Find out more about how to run Kubernetes on AWS

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Paul Maddox - @paulmaddox
Developer Technologies, AWS
January 2018 (Nordic Dev Days)
Kubernetes on AWS
with Amazon EKS

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
About me
Paul Maddox
Specialist Solutions Architect
Amazon Web Services
• 16 years of dev, SRE, and systems architecture background
• 7 of 7 8 AWS certifications
• Developer: Go/Java/C/Node
Twitter: @paulmaddox
Email: pmaddox@amazon.com
@paulmaddox

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect
• Amazon Elastic Container Service for Kubernetes (EKS)
• Why?
• Deploying K8s on AWS today
• What does Amazon EKS solve?
• What actually is Amazon EKS?
• Master nodes / etcd
• How do upgrades work?
• What about visibility?
• Networking
• Security
• Looking to the future…

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
63%of Kubernetes workloads
run on AWS today
—CNCF survey

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
”Lets look an excellent Community Tool,
KOPS, to build a K8s Cluster on AWS”
https://youtu.be/tA6lf7UVgoA

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
1 . I n s t a l l B i n a r i e s & T o o l s : k o p s , A W S C L I t o o l s , k u b e c t l
2 . S e t I A M U s e r t o “ k o p s ”
3 . A l l o w “ k o p s ” u s e r F u l l a c c e s s t o E C 2 , R o u t e 5 3 , S 3 , I A M , V P C
4 . C o n f i g u r e A W S c l i e n t t o n e w I A M u s e r “ k o p s ”
5 . C o n f i g u r e D N S ( o r ) D e p l o y a g o s s i p - b a s e d c l u s t e r :
• W e h o s t e d t h e s u b d o m a i n “ d n i s h i . k 8 s d e m o l a b s . c o m ” i n R o u t e 5 3
6 . C r e a t e a S 3 b u c k e t t o s a v e c l u s t e r c o n f i g : “ d n i s h i - k o p s - s t o r e ”
7 . S e t t h e “ k o p s e n v i r o n m e n t a l v a r i a b l e s ”
8 . C r e a t e c l u s t e r : ” k o p s c r e a t e c l u s t e r ” a n d “ k o p s v a l i d a t e c l u s t e r ”

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“Run Kubernetes for me.”

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
E L A S T I C C O N T A I N E R S E R V I C E F O R K U B E R N E T E S
(EKS)

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Availability
Zone 1
Etcd
Master
Etcd
Master
Availability
Zone 2
Availability
Zone 3
Etcd
Master

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
mycluster.eks.amazonaws.com
Availability
Zone 1
Availability
Zone 2
Availability
Zone 3
Kubectl

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
APIAPIAPIAPI
EKS
Create
Cluster
Describe
Cluster
Delete
Cluster
List
Clusters

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Native VPC networking
with CNI plugin
Pods have the same VPC
address inside the pod
as on the VPC
Simple, secure
networking
Open source and
on Github
…{ }
https://github.com/aws/amazon-vpc-cni-k8s

23. Nginx Pod
Rails Pod
ENI
Secondary IPs:
10.0.0.1
10.0.0.2
Veth IP: 10.0.0.1
Veth IP: 10.0.0.2
Nginx Pod
Rails Pod
ENI
Veth IP: 10.0.0.20
Veth IP: 10.0.0.22
Secondary IPs:
10.0.0.20
10.0.0.22
ec2.associateaddress()
VPC Subnet – 10.0.0.0/24
Instance 1 Instance 2

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kubernetes Network
Policies enforce network
security rules
Calico is the leading
implementation of the
network policy API
Open source, active
development (>100
contributors)
Commercial support
available from Tigera
https://github.com/ahmetb/kubernetes-network-policy-recipes

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kubectl
3) Authorizes AWS Identity with RBAC
K8s API
1) Passes AWS Identity
2) Verifies AWS Identity
4) K8s action
allowed/denied
AWS Auth

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Open Source Kubernetes Workshop
https://github.com/aws-samples/aws-workshop-for-kubernetes

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you