SUMMIT Berlin


© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Extending EKS with open source tools

Ric Harvey
Technical Developer Evangelist
Amazon Web Services

[email protected]
@ric__Harvey
https://gitlab.com/ric_harvey/bl_eks_opensource


Agenda

• Introduction and use cases

• What’s new

• Amazon EKS Control Plane basics

• Bringing in open source components

• Demo *4


Elastic Container Service for Kubernetes (EKS)


Which customers are using Amazon EKS?

“We built the next generation of our PaaS using EKS for large enterprise workloads. We manage thousands of applications and have hundreds of DevOps teams.”


“Kubernetes is fast becoming the preferred solution for container orchestration. Its biggest downside is that it is not simple to set up and operate. EKS gives us all the benefits of Kubernetes, but takes care of managing the hard stuff. We can dedicate less resources to deployment and operations as result.”


“The performance from Amazon EKS makes it feasible to effectively manage large-scale databases delivering over a million queries per second. EKS also helps with our cluster management and scalability challenges.”


What’s new?

• April: Amazon EKS achieved K8s conformance
• June: Amazon EKS is HIPAA-eligible
• July: Amazon EKS AMI build scripts available in GitHub
• August: New EKS-optimized AMI and updated AWS CloudFormation template for provisioning worker nodes
• August: Amazon EKS supports GPU-enabled Amazon Elastic Compute Cloud (Amazon EC2) instances
• August: Amazon EKS platform version 2 launched
• August: Amazon EKS supports HPA with custom metrics
• September: Amazon EKS launches in Dublin, Ireland
• September: Amazon EKS simplifies cluster setup with update-kubeconfig CLI command
• October: Amazon EKS adds support for Dynamic Admission Controllers (Istio)
• November: Amazon EKS launches in Ohio


“Native AWS Integrations.”


Amazon EKS Architecture

[Diagram labels: mycluster.eks.amazonaws.com, EKS workers, Kubectl, AZ 1, AZ 2, AZ 3, Your AWS account, VPC]


Kubernetes control plane

• Highly available and single tenant infrastructure

• All “native AWS” components

• Fronted by an NLB

[Diagram labels: VPC, API Server ASG, Etcd ASG, NLB, AZ-1, AZ-2, AZ-3, ELB, Instances]


EKS is Kubernetes Certified


“An Open Source Kubernetes Experience.”


Bring your own OS

EKS AMI build scripts

https://github.com/awslabs/amazon-eks-ami


AWS Identity and Access Management (IAM) Authentication

[Diagram labels: Kubectl, K8s API]

1) Passes AWS identity

2) Verifies AWS identity

3) Authorizes AWS identity with RBAC

4) K8s action allowed/denied
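
The mapping behind step 3, as an added example that is not from the slides: in EKS the `aws-auth` ConfigMap in `kube-system` maps a verified IAM role to a Kubernetes user and groups, and ordinary RBAC objects then decide what that group may do. The account ID, role name, group name and namespace below are assumptions chosen for illustration.

```yaml
# Added example, not part of the original deck.
# Assumed values: account 111122223333, IAM role eks-dev-readonly,
# Kubernetes group dev-readonly, namespace team-a.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # The worker node role entry is omitted here; a real cluster keeps it.
    # Map to a narrowly scoped group rather than system:masters so that
    # the RBAC check in step 3 actually constrains the caller.
    - rolearn: arn:aws:iam::111122223333:role/eks-dev-readonly
      username: dev-readonly
      groups:
        - dev-readonly
---
# What the mapped group may do: read pods and their logs in one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: team-a
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# Bind the group from aws-auth to the Role above.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-readonly-pod-reader
  namespace: team-a
subjects:
  - kind: Group
    name: dev-readonly
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

With this in place, a caller who assumes the mapped role can list pods in `team-a`, and step 4 denies anything else, such as reading Secrets or acting in another namespace.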


Let's talk container security

https://github.com/uswitch/kiam

[Diagram labels: IAM Role, App 1, App 2, kiam]

• No client SDK modifications are needed: Kiam intercepts Metadata API requests

• Denies access to all other AWS Metadata API paths by default

• Multi-account IAM support.
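
How a workload requests a role through Kiam, as an added example that is not from the slides: Kiam reads the role name from a pod annotation and only serves credentials if that name matches a regular expression annotated on the pod's namespace. The namespace, role, pod and image names are hypothetical.

```yaml
# Added example, not part of the original deck.
# Assumed names: namespace team-a, IAM role team-a-s3-reader,
# pod report-reader, placeholder image.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  annotations:
    # Roles that pods in this namespace may request. An anchored,
    # prefix-scoped pattern is tighter than ".*", which would let any
    # pod here request any role Kiam is able to assume.
    iam.amazonaws.com/permitted: "^team-a-.*$"
---
apiVersion: v1
kind: Pod
metadata:
  name: report-reader
  namespace: team-a
  annotations:
    # The role whose credentials Kiam returns when this pod calls the
    # metadata API. No SDK change is needed in the container.
    iam.amazonaws.com/role: team-a-s3-reader
spec:
  containers:
    - name: app
      image: example.invalid/report-reader:1.0
```

A pod in `team-a` annotated with a role outside the `team-a-` prefix gets no credentials, and a pod with no role annotation is refused on the credential paths as well.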


Amazon EKS Architecture

[Diagram labels: mycluster.eks.amazonaws.com, EKS workers, Kubectl, AZ 1, AZ 2, AZ 3, Your AWS account, VPC]

Autoscale

https://github.com/kubernetes/autoscaler


Cluster AutoScaler

https://github.com/kubernetes/autoscaler

[Diagram labels: VPC, API + ETCD Servers, NLB, AZ-1, AZ-2, AZ-3, ELB, Instances]


Helm

https://helm.sh/

Tiller

https://andrewlock.net/how-to-create-a-helm-chart-repository-using-amazon-s3/
