Amazon Elastic Container Service for Kubernetes (Amazon EKS)
- 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
EKS
Kubernetes on AWS
- 2.
Ric Harvey, Technical Developer Evangelist
Amazon Web Services
@ric__Harvey
https://gitlab.com/ric_harvey/
- 3.
57% of Kubernetes workloads run on AWS today
— Cloud Native Computing Foundation
- 4.
kops: https://github.com/kubernetes/kops
- 5.
"Make this easier for me"
- 6.
"Native AWS integrations."
- 7.
"An open source Kubernetes experience."
- 8.
Elastic Container Service for Kubernetes (EKS)
- 9.
EKS is Certified Kubernetes (CNCF conformance program)
- 10.
Architecture
- 11.
Control plane architecture (diagram): an etcd member and a Kubernetes master in each of three Availability Zones (Zone 1, Zone 2, Zone 3), all AWS managed; the worker nodes run in the customer account.
- 12.
Cluster access (diagram): kubectl talks to the cluster endpoint (e.g. mycluster.eks.amazonaws.com) served by Amazon EKS; the EKS workers run in your AWS account, spread across AZ 1, AZ 2 and AZ 3.
- 13.
Cross-account Kubernetes (diagram)
Workers run in the customer VPC; masters run in the EKS VPC.
Kubectl API access: customer -> masters, through a Network Load Balancer with static IPs, over TLS.
Exec/logs: masters -> workers, through ENIs that EKS attaches inside the customer VPC (ENI attachment).
- 14.
EKS Cross-Account Networking: Availability Zones (diagram): one master per Availability Zone (1, 2 and 3) inside the EKS VPC, workers in each of the same zones inside the customer VPC, and one ENI per zone bridging the two VPCs.
- 15.
Versions and Upgrades
- 16.
Semantic Versioning (semver): v1.10.0 is Major.Minor.Patch
Major: breaking changes
Minor: new features
Patch: bug fixes and security fixes
- 17.
Kubernetes Upgrades
Patch upgrades stay within a minor version (e.g. 1.9.1 -> 1.9.2); minor upgrades move between versions (e.g. 1.9 -> 1.10).
- 18.
EKS Networking
- 19.
Native VPC networking with the CNI plugin
Pods get real VPC addresses: the IP seen inside the pod is the same IP the VPC routes to, with no overlay network.
Simple, secure networking: VPC routing, flow logs and security groups apply to pod traffic. Note that security groups attach to the node's ENIs, so every pod on a node shares them; use Kubernetes NetworkPolicy for pod-level segmentation.
Open source and on GitHub:
https://github.com/aws/amazon-vpc-cni-k8s
- 20.
How the CNI plugin hands out addresses (diagram): VPC subnet 10.0.0.0/24
Instance 1: ENI with secondary IPs 10.0.0.1 and 10.0.0.2; Nginx pod veth IP 10.0.0.1, Java pod veth IP 10.0.0.2.
Instance 2: ENI with secondary IPs 10.0.0.20 and 10.0.0.22; Nginx pod veth IP 10.0.0.20, Java pod veth IP 10.0.0.22.
The secondary IPs are allocated to the ENI through the EC2 API. The slide labels the call ec2.associateaddress(); the plugin actually calls AssignPrivateIpAddresses (AssociateAddress is the Elastic IP call).
- 21.
How do I provision EKS nodes?
- 22.
Integrations
- 23.
Identity and Access Management (IAM)
- 24.
I want to use AWS accounts to operate Kubernetes
An open source approach to integrating AWS IAM authentication with Kubernetes (aws-iam-authenticator, formerly heptio-authenticator-aws)
- 25.
IAM Authentication with kubectl
1) kubectl passes the AWS identity (a token) to the K8s API server
2) AWS Auth (the authenticator) verifies the AWS identity
3) The K8s API server authorizes the AWS identity with RBAC
4) K8s action allowed/denied
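The four steps above correspond to three pieces of configuration. The following is an added example, not taken from the deck: a kubeconfig that has kubectl obtain a token from aws-iam-authenticator for the cluster (step 1), the aws-auth ConfigMap in kube-system that the authenticator uses to map a verified IAM role to a Kubernetes user name and groups (step 2), and a RoleBinding that grants that group read-only access in one namespace (steps 3 and 4). The cluster name, endpoint, account id, role ARNs, namespace and group name are placeholders.

```yaml
# kubeconfig (client side): kubectl runs aws-iam-authenticator, which builds a
# short-lived token from the caller's AWS credentials. The credentials
# themselves never reach the API server.
apiVersion: v1
kind: Config
clusters:
- name: mycluster
  cluster:
    server: https://mycluster.eks.amazonaws.com        # placeholder endpoint
    certificate-authority-data: <base64 CA from the EKS API>
contexts:
- name: mycluster
  context:
    cluster: mycluster
    user: mycluster-iam
current-context: mycluster
users:
- name: mycluster-iam
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args: ["token", "-i", "mycluster"]      # cluster id is bound into the token
      # To authenticate as a role rather than as the caller's own identity:
      # args: ["token", "-i", "mycluster", "-r", "arn:aws:iam::123456789012:role/k8s-readonly"]
---
# aws-auth ConfigMap (cluster side): maps a verified IAM identity to a
# Kubernetes user name and groups. Identities not listed here (other than the
# cluster creator) fail authentication.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Worker node instance role: needed so kubelets can join the cluster
    - rolearn: arn:aws:iam::123456789012:role/eks-worker-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # A human/CI role mapped to a group that carries no built-in rights
    - rolearn: arn:aws:iam::123456789012:role/k8s-readonly
      username: readonly:{{SessionName}}
      groups:
        - team-a-viewers
---
# RBAC (cluster side): the group from aws-auth is authorized by an ordinary
# RoleBinding; with no binding the identity authenticates but can do nothing.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-viewers
  namespace: team-a
subjects:
- kind: Group
  name: team-a-viewers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view                                  # built-in read-only role
  apiGroup: rbac.authorization.k8s.io
```

The token is a presigned STS GetCallerIdentity request, so the authenticator learns the caller's ARN by asking STS and every cluster login shows up in CloudTrail. Two things to keep in mind: the aws-auth ConfigMap is the entry boundary, so anyone who can edit it can grant themselves system:masters, and the {{SessionName}} placeholder only helps audit if callers assume roles with meaningful session names.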
- 26.
I want to give a pod permissions to an AWS service
kube2iam (https://github.com/jtblin/kube2iam):
• Runs as a DaemonSet on your workers
• Creates iptables rules on each node that redirect pod traffic for the EC2 metadata service (169.254.169.254) to kube2iam
• Add an annotation to your pods to grant them an AWS IAM role; kube2iam assumes that role on the pod's behalf and serves the temporary credentials
- 27.
kube2iam example
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      annotations:
        # Role the pod may assume via kube2iam (account id is a placeholder)
        iam.amazonaws.com/role: arn:aws:iam::123567989012:role/nginx-role
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.9.1
        ports:
        - containerPort: 80
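The annotation on its own is not a security boundary: kube2iam hands out credentials for whatever role a pod asks for, limited only by which roles the node's instance role is allowed to assume. The following is an added example, not part of the deck, of the two controls that turn it into one: a Namespace annotation that restricts which roles pods in that namespace may claim, and the kube2iam DaemonSet flags that enforce that restriction and install the metadata redirect. The namespace name, image tag and host interface are assumptions; the deck's nginx Deployment would be created in this namespace.

```yaml
# Namespace-level allowlist: with --namespace-restrictions enabled, kube2iam
# refuses any iam.amazonaws.com/role that does not match one of these entries
# (glob patterns by default; --namespace-restriction-format=regexp switches).
apiVersion: v1
kind: Namespace
metadata:
  name: web                                   # assumed namespace
  annotations:
    iam.amazonaws.com/allowed-roles: |
      ["nginx-role", "web-*"]
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube2iam
  namespace: kube-system
spec:
  selector:
    matchLabels:
      name: kube2iam
  template:
    metadata:
      labels:
        name: kube2iam
    spec:
      serviceAccountName: kube2iam            # needs RBAC to list/watch pods and namespaces
      hostNetwork: true                       # must sit on the node's 169.254.169.254 path
      containers:
      - name: kube2iam
        image: jtblin/kube2iam:0.10.4         # assumed tag
        args:
          - --iptables=true                   # redirect pod metadata calls to this proxy
          - --host-ip=$(HOST_IP)
          - --host-interface=eni+             # veth naming used by the AWS VPC CNI (assumed)
          - --node=$(NODE_NAME)
          - --namespace-restrictions=true     # enforce the allowed-roles annotation
          - --auto-discover-base-arn          # lets the annotation use bare role names
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        ports:
        - containerPort: 8181
          hostPort: 8181
          name: http
        securityContext:
          privileged: true                    # required to write the iptables rules
```

On the IAM side the node instance role needs sts:AssumeRole on the target roles and each target role's trust policy must name the node role as principal; nothing else should be attached to the node role, because a pod that bypasses the redirect (hostNetwork pods do, by design) reaches the real metadata service and gets the node's credentials.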
- 28.
Container Registry: Amazon ECR
- 29.
Amazon ECR
• Simple to create
• Highly available by default
• IAM permissions
• Lifecycle rules
• Encrypted at rest
• Billed on storage
- 30.
Load Balancers
- 31.
Services: LoadBalancer
$ kubectl run nginx --image=nginx --replicas 3 --port=80
$ kubectl expose deployment nginx --type=LoadBalancer
$ kubectl get services -o=wide
NAME    TYPE           CLUSTER-IP       EXTERNAL-IP                                                                PORT(S)
nginx   LoadBalancer   100.70.217.164   a5cefe533ac1d11e7a38f0a67818e472-1987464052.eu-west-1.elb.amazonaws.com   80:31108/TCP
- 32.
Configure your load balancers via annotations (all under the service.beta.kubernetes.io/ prefix):
service.beta.kubernetes.io/aws-load-balancer-type
service.beta.kubernetes.io/aws-load-balancer-internal
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol
service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval
service.beta.kubernetes.io/aws-load-balancer-access-log-enabled
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix
service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled
service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled
service.beta.kubernetes.io/aws-load-balancer-extra-security-groups
service.beta.kubernetes.io/aws-load-balancer-ssl-cert
service.beta.kubernetes.io/aws-load-balancer-ssl-ports
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy
service.beta.kubernetes.io/aws-load-balancer-backend-protocol
service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags
service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold
service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold
service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout
service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval
They cover:
• Draining
• Logging
• SSL certs
• Tagging
• Security groups
• Health checks
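The annotations that matter most from a security standpoint are the ones that keep a load balancer private, terminate TLS with a sane policy, and produce access logs. The following is an added example, not from the deck, of a classic ELB Service combining them; the certificate ARN, security group id, bucket name and selector are placeholders.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: api
  annotations:
    # Keep the ELB off the internet: the DNS name resolves to private IPs only
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    # Terminate TLS at the ELB with an ACM certificate (placeholder ARN) and a
    # predefined policy that disables TLS 1.0/1.1 and weak ciphers
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:123456789012:certificate/00000000-0000-0000-0000-000000000000
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # Access logs to S3 every 5 minutes, for detection and incident response
    service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: "5"
    service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: my-elb-logs
    service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: api
    # Extra security group managed outside Kubernetes (e.g. a corporate allowlist)
    service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: sg-0123456789abcdef0
    # Drain in-flight requests before a backend is removed
    service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout: "30"
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "Owner=team-a,Environment=prod"
spec:
  type: LoadBalancer
  # Narrows the ELB security group ingress to these ranges instead of 0.0.0.0/0
  loadBalancerSourceRanges:
  - 10.0.0.0/8
  ports:
  - name: https
    port: 443
    targetPort: 8080
  selector:
    app: api
```

Check the result with `kubectl describe service api` and the ELB console: the listener should be HTTPS 443 -> HTTP 8080, the scheme internal, and the log bucket must carry a bucket policy that lets the regional ELB account write to it or the service creation fails.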
- 33.
Network Load Balancer (layer 4)
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: default
  labels:
    app: nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: 'Name=nginx'
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local     # preserve the client source IP; only nodes with a pod receive traffic
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
- 34.
Application Load Balancer (layer 7)
CoreOS ALB Ingress Controller: supported by AWS
Exposes ALB functionality to Kubernetes via Ingress resources
Layer 7 load balancing; supports content-based routing by host or path
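What the host/path routing looks like in practice, as an added example that is not part of the deck: one Ingress handled by the ALB ingress controller, with a TLS-only listener, two hosts and a path split on the first one. Hostnames, certificate ARN, subnet and security group ids and the backend service names are placeholders.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: shop
  namespace: default
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    # Register pod VPC IPs directly as targets (possible because of the VPC CNI)
    alb.ingress.kubernetes.io/target-type: ip
    # HTTPS only: no plaintext listener is created
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:123456789012:certificate/00000000-0000-0000-0000-000000000000
    # Security group applied to the ALB itself (placeholder id)
    alb.ingress.kubernetes.io/security-groups: sg-0123456789abcdef0
    alb.ingress.kubernetes.io/subnets: subnet-0aaaaaaaaaaaaaaaa,subnet-0bbbbbbbbbbbbbbbb
spec:
  rules:
  # Host-based routing: each host gets its own rule set
  - host: shop.example.com
    http:
      paths:
      # Path-based routing within a host; ALB rules use the /* wildcard syntax
      - path: /api/*
        backend:
          serviceName: api
          servicePort: 80
      - path: /*
        backend:
          serviceName: web
          servicePort: 80
  - host: admin.example.com
    http:
      paths:
      - path: /*
        backend:
          serviceName: admin
          servicePort: 80
```

With target-type ip the backend Services can stay ClusterIP; with the default instance target type they must be NodePort, which opens the node port on every worker. The controller needs an IAM role permitting ALB and target group management, which is exactly the kind of permission the kube2iam annotation shown earlier is for.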
- 35.
Load Balancing
- 36.
DNS
- 37.
Automatic Route53 DNS creation for services (external-dns)
apiVersion: v1
kind: Service
metadata:
  name: nginx
  annotations:
    external-dns.alpha.kubernetes.io/hostname: nginx.demothe.cloud.
spec:
  type: LoadBalancer
  ports:
  - port: 80
    name: http
    targetPort: 80
  selector:
    app: nginx
- 38.
…works with ingress too
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: nginx.demothe.cloud
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
- 39.
Orchestration
- 40.
Deploying AWS resources with K8s (operator)
apiVersion: cloudformation.linki.space/v1alpha1
kind: Stack
metadata:
  name: my-bucket
spec:
  template: |
    ---
    AWSTemplateFormatVersion: '2010-09-09'
    Resources:
      S3Bucket:
        Type: AWS::S3::Bucket
        Properties:
          BucketName: my-bucket
Deploy AWS resources right from your K8s YAML files. Users don't need AWS permissions; the IAM role of the host(s) running the operator does, so whoever can create a Stack object effectively holds that role's permissions.
https://github.com/linki/cloudformation-operator
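Because the operator turns "can create a Stack object" into "can do whatever the operator's IAM role can", the Kubernetes side has to be gated. The following is an added example, not from the deck or the operator's repository: a namespaced Role that limits Stack management to one pipeline service account, and an operator Deployment that gets its AWS permissions through a kube2iam annotation instead of the node role. The namespace, service account names, image tag and command-line flag are assumptions.

```yaml
# Only the delivery pipeline's service account may create or change Stacks in
# this namespace; any other principal needs an explicit binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: stack-editor
  namespace: infra                                    # assumed namespace
rules:
- apiGroups: ["cloudformation.linki.space"]
  resources: ["stacks"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-stack-editor
  namespace: infra
subjects:
- kind: ServiceAccount
  name: ci-deployer                                   # assumed pipeline identity
  namespace: infra
roleRef:
  kind: Role
  name: stack-editor
  apiGroup: rbac.authorization.k8s.io
---
# The operator pod assumes a dedicated role via kube2iam, so the
# CloudFormation permissions are not on every worker node.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudformation-operator
  namespace: infra
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cloudformation-operator
  template:
    metadata:
      labels:
        app: cloudformation-operator
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/cloudformation-operator
    spec:
      serviceAccountName: cloudformation-operator     # carries the RBAC needed to watch Stacks
      containers:
      - name: operator
        image: linki/cloudformation-operator:v0.1.0     # assumed tag
        args: ["--region=eu-west-1"]                    # assumed flag
```

The cloudformation-operator role should be scoped to the resource types the templates are allowed to create; a role with iam:* attached to it would let any Stack author mint new IAM roles, which is the privilege escalation this layout is meant to prevent.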
- 41.
Demo: Cluster Autoscaler
https://github.com/kubernetes/autoscaler
- 42.
Recap
- 43.
Recap
• EKS runs the control plane for you (just bring nodes)
• EKS is upstream open source Kubernetes
• All integrations are open source
• The master nodes are HA (across 3 AZs)
- 44.
One more thing
- 45.
- 46.
OK, another thing!
awsdevelopers.slack.com
Preview
@ric__harvey
DM me and send me your email address
- 47.
Thank you!
Ric Harvey, Technical Developer Evangelist
@ric__Harvey
https://gitlab.com/ric_harvey/