© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Introducing Amazon EKS
February 7th, 2018
Omar Lari, Partner Solutions Architect, AWS
What is Kubernetes?
Open source container management platform
Helps you run containers at scale
Gives you primitives for building modern applications
Why developers love Kubernetes
Kubernetes can be run anywhere
ON-PREMISES, CLOUD
Why developers love Kubernetes
A single extensible API
SCALE, PERFORMANCE, BREADTH
Cloud-native applications
MICROSERVICE
TOOLING
NATIVE
APPLICATIONS
But where you run K8s matters
QUALITY OF THE CLOUD PLATFORM
QUALITY OF THE APPLICATIONS
YOUR USERS
63% of Kubernetes workloads run on AWS today
—CNCF survey
3x Kubernetes masters for HA
Kubernetes on AWS
Kubernetes master
API server
Cloud controller
Controller manager
Scheduler
Add-ons
KubeDNS
[Diagram: Etcd and Master instances across Availability Zone 1, Availability Zone 2 and Availability Zone 3]
“Run Kubernetes for me.”
“Native AWS Integrations.”
“An Open Source Kubernetes Experience.”
ELASTIC CONTAINER SERVICE FOR KUBERNETES (EKS)
[Diagram: Etcd and Master instances across Availability Zone 1, Availability Zone 2 and Availability Zone 3]
[Diagram: Kubectl, mycluster.eks.amazonaws.com, Availability Zone 1, Availability Zone 2, Availability Zone 3]
EKS Customers
Create EKS cluster
Provision worker nodes
Launch add-ons
Launch workloads
EKS – Kubernetes masters
Create HA masters
Certificate management
IAM integration
Setup LB
Create HA etcd
Autoscale
Create cluster
DEMO
[Diagram: EKS, with four boxes labelled API]
aws eks create-cluster --cluster-name reinvent2017 --desired-master-version 1.7 --role-arn arn:aws:iam::account-id:role/role-name
aws eks describe-cluster --cluster-name reinvent2017
aws eks list-clusters
aws eks delete-cluster --cluster-name reinvent2017
HTTP/1.1 200
Content-type: application/json

{
  "cluster": {
    "clusterName": "string",
    "createdAt": number,
    "currentMasterVersion": "string",
    "desiredMasterVersion": "string",
    "masterEndpoint": "string",
    "roleArn": "string",
    "status": "string",
    "statusMessage": "string"
  }
}
[Diagram: Master, Amazon CloudWatch, AWS CloudTrail]
Metrics
Nodes: Node exporter
Pod/Container: Kube-state-metrics, cAdvisor
Application: /metrics, JMX
Cluster-wide Aggregator: Prometheus, Heapster
Visualizer: Grafana, Kibana, Dashboard
Data Model: InfluxDB, Graphite
Alerting: AlertManager, Kapacitor
Native VPC networking with CNI plugin
Pods have the same VPC address inside the pod as on the VPC
Simple, secure networking
Open source and on GitHub
VPC CNI plugin
• Bridge between the K8s land – AWS VPC
• AWS routable IPs
• Thin layer – no performance impact
• Pod IP ENI secondary IP
CNI Infrastructure
Runtime
Network plugin
Network configuration
How do I use it?
• Any K8s cluster on AWS.
• EKS
• BYOK8s
• Daemonset deployment.
kubectl create -f eks-cni.yaml
VPC CNI networking internals
[Diagram: Kubelet, VPC CNI plugin, EC2 with ENIs and Pods, VPC Network]
0. Create ENI
1. CNI Add/Delete
2. Setup veth
VPC CNI plugin architecture
[Diagram: Kubelet, CNI Add/Delete, VPC CNI plugin, gRPC, Network local control plane, ENIs / Secondary IPs, EC2]
Packet flow: pod-to-pod
[Diagram: on each of two EC2 instances: Default namespace, Pod namespace, veth, Route Table, Main RT, ENI RT; VPC fabric between them]
Packet flow: pod-to-external
[Diagram: EC2 instance with Default namespace, Pod namespace, veth, Route Table, Main RT, ENI RT, IPTables; External Network]
Open source
• GitHub – https://github.com/aws/amazon-vpc-cni-k8s
• Contributions
Kubernetes Network Policies enforce network security rules
Calico is the leading implementation of the network policy API
Open source, active development (>100 contributors)
Commercial support available from Tigera
STAGE SEPARATION: Isolate dev, test, and prod
“TENANT” SEPARATION: E.g., typically use namespaces for different teams within a company—but without network policy, they are not network isolated
FINE-GRAINED FIREWALLS: Reduce attack surface within microservice-based applications
COMPLIANCE: E.g., PCI, HIPAA
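The tenant-separation point above, as an added example that is not part of the original slides: two Kubernetes NetworkPolicy manifests that network-isolate one team's namespace. The namespace name `team-a` is a placeholder, and the policies only take effect when a network policy implementation such as Calico is installed.

```yaml
# Added example; "team-a" is a placeholder namespace name.
# 1) Default deny: selects every pod in the namespace and allows no ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: team-a
spec:
  podSelector: {}        # empty selector = all pods in team-a
  policyTypes:
    - Ingress
---
# 2) Allow ingress only from pods in the same namespace.
#    A podSelector without a namespaceSelector matches pods in the
#    policy's own namespace, so other namespaces stay blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
```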
Kubernetes + AWS IAM
• AWS native access management
• In collaboration with Heptio
• Kubectl and worker nodes
• Works with Kubernetes RBAC
[Diagram: Kubectl, K8s API, AWS Auth]
1) Passes AWS Identity
2) Verifies AWS Identity
3) Authorizes AWS Identity with RBAC
4) K8s action allowed/denied
Worker provisioning
[Diagram: kubectl, AWS Auth configmap & RBAC, Workers, Role, Role, configmap]
Heptio IAM Authenticator
https://github.com/heptiolabs/kubernetes-aws-authenticator
An open source approach to integrating AWS IAM authentication with Kubernetes
[Diagram: 1.7.4, 1.7.5; Version 1.7; Version 1.8]
[Diagram: Kubectl, Workers, PrivateLink Interface, Amazon EKS]
CNI plugin
Allow Kubernetes users to take advantage of native VPC networking in their Kubernetes pods
Open source Kubernetes community
CODE REVIEWS
FIXING BUGS
IMPLEMENTING NEW FEATURES
What’s next?
BETA SIGN-UP STARTS NOW!
GENERALLY AVAILABLE 2018
LEARN MORE: AWS.AMAZON.COM/EKS/PREVIEW
THANK YOU!
