Kubernetes on AWS: Tips for Cloud-Native Development

Kubernetes is a container orchestration and management tool that automates container deployment. Kubernetes is mainly used in the cloud. A recent survey by CNCF showed that 83% of organizations deploy Kubernetes on at least one public cloud. Amazon Web Services (AWS) provides a mature and robust infrastructure and multiple deployment options for Kubernetes. Read on to understand the key options for running Kubernetes on AWS, how they work, and which is best for your organization’s needs.

Why Run Kubernetes on AWS?

Kubernetes is an open-source container deployment and orchestration system developed by Google. When managing containers in the cloud with Kubernetes, developers can scale applications without rebuilding the cluster and managing the infrastructure. However, setting up Kubernetes on AWS can be complex.

Despite this complexity, there are many reasons to run Kubernetes on AWS. Here are four benefits:

  • Complete control over your servers—as opposed to other cloud providers, AWS always enables you to control your instances.
  • Portability—you can run Kubernetes in any environment, including bare metal, private and public cloud, and even across multiple clouds.
  • No vendor lock-in—Kubernetes and the surrounding tools are all open source, which gives you an open and well-supported community.
  • Cloudbursting—you can protect your Kubernetes workloads at peak times by running part of a cluster on AWS and moving your sensitive workloads to a private cloud.

Kubernetes on AWS: What are the Options?

You can manage Amazon Elastic Compute Cloud (EC2) cluster instances with the Amazon EKS managed service. EKS enables you to run Kubernetes on AWS without operating your own clusters. Managed Kubernetes services take responsibility for the configuration, deployment, and maintenance of clusters. The list below reviews the different AWS services you can use for running Kubernetes.

Amazon Elastic Kubernetes Service (EKS)

EKS is a managed Kubernetes service offered by AWS. It enables you to run Kubernetes control plane instances to achieve high availability across zones. EKS automatically identifies and replaces unhealthy control plane instances, and provides automated version upgrades. You can also integrate other AWS services with EKS to add security and scalability features. This includes Elastic Load Balancing (ELB), Identity and Access Management (IAM) for authentication, and Elastic Container Registry (ECR) for container images.

Amazon Virtual Private Cloud (VPC)

Amazon VPC enables you to use AWS services and other resources on virtual networks. You can define your IP address range and have complete control over your virtual networking environment. This includes control over network gateways, subnets, and route table definitions.

The networking capabilities of VPC enable you to connect Kubernetes cluster nodes or EC2 instances to each other. You set routes through the kubenet plugin. This is a Linux networking plugin that provides native performance throughput for your cluster. However, it lacks other features like extensive networking across availability zones.

Amazon Route53

Kubernetes clusters need a Domain Name System (DNS) to enable communication between the worker and the master nodes. DNS is also needed during bootstrap, when Kubernetes first discovers etcd and then the remaining components.

When running Kubernetes in AWS, you can use the Amazon Route 53 service. Route 53 is a DNS service that connects the network traffic to appropriate servers. This subscription-based service enables you to register domain names, perform infrastructure health checks, apply routing policies, and manage configurations using the AWS Console.

Best Practices for Using Amazon EKS

Running Kubernetes workloads on EKS brings new challenges and responsibilities. The following best practices, combined with the regular Kubernetes rules of thumb, should point you in the right direction.

1. Install Calico for cluster network controls

Network traffic in Kubernetes can be internal between pods or with external services. Since pods in EKS clusters have the same security groups as their nodes, the pods can make any network connection that the nodes can. Therefore, you can decrease the number of potential targets for malicious or misconfigured pods by allowing only necessary connections.

The Calico Container Network Interface (CNI) enables you to control network traffic to and from Kubernetes pods by applying the standard Kubernetes Network Policy API. Calico also provides some extensions to the standard policy type. Network policies can control both egress and ingress traffic.
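NetworkPolicy objects only take effect on EKS once a policy engine such as Calico is installed, and the usual way to "allow only necessary connections" is a default-deny policy per namespace (empty podSelector, both policy types) followed by narrow allow rules. The following added example is not part of the article; it audits the output shape of `kubectl get networkpolicies -A -o json` and reports namespaces that still lack a default deny in either direction. The namespaces, policy names and labels are constructed sample data.

```python
"""Audit which namespaces have a default-deny NetworkPolicy for ingress and egress.

Added example (not from the article). Input mirrors the JSON shape of
`kubectl get networkpolicies -A -o json`; all names below are constructed.
"""
import json

# Constructed sample: a namespace with a full default deny plus one allow rule,
# a namespace that denies ingress only, and a namespace with no policy at all.
SAMPLE_POLICIES = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # default deny for both directions: selects every pod, no allow rules
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny-all", "namespace": "payments"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
        },
        {   # narrow allow: only frontend pods may reach api pods on TCP/8080
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "allow-frontend-to-api", "namespace": "payments"},
            "spec": {
                "podSelector": {"matchLabels": {"app": "api"}},
                "policyTypes": ["Ingress"],
                "ingress": [{
                    "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                    "ports": [{"protocol": "TCP", "port": 8080}],
                }],
            },
        },
        {   # ingress-only default deny: egress from this namespace is still open
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny-ingress", "namespace": "reporting"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
        },
    ],
})

SAMPLE_NAMESPACES = ["payments", "reporting", "scratch"]


def is_default_deny(policy, direction):
    """True if the policy selects all pods and carries no allow rule for `direction`."""
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) != {}:      # non-empty selector: only some pods
        return False
    # When policyTypes is omitted, Kubernetes implies Ingress, plus Egress if an
    # egress section is present.
    types = spec.get("policyTypes") or (
        ["Ingress"] + (["Egress"] if "egress" in spec else [])
    )
    return direction in types and not spec.get(direction.lower())


def audit_coverage(namespaces, policies_json):
    """Map each namespace to the set of directions covered by a default deny."""
    coverage = {ns: set() for ns in namespaces}
    for pol in json.loads(policies_json)["items"]:
        ns = pol["metadata"]["namespace"]
        if ns not in coverage:
            continue
        for direction in ("Ingress", "Egress"):
            if is_default_deny(pol, direction):
                coverage[ns].add(direction)
    return coverage


def uncovered(namespaces, policies_json):
    """Namespaces missing a default deny in at least one direction, with the gap listed."""
    both = {"Ingress", "Egress"}
    return {
        ns: sorted(both - dirs)
        for ns, dirs in audit_coverage(namespaces, policies_json).items()
        if dirs != both
    }


if __name__ == "__main__":
    for ns, gaps in uncovered(SAMPLE_NAMESPACES, SAMPLE_POLICIES).items():
        print(f"{ns}: no default deny for {', '.join(gaps)}")
```

In a live cluster, feed it `kubectl get ns -o jsonpath='{.items[*].metadata.name}'` and `kubectl get networkpolicies -A -o json`; the check deliberately treats an ingress-only deny as incomplete, because a pod that can still egress anywhere can still reach the node's full network reach described above.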

2. Monitor additional resource usage

The deployment of EKS into an existing VPC enables you to create ELB load balancers and EBS volumes as part of your Kubernetes applications.

However, these deployments carry additional costs. Therefore, you should use Kubernetes Role-Based Access Control (RBAC) to give users only the permissions they need. When users have access only to the resources they need, they won’t add unnecessary load. You should also monitor resource usage through the Kubernetes API or the Kubernetes CLI. Monitoring enables you to shut down unnecessary resources across all namespaces.
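The two resource types named above map to billable AWS objects (a `LoadBalancer` Service creates an ELB, a PersistentVolumeClaim on the default storage class creates an EBS volume), so a monitoring pass across all namespaces mostly comes down to counting those. The following added example is not part of the article; it summarizes the JSON shape returned by `kubectl get svc -A -o json` and `kubectl get pvc -A -o json` per namespace and flags namespaces over an assumed budget. The namespaces, names, sizes and thresholds are constructed.

```python
"""Summarize ELB-backed Services and EBS-backed PVC storage per namespace.

Added example (not from the article). Input mirrors the JSON shape of
`kubectl get svc -A -o json` and `kubectl get pvc -A -o json`, trimmed to
the fields used here; all values are constructed.
"""
import json
import re

SAMPLE_SERVICES = json.dumps({"items": [
    {"metadata": {"name": "web", "namespace": "shop"}, "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "api", "namespace": "shop"}, "spec": {"type": "ClusterIP"}},
    {"metadata": {"name": "demo", "namespace": "scratch"}, "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "old-demo", "namespace": "scratch"}, "spec": {"type": "LoadBalancer"}},
]})

SAMPLE_PVCS = json.dumps({"items": [
    {"metadata": {"name": "db-data", "namespace": "shop"},
     "spec": {"resources": {"requests": {"storage": "100Gi"}}}},
    {"metadata": {"name": "cache", "namespace": "shop"},
     "spec": {"resources": {"requests": {"storage": "512Mi"}}}},
    {"metadata": {"name": "tmp", "namespace": "scratch"},
     "spec": {"resources": {"requests": {"storage": "2Ti"}}}},
]})

# Kubernetes quantity suffixes: binary (Gi) and decimal (G) forms differ.
_SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
           "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
_QUANTITY = re.compile(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|k|M|G|T)?")


def parse_quantity(q):
    """Convert a Kubernetes storage quantity such as '100Gi' into bytes."""
    m = _QUANTITY.fullmatch(q.strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    value, suffix = m.groups()
    return int(float(value) * _SUFFIX[suffix or ""])


def _entry(summary, ns):
    return summary.setdefault(ns, {"load_balancers": 0, "pvc_bytes": 0})


def summarize(services_json, pvcs_json):
    """Per-namespace count of LoadBalancer Services and total requested PVC bytes."""
    summary = {}
    for svc in json.loads(services_json)["items"]:
        if svc["spec"].get("type") == "LoadBalancer":
            _entry(summary, svc["metadata"]["namespace"])["load_balancers"] += 1
    for pvc in json.loads(pvcs_json)["items"]:
        size = parse_quantity(pvc["spec"]["resources"]["requests"]["storage"])
        _entry(summary, pvc["metadata"]["namespace"])["pvc_bytes"] += size
    return summary


def over_budget(summary, max_lbs, max_gib):
    """Namespaces exceeding an assumed per-namespace budget (thresholds are constructed)."""
    return sorted(
        ns for ns, s in summary.items()
        if s["load_balancers"] > max_lbs or s["pvc_bytes"] > max_gib * 2**30
    )


if __name__ == "__main__":
    totals = summarize(SAMPLE_SERVICES, SAMPLE_PVCS)
    for ns, s in sorted(totals.items()):
        print(f"{ns}: {s['load_balancers']} load balancer(s), "
              f"{s['pvc_bytes'] / 2**30:.1f} GiB requested")
    print("over budget:", over_budget(totals, max_lbs=1, max_gib=1024))
```

Once such a report shows a namespace that keeps accumulating load balancers or volumes, the durable fix is the RBAC restriction the text describes, optionally backed by a ResourceQuota, whose `services.loadbalancers` and `requests.storage` keys cap exactly these two resource types per namespace.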

3. Limit network access to the Kubernetes API endpoint

By default, EKS leaves the Kubernetes API endpoint fully open to the public Internet. In addition, EKS allows unauthenticated connections because it runs the API server with the --anonymous-auth=true flag. The problem is that you cannot disable this flag. Even if you don’t give any Kubernetes RBAC privileges to anonymous users, this flag still poses a danger.

EKS provides several options for protecting API endpoints of a cluster:

  • Disable the public endpoint—use only the private endpoint inside the cluster’s VPC.
  • Restrict IP addresses—allow only a whitelist of Classless Inter-Domain Routing (CIDR) blocks to connect to the public endpoint.
  • Network policies—block traffic from pods to the API endpoint, allowing communication only from workloads that require access.
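The first two options are settings on the cluster's `resourcesVpcConfig` (`endpointPublicAccess`, `endpointPrivateAccess`, `publicAccessCidrs`), which is also what `aws eks describe-cluster` reports. The following added example is not part of the article; it reads that JSON shape, reports how exposed the endpoint is, and builds the `aws eks update-cluster-config` command that applies either the CIDR allowlist or the private-only option. The cluster name and the CIDR blocks are constructed, and the allowlist validation refuses `0.0.0.0/0`, which would make the restriction meaningless.

```python
"""Check an EKS cluster's API endpoint exposure and build the remediation command.

Added example (not from the article). Input mirrors the JSON shape of
`aws eks describe-cluster --name <cluster>`; the cluster name and CIDRs are constructed.
"""
import ipaddress
import json

# Constructed sample: the default posture of a public endpoint open to all IPv4.
SAMPLE_DESCRIBE = json.dumps({"cluster": {
    "name": "example-cluster",
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
}})


def endpoint_findings(describe_json):
    """Return (severity, message) pairs describing the endpoint's exposure."""
    cfg = json.loads(describe_json)["cluster"]["resourcesVpcConfig"]
    public = cfg.get("endpointPublicAccess", True)
    private = cfg.get("endpointPrivateAccess", False)
    cidrs = cfg.get("publicAccessCidrs", ["0.0.0.0/0"])
    findings = []
    if public:
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            findings.append(("high", "public endpoint reachable from any IPv4 address"))
        else:
            findings.append(("medium",
                             f"public endpoint restricted to {len(cidrs)} CIDR block(s)"))
    if not private:
        findings.append(("medium",
                         "private endpoint disabled: in-VPC traffic to the API leaves the VPC"))
    return findings


def validate_allowlist(cidrs):
    """Accept only explicit IPv4 network ranges; 0.0.0.0/0 defeats the purpose."""
    out = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=True)  # rejects host bits set or bad input
        if net.version != 4:
            raise ValueError(f"EKS public access CIDRs must be IPv4: {c}")
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 would leave the endpoint open to everyone")
        out.append(str(net))
    return out


def remediation_command(cluster_name, allowlist=(), private_only=False):
    """Build the argv for `aws eks update-cluster-config` that applies the fix.

    The list value goes last in the shorthand so its commas are not read as new keys.
    """
    if private_only:
        vpc_cfg = "endpointPublicAccess=false,endpointPrivateAccess=true"
    else:
        cidrs = ",".join(validate_allowlist(allowlist))
        vpc_cfg = ("endpointPublicAccess=true,endpointPrivateAccess=true,"
                   f"publicAccessCidrs={cidrs}")
    return ["aws", "eks", "update-cluster-config", "--name", cluster_name,
            "--resources-vpc-config", vpc_cfg]


if __name__ == "__main__":
    for severity, message in endpoint_findings(SAMPLE_DESCRIBE):
        print(f"[{severity}] {message}")
    # Constructed office/VPN egress ranges standing in for a real allowlist.
    print(" ".join(remediation_command("example-cluster",
                                       ["203.0.113.5/32", "198.51.100.0/24"])))
    print(" ".join(remediation_command("example-cluster", private_only=True)))
```

Before applying the private-only variant, make sure the host you run `kubectl` and `aws eks` from sits inside the VPC or reaches it over a VPN or peering link; once `endpointPublicAccess=false` is in effect, the API is no longer reachable from outside. The third option in the list, blocking pod traffic to the endpoint, is a NetworkPolicy concern rather than a cluster setting.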

Conclusion

Running Kubernetes in AWS enables you to run and manage containers on EC2 cluster instances. AWS makes it easy to run Kubernetes in the cloud with scalable and highly available virtual machine infrastructure, Amazon EKS, Amazon VPC, and Route 53 for DNS services. Several best practices can help you deploy Kubernetes on AWS. These include using Calico, monitoring resource usage, and limiting network access to the API endpoint.

By Eddie Segal
