Kubernetes on AWS: Tips for Cloud-Native Development

Eddie Segal


Kubernetes is a container orchestration and management tool that automates container deployment. Kubernetes is mainly used in the cloud. A recent survey by CNCF showed that 83% of organizations deploy Kubernetes on at least one public cloud. Amazon Web Services (AWS) provides a mature and robust infrastructure and multiple deployment options for Kubernetes. Read on to understand the key options for running Kubernetes on AWS, how they work, and which is best for your organization’s needs.

Why Run Kubernetes on AWS?

Kubernetes is an open-source container deployment and orchestration system developed by Google. When managing containers in the cloud with Kubernetes, developers can scale applications without rebuilding the cluster and managing the infrastructure. However, setting up Kubernetes on AWS can be complex.

Despite this complexity, there are many reasons to run Kubernetes on AWS. Here are four benefits:

  • Complete control over your servers—as opposed to other cloud providers, AWS always enables you to control your instances.
  • Portability—you can run Kubernetes in any environment, including bare metal, private and public cloud, and can even run on multi-clouds.
  • No vendor lock-in—Kubernetes and the surrounding tools are all open source. This gives you an open, well-supported community.
  • Cloudbursting—you can protect your Kubernetes workloads at peak times by running part of a cluster on AWS and moving your sensitive workloads to a private cloud.

Kubernetes on AWS: What are the Options?

You can manage Amazon Elastic Compute Cloud (EC2) cluster instances with the Amazon EKS managed service. EKS enables you to run Kubernetes on AWS without operating your own clusters. Managed Kubernetes services take responsibility for the configuration, deployment, and maintenance of clusters. The list below reviews the different AWS services you can use for running Kubernetes.

Amazon Elastic Kubernetes Service (EKS)

EKS is a managed Kubernetes service offered by AWS. It enables you to run Kubernetes control plane instances to achieve high availability across zones. EKS automatically identifies and replaces unhealthy control plane instances, and provides automated version upgrades. You can also integrate other AWS services with EKS to add security and scalability features. This includes Elastic Load Balancing (ELB), Identity and Access Management (IAM) for authentication, and Elastic Container Registry (ECR) for container images.

Amazon Virtual Private Cloud (VPC)

Amazon VPC enables you to use AWS services and other resources on virtual networks. You can define your IP address range and have complete control over your virtual networking environment. This includes control over network gateways, subnets, and route table definitions.

The networking capabilities of VPC enable you to connect Kubernetes cluster nodes or EC2 instances to each other. You set routes through the kubenet plugin. This is a Linux networking plugin that provides native performance throughput for your cluster. However, it lacks other features like extensive networking across availability zones.

Amazon Route53

Kubernetes clusters need a Domain Name System (DNS) to enable communication between the worker and the master nodes. DNS is also needed when Kubernetes discovers etcd and then the remaining components.

When running Kubernetes in AWS, you can use the Amazon Route 53 service. Route 53 is a DNS service that connects the network traffic to appropriate servers. This subscription-based service enables you to register domain names, perform infrastructure health checks, apply routing policies, and manage configurations using the AWS Console.

Best Practices for Using Amazon EKS

Running Kubernetes workloads on EKS brings new challenges and responsibilities. The following best practices, combined with the regular Kubernetes rules of thumb, should point you in the right direction.

1. Install Calico for cluster network controls

Network traffic in Kubernetes can be internal between pods or with external services. Since pods in EKS clusters have the same security groups as their nodes, the pods can make any network connection that the nodes can. Therefore, you can decrease the number of potential targets for malicious or misconfigured pods by allowing only necessary connections.

The Calico Container Network Interface (CNI) enables you to control network traffic to and from Kubernetes pods by applying the standard Kubernetes Network Policy API. Calico also provides some extensions to the standard policy type. Network policies can control both egress and ingress traffic.

2. Monitor additional resource usage

The deployment of EKS into an existing VPC enables you to create ELB load balancers and EBS volumes as part of your Kubernetes applications.

However, these deployments carry additional costs. Therefore, you should use Kubernetes Role-Based Access Control (RBAC) to give users only the permissions they need. When users have access only to the resources they need, they won’t add unnecessary loads. You should also monitor resource usage by using the Kubernetes API or the Kubernetes CLI. Monitoring enables you to shut down unnecessary resources across all namespaces.
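As an added example (not from the article), a namespaced Role that lets a team roll out Deployments without the right to create Services or PersistentVolumeClaims, which on EKS are what provision ELB load balancers and EBS volumes, alongside a ResourceQuota that caps what the namespace can consume; the quota is a complement the article does not mention. The namespace, group name and quota values are assumptions.

```yaml
# Added example: least-privilege Role for a deploying team plus a cost cap for the namespace.
# Namespace "shop", group "shop-developers" and the quota values are assumed, not from the article.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-deployer
  namespace: shop
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods", "pods/log", "configmaps"]
  verbs: ["get", "list", "watch"]
# Deliberately absent: "services" and "persistentvolumeclaims", so members of this
# role cannot create LoadBalancer Services (ELBs) or EBS-backed volumes at all.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-deployer
  namespace: shop
subjects:
- kind: Group
  name: shop-developers        # assumed group name (mapped from IAM in the aws-auth ConfigMap)
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-deployer
  apiGroup: rbac.authorization.k8s.io
---
# Hard ceiling for the namespace, enforced by the API server even for users who
# do hold Service and PVC rights (for example cluster operators).
apiVersion: v1
kind: ResourceQuota
metadata:
  name: cost-guard
  namespace: shop
spec:
  hard:
    services.loadbalancers: "1"    # at most one ELB for this namespace
    persistentvolumeclaims: "5"    # at most five EBS volumes
    requests.storage: 100Gi        # and no more than 100 GiB of requested storage in total
```

`kubectl describe quota cost-guard -n shop` shows current use against each limit, which is the monitoring step described above.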

3. Limit network access to the Kubernetes API endpoint

EKS leaves the Kubernetes API endpoint fully open to the public Internet. In addition, EKS allows unauthenticated connections because it runs the API server with the --anonymous-auth=true flag, and you cannot disable this flag. Even if you don’t give any Kubernetes RBAC privileges to anonymous users, this flag still poses a danger.

EKS provides several options for protecting API endpoints of a cluster:

  • Disable the public endpoint—use only private endpoints in the cluster’s VPC.
  • Restrict IP addresses—allow only a whitelist of Classless Inter-Domain Routing (CIDR) blocks to connect to the public endpoint.
  • Network policies—enable communication only with workloads that require access by blocking traffic from pods to the API endpoint.

Conclusion

Running Kubernetes in AWS enables you to run and manage containers on EC2 cluster instances. AWS makes it easy to run Kubernetes in the cloud with scalable and highly-available virtual machine infrastructure, Amazon EKS, Amazon VPC, and Route 53 for DNS services. There are several best practices that can help you deploy Kubernetes on AWS. This includes using Calico, monitoring resource usage, and limiting network access.
