Kubernetes offers a powerful abstraction layer for managing containerized infrastructure. Amazon Elastic Container Service for Kubernetes (Amazon EKS) makes it easy to run Kubernetes on AWS without having to manage master nodes or the etcd operator. In this session, we cover how Amazon EKS makes deploying Kubernetes on AWS simple and scalable, including networking, security, monitoring, and logging. We discuss the key contributions we’re making to make AWS an even better place to run Kubernetes, and show a live demonstration of how AWS customers are starting to use Amazon EKS.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Brandon Chavis
Sr. Product Manager, Amazon EKS
SRV318
Running Kubernetes with Amazon
EKS

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
noun
noun: agenda; 1.
a list of items to be discussed at a formal meeting.
Housekeeping
Intro to EKS
What’s new?
Demo

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Speaker Intro
• 5 years at AWS
• Support Engineer, Solutions Architect,
Product Manager
• I’ve said “container” on stage a lot

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s cut to the chase:
Q: Is EKS still in Preview?
A: Yes.
Q: How much does it cost?
A: Pricing has not yet been announced.

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Preview Customers

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Intro to EKS

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Open-source container
management platform
Helps you run
containers at scale
Gives you primitives
for building
modern applications
What is Kubernetes?

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud-native applications
M I C R O S E R V I C E
T O O L I N G
C L O U D N AT I V E
A P P L I C AT I O N S

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
But where you run K8s matters
Q U A L I T Y O F T H E
C L O U D P L AT F O R M
Q U A L I T Y O F T H E
A P P L I C AT I O N S
Y O U R U S E R S

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
57% of Kubernetes workloads
run on AWS today
— Cloud Native Computing Foundation

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
3x Kubernetes masters for HA
Kubernetes on AWS

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API
server
Cloud
controller
Controller
manager
Scheduler Add-onsKubeDNS
Kubernetes master

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Availability
Zone 1
Etcd
Master
Etcd
Master
Etcd
Master
Availability
Zone 2
Availability
Zone 3

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Availability
Zone 1
Etcd
Master
Etcd
Master
Availability
Zone 2
Availability
Zone 3
Etcd
Master

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
“Run Kubernetes for me.”

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
“Native AWS Integrations.”

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
”An Open Source Kubernetes Experience.”

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
E L A S T I C C O N TA I N E R S E RV I C E F O R K U B E R N E T E S
(EKS)

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tenet 1
EKS is a platform for enterprises
to run production-grade workloads

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tenet 2
EKS provides a native and
upstream Kubernetes experience

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tenet 3
If EKS customers want to use additional
AWS services, the integrations are seamless
and eliminate undifferentiated heavy lifting

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tenet 4
EKS team actively contributes
to the Kubernetes project

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Availability
Zone 1
Etcd
Master
Etcd
Master
Availability
Zone 2
Availability
Zone 3
Etcd
Master

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Availability
Zone 1
Master Master
Availability
Zone 2
Availability
Zone 3
Master
Workers Workers Workers
Customer Account
AWS Managed

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
mycluster.eks.amazonaws.com
EKS Workers
Kubectl
Amazon EKS
AZ 1 AZ 2 AZ 3
Your AWS account

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Heptio IAM Authenticator
https://github.com/heptiolabs/kubernetes-aws-authenticator
An open-source approach to integrating
AWS IAM authentication with Kubernetes

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubectl
3) Authorizes AWS Identity with RBAC
K8s API
1) Passes AWS Identity
2) Verifies AWS Identity
4) K8s action
allowed/denied
AWS Auth
IAM Authentication + Kubectl

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM Auth Support == Upstream in 1.10

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Native VPC networking
with CNI plugin
Pods have the same VPC
address inside the pod
as on the VPC
Simple, secure networking
Open-source and
on GitHub
…{ }
https://github.com/aws/amazon-vpc-cni-k8s

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Nginx Pod
Java Pod
ENI
Secondary IPs:
10.0.0.1
10.0.0.2
Veth IP: 10.0.0.1
Veth IP: 10.0.0.2
Nginx Pod
Java Pod
ENI
Veth IP: 10.0.0.20
Veth IP: 10.0.0.22
Secondary IPs:
10.0.0.20
10.0.0.22
ec2.associateaddress()
VPC Subnet – 10.0.0.0/24
Instance 1 Instance 2

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubernetes Network
Policies enforce network
security rules
Calico is the leading
implementation of the
network policy API
Open source, active
development (>100
contributors)
Commercial support
available from Tigera

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S T A G E
S E P A R A T I O N
“ T E N A N T ”
S E P A R A T I O N
F I N E - G R A I N E D
F I R E W A L L S
C O M P L I A N C E
E.g., typically use namespaces
for different teams within
a company—but without
network policy, they are
not network isolated
Reduce attack surface within
microservice-based applications
Isolate dev, test, and prod E.g., PCI, HIPAA

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Master access and visibility
Amazon
CloudWatch
AWS
CloudTrail
Master

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Upgrade Strategy: “On-Demand Updates”
Kubernetes Upgrades

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
1.9.11.9.2
Version
1.9
Version
1.10
Kubernetes Upgrades

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Application Scaling
• Horizontal Pod Autoscaler – scales pods in response to K8s
generated metrics (CPU)
• Has support for custom metrics

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cluster Scaling
• Two options: Native Auto Scaling, K8s Cluster Autoscaler
• Cluster Autoscaler is reactive
• AWS Auto Scaling groups work as usual

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubectl
Workers
PrivateLink
Interface Amazon EKS

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What’s new?

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EKS is Kubernetes Certified

47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kubernetes Conformance
1. Guaranteed Portability and Interoperability
2. Timely Updates
3. Confirmability

48. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
1.9 upstream == 1.9 in EKS

49. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Will $(thing) work on EKS?

50. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Conformance Challenges:
Workers Masters
Kubernetes assumes a single
network for workers and masters
API Access
Kubectl
Exec/Logs

51. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Conformance Challenges:
Workers Masters
EKS runs across multiple
networks and accounts
API Access
Kubectl
Exec/Logs
Customer VPC EKS VPC

52. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ways to solve this
1: Require opening security groups to our IP range (Manual,
error-prone, gross)
2: Do something different

53. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
A different way: EKS Cross-Account Networking
Workers Masters
Customer VPC EKS VPC
Network Load
Balancer
ENI
API Access
Kubectl
Exec/Logs
TLS
Static IPs

54. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EKS Cross-Account Networking: Availability
Zones
Availability
Zone 1
Master Master
Availability
Zone 2
Availability
Zone 3
Master
Workers Workers Workers
Customer VPC
EKS VPC
ENI ENI ENI

55. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EKS Cross-Account Networking: PKI and TLS
EKS Worker EKS Master
Kubelet
Generates
public/private keys
Kubelet installs
server cert
Kubelet issues CSR
Certificate rotation

56. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EKS Cross-Account Networking
• Pattern can be used by anyone running Kubernetes on AWS
• Hard to do on your own
• EKS customers now get secure cross-account networking
configuration by default

57. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Load Balancing
CoreOS ALB Ingress Controller: Supported by AWS
Exposes ALB functionality to Kubernetes via Ingress
Resources
Layer 7 load balancing, supports content-based routing by
host or path

58. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Load Balancing

59. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Load Balancing
• Network Load Balancer: Alpha Feature in 1.9
• Layer 4 Load Balancer, used for services of
type=loadbalancer
• Replacement for Classic Load Balancer in many use cases

60. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service Discovery with Amazon ECS and
Kubernetes
Contribution to ExternalDNS, a K8s Incubator project:
- Registers Kubernetes services and ingresses in the
Amazon Route 53 Auto Naming service registry
- Enables service discovery across Kubernetes and Amazon
ECS clusters via simple DNS queries to Amazon Route 53
- Supports services running in VPC or available publicly

61. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo

62. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Please complete the session survey in
the mobile app.

63. Submit Session Feedback
1. Tap the Schedule icon. 2. Select the session
you attended.
3. Tap Session
Evaluation to submit your
feedback.

64. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!