AWS EKS & beyond - master your Kubernetes deployment on AWS

A presentation at Codemotion Berlin in November 2018 in Berlin, Germany by Max Körbächer

Slide 1

Berlin | November 20 - 21, 2018
AWS EKS & beyond
Master your Kubernetes deployment on AWS
Max Körbächer

Slide 2

Hey!
Max Körbächer
Cloud Solution Architect @ Storm Reply
● Design and build cloud ready solutions
  ○ microservice & event driven apps
  ○ serverless & kubernetes based
  ○ ♥ for GO, GraphQL & NoSQL
● Background as Enterprise Architect & Founder
● Visit me at: max.koerbaecher.io

Slide 3

Kubernetes - 10.000 foot view

Slide 4

K8s foundation …
source: https://kubernetes.io/docs/concepts/architecture/cloud-controller/

Slide 5

K8s & the cloud
Two concepts collide into each other
source: http://annesastronomynews.com

Slide 6

In theory K8s & cloud is a dream
For a perfect K8s cluster you need:
● auto scaling servers
● software defined storage
● redundancy / high availability
● managed databases
● reliable and fast file storage
However… on the fine grained level there might be some differences, which you get to feel the more complex you make your cluster
perfect match?

Slide 7

Elastic Container Service for Kubernetes

Slide 8

Kubernetes @ AWS
Mainly deployments happen via kops, kubeadm or templates like heptio-quickstart
Amazon contributes to the K8s AWS Special Interest Group
Over 62% of K8s workloads run on AWS

Slide 9

What is AWS EKS?
Master nodes and etcd are controlled and managed by AWS
AWS ensures that there is always one node per Availability Zone running
The worker nodes are your responsibility!
source: https://docs.aws.amazon.com/eks/latest/

Slide 10

AWS EKS Endpoint
EKS publishes your endpoint, which you can reach with a CLI/CI tool
This means you can use kubectl as usual to control and manage your cluster
source: https://docs.aws.amazon.com/eks/latest/

Slide 11

How the EKS CP talks to your workers
The EKS Control Plane and your workers run in different VPCs
An ENI in your VPC is attached to the CP, while a Load Balancer sits in front of the CP
source: https://docs.aws.amazon.com/eks/latest/

Slide 12

What do you need for a production ready cluster?

Slide 13

A good basis for getting ready

Slide 14

Create the infrastructure
Cloud level
● AWS managed VPC with 3 K8s masters, one per availability zone
● One Auto Scaling Group for the public and one ASG for the private subnets
● Private & public subnets will be created per AZ (a subnet cannot span multiple AZs)
● The VPC will span 3 AZs in the EU-WEST-1 (Ireland) region

Slide 15

Create the base infrastructure
We need to create the EKS cluster, a VPC for the workers as well as some subnets, security groups and auto scaling groups
A Terraform template makes this easy

Slide 16

Authorization & Authentication
IAM authenticator plugin
IAM manages the authentication, RBAC the authorization
After proving your identity you can use the K8s endpoint as normal
source: https://docs.aws.amazon.com/eks/latest/

Slide 17

Deploy IAM Auth Plugins
1. Create IAM roles which will be assumed later
2. Specify the configuration map & daemon set
3. Tell your API server to talk to the auth server plugin
4. Adjust the K8s config
IAM Auth Plugin: https://github.com/kubernetes-sigs/aws-iam-authenticator
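An added example (not from the talk) of what steps 1, 2 and 4 produce on the Kubernetes side: the aws-auth ConfigMap read by the authenticator maps an IAM role to a Kubernetes group, and an RBAC binding decides what that group may do. The account ID 111122223333, the role names, the namespace and the group name are placeholders.

```yaml
# Added example (not from the talk). Maps IAM roles to Kubernetes identities;
# account ID, role names, namespace and group are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # The worker node instance role: needed so nodes can join the cluster.
    - rolearn: arn:aws:iam::111122223333:role/eks-worker-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # A human role. It is mapped to a custom group, NOT to system:masters,
    # so its rights are exactly what RBAC grants that group below.
    - rolearn: arn:aws:iam::111122223333:role/eks-app-developers
      username: app-dev:{{SessionName}}
      groups:
        - app-developers
---
# Authorization: the group gets read-only access, limited to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-reader
  namespace: app
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "pods/log", "services", "deployments"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-developers-read
  namespace: app
subjects:
  - kind: Group
    name: app-developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-reader
  apiGroup: rbac.authorization.k8s.io
```

The developer's kubeconfig then points its exec credential plugin at that role (`aws-iam-authenticator token -i <cluster-name> -r <role-arn>`), and the token it presents is resolved against this ConfigMap.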

Slide 18

AWS EKS CNI Networking
VPC native networking through the CNI plugin
You can deploy a CNI plugin which bridges the gap between VPC and K8s
Each pod will get an IP
The maximum number of pods per node depends on the node size, e.g. an m5.large can have max. 3 ENIs, each with 10 IPv4 addresses
source: https://docs.aws.amazon.com/eks/latest/

Slide 19

Seamless CNI integration
The CNI plugin is easy to set up:
Second, the long running node-local IP Address Management (IPAM) needs an IAM role allowing the following:
CNI Plugin: https://github.com/aws/amazon-vpc-cni-k8s

Slide 20

Implement the Overlay Network
Calico
The overlay network helps you to secure and isolate the namespaces on cluster level
For this, Calico can block or allow dedicated communication paths between namespaces and pods

Slide 21

Managing the overlay network
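An added example (not from the talk) of the namespace isolation the two Calico slides describe, written as standard Kubernetes NetworkPolicy objects that Calico enforces: deny all inbound traffic to a namespace, re-allow traffic inside it, then open one path from one other namespace to one port. The namespace names, labels and port are assumptions.

```yaml
# Added example (not from the talk): isolating the "payments" namespace with
# NetworkPolicy objects enforced by Calico. Names, labels and port are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}           # selects every pod in the namespace
  policyTypes: ["Ingress"]  # no ingress rules listed -> all inbound traffic denied
---
# Policies are additive: re-open traffic between pods inside the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector: {}   # a podSelector alone means "pods of this namespace"
---
# Only pods in the "frontend" namespace may reach the payments API, and only
# on TCP 8080. The namespace must carry the label name=frontend to match.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: frontend
      ports:
        - protocol: TCP
          port: 8080
```

Everything not matched by an allow rule (other namespaces, other ports, traffic from nodes outside the cluster) stays blocked by the first policy.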

Slide 22

Service Mesh
The service mesh secures the communication between services and allows layer 7 routing
Normally a sidecar injection deploys a proxy to each pod
It also brings a basic ingress controller

Slide 23

Deploy your Service Mesh
A default deployment with automatic sidecar injection looks like this
However, you will still need to care about security
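An added example (not from the talk) of the point this slide makes, assuming Istio as the mesh: automatic sidecar injection is one namespace label, but the injected proxies accept unencrypted traffic by default, so encryption between services has to be required explicitly. The namespace name is an assumption.

```yaml
# Added example (not from the talk), assuming Istio. Namespace name is an assumption.
# Automatic sidecar injection is switched on per namespace by a label ...
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    istio-injection: enabled
---
# ... but injection alone does not force encryption: sidecars run in
# PERMISSIVE mode by default and still accept plain text. STRICT requires
# mutual TLS, so only peers with a mesh identity can reach these workloads.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
```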

Slide 24

Monitoring & Logging
Finally you need some monitoring & logging
For this you can use an Elasticsearch on AWS as the service endpoint for your beats or fluentd
Configure the YAML and here you go

Slide 25

Takeaways
Keep clusters simple: Complexity doesn’t bring security, it just increases your effort
First learn, then optimize: Do not try to predict the workload, observe it and adjust the instance types
Utilize “as a Service” Backends: Many companies want to host their own DB or even run it on K8s; DBaaS are critical resources when you reach the point of data protection, availability and HA; also messaging and other resources can be helpful

Slide 26