K8s on AWS: Introducing Amazon EKS
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Introducing Amazon EKS
February 7th, 2018
Omar Lari, Partner Solutions Architect, AWS
3. What is Kubernetes?
• Open source container management platform
• Helps you run containers at scale
• Gives you primitives for building modern applications
6. Why developers love Kubernetes
Kubernetes can be run anywhere: on-premises or in the cloud
7. Why developers love Kubernetes
A single extensible API: scale, performance, breadth
8. Cloud-native applications
Microservices, tooling, native applications
9. But where you run K8s matters
Quality of the cloud platform → quality of the applications → your users
10. 63% of Kubernetes workloads run on AWS today
— CNCF survey
11. Kubernetes on AWS
3x Kubernetes masters for HA
12. Kubernetes master
API server, cloud controller, controller manager, scheduler, add-ons (KubeDNS)
13. Masters and etcd across three Availability Zones
Availability Zone 1: etcd, master
Availability Zone 2: etcd, master
Availability Zone 3: etcd, master
25. “Run Kubernetes for me.”
26. “Native AWS Integrations.”
27. “An Open Source Kubernetes Experience.”
28. Elastic Container Service for Kubernetes (EKS)
33. EKS masters and etcd across three Availability Zones
Availability Zone 1: etcd, master
Availability Zone 2: etcd, master
Availability Zone 3: etcd, master
34. mycluster.eks.amazonaws.com
Kubectl → mycluster.eks.amazonaws.com (Availability Zone 1, Availability Zone 2, Availability Zone 3)
35. EKS Customers
• Create EKS cluster
• Provision worker nodes
• Launch add-ons
• Launch workloads
36. EKS – Kubernetes masters
• Create cluster
• Create HA masters
• Create HA etcd
• Certificate management
• IAM integration
• Set up LB
• Autoscale
37. DEMO
38. EKS API
39. aws eks create-cluster --cluster-name reinvent2017 --desired-master-version 1.7 --role-arn arn:aws:iam::account-id:role/role-name
40. aws eks describe-cluster --cluster-name reinvent2017
41. aws eks list-clusters
42. aws eks delete-cluster --cluster-name reinvent2017
43. HTTP/1.1 200
Content-type: application/json
{
  "cluster": {
    "clusterName": "string",
    "createdAt": number,
    "currentMasterVersion": "string",
    "desiredMasterVersion": "string",
    "masterEndpoint": "string",
    "roleArn": "string",
    "status": "string",
    "statusMessage": "string"
  }
}
50. Master → Amazon CloudWatch, AWS CloudTrail
51. Metrics
Nodes: Node exporter
Pod/Container: kube-state-metrics, cAdvisor
Application: /metrics, JMX
Cluster-wide aggregator: Prometheus, Heapster
Visualizer: Grafana, Kibana, Dashboard
Data model: InfluxDB, Graphite
Alerting: AlertManager, Kapacitor
53. Native VPC networking with CNI plugin
• Pods have the same VPC address inside the pod as on the VPC
• Simple, secure networking
• Open source and on GitHub
54. VPC CNI plugin
• Bridge between the K8s land and the AWS VPC
• AWS routable IPs
• Thin layer – no performance impact
• Pod IP = ENI secondary IP
55. CNI infrastructure
Runtime, network plugin, network configuration
56. How do I use it?
• Any K8s cluster on AWS.
• EKS
• BYOK8s
• Daemonset deployment.
kubectl create -f eks-cni.yaml
57. VPC CNI networking internals
Components: Kubelet, VPC CNI plugin, EC2, ENIs, pods, VPC network
0. Create ENI (VPC CNI plugin → EC2)
1. CNI Add/Delete (Kubelet → VPC CNI plugin)
2. Set up veth (pod ↔ ENI)
58. VPC CNI plugin architecture
Kubelet → (CNI Add/Delete) → VPC CNI plugin → (gRPC) → network local control plane → (ENIs / secondary IPs) → EC2
59. Packet flow: pod-to-pod
Sending EC2 instance: pod namespace (veth) → default namespace (veth, route table: main RT, ENI RT) → VPC fabric
Receiving EC2 instance: VPC fabric → default namespace (ENI RT, main RT, veth) → pod namespace (veth)
60. Packet flow: pod-to-external
Pod namespace (veth) → default namespace (veth, route table: main RT, ENI RT) → IPTables → external network
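The addressing model on slides 54 and 57 to 60 (a pod IP is an ENI secondary IP, in-VPC traffic leaves on the pod's ENI, off-VPC traffic passes through iptables), as an added Python model. This is not code from the deck or from the amazon-vpc-cni-k8s project: the ENI IDs, addresses and VPC CIDR are constructed, and SNAT to the primary ENI's primary IP for destinations outside the VPC is an assumed default of the model.

```python
"""Model of the VPC CNI plugin's node-local IP allocation and routing choices.

Added example for slides 54 and 57 to 60; not code from the deck or from
the amazon-vpc-cni-k8s project. ENI IDs, addresses and the VPC CIDR are
constructed; the real plugin learns ENI limits and addresses from EC2.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ENI:
    """Elastic network interface: one primary IP plus EC2-assigned secondary IPs."""
    eni_id: str
    primary_ip: str
    secondary_ips: list
    in_use: dict = field(default_factory=dict)  # secondary IP -> pod name

    def free_ips(self):
        return [ip for ip in self.secondary_ips if ip not in self.in_use]


class NodeIPAM:
    """Hands ENI secondary IPs to pods, so a pod's address is a routable VPC address."""

    def __init__(self, vpc_cidr, enis):
        self.vpc = ipaddress.ip_network(vpc_cidr)
        self.enis = enis
        self.pods = {}  # pod name -> (eni_id, pod IP)

    def capacity(self):
        # Pods consume secondary IPs only; each primary IP stays with the node.
        return sum(len(eni.secondary_ips) for eni in self.enis)

    def cni_add(self, pod):
        """CNI Add (step 1 on slide 57): take the first free secondary IP."""
        for eni in self.enis:
            free = eni.free_ips()
            if free:
                ip = free[0]
                eni.in_use[ip] = pod
                self.pods[pod] = (eni.eni_id, ip)
                return ip
        raise RuntimeError("no free secondary IPs: node is at pod capacity")

    def cni_delete(self, pod):
        """CNI Delete: return the secondary IP to its ENI's pool."""
        eni_id, ip = self.pods.pop(pod)
        for eni in self.enis:
            if eni.eni_id == eni_id:
                del eni.in_use[ip]

    def route(self, src_pod, dst_ip):
        """Decide the egress path and source address for a packet from src_pod."""
        eni_id, pod_ip = self.pods[src_pod]
        # Same node: the main route table has a /32 per pod pointing at its veth.
        for pod, (_, ip) in self.pods.items():
            if ip == dst_ip:
                return {"path": "main-rt-veth", "src": pod_ip, "dst_pod": pod}
        if ipaddress.ip_address(dst_ip) in self.vpc:
            # Inside the VPC: leave via the pod's own ENI (ENI RT) with no NAT.
            return {"path": f"eni-rt:{eni_id}", "src": pod_ip}
        # Outside the VPC: iptables SNATs to the primary ENI's primary IP
        # (assumed default behaviour in this model).
        return {"path": "iptables-snat", "src": self.enis[0].primary_ip}


def build_demo_node():
    """Constructed node: two ENIs, three secondary IPs in total, in 10.0.0.0/16."""
    return NodeIPAM("10.0.0.0/16", [
        ENI("eni-a", "10.0.1.10", ["10.0.1.11", "10.0.1.12"]),
        ENI("eni-b", "10.0.1.20", ["10.0.1.21"]),
    ])


if __name__ == "__main__":
    node = build_demo_node()
    for name in ("web", "db", "cache"):
        print(name, node.cni_add(name))
    print(node.route("web", "10.0.1.12"))
    print(node.route("web", "10.0.5.7"))
    print(node.route("web", "203.0.113.9"))
```

The point a reviewer of a node's security groups should take from the model: traffic between pods on different nodes carries the pod's own VPC address, not the node's, so VPC-level controls see pod IPs; only traffic leaving the VPC is masqueraded behind the node.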
61. Open source
• GitHub – https://github.com/aws/amazon-vpc-cni-k8s
• Contributions
63. Network policy
• Kubernetes Network Policies enforce network security rules
• Calico is the leading implementation of the network policy API
• Open source, active development (>100 contributors)
• Commercial support available from Tigera
64. Why network policy
Stage separation: isolate dev, test, and prod
“Tenant” separation: e.g., typically use namespaces for different teams within a company—but without network policy, they are not network isolated
Fine-grained firewalls: reduce attack surface within microservice-based applications
Compliance: e.g., PCI, HIPAA
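The isolation claim on slides 63 and 64 (namespaces alone do not isolate pods; a network policy does), as an added Python model of NetworkPolicy ingress semantics. It is not code from the deck, from Calico or from Kubernetes; the namespaces, pods and policies are constructed, and only matchLabels, podSelector and namespaceSelector peers are modelled (no ipBlock, no egress).

```python
"""Model of Kubernetes NetworkPolicy ingress semantics (slides 63 and 64).

Added example; not code from the deck, from Calico or from Kubernetes. The
namespaces, pods and policies are constructed. It models the rule behind the
slide's point: a pod selected by no policy accepts traffic from any namespace,
and once any policy selects it, only sources matched by some rule get in.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespaces (with their labels) and pods.
NAMESPACES = {"dev": {"env": "dev"}, "prod": {"env": "prod"}}
PODS = {
    "prod/web": Pod("web", "prod", {"app": "web"}),
    "prod/db": Pod("db", "prod", {"app": "db"}),
    "dev/scanner": Pod("scanner", "dev", {"app": "scanner"}),
}

# Constructed policies for the prod namespace: deny all ingress by default,
# then open db to web, and web to anything in a namespace labelled env=prod.
PROD_POLICIES = [
    {"name": "default-deny-ingress", "namespace": "prod", "podSelector": {}, "ingress": []},
    {"name": "db-from-web", "namespace": "prod", "podSelector": {"app": "db"},
     "ingress": [{"from": [{"podSelector": {"app": "web"}}]}]},
    {"name": "web-from-prod-ns", "namespace": "prod", "podSelector": {"app": "web"},
     "ingress": [{"from": [{"namespaceSelector": {"env": "prod"}}]}]},
]


def selects(selector, labels):
    """matchLabels semantics: every selector key must equal the object's label;
    the empty selector {} selects everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer, src, policy_ns, namespaces):
    """One entry of a rule's 'from' list. podSelector and namespaceSelector in
    the same entry are ANDed; a podSelector alone is scoped to the policy's
    own namespace."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None:
        if src.namespace != policy_ns:
            return False
    elif not selects(ns_sel, namespaces[src.namespace]):
        return False
    if pod_sel is not None and not selects(pod_sel, src.labels):
        return False
    return ns_sel is not None or pod_sel is not None


def ingress_allowed(src, dst, policies, namespaces=NAMESPACES):
    """May src send to dst? Policies are additive: any matching rule allows."""
    selecting = [p for p in policies
                 if p["namespace"] == dst.namespace and selects(p["podSelector"], dst.labels)]
    if not selecting:
        return True  # no policy selects dst, so it is not isolated at all
    for policy in selecting:
        for rule in policy.get("ingress", []):
            peers = rule.get("from", [])
            if not peers:
                return True  # a rule without 'from' admits every source
            if any(peer_matches(peer, src, policy["namespace"], namespaces) for peer in peers):
                return True
    return False


if __name__ == "__main__":
    for src_key, dst_key in (("dev/scanner", "prod/db"), ("prod/web", "prod/db")):
        src, dst = PODS[src_key], PODS[dst_key]
        print(f"{src_key} -> {dst_key}: no policy={ingress_allowed(src, dst, [])}, "
              f"with prod policies={ingress_allowed(src, dst, PROD_POLICIES)}")
```

Run with no policies, every pair is reachable, which is the "not network isolated" state on slide 64; with the three prod policies in place the dev pod can no longer reach prod at all, while the intended prod-internal paths still work.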
66. Kubernetes + AWS IAM
• AWS native access management
• In collaboration with Heptio
• Kubectl and worker nodes
• Works with Kubernetes RBAC
67. Authentication flow: Kubectl, K8s API, AWS Auth
1) Kubectl passes the AWS identity to the K8s API
2) AWS Auth verifies the AWS identity
3) The K8s API authorizes the AWS identity with RBAC
4) K8s action allowed/denied
68. Worker provisioning
kubectl → AWS Auth configmap & RBAC
Workers (IAM role) → role entry in the configmap
69. Heptio IAM Authenticator
https://github.com/heptiolabs/kubernetes-aws-authenticator
An open source approach to integrating AWS IAM authentication with Kubernetes
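The four-step flow on slide 67 and the configmap mapping on slide 68, as an added Python model. It is not code from the deck, from AWS or from the Heptio authenticator: step 2 (verifying the presented token against STS) is assumed to have already produced the caller ARN that is passed in, the aws-auth entries and RBAC rules are constructed, and only the {{SessionName}} template variable is substituted.

```python
"""Model of the IAM-to-Kubernetes identity flow on slides 67 to 69.

Added example; not code from the deck, from AWS or from the Heptio
authenticator. Step 2 (checking the token against STS GetCallerIdentity) is
assumed to have already yielded the caller ARN passed in here; the aws-auth
mapping and RBAC rules are constructed for illustration.
"""
import re

ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")
IAM_USER = re.compile(r"^arn:aws:iam::\d{12}:user/[^/]+$")

# Constructed aws-auth ConfigMap data (mapRoles / mapUsers entries).
AWS_AUTH = {
    "mapRoles": [
        {"rolearn": "arn:aws:iam::111122223333:role/eks-dev",
         "username": "dev:{{SessionName}}", "groups": ["developers"]},
    ],
    "mapUsers": [
        {"userarn": "arn:aws:iam::111122223333:user/alice",
         "username": "alice", "groups": ["system:masters"]},
    ],
}

# Constructed RBAC bindings: group -> list of (verbs, resources) rules.
RBAC = {
    "developers": [({"get", "list", "watch"}, {"pods", "services"})],
}


def canonicalize(caller_arn):
    """Collapse an assumed-role session ARN to its IAM role ARN.

    One mapRoles entry then covers every session of that role; the session
    name is kept for the username template. Returns (arn, session) or None.
    """
    m = ASSUMED_ROLE.match(caller_arn)
    if m:
        account, role, session = m.groups()
        return f"arn:aws:iam::{account}:role/{role}", session
    if IAM_USER.match(caller_arn):
        return caller_arn, None
    return None


def map_identity(caller_arn, aws_auth=AWS_AUTH):
    """Turn the verified AWS identity into a Kubernetes username and groups.

    Returns None when the principal is not mapped: an unmapped IAM identity is
    unauthenticated to the cluster even though AWS vouched for it.
    """
    canon = canonicalize(caller_arn)
    if canon is None:
        return None
    iam_arn, session = canon
    for entry in aws_auth.get("mapRoles", []):
        if entry["rolearn"] == iam_arn:
            username = entry["username"].replace("{{SessionName}}", session or "")
            return username, list(entry["groups"])
    for entry in aws_auth.get("mapUsers", []):
        if entry["userarn"] == iam_arn:
            return entry["username"], list(entry["groups"])
    return None


def rbac_allows(groups, verb, resource, rbac=RBAC):
    """Step 3: authorise with RBAC. system:masters is bound to cluster-admin."""
    if "system:masters" in groups:
        return True
    return any(verb in verbs and resource in resources
               for g in groups for verbs, resources in rbac.get(g, []))


def k8s_action(caller_arn, verb, resource):
    """Steps 3 and 4: 'allowed', 'denied' or 'unauthenticated'."""
    ident = map_identity(caller_arn)
    if ident is None:
        return "unauthenticated"
    _username, groups = ident
    return "allowed" if rbac_allows(groups, verb, resource) else "denied"


if __name__ == "__main__":
    dev = "arn:aws:sts::111122223333:assumed-role/eks-dev/omar"
    print(map_identity(dev), k8s_action(dev, "list", "pods"), k8s_action(dev, "delete", "nodes"))
    print(k8s_action("arn:aws:sts::111122223333:assumed-role/unmapped/x", "get", "pods"))
```

Two consequences worth checking in a real cluster follow from the model: the mapping is what grants cluster access, so an entry bound to system:masters is equivalent to handing cluster-admin to every principal that can assume that role, and the session name flows into the username, so audit logs identify the session rather than the shared role.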
71. Version upgrades
1.7.4 → 1.7.5
Version 1.7 → Version 1.8
75. Kubectl and workers → PrivateLink interface → Amazon EKS
78. CNI plugin
Allow Kubernetes users to take advantage of native VPC networking in their Kubernetes pods
79. Open source Kubernetes community
Code reviews, fixing bugs, implementing new features
80. What’s next?
Beta sign-up starts now!
Generally available 2018
Learn more: aws.amazon.com/eks/preview
81. THANK YOU!