© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scaling production grade Kubernetes Multi-Cluster environments using GitOps
Rodrigo Bersa
EKS Specialist Solutions Architect
AWS
Carlos Santana
EKS Specialist Solutions Architect
AWS
KCD Washington, DC
I have chosen to use Kubernetes – now what?
What customers are building
Apps and services
Mobile
IoT
Static websites
Complex web apps
.NET apps
Legacy homegrown Linux apps
Monoliths
Autonomous vehicles (object tracking, sensor fusion)
Robotics (vision, grasping, motion control)
Modeling, training, and inference
Real-time
MapReduce
Batch
Challenges and Goals
Cluster management: enforce security standards and best practices across clusters to automate deployments
Team management: define boundaries between multiple teams
Workload management: provision multiple workloads at scale
Add-on management: install add-ons and their dependencies
Configuration management: automate configuration and upgrade lifecycle from a single source of truth
CNCF Cloud Map
“There is no shortage of amazing tooling in the K8s ecosystem, but there is no guide for how to put all the tools together”
Kubernetes Journey (built up over four slides)
Decisions: Choose an orchestrator; Data Plane Compute; Cluster Addons
Day 2 Operations
Cluster add-ons
Security: Cilium, Gatekeeper, Kyverno
Observability: Prometheus, Fluent Bit, OTEL
Reliability: Karpenter, Autoscaler, Keda
Delivery: ArgoCD, Flux, Crossplane
Other
Principles of GitOps
A system managed by GitOps must have its desired state expressed declaratively.
Desired state is stored in a way that enforces immutability, versioning and retains a complete version history.
Software agents continuously observe actual system state and attempt to apply the desired state.
Software agents automatically pull the desired state declarations from the source.
Enforces Consistency, Reduces Business Risk, Enhances Auditability, Boosts Security
GitOps Continuously Reconcile
Loop stages: Build, Test, Scan, Operate/Fix, Deploy/Verify, Observe/Alert
Immutability Firewall
Git becomes the single source of truth for the system’s desired state, enabling reproducible automated deployments, cluster management, and monitoring.
Secure environments
Private environments
Diagram: Corporate datacenter with a Kubernetes Cluster inside the Corporate Network; Build; Infrastructure deployment.
Public repositories
Diagram: Corporate datacenter with a Kubernetes Cluster inside the Corporate Network; Build, Deploy; Infrastructure deployment.
Private repositories
Diagram: Corporate datacenter with a Kubernetes Cluster and a Repository inside the Corporate Network; Build, Scan (Grype, Clair), Scan Store, Pull, Deploy; Infrastructure deployment.
Trusted repositories
Diagram: Corporate datacenter with a Kubernetes Cluster and a Repository inside the Corporate Network; Build, Scan (Grype, Clair), Scan Store, Pull, Deploy; Image replication; Infrastructure deployment.
Cloud environment
Diagram: AWS Cloud with a VPC and Private subnet containing Amazon EKS, Amazon ECR, Amazon Inspector, AWS CodeCommit and Endpoints (AWS PrivateLink); a Secured Network reached over a VPN connection or AWS Direct Connect; Build, Store, Scan, Deploy; Image replication; Infrastructure deployment.
Team management
Multi-team considerations
Identity & Access Management
Policy Management
Namespace as a Service
Separation of concerns
Platform engineers (platform builders): build and integrate tools that provision, manage and secure the cloud computing infrastructure.
Software engineers (application builders): free to focus on building applications that deliver business value to customers.
Teams management (k8s)
Diagram: Dev Team A, Dev Team B, Platform Team and Audit Team access a Kubernetes Cluster (Control Plane, Data Plane, Instances) through Developer RBAC, Temp RBAC and Admin RBAC.
Teams management (cloud)
Diagram: Dev Team A, Dev Team B, Platform Team and Audit Team assume a Developer Role, Admin Role or Temporary Role into the AWS Cloud; a VPC spanning Availability Zone 1 and Availability Zone 2 hosts Amazon EKS with a Managed Node Group and Karpenter “Groupless” capacity.
Teams management (ArgoCD)
Diagram: Dev Team A, Dev Team B, Platform Team and Audit Team map onto ArgoCD Projects: Apps (Apps Repository, workloads), Audit (Policy Repository, policies) and Platform (Platform Repository, addons), deploying to a Dev/Test Cluster and a Production Cluster.
Automated cluster deployment
Automated deployment (k8s)
Diagram: Teams (Dev Team A, Dev Team B, Platform Team, Audit Team) Git push to the IaC repository, which triggers the IaC Pipeline; Build, Scanning, Pull and Push through the Repository; the pipeline deploys a Dev/Test Cluster and a Production Cluster (Control Plane, Data Plane, Instances) in the Corporate datacenter inside the Corporate Network.
Automated deployment (Cloud)
Diagram: Teams (Dev Team A, Dev Team B, Platform Team, Audit Team) Git push to the IaC repository, which triggers the IaC Pipeline; Build, Scan, Pull, Push; in the AWS Cloud a Dev/Test account and a Production account each hold a VPC across Availability Zones with Amazon EKS, a Managed Node Group and Karpenter “Groupless” capacity; Development tools; Secured Network.
Amazon EKS Blueprints
An open-source framework that allows you to configure and deploy complete Amazon EKS clusters across accounts and Regions.
Infrastructure as Code with Terraform and CDK
Based on AWS best practices and recommendations
Integrated with popular K8s tools and services
Fully extensible and customizable
Cluster creation with Amazon EKS Blueprints
• Infrastructure as Code (IaC)
  • AWS CDK
  • HashiCorp Terraform
• Addons
  • OSS
  • AWS
  • Partner
• GitOps
  • ArgoCD (New GitOps-Bridge)
Multi-Cluster Management with GitOps (Topologies)
Standalone/distributed GitOps
Diagram: a Full ArgoCD (UI/CLI, API Server, Redis Server, Repo, Controllers) runs in a Namespace of every cluster: Amazon EKS in each Tenant AWS account and each On premises Kubernetes cluster.
Centralized/Hub-Spoke (Push)
Diagram: a Full ArgoCD (UI/CLI, API Server, Redis Server, Repo, Controllers) runs in a Namespace of a Central Amazon EKS cluster in a Central AWS account and pushes to the spokes: Amazon EKS in Tenant AWS accounts and On premises Kubernetes clusters.
Centralized/Hub-Spoke (Shared)
Diagram: a Full ArgoCD (UI/CLI, API Server, Redis Server, Repo, Controllers) in a Namespace of a Central Amazon EKS cluster in a Central AWS account; spokes are Amazon EKS in Tenant AWS accounts and On premises Kubernetes clusters; sources are the Platform Config repo and the App-1, App-2, App-3 and App-4 repos.
Centralized/Hub-Spoke (Agent)
Diagram: a Full ArgoCD (UI/CLI, API Server, Redis Server, Repo, Controllers) in a Namespace of a Central Amazon EKS cluster in a Central AWS account; each spoke (Amazon EKS in Tenant AWS accounts, On premises Kubernetes clusters) runs a Core ArgoCD; sources are the Platform Config repo and the App-1, App-2, App-3 and App-4 repos.
https://argo-cd.readthedocs.io/en/stable/operator-manual/core
https://akuity.io/blog/reducing-argocd-operational-burden
https://github.com/open-cluster-management-io/argocd-pull-integration
Reliability and Performance
ArgoCD Scaling Challenges
Image: https://colocatedeventseu2023.sched.com/event/1JoAP/scaling-argo-security-and-multi-tenancy-in-aws-eks-at-the-new-york-times-david-grizzanti-luke-philips-the-new-york-times
Scaling ArgoCD
• Enable HPA (API, Repo, Redis)
• Controller Replica shards (random, round-robin)
• Tuning (timeouts, processor queues)
• Reconcile Optimization
  • ignoreResourceUpdates vs. ignoreDifferences
https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability
https://argo-cd.readthedocs.io/en/stable/operator-manual/reconcile
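As an added example, not material from the slides or Argo CD's shipped defaults, the manifests behind these bullets: argocd-cmd-params-cm keys for controller tuning and sharding, argocd-cm entries that contrast ignoreDifferences with ignoreResourceUpdates, and an HPA for the repo-server. The numeric values and the chosen resource paths are assumptions to tune against measured load.

```yaml
# Added example (not from the slides): Argo CD settings for the scaling bullets.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Tuning: worker counts for the status and operation queues, and how long
  # the controller waits on a repo-server call before giving up.
  controller.status.processors: "50"
  controller.operation.processors: "25"
  controller.repo.server.timeout.seconds: "120"
  # Controller replica shards: clusters are distributed round-robin over the
  # controller replicas (raise the StatefulSet replicas and the
  # ARGOCD_CONTROLLER_REPLICAS env var to match).
  controller.sharding.algorithm: round-robin
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # ignoreDifferences: the field is left out of the diff, so a CA bundle
  # injected at runtime does not keep the Application OutOfSync.
  resource.customizations.ignoreDifferences.admissionregistration.k8s.io_MutatingWebhookConfiguration: |
    jqPathExpressions:
      - '.webhooks[]?.clientConfig.caBundle'
  # ignoreResourceUpdates: a watch event that changes only these fields does
  # not queue a reconciliation at all, which is what cuts controller load.
  # Trade-off: health derived from /status is refreshed only on the periodic
  # reconcile, so keep the list narrow if fast health updates matter.
  resource.ignoreResourceUpdatesEnabled: "true"
  resource.customizations.ignoreResourceUpdates.all: |
    jsonPointers:
      - /status
      - /metadata/resourceVersion
      - /metadata/managedFields
---
# HPA on the repo-server Deployment; argocd-server takes the same shape.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: argocd-repo-server
  namespace: argocd
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: argocd-repo-server
  minReplicas: 2
  maxReplicas: 6
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```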
Monitoring ArgoCD
Prometheus: use the Operator or set up service labels; OpenTelemetry/ADOT; Alerts; AMP (Amazon Managed Service for Prometheus)
Grafana: ArgoCD Dashboard (tweak); Sync time; Work queue; AMG (Amazon Managed Grafana)
Logging: find k8s resource properties to ignore
GitOps Bridge
GitOps Bridge: IaC and Addons
https://github.com/gitops-bridge-dev
1. IaC (ack, terraform, kops, ansible, pulumi, cdk, capa, crossplane) creates the Infrastructure: Virtual private cloud (VPC), Subnet, Kubernetes (Amazon EKS), IAM Role, NAT gateway, Instances
2. Kubernetes CR (ArgoCD Cluster):
   metadata:
     annotations:
       aws_alb_role_arn: arn….
     labels:
       enable_aws_alb: true
3. GitOps (ApplicationSet per addon):
   ./aws/aws-cloudwatch-metrics-appset.yaml
   ./aws/aws-csi-ebs-resources-appset.yaml
   ./aws/aws-csi-efs-driver-appset.yaml
   ./aws/aws-csi-fsx-driver-appset.yaml
   ./aws/aws-fluentbit-appset.yaml
   ./aws/aws-gateway-api-controller-appset.yaml
   ./aws/aws-load-balancer-controller-appset.yaml
   ./aws/aws-node-termination-handler-appset.yaml
   ./aws/aws-oss-cert-manager-appset.yaml
   ./aws/aws-oss-cluster-autoscaler-appset.yaml
   ./aws/aws-oss-crossplane-providers-appset.yaml
   ./aws/aws-oss-external-dns-appset.yaml
   ./aws/aws-oss-external-secrets-appset.yaml
   ./aws/aws-oss-karpenter-appset.yaml
   ./aws/aws-oss-privateca-issuer-appset.yaml
   ./aws/aws-oss-velero-appset.yaml
   ./aws/aws-secrets-store-csi-appset.yaml
   ./oss/argo-cd-appset.yaml
   ./oss/argo-events-appset.yaml
   ./oss/argo-rollouts-appset.yaml
   ./oss/argo-workflows-appset.yaml
GitOps Bridge: ApplicationSet (Addon versions)
Version in dev is 1.6.0, in staging is 1.5.5, in production is 1.5.4
Cluster opt-in for the addon
Chart name and repo in a single place
Merge generator
Prevent Outages
GitOps Bridge: ApplicationSet (overrides)
Metadata based on IaC
Namespace based on IaC
Override values files
Value files in git
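An added example, not a file from the slides or from the gitops-bridge-dev repository, that ties the two ApplicationSet slides together: one ApplicationSet for the AWS Load Balancer Controller addon, with a merge generator pinning 1.6.0, 1.5.5 and 1.5.4 for dev, staging and production, cluster opt-in through the enable_aws_alb label, chart name and repo defined once, and the IAM role and namespace taken from the ArgoCD cluster secret metadata that IaC wrote. The environment label, the aws_alb_namespace annotation, the platform repo URL and the values-file layout are assumptions; aws_alb_role_arn and enable_aws_alb are the slide's own keys.

```yaml
# Added example (not from the slides or gitops-bridge-dev). Classic {{param}}
# templating is used; the clusters generator exposes name, server,
# metadata.labels.*, metadata.annotations.* and values.* as flat parameters.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: addon-aws-load-balancer-controller
  namespace: argocd
spec:
  syncPolicy:
    preserveResourcesOnDeletion: true   # dropping the opt-in label does not tear the addon down
  generators:
    - merge:
        mergeKeys: [server]   # later generators override the base entry for the same cluster
        generators:
          # Base: every cluster whose ArgoCD cluster secret carries the IaC-set opt-in
          # label. Chart name, repo and the production version live here and nowhere else.
          - clusters:
              selector:
                matchLabels:
                  enable_aws_alb: "true"
              values:
                addonChart: aws-load-balancer-controller
                addonChartRepository: https://aws.github.io/eks-charts
                addonChartVersion: 1.5.4
          # Overrides: a newer version reaches dev first, then staging, so a bad chart
          # bump cannot reach production in the same commit (the "prevent outages" point).
          # The "environment" label is an assumption of this example.
          - clusters:
              selector:
                matchLabels: {enable_aws_alb: "true", environment: dev}
              values:
                addonChartVersion: 1.6.0
          - clusters:
              selector:
                matchLabels: {enable_aws_alb: "true", environment: staging}
              values:
                addonChartVersion: 1.5.5
  template:
    metadata:
      name: 'addon-{{nameNormalized}}-aws-load-balancer-controller'
    spec:
      project: default
      sources:
        - repoURL: '{{values.addonChartRepository}}'
          chart: '{{values.addonChart}}'
          targetRevision: '{{values.addonChartVersion}}'
          helm:
            releaseName: aws-load-balancer-controller
            ignoreMissingValueFiles: true   # environment/cluster overrides are optional
            valueFiles:                     # "value files in git", most specific last
              - $values/charts/aws-load-balancer-controller/values.yaml
              - $values/environments/{{metadata.labels.environment}}/addons/aws-load-balancer-controller/values.yaml
              - $values/clusters/{{name}}/addons/aws-load-balancer-controller/values.yaml
            values: |
              # "metadata based on IaC": the IAM role ARN comes from the cluster secret annotation
              clusterName: {{name}}
              serviceAccount:
                name: aws-load-balancer-controller-sa
                annotations:
                  eks.amazonaws.com/role-arn: {{metadata.annotations.aws_alb_role_arn}}
        - repoURL: https://git.example.internal/platform/platform-repo.git   # placeholder
          targetRevision: main
          ref: values
      destination:
        server: '{{server}}'
        # "namespace based on IaC": annotation name is an assumption of this example
        namespace: '{{metadata.annotations.aws_alb_namespace}}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
          - CreateNamespace=true
```

A cluster that carries enable_aws_alb but no environment label falls through to the base entry and gets the production version, which is the safe default for an unlabelled cluster.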
GitOps Bridge Configuration
Diagram: the Platform team owns the Platform Repo (charts/, environments/, clusters/); per Region and Account, a Kubernetes Control Plane gets its Addons through an App Of AppSet: App Of ApplicationSets, then Addon-1, Addon-2 and Addon-3 ApplicationSets, then Addon-1, Addon-2 and Addon-3 Applications.
Kubernetes CR (ArgoCD Cluster):
  metadata:
    annotations:
      aws_alb_role_arn: arn….
    labels:
      enable_aws_alb: true
Thank you!
Carlos Santana
carrlos@amazon.com
Rodrigo Bersa
bersr@amazon.com
@csantanapr
csantanapr bersa
