Max Körbächer - AWS EKS and beyond – master your Kubernetes deployment on AWS - Codemotion Berlin 2018
1 like157 views
The document presents a comprehensive overview of deploying and managing Kubernetes (k8s) on AWS, particularly through the Amazon EKS service. It discusses essential components needed for a production-ready cluster, including infrastructure, authentication, CNI networking, and service mesh integration. Key takeaways emphasize simplicity in cluster design, the necessity of monitoring and logging, and leveraging 'as a service' backends for operational efficiency.
Max Körbächer - AWS EKS and beyond – master your Kubernetes deployment on AWS - Codemotion Berlin 2018
- 1. AWS EKS & beyond Master your Kubernetes deployment on AWS Max Körbächer Berlin | November 20 - 21, 2018
- 2. Max Körbächer Cloud Solution Architect @ Storm Reply Hey! ● Design and build cloud ready solutions ○ microservice & event driven apps ○ serverless & kubernetes based ○ ♥ for GO, GraphQL & NoSQL ● Background as Enterprise Architect & Founder ● Visit me at: max.koerbaecher.io
- 3. Kubernetes - 10.000 foot view
- 5. K8s & the cloud Two concepts collide into each other source: http://annesastronomynews.com
- 6. In theory K8s & cloud is a dream For a perfect K8s cluster you need: ● auto scaling server ● software defined storage ● redundancy / high availability ● managed databases ● reliable and fast file storage perfect match? However…on the fine grained level there are might be some differences which you get to feel the more complex you make your cluster
- 7. - Elastic Container Service for Kubernetes
- 8. Mainly deployments happen via kops, kubeadm or templates like heptio-quickstart Amazon contribute at the K8s AWS Special Interest Group Kubernetes @ AWS Over 62% of K8s workload runs on AWS
- 9. What is AWS EKS? Master Nodes and etcd are controlled and managed by AWS AWS ensure that there is always one node per Availability Zone running The worker nodes are up to your responsibility! source: https://docs.aws.amazon.com/eks/latest/
- 10. AWS EKS Endpoint EKS publish your endpoint which you can reach by CLI/CI-Tool This means you can use as usual the kubectl to control and manage your cluster source: https://docs.aws.amazon.com/eks/latest/
- 11. How EKS CP talk to your worker The EKS Control Plane and your worker run in different VPCs An ENI in you VPC is attached to the CP While a Load Balancer sits in front of the CP source: https://docs.aws.amazon.com/eks/latest/
- 12. What do you need for a production ready cluster?
- 13. A good basis for getting ready
- 14. Create the infrastructure Cloud level AWS managed VPC with 3 K8s master, one per each availability zone private & public subnets will be created per AZ (cannot span over multiple AZs) VPC will span over 3 AZ in EU-WEST-1 (Ireland) region One Auto Scaling Group for public and one ASG for private subnets
- 15. We need to create the EKS, a VPC for the worker as well as some subnets, security groups and auto scaling groups A Terraform template makes this easy Create the base infrastructure
- 16. Authorization & Authentication IAM manages the authentication RBAC the authorization After proving your identity you can use the K8s Endpoint as normal IAM authenticator plugin source: https://docs.aws.amazon.com/eks/latest/
- 17. Deploy IAM Auth Plugins IAM Auth Plugin: https://github.com/kubernetes-sigs/ aws-iam-authenticator 1. Create IAM roles which will be assumed later 2. Specify the configuration map & demon set 3. Tell your API server to talk the auth server plugin 4. Adjust the K8s config:
- 18. AWS EKS CNI Networking You can deploy a CNI plugin which bridges the gap between VPC and K8s Each pod will get an IP The maximum amount of pods per node depend on the node size e.g. m5.large can have max. 3 ENI, each with 10 IPv4 addresses VPC native networking through CNI plugin source: https://docs.aws.amazon.com/eks/latest/
- 19. The CNI plugin is easy to setup: Second, the long running node-Local IP Address Management (IPAM) needs a IAM role allowing the following: Seamless CNI integration CNI Plugin: https://github.com/aws/amazon-vpc-cni-k8s
- 20. The overlay network help you to secure and isolate the namespaces on cluster level Therefore Calico can block or allow dedicated communication paths between namespaces and pods Implement the Overlay Network Calico
- 21. Managing the overlay network
- 22. The service mesh secures the communication between services allows layer 7 routing Normally a sidecar injection deploy a proxy to each pod It brings also basic ingress controller Service Mesh
- 23. A default deployment with auto. sidecar injection looks like this However you still will need to care about security Deploy your Service Mesh
- 24. Finally you need some monitoring & logging Therefore you can use a elasticsearch on AWS as service endpoint for your beats or fluentd Configure the yaml and here you go Monitoring & Logging
- 25. Takeaways Keep clusters simple: Complexity doesn’t bring security, it just increase your effort First learn, then optimize: Do not try to predict the workload, observe it and adjust the instance types Utilize “as a Service” Backends: Many companies want to host their own DB or even run it on K8s; DBaaS are critical resources when you reach the point of data protection, availability and HA; also messaging and other resources can be helpful
- 26. Want to know more about Storm Reply? https://www.reply.com/ storm-reply Thank you!