SlideShare a Scribd company logo

Operationalizing Amazon EKS

Jim Bugwadia
Jim Bugwadia

Kubernetes can be complex to manage at enterprise scale! Cloud provider services like Amazon EKS solves the challenge of bringing up a Kubernetes control plane. However, production Kubernetes requires multi-layer security, access controls, load-balancing, monitoring, logging, governance, secrets management, policy management, and several other considerations. In this fast paced talk, we will cover how enterprises can address each of these areas and discuss best practices to fast track deployments.

Related slideshows

Containers and OpenStack - A Happy Marriage - Madhuri - Intel - CC18
Containers and OpenStack - A Happy Marriage - Madhuri - Intel - CC18Containers and OpenStack - A Happy Marriage - Madhuri - Intel - CC18
Containers and OpenStack - A Happy Marriage - Madhuri - Intel - CC18
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
 
Kubernetes Architecture with Components
Kubernetes Architecture with Components Kubernetes Architecture with Components
Kubernetes Architecture with Components
 
1 of 37
Download to read offline
Operationalizing Amazon EKS Jim Bugwadia - @JimBugwadia
2 Kubernetes is the new Cloud OS Use Containers & Microservices Leverage Open Source Innovation Adopt a Dev-Ops Culture
3 …but remains complex to manage at scale! Source: Market Pulse Survey of Kubernetes Adoption Management complexity is the biggest hurdle overall to wider adoption
4 Agenda • Overview • What Amazon EKS provides • What else is needed • Demo & discussion
5 About me • Founder and CEO at Nirmata • Developing large-scale distributed systems since the early 90’s (Go, Java, JS, C++) • Core focus on centralized management for complex systems @JimBugwadia jim@nirmata.com
Multi-Cloud Kubernetes Management with Nirmata! 6 Service Mgmt VisibilityGovernance Compliance Optimization The Nirmata Platform Change Mgmt. Audit Logs Health Capacity Isolation Policies TuningDiscovery Managed Kubernetes GKE AKS EKS PKS Custom Kubernetes Bare Metal vSphere GPUs Cloud-Native Applications Cluster Services Traditional Applications Cluster Services Your Cloud Nirmata Cloud or Private Edition Your Apps
Amazon EKS 7
8 Amazon EKS https://eksworkshop.com/
9 EKS worker node connectivity https://eksworkshop.com/
10 EKS Install 1. eksctl o Command line that creates a new VPC and EKS o eksctl.io 2. Terraform, etc. o AWS provider (https://learn.hashicorp.com/terraform/aws/eks-intro) 3. Nirmata o Policy based cluster and add-on management o https://try.nirmata.io
11 Sample EKS install steps…
Install demo 12
13 EKS Core Features • Networking o VPC networking support o Elastic Load Balancing o Service Mesh (AWS AppMesh) o Service Registry (AWS CloudMap) • Managed Control Plane • Integrated with IAM • Logging (AWS CloudTrail) • Storage o GP2 (AWS EBS) o CSI drivers for EFS and FSx (Lustre) in alpha
Operationalizing Kubernetes 14
15 Areas to address 1. Cluster Management 2. Usage and Workload management
16 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork
17 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork Security
18 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork Logging Monitoring Security
19 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork Version Control Image Registry Ingress Build Tools Logging Monitoring Security Policy Management
20 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork Version Control Image Registry Ingress Build Tools Logging Monitoring Security Policy Management
21 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork Version Control Image Registry Ingress Build Tools Logging Monitoring Security Policy Management
Multi-Cluster Management 22 K8s Management Cluster K8s K8s K8s Kubernetes Clusters Infrastructure Data and Shared Services
23 Challenges 1. Cluster Management • Consistent configuration of clusters • Version control and upgrades all each tool • Security and governance 2. Usage and Workload management
24
25 Namespaces Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces. https://kubernetes.io/docs/concepts/over view/working-with-objects/namespaces/
26 Role-based access control (RBAC) • Users are authenticated via OIDC, X.509 certificates, tokens, etc. • The auth result provides user information. However, Users and User Groups are managed externally. • Kubernetes has a fine grained permission model • Role (namespace) / ClusterRole • Roles are mapped to users or groups via role bindings • RoleBinding (namespace) / ClusterRoleBinding
27 Network Policies • By default, Kubernetes pods are “non-isolated” • They accept network connections from any source and can initiate connection requests to any destination • Network Policies define traffic rules for Kubernetes pods • ingress (inbound traffic) • egress (outbound traffic) Network Policy Pod Selector Ingress Ingress Rule Ingress Rule Ingress Rule Egress Ingress Rule Ingress Rule Egress Rule
28 Resource Management • Pods can have resource requests and limits • This allows three quality of service models GuaranteedBurstable • A namespace can have limits and default allocations https://opensource.com/article/18/12/optimizing- kubernetes-resource-allocation-production
29 Kubernetes Virtual Clusters Namespace Limits & Quotas Network Policies Access Controls Workload
30 Kubernetes Virtual Clusters Namespace Limits & Quotas Network Policies Access Controls Workload Security Backups / DR Logging Monitoring Change Mgmt. Ingress Service MeshSecrets
31 Kubernetes Virtual Clusters Namespace Limits & Quotas Network Policies Access Controls Workload
32 One more thing… Pod Security Policy (PSP) o Controls runtime security settings for pods o Enabled at the API Controller o Requires a role binding between pod Service Account and the PSP
33 Policy Management • Policies can provide common configurations and enforce best practices • Kyverno is a open source policy management tool designed for Kubernetes • Kyverno allows you to validate, generate, and enforce configurations per namespace / workload kyverno.io
34 Challenges (recap) 1. Cluster Management • Consistent configuration of clusters • Version control and upgrades all each tool • Security and governance 2. Usage and Workload management • Providing teams with virtual clusters • Providing shared services per virtual cluster • Securing workloads
Virtual Cluster Demo 35
36 Summary • Amazon EKS provide a reliable way of provisioning and managing the Kubernetes control plane • For production enterprise Kubernetes managing cluster add-ons, shared services, and Kubernetes configurations is essential • Nirmata provide an easy way to build self-service secure virtual clusters on EKS (or any other managed K8s service).
Thank-You! https://try.nirmata.io

More Related Content

Operationalizing Amazon EKS

  • 1. Operationalizing Amazon EKS Jim Bugwadia - @JimBugwadia
  • 2. 2 Kubernetes is the new Cloud OS Use Containers & Microservices Leverage Open Source Innovation Adopt a Dev-Ops Culture
  • 3. 3 …but remains complex to manage at scale! Source: Market Pulse Survey of Kubernetes Adoption Management complexity is the biggest hurdle overall to wider adoption
  • 4. 4 Agenda • Overview • What Amazon EKS provides • What else is needed • Demo & discussion
  • 5. 5 About me • Founder and CEO at Nirmata • Developing large-scale distributed systems since the early 90’s (Go, Java, JS, C++) • Core focus on centralized management for complex systems @JimBugwadia jim@nirmata.com
  • 6. Multi-Cloud Kubernetes Management with Nirmata! 6 Service Mgmt VisibilityGovernance Compliance Optimization The Nirmata Platform Change Mgmt. Audit Logs Health Capacity Isolation Policies TuningDiscovery Managed Kubernetes GKE AKS EKS PKS Custom Kubernetes Bare Metal vSphere GPUs Cloud-Native Applications Cluster Services Traditional Applications Cluster Services Your Cloud Nirmata Cloud or Private Edition Your Apps
  • 9. 9 EKS worker node connectivity https://eksworkshop.com/
  • 10. 10 EKS Install 1. eksctl o Command line that creates a new VPC and EKS o eksctl.io 2. Terraform, etc. o AWS provider (https://learn.hashicorp.com/terraform/aws/eks-intro) 3. Nirmata o Policy based cluster and add-on management o https://try.nirmata.io
  • 13. 13 EKS Core Features • Networking o VPC networking support o Elastic Load Balancing o Service Mesh (AWS AppMesh) o Service Registry (AWS CloudMap) • Managed Control Plane • Integrated with IAM • Logging (AWS CloudTrail) • Storage o GP2 (AWS EBS) o CSI drivers for EFS and FSx (Lustre) in alpha
  • 15. 15 Areas to address 1. Cluster Management 2. Usage and Workload management
  • 16. 16 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork
  • 17. 17 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork Security
  • 18. 18 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork Logging Monitoring Security
  • 19. 19 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork Version Control Image Registry Ingress Build Tools Logging Monitoring Security Policy Management
  • 20. 20 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork Version Control Image Registry Ingress Build Tools Logging Monitoring Security Policy Management
  • 21. 21 The Enterprise-Wide Kubernetes Stack Compute Kubernetes StorageNetwork Version Control Image Registry Ingress Build Tools Logging Monitoring Security Policy Management
  • 22. Multi-Cluster Management 22 K8s Management Cluster K8s K8s K8s Kubernetes Clusters Infrastructure Data and Shared Services
  • 23. 23 Challenges 1. Cluster Management • Consistent configuration of clusters • Version control and upgrades all each tool • Security and governance 2. Usage and Workload management
  • 24. 24
  • 25. 25 Namespaces Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces. https://kubernetes.io/docs/concepts/over view/working-with-objects/namespaces/
  • 26. 26 Role-based access control (RBAC) • Users are authenticated via OIDC, X.509 certificates, tokens, etc. • The auth result provides user information. However, Users and User Groups are managed externally. • Kubernetes has a fine grained permission model • Role (namespace) / ClusterRole • Roles are mapped to users or groups via role bindings • RoleBinding (namespace) / ClusterRoleBinding
  • 27. 27 Network Policies • By default, Kubernetes pods are “non-isolated” • They accept network connections from any source and can initiate connection requests to any destination • Network Policies define traffic rules for Kubernetes pods • ingress (inbound traffic) • egress (outbound traffic) Network Policy Pod Selector Ingress Ingress Rule Ingress Rule Ingress Rule Egress Ingress Rule Ingress Rule Egress Rule
  • 28. 28 Resource Management • Pods can have resource requests and limits • This allows three quality of service models GuaranteedBurstable • A namespace can have limits and default allocations https://opensource.com/article/18/12/optimizing- kubernetes-resource-allocation-production
  • 29. 29 Kubernetes Virtual Clusters Namespace Limits & Quotas Network Policies Access Controls Workload
  • 30. 30 Kubernetes Virtual Clusters Namespace Limits & Quotas Network Policies Access Controls Workload Security Backups / DR Logging Monitoring Change Mgmt. Ingress Service MeshSecrets
  • 31. 31 Kubernetes Virtual Clusters Namespace Limits & Quotas Network Policies Access Controls Workload
  • 32. 32 One more thing… Pod Security Policy (PSP) o Controls runtime security settings for pods o Enabled at the API Controller o Requires a role binding between pod Service Account and the PSP
  • 33. 33 Policy Management • Policies can provide common configurations and enforce best practices • Kyverno is a open source policy management tool designed for Kubernetes • Kyverno allows you to validate, generate, and enforce configurations per namespace / workload kyverno.io
  • 34. 34 Challenges (recap) 1. Cluster Management • Consistent configuration of clusters • Version control and upgrades all each tool • Security and governance 2. Usage and Workload management • Providing teams with virtual clusters • Providing shared services per virtual cluster • Securing workloads
  • 36. 36 Summary • Amazon EKS provide a reliable way of provisioning and managing the Kubernetes control plane • For production enterprise Kubernetes managing cluster add-ons, shared services, and Kubernetes configurations is essential • Nirmata provide an easy way to build self-service secure virtual clusters on EKS (or any other managed K8s service).