© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kubernetes on AWS
Christoph Kassen, Solutions Architect – AWS
@christoph_k
#AWSDevDay
WHY DO WE LOVE CONTAINERS?
Packaging, Distribution, Immutable infrastructure
Make AWS the
BEST PLACE
to run ANY containerized
applications
What is Kubernetes?
Open source container management platform
Helps you run containers at scale
Gives you primitives for building modern applications
WHY DEVELOPERS LOVE KUBERNETES
Why developers love Kubernetes
Vibrant and growing community of users and contributors
Why developers love Kubernetes
Kubernetes can be run anywhere
On-premises, Cloud
Why developers love Kubernetes
A single extensible API
Scale, Performance, Breadth
Cloud-native applications
Microservice, Tooling, Native applications
But where you run K8s matters
Quality of the cloud platform, Quality of the applications, Your users
Let's deploy k8s with kops
Kubernetes on AWS with kops
1. Install binaries & tools: kops, AWS CLI tools, kubectl
2. Set up an IAM user for kops
3. Allow the kops user full access to EC2, Route53, S3, IAM, VPC
4. Configure DNS or deploy a gossip-based cluster
5. Create an S3 bucket to save the cluster config: my-kops-store
6. Set the kops environment variables
7. Select cluster design and options for kops
   1. HA, networking, instance types, AMI
8. Create the cluster: kops create cluster and kops validate
3x Kubernetes masters for HA
Kubernetes on AWS
Kubernetes master: API server, Cloud controller, Controller manager, Scheduler, Add-ons, KubeDNS
Availability Zone 1: etcd, Master
Availability Zone 2: etcd, Master
Availability Zone 3: etcd, Master
“Run Kubernetes for me.”
“Native AWS Integrations.”
“An Open Source Kubernetes Experience.”
ELASTIC CONTAINER SERVICE FOR KUBERNETES
Tenet 1
EKS is a platform for enterprises
to run production-grade workloads
Tenet 2
EKS provides a native and
upstream Kubernetes experience
Tenet 3
If EKS customers want to use additional
AWS services, the integrations are seamless
and eliminate undifferentiated heavy lifting
Tenet 4
EKS team actively contributes
to the Kubernetes project
mycluster.eks.amazonaws.com
Availability Zone 1, Availability Zone 2, Availability Zone 3
kubectl
Demo!
EKS Master Autoscaling
Master: Amazon CloudWatch, AWS CloudTrail
Metrics
Nodes: Node exporter
Pod/Container: kube-state-metrics, cAdvisor
Application: /metrics, JMX
Cluster-wide aggregator: Prometheus, Heapster
Visualizer: Grafana, Kibana, Dashboard
Data model: InfluxDB, Graphite
Alerting: AlertManager, Kapacitor
Heptio IAM Authenticator
An open source approach to integrating
AWS IAM authentication with Kubernetes
Access and Authentication
IAM role: User X
IAM role: Service Account Y
kubectl → K8s APIs → CRUD operations on K8s
aws-cli → EKS service APIs → CRUD operations on infra
K8s master nodes (x3): API Server, Controller Mgr, kubelet, etcd, Cloud Controller Mgr., Scheduler
Authentication: Webhook Tokens
Authorization: RBAC mode
Admission control: NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, ResourceQuota
Client side: AWS STS
Server side: Heptio-aws-authenticator
kubectl
AWS Auth configmap & RBAC
Workers
Role
Role
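The slides above show the two halves of the authenticator: kubectl presents an AWS STS identity on the client side, and the server side looks that identity up in the aws-auth ConfigMap before RBAC ever sees a username. The following is an added, illustrative re-implementation of that lookup, not code from the deck or from aws-iam-authenticator itself. It is stdlib-only; the account id, role and user names in the ConfigMap data are constructed placeholders, and the username templates (`{{SessionName}}`, `{{EC2PrivateDNSName}}`) are the ones the aws-auth ConfigMap supports. IAM role paths are not handled, which is a simplification.

```python
"""Illustrative, stdlib-only re-implementation of how the aws-auth ConfigMap
maps an AWS identity to a Kubernetes username and groups (added example, not
aws-iam-authenticator's own code)."""
import re

# Constructed aws-auth content (the mapRoles/mapUsers keys as Python dicts
# rather than YAML, so no YAML library is needed). Account id and role names
# are placeholders.
AWS_AUTH = {
    "mapRoles": [
        {   # the worker node instance role: nodes join as system:nodes
            "rolearn": "arn:aws:iam::111122223333:role/eks-worker-node-role",
            "username": "system:node:{{EC2PrivateDNSName}}",
            "groups": ["system:bootstrappers", "system:nodes"],
        },
        {   # a role humans assume; the session name becomes part of the user
            "rolearn": "arn:aws:iam::111122223333:role/eks-developers",
            "username": "dev:{{SessionName}}",
            "groups": ["developers"],
        },
    ],
    "mapUsers": [
        {   # a direct IAM user mapping granting cluster-admin
            "userarn": "arn:aws:iam::111122223333:user/alice",
            "username": "alice",
            "groups": ["system:masters"],
        },
    ],
}

ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
IAM_USER = re.compile(r"^arn:aws:iam::\d{12}:user/.+$")


def canonicalize(arn):
    """STS GetCallerIdentity reports an assumed-role ARN for role sessions;
    aws-auth is keyed by the IAM role ARN, so translate before the lookup.
    Returns (canonical_arn, session_name); session_name is None for users.
    Simplification: IAM role paths are not handled."""
    m = ASSUMED_ROLE.match(arn)
    if m:
        account, role, session = m.groups()
        return f"arn:aws:iam::{account}:role/{role}", session
    if IAM_USER.match(arn):
        return arn, None
    raise ValueError(f"unsupported ARN: {arn}")


def resolve(arn, auth=AWS_AUTH, private_dns=None):
    """Return (username, groups) for an authenticated caller, or None when
    the identity is not mapped. No mapping means no access: the caller is a
    valid AWS principal, but RBAC never receives a username for it."""
    canonical, session = canonicalize(arn)
    entries = [(e["rolearn"], e) for e in auth.get("mapRoles", [])]
    entries += [(e["userarn"], e) for e in auth.get("mapUsers", [])]
    for mapped_arn, entry in entries:
        if mapped_arn != canonical:
            continue
        username = (entry["username"]
                    .replace("{{SessionName}}", session or "")
                    .replace("{{EC2PrivateDNSName}}", private_dns or ""))
        return username, list(entry.get("groups", []))
    return None


def cluster_admin_arns(auth=AWS_AUTH):
    """Audit helper: every ARN the ConfigMap places in system:masters, which
    RBAC treats as unrestricted cluster-admin. Worth reviewing regularly."""
    entries = auth.get("mapRoles", []) + auth.get("mapUsers", [])
    return sorted(e.get("rolearn") or e.get("userarn")
                  for e in entries if "system:masters" in e.get("groups", []))


if __name__ == "__main__":
    print(resolve("arn:aws:sts::111122223333:assumed-role/eks-developers/bob"))
    print(cluster_admin_arns())
```

The design point to take away is that the ConfigMap is the trust boundary between IAM and RBAC: whoever can edit aws-auth can grant any principal any group, including system:masters, so write access to that ConfigMap deserves the same scrutiny as cluster-admin itself.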
Native VPC networking with CNI plugin
Pods have the same VPC address inside the pod as on the VPC
Simple, secure networking
Open source and on Github
VPC 172.16.0.0/16, VPC subnet 172.16.1.0/24
Instance 1: ENI with primary private IP 172.16.1.118 and secondary IPs 172.16.1.147, 172.16.1.224, …; Nginx Pod and Java Pod with veth IPs 172.16.1.147 and 172.16.1.224
Instance 2: ENI with primary private IP 172.16.1.15 and secondary IPs 172.16.1.38, 172.16.1.24, …; Nginx Pod and Java Pod with veth IPs 172.16.1.38 and 172.16.1.24
ec2.associateaddress()
Networking with CNI plugin
VPC 172.16.0.0/16, VPC subnet per AZ 172.16.0.1/24
User X, Service Account Y → kubectl → K8s master nodes (x3): API Server, Controller Manager, kubelet, etcd, Scheduler, kube-proxy, Cloud Controller Mgr.
K8s Node 1 and K8s Node 2: kubelet, kube-proxy, ENI, CNI
ENI primary private IP: 172.16.1.118; secondary IPs: 172.16.1.147, 172.16.1.224, …
Service: Front end (POD 2, POD 3); Service: Back end (POD 1, POD 4)
ec2.associateaddress()
L3 route table on the node: 172.16.1.147/32 → veth0 A (pod eth0), 172.16.1.224/32 → veth0 B (pod eth0)
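The two CNI diagrams above show pods borrowing secondary IPs from the node's ENIs and a /32 host route per pod. The following added example models that allocation; it is illustrative code written for this page, not the deck's or the amazon-vpc-cni-k8s project's code. It is stdlib-only, uses the slide's subnet 172.16.1.0/24, and applies the documented EKS pod-capacity formula (ENIs × (IPs per ENI − 1) + 2) with the t3.medium limits of 3 ENIs and 6 IPv4 addresses per ENI. The `SubnetPool` class is a constructed stand-in for EC2's AssignPrivateIpAddresses, and the pod and instance names are placeholders.

```python
"""Model of how the VPC CNI hands pods real VPC addresses: each pod takes a
secondary IP of one of the node's ENIs and gets a /32 host route to its veth.
Added example, stdlib only; it mimics the slide's diagram and is not the
amazon-vpc-cni-k8s code. Subnet 172.16.1.0/24 is from the slide."""
import ipaddress
from dataclasses import dataclass, field

SUBNET = ipaddress.ip_network("172.16.1.0/24")


class SubnetPool:
    """Free-address pool for one subnet (constructed stand-in for EC2's
    AssignPrivateIpAddresses). AWS reserves the first four addresses and the
    last one of every subnet, so .1/.2/.3 are skipped along with .0 and .255."""

    def __init__(self, subnet):
        self.free = [str(h) for h in list(subnet.hosts())[3:]]

    def take(self):
        if not self.free:
            raise RuntimeError("subnet exhausted")
        return self.free.pop(0)


@dataclass
class ENI:
    primary: str
    secondaries: list = field(default_factory=list)


class Instance:
    """One worker node. max_enis / ips_per_eni are instance-type limits;
    3 and 6 are the documented values for t3.medium."""

    def __init__(self, name, pool, max_enis, ips_per_eni):
        self.name, self.pool = name, pool
        self.max_enis, self.ips_per_eni = max_enis, ips_per_eni
        self.enis = []
        self.pods = {}      # pod name -> VPC address
        self.attach_eni()   # eth0 always exists

    def max_pods(self):
        # EKS formula: ENIs * (IPs per ENI - 1) + 2. The +2 covers pods that
        # run in the host network namespace (aws-node, kube-proxy) and so
        # need no VPC address of their own.
        return self.max_enis * (self.ips_per_eni - 1) + 2

    def vpc_ip_capacity(self):
        """Pods that can receive their own VPC address on this node."""
        return self.max_enis * (self.ips_per_eni - 1)

    def attach_eni(self):
        if len(self.enis) >= self.max_enis:
            return None
        eni = ENI(primary=self.pool.take())
        self.enis.append(eni)
        return eni

    def allocate(self, pod):
        """Give a pod a secondary IP; attach another ENI if all are full."""
        for eni in self.enis:
            if len(eni.secondaries) < self.ips_per_eni - 1:
                ip = self.pool.take()
                eni.secondaries.append(ip)
                self.pods[pod] = ip
                return ip
        if self.attach_eni() is not None:
            return self.allocate(pod)
        raise RuntimeError(f"{self.name}: ENI and IP limits reached")

    def host_routes(self):
        """/32 routes the CNI installs on the node: VPC address -> pod veth."""
        return {f"{ip}/32": f"veth-{pod}" for pod, ip in self.pods.items()}


if __name__ == "__main__":
    node = Instance("Instance 1", SubnetPool(SUBNET), max_enis=3, ips_per_eni=6)
    for pod in ("nginx", "java"):
        print(pod, node.allocate(pod))
    print(node.host_routes(), node.max_pods())
```

Because every pod is a first-class VPC address, security groups, VPC flow logs and subnet sizing apply to pods directly; the model also makes visible why a small subnet or a small instance type caps pod density before CPU or memory does.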
DNS, Services and ELB
VPC 172.16.0.0/16, VPC subnet per AZ - 172.16.0.1/24
User X, Service Account Y
K8s master nodes (x3): API Server, Controller Manager, kubelet, etcd, Scheduler, kube-proxy, Cloud Controller Mgr.
K8s Node 1 and K8s Node 2: kubelet, kube-proxy, ENI, CNI
Service: Front end (POD 2, POD 3); Service: Back end (POD 1, POD 4)
DNS pod: kubedns, dnsmasq, healthz; DNS Service – static IP
POD 2, POD 2 behind a Service of kind: Service, type: LoadBalancer
Kubernetes Network Policies enforce network security rules
Calico is the leading implementation of the network policy API
Open source, active development (>100 contributors)
Commercial support available from Tigera
Stage separation: Isolate dev, test, and prod
"Tenant" separation: Namespaces – without network policy, they are not network isolated
Fine-grained firewalls: Reduce attack surface within microservice-based applications
Compliance: E.g., PCI, HIPAA
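The slide's key caveat is that a namespace is not a network boundary until a NetworkPolicy selects its pods. The following added example is a small evaluator of NetworkPolicy ingress semantics written for this page (stdlib only, not the deck's code and not Calico's); the namespaces, pods, labels and the two constructed policies (a default-deny in prod plus an allow rule from frontends to backends on port 8080) are sample data. Only `matchLabels` selectors are implemented, and egress is not modelled.

```python
"""Minimal evaluator for Kubernetes NetworkPolicy ingress semantics (added
example, stdlib only; not Calico's code). It shows the slide's point: a pod
that no policy selects accepts traffic from anywhere, including other
namespaces, while a selected pod only accepts what some policy allows."""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class Policy:
    namespace: str
    pod_selector: dict        # matchLabels; {} selects every pod in the namespace
    ingress: list = field(default_factory=list)   # rules; [] = deny all ingress


# Constructed sample data: labels on the namespaces themselves (what a
# namespaceSelector matches against) and the policies in force.
NAMESPACE_LABELS = {"dev": {"stage": "dev"}, "prod": {"stage": "prod"}}

POLICIES = [
    # prod: default deny ingress for every pod ...
    Policy("prod", {}, []),
    # ... then allow prod frontends to reach backends on 8080 only
    Policy("prod", {"app": "backend"}, [
        {"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
         "ports": [{"port": 8080}]},
    ]),
    # dev has no policy at all: nothing is isolated there
]


def matches(selector, labels):
    """matchLabels semantics: every selector key must be present and equal."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer, policy, src):
    """One entry of a rule's 'from' list against the source pod."""
    pod_sel = peer.get("podSelector")
    ns_sel = peer.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        return True                       # {} matches every peer
    if ns_sel is not None:
        ns_labels = NAMESPACE_LABELS.get(src.namespace, {})
        if not matches(ns_sel.get("matchLabels", {}), ns_labels):
            return False
    elif src.namespace != policy.namespace:
        return False                      # podSelector alone is namespace-local
    if pod_sel is not None and not matches(pod_sel.get("matchLabels", {}), src.labels):
        return False
    return True


def ingress_allowed(src, dst, port, policies=POLICIES):
    """True if traffic from src to dst on port would be admitted."""
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and matches(p.pod_selector, dst.labels)]
    if not selecting:
        return True           # not isolated: no policy selects the destination
    for policy in selecting:  # isolated: any selecting policy may allow it
        for rule in policy.ingress:
            peers, ports = rule.get("from", []), rule.get("ports", [])
            peer_ok = not peers or any(peer_matches(pe, policy, src) for pe in peers)
            port_ok = not ports or any(p.get("port") == port for p in ports)
            if peer_ok and port_ok:
                return True
    return False


def unisolated_pods(pods, policies=POLICIES):
    """Audit helper: 'namespace/name' of every pod no policy selects."""
    return sorted(f"{p.namespace}/{p.name}" for p in pods
                  if not any(pol.namespace == p.namespace and
                             matches(pol.pod_selector, p.labels) for pol in policies))
```

Running `unisolated_pods` over a cluster inventory is a quick way to find the "tenant separation" gaps the slide warns about: every pod it lists is reachable from any other pod in the cluster, whatever namespace it lives in.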
1.9.3, 1.9.4
Version 1.9
Version 1.10
kubectl, Workers, PrivateLink Interface, Amazon EKS
Kubelet on Fargate
Run virtual-kubelet on Fargate
https://www.contentful.com/blog/2018/04/10/sailing-into-infinity-seamlessly-managed-serverless-containers-using-kubernetes-and-aws-fargate/
Prioritizing open source
Open source Kubernetes community
Code reviews, Fixing bugs, Implementing new features
AMAZON CONTAINER SERVICES
(coming 2018)
Questions?
https://aws.amazon.com/containers

Amazon Elastic Container Service for Kubernetes (Amazon EKS) I AWS Dev Day 2018

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Kubernetes on AWS Christoph Kassen, Solutions Architect – AWS @christoph_k #AWSDevDay
  • 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. WHY DO WE LOVE CONTAINERS? Packaging Distribution Immutable infrastructure
  • 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Make AWS the BEST PLACE to run ANY containerized applications © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Open source container management platform Helps you run containers at scale Gives you primitives for building modern applications What is Kubernetes?
  • 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. WHY DEVELOPERS LOVE KUBERNETES
  • 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. W h y d e v e l o p e r s l o v e K u b e r n e t e s Vibrant and growing community of users and contributors
  • 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why developers love Kubernetes Kubernetes can be run anywhere O N - P R E M I S E S C LO U D
  • 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why developers love Kubernetes A single extensible API S C A L E P E R F O R M A N C E B R E A D T H
  • 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cloud-native applications M I C R O S E R V I C E T O O L I N G N A T I V E A P P L I C A T I O N S
  • 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. But where you run K8s matters Q U A L I T Y O F T H E C L O U D P L A T F O R M Q U A L I T Y O F T H E A P P L I C A T I O N S Y O U R U S E R S
  • 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Let‘s deploy k8s with kops
  • 13. Kubernetes on AWS with kops
      1. Install binaries & tools: kops, AWS CLI tools, kubectl
      2. Set up an IAM user for kops
      3. Allow the kops user full access to EC2, Route53, S3, IAM, VPC
      4. Configure DNS, or deploy a gossip-based cluster
      5. Create an S3 bucket to save the cluster config: my-kops-store
      6. Set the kops environment variables
      7. Select cluster design and options for kops: HA, networking, instance types, AMI
      8. Create the cluster: kops create cluster, then kops validate
  • 14. Kubernetes on AWS: 3x Kubernetes masters for HA
  • 15. Kubernetes master: API server, Cloud controller, Controller manager, Scheduler, Add-ons (KubeDNS)
  • 16. Availability Zone 1: etcd, Master; Availability Zone 2: etcd, Master; Availability Zone 3: etcd, Master
  • 17. Availability Zone 1: etcd, Master; Availability Zone 2: etcd, Master; Availability Zone 3: etcd, Master
  • 18. “Run Kubernetes for me.”
  • 19. “Native AWS Integrations.”
  • 20. “An Open Source Kubernetes Experience.”
  • 21. ELASTIC CONTAINER SERVICE FOR KUBERNETES
  • 22. Tenet 1: EKS is a platform for enterprises to run production-grade workloads
  • 23. Tenet 2: EKS provides a native and upstream Kubernetes experience
  • 24. Tenet 3: If EKS customers want to use additional AWS services, the integrations are seamless and eliminate undifferentiated heavy lifting
  • 25. Tenet 4: EKS team actively contributes to the Kubernetes project
  • 26.
  • 27. mycluster.eks.amazonaws.com: Availability Zone 1, Availability Zone 2, Availability Zone 3; kubectl
  • 28. Demo!
  • 29.
  • 30. EKS Master Autoscaling
  • 31.
  • 32. Master: Amazon CloudWatch, AWS CloudTrail
  • 33. Metrics
      Nodes: Node exporter
      Pod/Container: Kube-state-metrics, cAdvisor
      Application: /metrics, JMX
      Cluster-wide Aggregator: Prometheus, Heapster
      Visualizer: Grafana, Kibana, Dashboard
      Data Model: InfluxDB, Graphite
      Alerting: AlertManager, Kapacitor
  • 34.
  • 35.
  • 36. Heptio IAM Authenticator: An open source approach to integrating AWS IAM authentication with Kubernetes
  • 37. Access and Authentication
      IAM ROLE (User X), IAM ROLE (Service Account Y)
      kubectl → K8s APIs → CRUD operations on K8s
      aws-cli → EKS service APIs → CRUD operations on infra
      K8s Master Nodes (x3): API Server, Controller Mgr, kubelet, etcd, Cloud Controller Mgr., Scheduler
      Authentication: Webhook Tokens
      Authorization: RBAC Mode
      Admission Control: NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, ResourceQuota
      AWS STS (client side), Heptio-aws-authenticator (server side)
  • 38.
  • 39.
  • 40. kubectl, AWS Auth configmap & RBAC, Workers, Role, Role
  • 41.
  • 42. Native VPC networking with CNI plugin: Pods have the same VPC address inside the pod as on the VPC. Simple, secure networking. Open source and on GitHub.
  • 43. VPC 172.16.0.0/16, VPC Subnet 172.16.1.0/24
      Instance 1: ENI, Primary Private IP 172.16.1.118, Secondary IPs 172.16.1.147, 172.16.1.224, …; Nginx Pod (veth, IP 172.16.1.147), Java Pod (veth, IP 172.16.1.224)
      Instance 2: ENI, Primary Private IP 172.16.1.15, Secondary IPs 172.16.1.38, 172.16.1.24, …; Nginx Pod (veth, IP 172.16.1.38), Java Pod (veth, IP 172.16.1.24)
      ec2.associateaddress()
  • 44. Networking with CNI plugin
      VPC 172.16.0.0/16; VPC Subnet per AZ 172.16.0.1/24; User X, Service Account Y, kubectl
      K8s Node 1 and K8s Node 2: kubelet, kube-proxy, CNI, ENI (Primary Private IP 172.16.1.118, Secondary IPs 172.16.1.147, 172.16.1.224, …)
      Service: Front end (POD 2, POD 3); Service: Back end (POD 1, POD 4)
      ec2.associateaddress(); L3 RouteTable: veth0 A → eth0 172.16.1.147/32, veth0 B → eth0 172.16.1.224/32
      K8s Master Nodes (x3): API Server, Controller Manager, kubelet, etcd, Scheduler, kube-proxy, Cloud Controller Mgr.
  • 45. DNS, Services and ELB
      VPC 172.16.0.0/16; VPC Subnet per AZ 172.16.0.1/24; User X, Service Account Y
      K8s Node 1 and K8s Node 2: kubelet, kube-proxy, CNI, ENI
      Service: Front end (POD 2, POD 3); Service: Back end (POD 1, POD 4)
      K8s Master Nodes (x3): API Server, Controller Manager, kubelet, etcd, Scheduler, kube-proxy, Cloud Controller Mgr.
      DNS: kubedns, dnsmasq, healthz; DNS Service – Static IP
      kind: Service, type: LoadBalancer
  • 46.
  • 47. Kubernetes Network Policies enforce network security rules. Calico is the leading implementation of the network policy API. Open source, active development (>100 contributors). Commercial support available from Tigera.
  • 48. STAGE SEPARATION: Isolate dev, test, and prod. “TENANT” SEPARATION: Namespaces – without network policy, they are not network isolated. FINE-GRAINED FIREWALLS: Reduce attack surface within microservice-based applications. COMPLIANCE: e.g., PCI, HIPAA.
  • 49.
  • 50. Version 1.9 (1.9.3, 1.9.4), Version 1.10
  • 51.
  • 52. Amazon EKS: kubectl, Workers, PrivateLink Interface
  • 53.
  • 54. Kubelet on Fargate: Run virtual-kubelet on Fargate. https://www.contentful.com/blog/2018/04/10/sailing-into-infinity-seamlessly-managed-serverless-containers-using-kubernetes-and-aws-fargate/
  • 55. Prioritizing open source
  • 56. Open source Kubernetes community: CODE REVIEWS, FIXING BUGS, IMPLEMENTING NEW FEATURES
  • 57. AMAZON CONTAINER SERVICES (coming 2018)
  • 58. Questions?
  • 59. https://aws.amazon.com/containers
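The point on slide 48 that namespaces are not network isolated until a policy says so, in manifest form. This is an added example, not from the deck or from Calico; it assumes a namespace named "prod" whose pods carry app=frontend / app=backend labels (matching the Front end / Back end services in the slide 44 and 45 diagrams) and a back-end port of 8080, all of which are assumptions.

```yaml
# Added example, not from the deck. Assumes a namespace "prod" whose pods
# carry app=frontend or app=backend labels (matching the Front end / Back
# end services in the diagrams); the labels and port are assumptions.
#
# Without any NetworkPolicy, every pod in "prod" accepts traffic from every
# pod in the cluster. Policy 1 flips the namespace to deny-by-default in
# both directions; policies 2 and 3 re-open only the front end -> back end
# path (plus DNS, which the egress default-deny would otherwise break).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Ingress
  - Egress                 # no ingress/egress rules listed = nothing allowed
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-frontend
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:         # same-namespace pods only; a namespaceSelector
        matchLabels:       # would be needed to admit other namespaces
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-egress
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
  - ports:                 # no "to" = any destination, but only port 53,
    - protocol: UDP        # so kube-dns (slide 45) keeps resolving names
      port: 53
    - protocol: TCP
      port: 53
```

Applying policy 1 alone is a quick way to see what breaks: every pod in the namespace loses connectivity, including DNS, which is why the allow rules must be written with the service graph in hand.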

Editor's notes

  1. Dive Deep!! Keep intro short!!
  2. We’ve learned that customers love containers. Why? Packaging – simple to think about, easy to model out applications at the component level, eases the journey to running microservices or 12-factor apps. Distribution – generally the container image, which encapsulates everything you need to run your application, is stored in a small, lightweight image that can be run on nearly any machine in a repeatable way. Immutable infrastructure – with the packaging and distribution comes a simple way to run immutable infrastructure where you can scale up or down based on requirements.
  3. Again, our mission, as mentioned at the outset, was to make AWS the best place to run ANY containerized application => APPLICATIONS! not infra
  4. The first thing we need to do is introduce Kubernetes. Kubernetes has been around for a few years now, but it has absolutely taken the world by storm, especially over the past 12 months. It’s also rapidly gained traction amongst AWS customers. So, strip away the hype, and at its core, Kubernetes is an open-source container management platform. It’s built to help you run your containers at scale and comes equipped with features and functions to build proper distributed applications using the 12-factor app pattern.
  6. If you’re not a developer yourself and you know about Kubernetes already, chances are you learned about Kubernetes from a developer. This is generally not software someone sells you, but rather it’s something your developers pick up because it helps them solve problems. So, what is it that’s interesting here?
  7. Top 5 on GitHub: the repository has 35k stars, almost 65k commits, 1,600 contributors.
  8. Kubernetes can be run anywhere: on premises or in the cloud. Many customers that use Kubernetes today like it precisely for that reason. Either they can make investments on premises now, moving legacy applications into containers, building new apps in a cloud-native way, running all of this in Kubernetes and moving these applications onto the cloud when they are ready, or they can run the same orchestration framework across multiple environments.
  9. And last but not least, the Kubernetes API can be thought of as a single extensible API that can be used to abstract resources both within AWS and on premises. When using Kubernetes on AWS, you can take advantage of the scale, performance, and breadth of features of the AWS platform via Kubernetes cloud integrations, and use the same familiar Kubernetes API when deploying containers on premises.
  10. At the end of the day, though, all of the functionality packaged together here is the building blocks for microservices. Kubernetes was designed to allow you to build cloud-native applications.
  11. And the quality of the underlying cloud platform – the speed, stability, scalability, and the integrations with the platform – all impact the quality of the applications you build, how much work you have to do yourself, and ultimately how happy your customers are. Your customers perceive the performance of your application: how quickly new features are introduced, and whether your app is down when they need it most.
  12. Customers generally run 3 Kubernetes masters across three availability zones to provide a highly available Kubernetes control plane. Each Kubernetes master runs a copy of the same components. There are some customers that run single-AZ control planes, as well.
  13. The Kubernetes masters run several components within them: the API Server, which is fairly self-explanatory; the controller manager, which runs various system processes for the cluster; and the scheduler, which assigns work to nodes, are some of the main ones. These are the components that allow you to interact with the Kubernetes system. This is also where add-ons like KubeDNS and the dashboard can run.
  14. In addition to the Kubernetes masters, you also need to run etcd, the core persistence layer for Kubernetes. Etcd is a distributed key-value store; this is where the critical data for the cluster is stored. You can optionally co-locate the masters and etcd on the same instances, so you only need to run three instances instead of six to support the control plane. This makes tradeoffs in the operational burden when upgrading your cluster, though. This is one of the many complexities you will encounter when standing up your own Kubernetes infrastructure.
  15. You then need to run the actual worker nodes; this is where your applications run. Worker nodes are generally deployed in autoscaling groups.
  16. Our customers told us, “Hey, running Kubernetes isn’t trivial work, and we think we can better spend our cycles focusing on our applications.” “If we had things our way, we wouldn’t have to think about the nuances of Kubernetes deployments or configuration; we wouldn’t have to worry about managing etcd or the masters.”
  17. And we want the freedom to choose top-notch AWS integrations.
  18. But also to continue using the open source tooling we’re using today.
  19. We listened, and that’s why we’ve built Elastic Container Service for Kubernetes, or EKS. We know how important a well-functioning service is to our customers. So we didn't build Amazon EKS haphazardly. There is a core set of tenets that we followed which guided our decision-making for how Amazon EKS should work.
  20. Let’s talk about the tenets that anchor our design decisions for EKS. Tenet 1: EKS is a platform for enterprises to run production-grade workloads. EKS aims to provide features and management capabilities to allow enterprises to run real workloads at real scale. Reliability, visibility, scalability, and ease of management are our priorities. One of the areas where we are putting in a lot of effort is availability. By default, EKS is multi-master – we run masters across multiple availability zones and we manage your persistence layer for you.
  21. Tenet 2: EKS provides a native and upstream Kubernetes experience. Any modifications or improvements that we make in our service must be transparent to the Kubernetes end user. This means that your existing Kubernetes experience and know-how applies directly to EKS. Your existing applications and investments in Kubernetes work right out of the box with EKS.
  22. Tenet 3: EKS customers are not forced to use additional AWS services, but if they want to, the integrations are seamless and eliminate undifferentiated heavy lifting. We are focused on making contributions to projects that allow customers to use the AWS components they currently know and love with their applications in Kubernetes. The other thing our customers care about is integration into the rest of AWS, and this is another area where we plan to focus and contribute upstream.
  23. Tenet 4: The EKS team actively contributes to the Kubernetes project to improve the Kubernetes experience for all AWS customers.
  24. Things necessary to run AWS in a good way: stability, backups, etc.
  25. Now, with EKS, the complexity of standing up your own Kubernetes control plane is simplified. Instead of running the Kubernetes control plane in your account, you connect to a managed Kubernetes endpoint in the AWS cloud. This endpoint abstracts the complexity of the Kubernetes control plane: your worker nodes can check into a cluster, and you can interact with your Kubernetes cluster through the tooling you already know and love.
  26. Sizing is hard to get right: what happens when the cluster grows? So we monitor the control plane…
  27. https://github.com/heptiolabs/kubernetes-aws-authenticator - this is the project I’ll be talking about
  28. Because we’re hosting Kubernetes as a service, we need to provide authentication on the API endpoint with IAM. IAM isn’t currently supported as a built-in authentication mechanism, so let’s dig into how this works.
  29. When setting up a Kubernetes cluster, a cluster admin has to make access and authorization design decisions: specifically, what mechanisms to use to authenticate the HTTP requests made by users/groups against the API server, and, once TLS is established based on the chosen authentication mechanism, whether to authorize the action requested by the user as allowed by the policy associated with the user/group. When a client attempts to authenticate with the API server using a bearer token, the authentication webhook POSTs a JSON-serialized authentication.k8s.io/v1beta1 TokenReview object containing the token to the remote service. Webhook is an authenticating hook for verifying bearer tokens.
  30. VPC will span all AZs in the region.
  31. Services and Endpoints, and maintains in-memory lookup structures to serve DNS requests. DNS caching to improve performance. Kubelet flags: --cluster-dns=<dns-service-ip> --cluster-domain=<default-local-domain>
  32. A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. Calico optionally extends the K8s API with more policy capabilities and host protection (protecting the K8s infrastructure, not just pods, and standalone instances not running K8s). Yes, Calico and amazon-vpc-cni-k8s will work together to provide the ingress/egress rules of K8s network policies. You can think of SGs as providing the underlying cluster (VM-oriented) security and Kubernetes network policy as providing the fine-grained microservice (container-oriented) security.
  33. CNI Plugin networking
  34. HPA – Horizontal Pod Autoscaler, Cluster Autoscaler
  35. We are super excited about the ecosystem of services that we now have enabling AWS to be the best place to run containers securely, at scale, and for production workloads.
  36. We want to keep making it easier for you to run your applications. This means work on ECS, work on EKS, and work with the open source community to make sure that common patterns are easy to run on AWS.
      • Load Balancer Health Check Initialization [December 2017]
      • ECS and ECR Available in Asia Pacific (Mumbai) Region [December 2017]
      • ECS and ECR Available in South America (Sao Paulo) Region [December 2017]
      • ECS and ECR Available in EU (France) Region [December 2017]
      • Docker 17.09 Support [December 2017]
      • Service Discovery for Amazon ECS [January 2018]
      • ECS and ECR Available in GovCloud (US) Region [January 2018]
      • AWS Fargate for ECS Available in US East (Ohio) Region [January 2018]
      • AWS Fargate for ECS Available in EU (Dublin) Region [February 2018]
      • Cost Allocation for Amazon ECS (including AWS Fargate tasks) and Amazon ECR [February 2018]
      • AWS Fargate for ECS Available in US West (Oregon) Region [March 2018]
      • Custom Domains for Amazon ECR [March 2018]
      • Secret Management for Amazon ECS [March 2018]
      • Blox Daemon Scheduler [March 2018]
  37. Thank you very much for listening to our session and looking forward to continued feedback from our customers in the coming weeks and months.
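The server-side half of the access and authentication flow on slide 37 and note 29, together with the aws-auth ConfigMap and RBAC from slide 40. This is an added example, not from the deck or from the authenticator project: it shows the TokenReview the API server POSTs to the webhook, the answer the authenticator returns after validating the token with AWS STS, and the mapping plus RoleBinding that turn an IAM role into a Kubernetes identity with namespace-scoped rights. The account id, role ARNs, token value, user and group names and the "dev" namespace are placeholders.

```yaml
# Added example, not from the deck or from the authenticator project.
# Account id, role ARNs, token value, names and namespace are placeholders.
#
# 1. What the API server POSTs to the webhook (note 29): a TokenReview
#    carrying the bearer token that kubectl obtained client-side from
#    AWS STS (a pre-signed GetCallerIdentity request, base64 encoded).
apiVersion: authentication.k8s.io/v1beta1
kind: TokenReview
spec:
  token: "k8s-aws-v1.<base64-presigned-sts-get-caller-identity-url>"
---
# 2. What the authenticator answers after calling STS and matching the
#    caller's IAM role against its mapping. username/groups are what RBAC
#    will see; uid records the STS identity so it lands in audit logs.
apiVersion: authentication.k8s.io/v1beta1
kind: TokenReview
status:
  authenticated: true
  user:
    username: "dev:alice"
    uid: "aws-iam-authenticator:123456789012:<sts-user-id>"
    groups:
    - "dev-team"
---
# 3. The mapping the authenticator reads (aws-auth ConfigMap, slide 40).
#    Worker nodes get system:nodes via their instance role; the developer
#    role is mapped to a custom group, not to system:masters.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/eks-worker-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
      - system:bootstrappers
      - system:nodes
    - rolearn: arn:aws:iam::123456789012:role/dev-team-role
      username: dev:{{SessionName}}
      groups:
      - dev-team
---
# 4. Authorization (RBAC mode, slide 37): the mapped group may only read
#    and deploy inside the "dev" namespace and has no cluster-wide rights.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-team-deployer
  namespace: dev
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "pods/log", "services", "deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-deployer
  namespace: dev
subjects:
- kind: Group
  name: dev-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-team-deployer
  apiGroup: rbac.authorization.k8s.io
```

The split matters operationally: an IAM role that is not in mapRoles fails at step 2 with authenticated: false and never reaches RBAC, while a mapped role with no RoleBinding authenticates but is denied every request, which is the safe default to verify with a test kubectl call before handing out the role.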