20180504 talk 4
AWS EKS
Intro
Managed k8s
* Managed master, secured with encrypted etcd
* HA across 3 AZs
* Upgrades
Features
- Enterprise workload support
- Upstream k8s experience
- Seamless integration with AWS services
- AWS will contribute to k8s
Workflow
Steps:
1. Create the Cluster (Control Plane)
2. Provision the Workers
3. Launch Addons
4. Launch workload
1 - Create cluster
- HA masters
- HA etcd (not co-located with the masters)
- IAM Integration
- PKI
- Autoscale
- LB endpoint for API server
2 - Workers Node
- Preconfigured AMI provided
- Built with Packer scripts (will be open-sourced)
3 - Addons
- Heptio IAM Authenticator
- IAM Auth support in Upstream 1.10
- Open-source CNI plugin:
amazon-vpc-cni-k8s
- Flat network address space (pods and instances at the same level)
- Uses ENIs + secondary IPs (from the EC2 perspective)
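To make the "flat address space" point concrete, here is a small model of the allocation scheme the talk describes: every pod gets one of the secondary IPv4 addresses of an ENI attached to the worker, so the pod address is a real VPC address in the node's subnet. This is an added example written for these notes, not code from the amazon-vpc-cni-k8s project; the instance limits (3 ENIs x 10 IPs, m5.large-sized) and the subnet are assumed sample values, and the EKS max-pods rule (ENIs x (IPs per ENI - 1) + 2) is applied as stated in the AWS documentation.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List


@dataclass
class Eni:
    """One elastic network interface: a primary IP plus a pool of secondary IPs."""
    primary: IPv4Address
    free: List[IPv4Address]
    in_use: Dict[str, IPv4Address] = field(default_factory=dict)


class NodeIpam:
    """Per-node pool modelled on the VPC CNI: pods receive secondary IPs of the node's ENIs."""

    def __init__(self, subnet: IPv4Network, max_enis: int, ips_per_eni: int, first_host: int = 10):
        self.subnet = subnet
        self.max_enis = max_enis          # instance-type ENI limit (assumed sample value)
        self.ips_per_eni = ips_per_eni    # IPv4 addresses per ENI, primary included
        self.enis: List[Eni] = []
        self._next_host = first_host      # constructed: next unused host number in the subnet
        self.attach_eni()                 # eth0: its primary IP is the node's own address

    def attach_eni(self) -> Eni:
        if len(self.enis) >= self.max_enis:
            raise RuntimeError("instance type allows no more ENIs")
        hosts = [self.subnet[self._next_host + i] for i in range(self.ips_per_eni)]
        self._next_host += self.ips_per_eni
        eni = Eni(primary=hosts[0], free=hosts[1:])
        self.enis.append(eni)
        return eni

    @property
    def node_ip(self) -> IPv4Address:
        return self.enis[0].primary

    def assign(self, pod: str) -> IPv4Address:
        """Hand the pod a free secondary IP, attaching another ENI when the pool is empty."""
        eni = next((e for e in self.enis if e.free), None)
        if eni is None:
            eni = self.attach_eni()
        ip = eni.free.pop(0)
        eni.in_use[pod] = ip
        return ip

    def release(self, pod: str) -> None:
        """Return a pod's address to the free pool of the ENI it came from."""
        for eni in self.enis:
            ip = eni.in_use.pop(pod, None)
            if ip is not None:
                eni.free.append(ip)
                return
        raise KeyError(pod)

    def pod_count(self) -> int:
        return sum(len(e.in_use) for e in self.enis)


def max_pods(max_enis: int, ips_per_eni: int) -> int:
    """EKS capacity rule: ENIs x (IPs per ENI - 1) secondary addresses, plus 2 for
    host-network pods (aws-node, kube-proxy) that reuse the node's own IP."""
    return max_enis * (ips_per_eni - 1) + 2


def same_flat_network(ipam: NodeIpam, pod_ip: IPv4Address) -> bool:
    """True when the pod address sits in the node's VPC subnet, i.e. it is routed by
    the VPC and filtered by the ENI's security groups like any EC2 address."""
    return pod_ip in ipam.subnet


def simulate(n_pods: int, max_enis: int = 3, ips_per_eni: int = 10):
    """Schedule n_pods on one node with assumed m5.large-like limits (3 ENIs x 10 IPs)."""
    ipam = NodeIpam(IPv4Network("10.0.1.0/24"), max_enis, ips_per_eni)
    ips = [ipam.assign(f"pod-{i}") for i in range(n_pods)]
    return ipam, ips


if __name__ == "__main__":
    ipam, ips = simulate(12)
    print("node", ipam.node_ip, "uses", len(ipam.enis), "ENIs")
    for i, ip in enumerate(ips):
        print(f"pod-{i} -> {ip}  vpc-routable={same_flat_network(ipam, ip)}")
    print("max pods for this instance type:", max_pods(3, 10))
```

Two things the model makes visible: the node runs out of pod addresses when its ENI limit is reached, not when the subnet is full, so subnet sizing and instance-type limits have to be planned together; and because every pod address lives on an ENI of the worker, the ENI's security groups apply to all pods on that node. The VPC CNI allocates addresses but does not by itself enforce Kubernetes NetworkPolicy, so pod-level segmentation needs a separate policy engine on top of it.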
Conformance challenge
K8s assumption:
* Masters and Workers are on the same network
AWS approach:
* EKS VPC -> ELB with Static IP for API server reference for Kubelets [x]
* Client VPC -> Additional ENI on workers connected to EKS VPC
PKI and TLS
* Use native k8s pki mechanism
Demo
aws eks describe-cluster --name <cluster>
{ "cluster": { "subnet": XXXX, "subnet": XXXX } .... }
2 subnets:
* 1 from worker VPC
* 1 for EKS vpc
FAQ
Kops / EKS
With EKS, masters are managed: you won't see their EC2 instances in your console
* You cannot ssh into them
* Only stable APIs are activated
* You cannot deploy DaemonSets on the masters
Fargate
Supports:
* ECS
* K8s jobs and deployments
Master API server config?
No
GA?
Soon
ETCD access
NO
IAM integration
- kube2iam: Not so great
- Heptio integration: Cool
- SPIFFE & SPIRE: The direction
CNI plugins?
For now only amazon-vpc-cni
Will work with other solutions to integrate UX
PVC and EBS resizing
For now, nothing new compared to Upstream, waiting for CSI
Service catalog?
Working on integration with the Open Service Broker initiative to declare AWS managed resources as k8s resources