Amazon Elastic Container Service for Kubernetes (Amazon EKS) is a new managed service for running Kubernetes on AWS. Get a sneak peek into how Amazon EKS works, from provisioning nodes, launching pods, and integrations with AWS services such as Elastic Load Balancing and Auto Scaling.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CON409: Amazon Elastic Container
Services for Kubernetes Deep Dive
E s w a r B a l a , S o f t w a r e D e v e l o p m e n t M a n a g e r , A W S
D e c e m b e r 1 , 2 0 1 7

2. Agenda
• Amazon EKS Introduction
• Kubernetes and Amazon VPC Networking
• Kubernetes and IAM
• Demo

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Elastic Container Service for Kubernetes

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
It i s K ub e r ne te s U p str e am Pr o duc ti o n
wo r kl o ads
Se r v i c e
i nte g r ati o ns
EKS Tenets

5. EKS
• Manage masters
• Highly available
setup
• Upgrades

6. EKS Customers
C r e a t e E K S c l u s t e r
P r o v i s i o n w o r k e r n o d e s
L a u n c h a d d - o n s
L a u n c h w o r k l o a d s

7. EKS – Kubernetes masters
C r e a t e H A m a s t e r s
C e r t i f i c a t e m a n a g e m e n t
I A M i n t e g r a t i o n
S e t u p L BC r e a t e H A e t c d
A u t o s c a l e
C r e a t e c l u s t e r

8. EKS networking plugin
• New CNI plugin
• Integrates VPC networking into K8s
• AWS routable IP addresses

9. VPC CNI plugin
• Bridge between the K8s land – Amazon VPC
• Thin layer – no performance impact
• Pod IP ENI secondary IP

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CNI Infrastructure
R u n t i m e
N e t w o r k
p l u g i n
N e t w o r k
c o n f i g u r a t i o n

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How do I use it?
• Any K8s cluster on AWS.
• EKS
• BYOK8s
• Daemonset deployment.
kubectl create –f eks-cni.yaml

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC CNI networking internals
K u b e l e t
V P C C N I
p l u g i n
1 . C N I A d d / D e l e t e
A m a z o n
E C 2
E N I E N I E N I
P o d P o d P o d P o d
V P C
N e t w o r k
.........
0 . C r e a t e E N I
2 . S e t u p v e t h

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC CNI plugin architecture
K u b e l e t
V P C C N I
p l u g i n
N e t w o r k l o c a l
c o n t r o l p l a n e
E N I s /
S e c o n d a r y I P s
C N I A d d / D e l e t e
g R P C
A m a z o n
E C 2

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Packet flow : pod - to - pod
E C 2
Default namespace
Pod namespace
veth veth
Route Table
Main RT
E C 2
Default namespace
Pod namespace
veth
Route Table
Main RT
ENI RT
veth
VPC
fabric
ENI RT

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Packet flow : pod - to external
E C 2
Default namespace
Pod namespace
veth
Route Table
Main RT
ENI RT
veth
IPTables
External
Network

16. Open source
• GitHub – h t t p s : / / g i t h u b . c o m / a w s / a m a z o n - v p c - c n i - k 8 s
• Contributions

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kubernetes Network
Policies enforce network
security rules
Calico is the leading
implementation of the
network policy API
Open source, active
development (>100
contributors)
Commercial support
available from Tigera

18. Kubernetes + IAM
• AWS native access management
• In collaboration with Heptio
• Kubectl and worker nodes
• Works with Kubernetes RBAC

19. User authentication and authorization
k u b e c t l
AW S A u t h
K u b e r n e t e s R B A C

20. Worker provisioning
k u b e c t l
AW S A u t h
c o n f i g m a p & R B A C
Wo r k e r s
R o l e
R o l e

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DEMO