Kubernetes AWS Tips
Kubernetes is a container orchestration and management tool that automates container deployment. Kubernetes is mainly used in the cloud. A recent survey by CNCF showed that 83% of organizations deploy Kubernetes on at least one public cloud. Amazon Web Services (AWS) provides a mature and robust infrastructure and multiple deployment options for Kubernetes. Read on to understand the key options for running Kubernetes on AWS, how they work, and which is best for your organization’s needs.
Why Run Kubernetes on AWS?
Kubernetes is an open-source container deployment and orchestration system developed by Google. When managing containers in the cloud with Kubernetes, developers can scale applications without rebuilding the cluster and managing the infrastructure. However, setting up Kubernetes on AWS can be complex.
Despite this complexity, there are many reasons to run Kubernetes on AWS. Here are four benefits:
- Complete control over your servers—unlike other cloud providers, AWS always lets you control your instances.
- Portability—you can run Kubernetes in any environment, including bare metal, private and public clouds, and even across multiple clouds.
- No vendor lock-in—Kubernetes and the surrounding tools are all open source, backed by an open and well-supported community.
- Cloudbursting—you can protect your Kubernetes workloads at peak times by running part of a cluster on AWS while moving your sensitive workloads to a private cloud.
Kubernetes on AWS: What are the Options?
You can manage Amazon Elastic Compute Cloud (EC2) cluster instances with the Amazon EKS managed service. EKS enables you to run Kubernetes on AWS without operating your own clusters. Managed Kubernetes services take responsibility for the configuration, deployment, and maintenance of clusters. The list below reviews the different AWS services you can use for running Kubernetes.
Amazon Elastic Kubernetes Service (EKS)
EKS is a managed Kubernetes service offered by AWS. It enables you to run Kubernetes control plane instances to achieve high availability across zones. EKS automatically identifies and replaces unhealthy control plane instances, and provides automated version upgrades. You can also integrate other AWS services with EKS to add security and scalability features. This includes Elastic Load Balancing (ELB), Identity and Access Management (IAM) for authentication, and Elastic Container Registry (ECR) for container images.
Amazon Virtual Private Cloud (VPC)
Amazon VPC enables you to use AWS services and other resources on virtual networks. You can define your IP address range and have complete control over your virtual networking environment. This includes control over network gateways, subnets, and route table definitions.
The networking capabilities of VPC enable you to connect Kubernetes cluster nodes or EC2 instances to each other. Routes are set through the kubenet plugin, a Linux networking plugin that provides native-performance throughput for your cluster. However, it lacks other features, such as extensive networking across availability zones.
Kubernetes clusters need a Domain Name System (DNS) to enable communication between the worker and master nodes. DNS is also used when Kubernetes discovers etcd and then the remaining components.
When running Kubernetes in AWS, you can use the Amazon Route 53 service. Route 53 is a DNS service that connects the network traffic to appropriate servers. This subscription-based service enables you to register domain names, perform infrastructure health checks, apply routing policies, and manage configurations using the AWS Console.
Best Practices for Using Amazon EKS
Running Kubernetes workloads on EKS brings new challenges and responsibilities. The following best practices, combined with the regular Kubernetes rules of thumb, should point you in the right direction.
1. Install Calico for cluster network controls
Network traffic in Kubernetes can be internal between pods or with external services. Since pods in EKS clusters share the security groups of their nodes, the pods can make any network connection that the nodes can. Therefore, you can decrease the number of potential targets for malicious or misconfigured pods by allowing only the connections that are actually necessary.
The Calico Container Network Interface (CNI) enables you to control network traffic to and from Kubernetes pods by applying the standard Kubernetes Network Policy API. Calico also provides some extensions to the standard policy type. Network policies can control both egress and ingress traffic.
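The following shell function, added here as an example and not taken from the article or from the Calico project, writes the two manifests that implement this pattern for `kubectl apply`: a namespace-wide default deny for both ingress and egress, followed by a policy that re-opens only what a `web` workload needs (HTTPS from pods labelled `app: frontend`, and DNS to kube-dns in `kube-system`). The namespace name `payments`, the pod labels, and the port 8443 are assumptions for illustration. Because the default-deny egress rule applies to every pod in the namespace, it also blocks pod traffic to the cluster API endpoint unless a later policy explicitly allows it, which is the network-policy control described in the section on limiting access to the Kubernetes API endpoint.

```shell
#!/bin/sh
# Added example: write a default-deny NetworkPolicy and a narrow allow policy
# for an assumed "payments" namespace, then sanity-check the default deny.
# Apply with: kubectl apply -f "$OUT_DIR"   (Calico enforces them on EKS)
set -eu

write_network_policies() {
  out_dir=$1
  ns=${2:-payments}   # assumed namespace
  mkdir -p "$out_dir"

  # 1. Default deny: an empty podSelector matches every pod in the namespace;
  #    listing both policy types with no rules blocks all ingress and egress,
  #    including traffic from pods to the Kubernetes API endpoint.
  cat > "$out_dir/00-default-deny.yaml" <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF

  # 2. Re-open only what "web" pods need. Policies are additive, so anything
  #    not listed here stays denied. The kube-dns pod label and the
  #    kubernetes.io/metadata.name namespace label are the Kubernetes defaults.
  cat > "$out_dir/10-allow-web.yaml" <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8443
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# Pre-apply check: succeeds only when the manifest selects every pod
# (empty podSelector) and declares both traffic directions.
check_default_deny() {
  f=$1
  grep -q 'podSelector: {}' "$f" &&
  grep -q -- '- Ingress' "$f" &&
  grep -q -- '- Egress' "$f"
}

# Offline usage: write the manifests to a temporary directory and check them.
# tmp=$(mktemp -d); write_network_policies "$tmp"; check_default_deny "$tmp/00-default-deny.yaml"
```

Apply the default-deny manifest first and watch the workload's connectivity before adding allow rules; a pod that needs to reach the API server (for example a controller) gets its own explicit egress rule to the cluster endpoint rather than a namespace-wide exception.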
2. Monitor additional resource usage
The deployment of EKS into an existing VPC enables you to create ELB load balancers and EBS volumes as part of your Kubernetes applications.
However, these deployments carry additional costs. Therefore, you should use Kubernetes Role-Based Access Control (RBAC) to give users only the permissions they need. When users have access only to the resources they need, they will not add unnecessary load. You should also monitor resource usage through the Kubernetes API or the Kubernetes CLI. Monitoring enables you to shut down unnecessary resources across all namespaces.
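As an added example (not code from the article or from AWS), the shell script below does both halves of this practice. The first function writes a namespaced Role and RoleBinding that let a developer group manage workloads but only read Services and PersistentVolumeClaims, so they cannot create LoadBalancer Services (which provision ELBs) or PVCs (which provision EBS volumes) on their own. The second part is an inventory of the cloud-backed objects that already exist across all namespaces, built on `kubectl get -o custom-columns` with small `awk` filters; the constructed sample rows let the filters run without a cluster. The namespace `payments` and the group `payments-developers` are assumptions.

```shell
#!/bin/sh
# Added example: least-privilege RBAC for developers plus an inventory of
# ELB-backed Services and EBS-backed PVCs across all namespaces.
set -eu

# Role + RoleBinding: workloads are fully manageable, but Services and PVCs
# are read-only for the group, so cloud resources are created only by platform roles.
write_developer_rbac() {
  out=$1
  ns=${2:-payments}                 # assumed namespace
  group=${3:-payments-developers}   # assumed IAM-mapped group name
  cat > "$out" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: $ns
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
# Read-only on the objects that create billable AWS resources (ELB, EBS).
- apiGroups: [""]
  resources: ["services", "persistentvolumeclaims"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer
  namespace: $ns
subjects:
- kind: Group
  name: $group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Inventory filters. Input rows are "NAMESPACE NAME TYPE" for Services and
# "NAMESPACE NAME STATUS SIZE" for PVCs, as produced by the kubectl calls below.
filter_loadbalancers() { awk '$3 == "LoadBalancer" { print $1 "/" $2 }'; }
filter_bound_pvcs()    { awk '$3 == "Bound" { print $1 "/" $2 " " $4 }'; }

list_loadbalancer_services() {
  kubectl get svc -A --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type |
    filter_loadbalancers
}

list_bound_pvcs() {
  kubectl get pvc -A --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,STATUS:.status.phase,SIZE:.spec.resources.requests.storage |
    filter_bound_pvcs
}

# Constructed sample output (not from a real cluster) so the filters can be
# exercised offline; it mimics the custom-columns rows above.
SAMPLE_SVC='default    kubernetes   ClusterIP
payments   api          ClusterIP
payments   public-edge  LoadBalancer
staging    old-demo     LoadBalancer'

SAMPLE_PVC='payments   db-data    Bound     20Gi
staging    scratch    Pending   <none>
staging    old-data   Bound     100Gi'

# Offline demonstration: print the ELB-backed Services and EBS-backed volumes.
printf '%s\n' "$SAMPLE_SVC" | filter_loadbalancers
printf '%s\n' "$SAMPLE_PVC" | filter_bound_pvcs
```

In practice, run `list_loadbalancer_services` and `list_bound_pvcs` against the cluster and compare the result with what each namespace owner expects; an entry in a namespace such as `staging` that nobody claims is a candidate for deletion, and deleting the Service or PVC removes the ELB or EBS volume behind it.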
3. Limit network access to the Kubernetes API endpoint
By default, EKS exposes the Kubernetes API endpoint to the public Internet. In addition, EKS runs the API server with the --anonymous-auth=true flag, which allows unauthenticated connections, and you cannot disable this flag. Even if you give no Kubernetes RBAC privileges to anonymous users, the flag still poses a risk.
EKS provides several options for protecting API endpoints of a cluster:
- Disable the public endpoint—use only the private endpoint inside the cluster’s VPC.
- Restrict IP addresses—allow only an approved list of Classless Inter-Domain Routing (CIDR) blocks to connect to the public endpoint.
- Network policies—block traffic from pods to the API endpoint, allowing it only for the workloads that require access.
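The shell functions below are an added example, not code from the article or from AWS, showing the first two options with the AWS CLI: one function reads a cluster's endpoint settings, one evaluates them (it is the part that runs offline, on a constructed line in the shape the CLI prints), and one applies the restriction. The cluster name and the allowed CIDR `203.0.113.0/24` are placeholders; the `--query` expression and the `--resources-vpc-config` keys are the real `aws eks` ones.

```shell
#!/bin/sh
# Added example: audit an EKS cluster's API endpoint exposure and restrict it.
set -eu

# Prints one line: "<publicAccess> <privateAccess> <cidr,cidr,...>",
# e.g. "True False 0.0.0.0/0" for a cluster left at the EKS defaults.
describe_endpoint() {
  aws eks describe-cluster --name "$1" --output text \
    --query 'cluster.resourcesVpcConfig.[endpointPublicAccess,endpointPrivateAccess,join(`,`,publicAccessCidrs)]'
}

# Evaluates such a line. Returns 0 when the endpoint is acceptably restricted,
# 1 (with each finding on stdout) when it is reachable from any IP or when
# there is no private path for in-VPC workers.
audit_endpoint_line() {
  line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pub=$(printf '%s' "$line" | awk '{print $1}')
  priv=$(printf '%s' "$line" | awk '{print $2}')
  cidrs=$(printf '%s' "$line" | awk '{print $3}')
  rc=0
  case "$pub:$cidrs" in
    true:*0.0.0.0/0*)
      echo "FINDING: public endpoint reachable from any IP address"
      rc=1 ;;
  esac
  if [ "$priv" != "true" ]; then
    echo "FINDING: private endpoint disabled; worker-to-API traffic leaves the VPC"
    rc=1
  fi
  return $rc
}

# Keeps a public endpoint but only for one approved CIDR (placeholder), and
# enables the private endpoint so nodes and in-VPC tooling keep working.
# To go fully private instead, set endpointPublicAccess=false and drop the CIDR.
harden_endpoint() {
  cluster=$1
  allowed_cidr=${2:-203.0.113.0/24}   # placeholder: your VPN or office egress range
  aws eks update-cluster-config --name "$cluster" \
    --resources-vpc-config "endpointPublicAccess=true,publicAccessCidrs=\"$allowed_cidr\",endpointPrivateAccess=true"
}

# Usage against a real cluster:
#   audit_endpoint_line "$(describe_endpoint my-cluster)" || harden_endpoint my-cluster 203.0.113.0/24
```

Once the public endpoint is disabled or restricted, `kubectl` from outside the allowed range (or outside the VPC, if fully private) stops working, so run the audit from the location you expect to administer the cluster from, and keep a VPN or bastion path in place before applying the change.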
Running Kubernetes in AWS enables you to run and manage containers on EC2 cluster instances. AWS makes it easy to run Kubernetes in the cloud with scalable and highly available virtual machine infrastructure, Amazon EKS, Amazon VPC, and Route 53 for DNS services. Several best practices can help you deploy Kubernetes on AWS. These include using Calico, monitoring resource usage, and limiting network access to the API endpoint.
By Eddie Segal