In this three-part series, we will take a hard look at Amazon’s Elastic Kubernetes Service: how it helps organizations run Kubernetes on AWS, what insights can be gained in EKS and how it’s monitored, and finally, how organizations can get the most out of EKS with the help of Sumo Logic. For the first installment, we’ll learn how it works and how organizations can get started with Amazon’s Elastic Kubernetes Service.
When running a Kubernetes cluster, one of the foremost challenges is deciding which cloud or datacenter it’s going to be deployed to. After that, you still need to filter your options when selecting the right network, user, storage, and logging integrations for your use cases.
As a response to this challenge, Google Cloud has the Google Kubernetes Engine (GKE). However, despite this option being a good one, the issue is that around two-thirds of Kubernetes workloads are in AWS.
Here enters Amazon EKS.
What is Amazon EKS?
Amazon EKS is a managed service that helps make it easier to run Kubernetes on AWS. Through EKS, organizations can run Kubernetes without installing and operating a Kubernetes control plane or worker nodes. Simply put, EKS is a managed containers-as-a-service (CaaS) that drastically simplifies Kubernetes deployment on AWS.
To understand Amazon EKS better, let’s take a step back. Here’s a quick overview of Kubernetes.
What is Kubernetes?
Kubernetes is an open-source system that allows organizations to deploy and manage containerized applications like platforms as a service (PaaS), batch processing workers, and microservices in the cloud at scale. Through an abstraction layer created on top of a group of hosts, development teams can let Kubernetes manage a host of functions--including load balancing, monitoring and controlling resource consumption by team or application, limiting resource consumption and leveraging additional resources from new hosts added to a cluster, and other workflows.
Through Amazon EKS, organizations using AWS can get the full functions of Kubernetes without having to install or manage Kubernetes itself.
Benefits of Amazon EKS: Why use EKS?
Through EKS, normally cumbersome steps are done for you, like creating the Kubernetes master cluster, as well as configuring service discovery, Kubernetes primitives, and networking. Existing tools will more than likely work through EKS with minimal mods, if any.
With Amazon EKS, the Kubernetes control plane--including the backend persistence layer and the API servers--is provisioned and scaled across various AWS availability zones, resulting in high availability and eliminating a single point of failure. Unhealthy control plane nodes are detected and replaced, and patching is provided for the control plane. The result is a resilient AWS-managed Kubernetes cluster that can withstand even the loss of an availability zone.
Organizations can choose to run EKS using AWS Fargate--a serverless compute engine for containers. With Fargate, there’s no longer a need to provision and manage servers; organizations can specify and pay for resources per application. Fargate, through application isolation by design, also improves security.
And of course, as part of the AWS landscape, EKS is integrated with various AWS services, making it easy for organizations to scale and secure applications seamlessly. From AWS Identity Access Management (IAM) for authentication to Elastic Load Balancing for load distribution, the straightforwardness and convenience factor of using EKS can’t be understated.
How Amazon EKS Works
The simplest way to look at EKS is that it’s AWS’ offering for Kubernetes-as-a-service. As mentioned, EKS significantly simplifies the management and maintenance of highly-available Kubernetes clusters in AWS.
Amazon EKS: Two Main Components
In each EKS cluster are two main components: Control Plane and Worker Nodes.
The Control Plane consists of three Kubernetes master nodes that run in three different availability zones (AZs). All incoming traffic to Kubernetes API comes through the network load balancer (NLB). It runs on the virtual private cloud controlled by Amazon. Hence, the Control Panel can’t be managed directly by the organization and is fully managed by AWS.
Worner Nodes run on the Amazon EC2 instances in the virtual private cloud controlled by the organization. Any instance in AWS can be used as a worker node. These worker nodes can be accessed through SSH or provisioned without automation.
A cluster of worker nodes runs an organization’s containers while the control plane manages and monitors when and where containers are started.
Due to the flexibility of the EKS layout, organizations can deploy a Kubernetes cluster (an EKS cluster) for each application. Organizations can also use just one EKS cluster to run more than one application via Kubernetes namespaces and AWS IAM configurations.
Without EKS, organizations would have to run the Control Plane and Worker Nodes. Through EKS, worker nodes are provisioned through a single command in the EKS console, CLI, or API, while AWS provisions, scales, and manages the Control Plane securely. The result is that organizations are freed from the operational burden of running Kubernetes and maintaining the infrastructure.
Amazon EKS: How It Works
Through a collaboration with Heptio, Amazon EKS integrates Kubernetes RBAC with IAM authentication.
Organizations can granularly control access permissions to Kubernetes masters by assigning RBAC roles directly to IAM entities. By doing this, you can easily manage Kubernetes clusters through standard tools like kubectl.
Another option is to use PrivateLink for those who want to access Kubernetes masters via Amazon VPC. The Amazon EKS endpoint and Kubernetes masters will appear as an elastic network interface with private IPs in the Amazon VPC when using PrivateLink.
This will allow orgs to access Kubernetes masters and Amazon EKS directly from the Amazon VPC.
With EKS, AWS also built an open-source CNI plugin for Kubernetes clusters running on AWS. The CNI plugin allows organizations to use Amazon VPC networking natively with Kubernetes pods.
Amazon EKS allows users to launch a K8s cluster in a few clicks from the AWS console.
History of Amazon EKS
Based on data released by the Cloud Native Computing Foundation, the majority of organizations running Kubernetes do so on AWS. Kubernetes stood as the core of these AWS customers’ IT strategy, running hundreds of millions of containers on AWS.
As a response to this, in June 2018, AWS announced the general availability of Amazon EKS to help customers who run Kubernetes simplify the whole process by simply ridding them the burden of setting up Kubernetes clusters from scratch.
Before EKS was generally available, AWS customers who operate Kubernetes clusters with high availability needed specialized expertise and a significant amount of dedicated work in managing clusters. Organizations had to provision a K8s management infrastructure on various AZs. With EKS, this complexity is eliminated by delivering a production-ready architecture that automatically runs and manages Kubernetes clusters across multiple AZs, among other benefits.
Amazon EKS Features
The main benefit of using Amazon EKS is that organizations can take full advantage of the reliability, availability, performance, and scale of the AWS platform, essential to which are integrations with AWS security and networking services.
Managed Control Plane
With the Amazon EKS comes a highly-available and scalable control plane that runs on multiple AWS AZs. EKS automatically manages the scalability and availability of Kubernetes API services and the etcd persistence layer of all clusters. By running the K8s control plane on three AZs, high availability is ensured while also detecting and replacing unhealthy masters.
Managed Worker Nodes
Organizations can create, update, or terminate worker nodes on EKS with just a single command. Nodes are run using the latest optimized Amazon Machine Images (AMIs) in AWS by managed node groups while nodes are drained by updates and terminations.
Launch using eksctl
Through the open-source command eksctl, EKS can be up and running in minutes. When eksctl create cluster is executed, an EKS cluster is created, ready to run your application.
Network and Security Features of Amazon EKS
Securing Kubernetes clusters is very straightforward on EKS, thanks essentially to the advanced features, integrations, and partner solutions in the larger AWS environment.
Cloud Map is a cloud resource discovery service in AWS. With it, organizations can define names for application resources and updated locations for dynamic resources are maintained. Because of this, application availability is increased as an organization’s web service will always discover the most updated locations for resources.
EKS also provides an open-source connector that auto-propagates internal service registry locations while K8s services launch and remove them upon termination. K8s-based services can be discovered via Cloud Map, providing a unified service registry for container workloads.
By standardizing the way each microservice in an application communicates, AWS App Mesh makes building and running complex microservices applications easy. App Mesh simplifies the configuration of part of an application for high-availability and end-to-end visibility.
Since Kubernetes clusters (EKS clusters) run in an Amazon VPC, you can use your VPC security groups and network ACLs. Your clusters won’t share compute resources with other orgs. This setup allows for a high level of isolation, helping organizations use EKS to build reliable and very secure applications.
AWS IAM Authenticator
Kubernetes RBAC is integrated with IAM Authenticator through Amazon EKS. Orgs can assign RBAC roles to each IAM entity, which allows granular control of access permissions to K8s masters.
IAM for Service Accounts
By using EKS, organizations can easily assign IAM permission to service accounts. Access to containerized services, AWS resources outside the cluster, and third-party apps can be controlled by the IAM role.
Adding Windows nodes as worker nodes and scheduling Windows containers are supported by EKS. Organizations can run Windows worker nodes with Linux worker nodes on EKS, which means having the ability to manage applications on each operating system right on the same cluster.
Elastic Load Balancing -- Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer (CLB) -- is supported on EKS. Standard Kubernetes load balancing or other supported ingress controllers can be run with an Amazon EKS cluster.
AWS CloudTrail provides general visibility and history of user and cluster activity. API calls to the EKS API are also documented via the CloudTrail.
Managed Cluster Updates
Since EKS allows Kubernetes version updates to be done in place, creating new clusters or migrating resources to a new cluster is not required anymore. Organizations can update running clusters without managing the whole process. Details on Kubernetes updates and new versions are also sent out via SDK, CLI, or the AWS Console.
6 Steps to Set Up Amazon EKS
Getting started with Amazon EKS is straightforward, but it does come with a short list of prerequisites. If you’ve been running on AWS for quite a while, chances are you already have the prerequisite components set up. To make sure EKS set up goes off without a hitch, let’s go over the prerequisites as the first step.
Step 1: Check the prerequisites
The following components must be installed and set up on your AWS account before you can get started with Amazon EKS:
Step 2: Create the IAM Role
- Open the IAM console.
- Choose Roles > Create role.
- Select EKS from the list > choose Allows Amazon EKS to manage your clusters on your behalf for your use case> Next: Permissions.
- Click Next: Tags.
- Click Next: Review.
- Fill out Role name with a unique and descriptive name for your role, such as EKS-Service > click Create role.
Step 3: Create a Virtual Private Cloud in EKS
- Open the AWS CloudFormation console.
- Select an EKS-supported region and click Create stack.
At this point, you will see a prompt to Specify an Amazon S3 template URL. What you input next depends on the network architecture you prefer. AWS recommends the use of private subnets for workers nodes, and public subnets for Kubernetes for load balancing.
- In the URL area, paste the appropriate URL:
- Fill out the Specify Details area. For Stack name and VpcBlock, input your prefered VPC name and CIDR range. You can leave the rest of the configurations in their default settings.
- When you reach the Review page, click Create.
- CloudFormation will now create the VPC for your Amazon EKS. When it’s done, click on the Outputs tab and take note of the SecurityGroups, Vpcld, and SubnetIds values as you will need them in the next steps.
Step 4: Create Your Amazon EKS Cluster
- Open the Amazon EKS console and choose Create cluster.
- In the Create cluster view, fill out the following:
- Cluster name: Choose a name for your cluster.
- Kubernetes version: The default Kubernetes version is selected and is recommended.
- Role name: Select the IAM role that you created in Step 2.
- VPC: Select the VPC you created in Step 3 from the drop-down list. Fill in the corresponding values for Subnets and Security Groups from the previous step.
- Enable/disable Endpoint private access and Endpoint public access.
- Click Create.
- On the Clusters page, check the status of this step by choosing the cluster name. The Status field will show CREATING for around 10 to 15 minutes while AWS provisions the cluster. You can also ping the status via your terminal.
- Once the cluster’s status changes to ACTIVE, you’re done.
Step 5: Update kubeconfig for Your EKS Cluster
- Use AWS CLI’s update-kubeconfig command to update kubeconfig for the EKS cluster. Make sure to change the cluster name and region.
aws eks --region region update-kubeconfig --name cluster_name
- Test the configuration using kubectl get svc.
- The output should show:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc/kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 1m
Step 6: Launch a Managed Kubernetes Node group
- Open the Amazon EKS console and choose your EKS cluster.
- In the cluster view, click Add node group.
- In the Configure node group view, fill out the following fields and click Next:
- Name — Choose a name for the managed node group.
- Node IAM role name — Select the node instance role for your node group. Read more: Amazon EKS Worker Node IAM Role.
- Subnets — Choose the subnets to launch your managed nodes into.
- From this view, you can also enable Remote Access via SSH, tag your node group using Tags, and use Kubernetes labels.
- In the Set compute configuration view, fill out the following fields and click Next.
- AMI type — Select Amazon Linux 2 (AL2_x86_64) for non-GPU instances, or Amazon Linux 2 GPU Enabled (AL2_x86_64_GPU) for GPU instances.
- Instance type — Select the instance type for the node group. More pods can be accommodated by larger instance types.
- Disk size — Input the disk size in GiB for your worker node root volume.
- In the Setup scaling policies page, fill out the following fields and click Next.
- Minimum size — Minimum number of worker nodes to scale in to.
- Maximum size — Maximum number of worker nodes to scale out to.
- Desired size —Current number of worker nodes at launch.
- Review the configurations in the Review and create view. When done, click Create.
- Ping status of your nodes using kubectl get nodes --watch. READY means it’s done.
Now, you have a working EKS cluster with worker nodes. At this point, you can start installing K8s add-ons and deploying applications.
Integrating ELB with Sumo Logic
While Amazon EKS gives you full access to logging functionality in AWS, the importance of increased visibility and monitoring capabilities for your Kubernetes clusters can’t be understated.
Since EKS is part of the larger AWS landscape, you have access to third-party tools that work seamlessly with your set up. Among the most valuable and critical integrations that will give you the deepest and most accurate insights into your EKS Control Plane is Sumo Logic. In the next installment of this series, we will look at how monitoring works in Amazon EKS and expand on the role of Sumo Logic in managing Amazon EKS clusters.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.