform
Team
Frontend
Repository
Platform
Repository
Frontend
ArgoCD Projects
Platform
ArgoCD Projects
Backend
Repository
Backend
ArgoCD Projects
Amazon EKS (Staging)
workloads
addons

Add-Ons

Add-Ons
Security
Cilium Gatekeeper
Kyverno
Observability
Prometheus Fluent Bit OTEL
Reliability
Karpenter Autoscaler Keda
Delivery
ArgoCD Flux Crossplane
Others

Add-ons management
G I T O P S B R I D G E C O N F I G U R A T I O N
Control Plane
Addons
App Of
ApplicationSet
Addon-1
charts/
environments/
Addon-2
App Of
ApplicationSets
Addon-1
ApplicationSet
Addon-2
ApplicationSet
clusters/
Addon-1
Application
Addon-2
Application
Platform repo
Platform
team
Amazon EKS
AWS account
OTEL

Configuration Management

Amazon EKS
(Central)
AWS account (Central)
AWS account (Tenant A)
Amazon EKS (Prod)
ui
v1.0
dynamodb
v1.0
ui
v1.0
dynamodb
v1.0
frontend backend
frontend backend
apps
ui
base
prod
dynamodb/
Apps repo
Apps
teams
staging
clusters/
base
prod
staging
E N V I R O N M E N T S ( S T A G I N G V S . P R O D )

D E P L O Y A N D S C A L E
Amazon EKS
(Central)
ui
v2.0
dynamodb
v1.0
frontend backend
apps
ui
base
prod
dynamodb/
Apps repo
Apps teams
staging
clusters/
base
prod
staging
Amazon EKS (Prod)
ui
v1.0
dynamodb
v1.0
frontend backend

A W S S E R V I C E S W I T H G I T O P S
Amazon EKS (Central)
Amazon EKS (Prod)
ui
v2.0
ui
v2.0
frontend
frontend
Amazon
DynamoDB
(Staging)
apps
ui
base
prod
clusters/
Apps repo
staging
Apps
teams
Amazon
DynamoDB
(Production)
Control Plane
addons
aws
ack
clusters/
Platforms repo
environment/
Platform
team

GitOps Bridge: ApplicationSet (Addon versions)
version in dev is 1.6.0
version in staging is 1.5.5
version in production is 1.5.4
Cluster opt-in for the addon
Chart name and repo in a single place
Merge generator
Prevent Outages

GitOps Bridge: ApplicationSet (overrides)
Metadata based on IaC
Namespace based on IaC
Override values files
Value files in git

Resources
https://github.com/gitops-bridge-dev
https://aws-ia.github.io/terraform-aws-eks-blueprints/patterns/gitops-getting-started-argocd/
https://aws-ia.github.io/terraform-aws-eks-blueprints/patterns/gitops-multi-cluster-hub-spoke-argocd/

Thank you!

Amazon EKS multi-cluster gitops-bridge

In this document

More Related Content

What's hot

Similar to Amazon EKS multi-cluster gitops-bridge

More from Carlos Santana

Recently uploaded

Amazon EKS multi-cluster gitops-bridge