Operationalizing Amazon EKS
- 2. 2
Kubernetes is the new Cloud OS
Use Containers
& Microservices
Leverage Open
Source Innovation
Adopt a
Dev-Ops Culture
- 3. 3
…but remains complex to manage at scale!
Source: Market Pulse Survey of Kubernetes Adoption
Management complexity is
the biggest hurdle overall
to wider adoption
- 5. 5
About me
• Founder and CEO at Nirmata
• Developing large-scale distributed
systems since the early 90’s (Go,
Java, JS, C++)
• Core focus on centralized
management for complex systems
@JimBugwadia
jim@nirmata.com
- 6. Multi-Cloud Kubernetes Management with Nirmata!
6
Service Mgmt VisibilityGovernance Compliance Optimization
The Nirmata Platform
Change Mgmt. Audit Logs Health Capacity Isolation Policies TuningDiscovery
Managed Kubernetes
GKE AKS EKS PKS
Custom Kubernetes
Bare Metal vSphere GPUs
Cloud-Native Applications
Cluster Services
Traditional Applications
Cluster Services
Your Cloud
Nirmata Cloud
or
Private Edition
Your Apps
- 10. 10
EKS Install
1. eksctl
o Command line that creates a new VPC and EKS
o eksctl.io
2. Terraform, etc.
o AWS provider (https://learn.hashicorp.com/terraform/aws/eks-intro)
3. Nirmata
o Policy based cluster and add-on management
o https://try.nirmata.io
- 13. 13
EKS Core Features
• Networking
o VPC networking support
o Elastic Load Balancing
o Service Mesh (AWS AppMesh)
o Service Registry (AWS CloudMap)
• Managed Control Plane
• Integrated with IAM
• Logging (AWS CloudTrail)
• Storage
o GP2 (AWS EBS)
o CSI drivers for EFS and FSx
(Lustre) in alpha
- 19. 19
The Enterprise-Wide Kubernetes Stack
Compute
Kubernetes
StorageNetwork
Version
Control
Image
Registry
Ingress
Build
Tools
Logging
Monitoring
Security
Policy Management
- 20. 20
The Enterprise-Wide Kubernetes Stack
Compute
Kubernetes
StorageNetwork
Version
Control
Image
Registry
Ingress
Build
Tools
Logging
Monitoring
Security
Policy Management
- 21. 21
The Enterprise-Wide Kubernetes Stack
Compute
Kubernetes
StorageNetwork
Version
Control
Image
Registry
Ingress
Build
Tools
Logging
Monitoring
Security
Policy Management
- 25. 25
Namespaces
Kubernetes supports multiple virtual clusters backed by the
same physical cluster. These virtual clusters are called
namespaces.
https://kubernetes.io/docs/concepts/over
view/working-with-objects/namespaces/
- 26. 26
Role-based access control (RBAC)
• Users are authenticated via OIDC, X.509 certificates,
tokens, etc.
• The auth result provides user information. However, Users
and User Groups are managed externally.
• Kubernetes has a fine grained permission model
• Role (namespace) / ClusterRole
• Roles are mapped to users or groups via role bindings
• RoleBinding (namespace) / ClusterRoleBinding
- 27. 27
Network Policies
• By default, Kubernetes pods are
“non-isolated”
• They accept network connections from any
source and can initiate connection requests
to any destination
• Network Policies define traffic rules
for Kubernetes pods
• ingress (inbound traffic)
• egress (outbound traffic)
Network Policy
Pod Selector
Ingress
Ingress Rule
Ingress Rule
Ingress Rule
Egress
Ingress Rule
Ingress Rule
Egress Rule
- 28. 28
Resource Management
• Pods can have resource requests and limits
• This allows three quality of service models
GuaranteedBurstable
• A namespace can have limits and default allocations
https://opensource.com/article/18/12/optimizing-
kubernetes-resource-allocation-production
- 32. 32
One more thing…
Pod Security Policy (PSP)
o Controls runtime security
settings for pods
o Enabled at the API Controller
o Requires a role binding between
pod Service Account and the
PSP
- 33. 33
Policy Management
• Policies can provide common
configurations and enforce best
practices
• Kyverno is a open source policy
management tool designed for
Kubernetes
• Kyverno allows you to validate,
generate, and enforce
configurations per namespace /
workload
kyverno.io
- 34. 34
Challenges (recap)
1. Cluster Management
• Consistent configuration of clusters
• Version control and upgrades all each tool
• Security and governance
2. Usage and Workload management
• Providing teams with virtual clusters
• Providing shared services per virtual cluster
• Securing workloads
- 36. 36
Summary
• Amazon EKS provide a reliable way of provisioning and
managing the Kubernetes control plane
• For production enterprise Kubernetes managing cluster
add-ons, shared services, and Kubernetes configurations is
essential
• Nirmata provide an easy way to build self-service secure
virtual clusters on EKS (or any other managed K8s service).