Introduction to Amazon EKS-2024

The document provides an introduction to Amazon EKS, explaining the importance of containers and their advantages over virtual machines. It outlines the architecture of Kubernetes and Amazon EKS, detailing how EKS offers a managed Kubernetes experience for building secure applications. Additionally, it covers various aspects of Kubernetes networking, autoscaling, and the integration of AWS services with EKS.

Uploaded by Bran K

Introduction to Amazon EKS

Containers Immersion Day

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
First things first…

• What are containers and why are customers using them?
Application environment components

• Runtime Engine
• Code
• Dependencies
• Configuration
Different environments

Local Laptop | Staging / QA | Production | On-Prem
It worked on my machine, why not in prod?

[Figure: the same dependency installed at different versions (v7.0.0, v4.0.0, v7.0.0, v6.0.0) across Local Laptop, Staging / QA, Production and On-Prem]
Containers to the rescue

[Figure: the container packages the Runtime Engine, Dependencies and Code together as one unit]
Containers vs VMs

Containers
- Use Linux primitives (cgroups, namespaces) for isolation
- Share the Linux kernel
- Fast starts, minimal overhead
- Flexible isolation

Virtual Machines
- Virtualise or emulate hardware components
- Completely separate kernels (maybe not Linux)
- Slower starts, must boot a kernel and set up hardware

[Figure: Container | Container → cgroups, namespaces → Linux Kernel → Hardware, beside VM Guest | VM Guest → Virtual Hardware → Linux Kernel / KVM → Hardware]
Container images

• Read-only image that is used as a template to launch a container.
• Start from base images that have your dependencies, add your custom code.
• Dockerfile for easy, reproducible builds.

[Figure: image layers. A running Container adds a writable layer on top of the read-only NGINX Image; each image references its parent image (Ubuntu), down to the Base image (bootfs); the host kernel sits below all layers]
Four environments, same container

Local Laptop | Staging / QA | Production | On-Prem
What is Kubernetes?

• Open source container management platform
• Helps you run containers at scale
• Gives you primitives for building modern applications

https://kubernetes.io/docs/tutorials/kubernetes-basics/
Kubernetes basic architecture

[Figure: Kubernetes basic architecture]
What is Kubernetes?

Objects
• Pod: a thin wrapper around one or more containers
• DaemonSet: implements a single instance of a pod on a worker node
• Deployment: details how to roll out (or roll back) across versions of your application
• ReplicaSet: ensures a defined number of pods are always running
• Job: ensures a pod properly runs to completion
• Service: maps a fixed IP address to a logical group of pods
• Label: key/value pairs used for association and filtering
• Namespace: logically named group
• kubectl: command line interface
Amazon EKS

What is Amazon EKS?

• Amazon EKS runs vanilla Kubernetes; EKS is upstream and a certified conformant version of Kubernetes (with backported security fixes)
• Amazon EKS supports 4 versions of Kubernetes, giving you time to test and roll out upgrades
• Amazon EKS provides a managed Kubernetes experience
• Amazon EKS for performant, reliable, and secure Kubernetes
• Amazon EKS makes Kubernetes operations, administration, and management simple
• Amazon EKS helps you build reliable, stable, and secure applications in virtually any environment
Amazon EKS High Level Architecture

A fully managed, single-tenant Kubernetes control plane per cluster.

[Figure: Customer VPC (Self-Managed Node Groups, Managed Node Groups, Fargate Pod IPs, Private Kubernetes API IPs) connected to the AWS Cloud (the EKS control plane; a Fargate MicroVM running a Kubernetes Pod)]
Amazon EKS Control Plane Architecture

• Survive single-AZ events
• Highly available cluster endpoint
• 99.95% SLA
• 24x7x365 support
• Automatic resizing
• Increased the etcd volume throughput 6x

[Figure: EKS-managed VPC in the AWS Cloud spanning Availability Zone 1, 2 and 3, an NLB in each AZ in front of the private subnet, two API server instances, and one etcd instance per AZ]
Amazon EKS Runtimes Overview

Amazon EKS supports running containers on EC2 instances or on AWS Fargate. Clusters can run containers on a single runtime or multiple runtimes at the same time.

• Amazon EC2: run containers on EC2 instances within your account that you manage and configure.
• AWS Fargate: a fully managed container environment with no infrastructure management.

[Figure: Administrator deploys Pod → Kubernetes schedules the pod → Amazon EC2 or AWS Fargate]
Amazon EC2 Runtime Options

Self-Managed Node Groups
Bring your own Auto Scaling groups running your own custom AMI. You are responsible for patching and the underlying OS.

Managed Node Groups
Provisioned by EKS in your VPC. They run the latest EKS optimized AMI. Handles automatic draining and rolling out new AMIs.

Runtime Options: GPU Based Instances, Nitro Based Instances, AMD Backed Instances, Graviton 2 Instances, Spot Instances and Compute Savings Plans, AWS Outposts, AWS Local Zones
Kubernetes Ingress and The AWS Load Balancer Controller
Kubernetes Ingress object

• Exposes HTTP/HTTPS routes to services within the cluster
• Many implementations: ALB, NGINX, F5, HAProxy etc.
• Default service type: ClusterIP
AWS Load Balancer Controller
A KUBERNETES CONTROLLER FOR ELASTIC LOAD BALANCERS

• Manages AWS Elastic Load Balancing for an Amazon EKS or a Kubernetes cluster
• Uses standard Kubernetes resources
  § v1: Service (Type: LoadBalancer) → Network Load Balancer
  § networking.k8s.io/v1: Ingress → Application Load Balancer
  § networking.k8s.io/v1: IngressClass
• Custom resources
  § elbv2.k8s.aws/v1beta1: TargetGroupBinding
• Supports latest ELB features
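An Ingress handled by the controller is also where TLS termination, HTTP-to-HTTPS redirect and the TLS policy of the ALB get decided, and a plain `Ingress` with only an HTTP listener is easy to ship by accident. The following is an added example, not code from the AWS deck or the controller project: it renders an `Ingress` for the ALB in a hardened and in a weak form and lints a manifest for the settings an internet-facing ALB should carry. The host, namespace, backend Service name and the ACM certificate ARN are placeholders (assumptions).

```shell
# Added example (not from the AWS deck): render an Ingress for the AWS Load
# Balancer Controller and lint it for the settings that matter on an
# internet-facing ALB. The host, the ACM certificate ARN and the backend
# Service name are placeholders (assumptions), not values from the slides.

# Emit an Ingress manifest on stdout.
# $1 = name (also the backend Service name), $2 = namespace, $3 = host,
# $4 = ACM certificate ARN, $5 = "hardened" (TLS, redirect, TLS 1.3 policy)
# or "weak" (plain HTTP listener only).
alb_ingress() {
  name=$1; ns=$2; host=$3; cert=$4; mode=$5
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${name}
  namespace: ${ns}
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
EOF
  if [ "$mode" = hardened ]; then
    cat <<EOF
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/certificate-arn: ${cert}
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
EOF
  else
    cat <<EOF
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
EOF
  fi
  cat <<EOF
spec:
  ingressClassName: alb
  rules:
    - host: ${host}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ${name}
                port:
                  number: 80
EOF
}

# Lint a manifest read from stdin. An internet-facing ALB must terminate
# TLS, redirect plain HTTP to 443 and pin a TLS 1.3 security policy.
# Returns 0 when the manifest passes, 1 (with a reason on stdout) otherwise.
lint_alb_ingress() {
  m=$(cat)
  case "$m" in
    *"scheme: internet-facing"*) ;;
    *) return 0 ;;   # internal ALBs are out of scope for this check
  esac
  echo "$m" | grep -q '"HTTPS": 443'          || { echo "missing HTTPS listener"; return 1; }
  echo "$m" | grep -q "ssl-redirect: '443'"   || { echo "missing ssl-redirect"; return 1; }
  echo "$m" | grep -q 'certificate-arn: arn:' || { echo "missing certificate-arn"; return 1; }
  echo "$m" | grep -q 'ssl-policy: ELBSecurityPolicy-TLS13' \
                                              || { echo "weak or unset ssl-policy"; return 1; }
  return 0
}

# Usage against a cluster (needs the controller installed; not run here):
#   alb_ingress app prod app.example.com "$CERT_ARN" hardened | lint_alb_ingress &&
#   alb_ingress app prod app.example.com "$CERT_ARN" hardened | kubectl apply -f -
```

The lint is deliberately a plain-text check so it can run in CI before `kubectl apply`; `target-type: ip` registers Pod IPs (which the VPC CNI hands out, see the networking section) directly in the target group rather than going through a NodePort on every node.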
Scaling applications with Kubernetes
Kubernetes Autoscaling

1. Horizontal Pod Autoscaling (HPA)
2. Vertical Pod Autoscaling (VPA)
3. Cluster Autoscaler (CAS)

[Figure: HPA and VPA read from the Metrics Store; pending pods that cannot be scheduled (X) are picked up by CAS, which makes an API call to the ASG to scale up the ASG]
What is Karpenter?

Karpenter is an open-source, flexible, and high-performance Kubernetes cluster autoscaler.

• Open source and Kubernetes-native
• Dynamic, group-less node provisioning
• Automatic node sizing
• Rapid scaling
How Karpenter Works

• Deeply integrated with EC2
  § EC2 Fleet API, no ASGs
• Deeply Kubernetes native
  § Watch API, Labels, Finalizers
• Automated instance selection
  § Matches workload needs to instance type based on the Provisioner profile
• Karpenter terminates underutilized nodes

[Figure: pending, unschedulable pods → Karpenter makes an API call to EC2 for just-in-time capacity next to the existing capacity: right-sized instances, no ASGs to manage]
Kubernetes Security

EKS – Self Managed Workers

[Figure: shared responsibility model for self-managed workers]

AWS Responsibility
- Kubernetes Control Plane: API Server, Scheduler, Controller Manager, etcd

Customer Responsibility
- Customer Data
- Container Images, Source Code, IAM
- EKS Cluster Configuration
- VPC Configuration
- Cluster Add-Ons
- Worker Node Scaling
- OS, Kubelet, CRI & AMI, AMI Configuration
- Pod: Pod Security Policies, RBAC Bindings, Network Policies, Quotas & Limit Ranges, QoS and Pod Priority, HPA & VPA, Pod Disruption Budgets

EKS – Managed Node Groups

[Figure: shared responsibility model for managed node groups; the same components as above]

The split differs only at the node layer: EKS provisions the nodes, supplies the EKS optimized AMI and handles draining and AMI roll-outs (see Amazon EC2 Runtime Options), so the OS, Kubelet, CRI and AMI sit with AWS. AMI configuration, worker node scaling, cluster add-ons, EKS cluster and VPC configuration, IAM, container images, source code, customer data and everything inside the Pod remain with the customer.

EKS – Fargate

[Figure: shared responsibility model for Fargate; the same components as above]

With Fargate there is no worker node to manage: the OS, Kubelet, CRI and AMI, AMI configuration and worker node scaling move to AWS alongside the control plane. The customer keeps customer data, container images, source code, IAM, EKS cluster configuration, VPC configuration, cluster add-ons and the Pod-level controls (Pod Security Policies, RBAC Bindings, Network Policies, Quotas & Limit Ranges, QoS and Pod Priority, HPA & VPA, Pod Disruption Budgets).
Kubernetes Networking
Kubernetes networking model

• Every Pod gets its own IP address
• Containers in the same Pod share the network (IP address)
• Pods communicate to other Pods without NAT
• The model is implemented by a Container Network Interface (CNI) plugin
Pod IPv4 networking – CNI plugin

The Amazon VPC Container Network Interface (CNI) plugin is used for
- Creating and attaching ENIs to worker nodes
- Assigning secondary IP addresses for Pods
- Wiring the host network

[Figure: worker node in the worker subnet of your VPC. Primary ENI, primary IP 10.0.0.20, secondary IPs 10.0.0.101, 10.0.1.203 and 10.0.2.123 assigned to three Pods; secondary ENI, primary IP 10.0.0.30, secondary IPs 10.0.1.64, 10.0.0.32 and 10.0.2.67 assigned to three more Pods]

Alternatives to Amazon VPC CNI
- Calico from Tigera
- Cilium from Isovalent
- Weave Net from Weaveworks
- Antrea from VMware
Amazon CNI – Configuration options

• Prefix delegation
kubectl set env daemonset aws-node -n kube-system ENABLE_PREFIX_DELEGATION=true/false

• Security groups for Pods
kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true/false

• Custom networking
kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true/false
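Flipping ENABLE_POD_ENI only turns the feature on; to actually give a set of Pods their own security group you also need the cluster role permission the VPC resource controller relies on and a SecurityGroupPolicy object that selects the Pods. The following is an added example, not code from the AWS deck or the CNI project. The cluster IAM role name, namespace, app label and security-group IDs are placeholders (assumptions).

```shell
# Added example (not from the AWS deck): enable security groups for Pods
# (the ENABLE_POD_ENI switch on the slide) and bind a security group to a
# set of Pods with the VPC resource controller's SecurityGroupPolicy
# resource. The cluster role name, namespace, label and security-group IDs
# are placeholders (assumptions).

# One-time setup. The cluster's IAM role needs the AmazonEKSVPCResourceController
# policy so the controller can attach trunk and branch ENIs; after the
# DaemonSet rolls out, nodes that support trunking get the
# vpc.amazonaws.com/has-trunk-attached=true label. $1 = cluster IAM role name.
# Requires AWS and cluster access; not run by the test.
enable_sg_for_pods() {
  aws iam attach-role-policy --role-name "$1" \
    --policy-arn arn:aws:iam::aws:policy/AmazonEKSVPCResourceController
  kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true
  kubectl rollout status daemonset aws-node -n kube-system
  kubectl get nodes -L vpc.amazonaws.com/has-trunk-attached
}

# Render a SecurityGroupPolicy: Pods in namespace $1 carrying the label
# app=$2 get the security groups listed in $3... instead of the node's.
sg_policy() {
  ns=$1; app=$2; shift 2
  cat <<EOF
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: ${app}-sgp
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: ${app}
  securityGroups:
    groupIds:
EOF
  for sg in "$@"; do
    printf '      - %s\n' "$sg"
  done
}

# Number of security groups a rendered policy binds (manifest on stdin).
sg_policy_group_count() {
  grep -c '^      - sg-'
}

# Usage (not run here):
#   sg_policy payments api sg-0123456789abcdef0 | kubectl apply -f -
```

Two caveats a practitioner will hit: the policy only affects Pods created after it exists (restart the Deployment to pick it up), and it is ignored for Pods running with hostNetwork, which keep the node's security group.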
Secondary IPs for Pods per EC2 instance

[Figure: m5.large with three ENIs, each with 1x ENI IP and 9x secondary IPs]

MAX PODS = (Number of network interfaces × [the number of IP addresses per network interface – 1]) + 2

m5.large: (3 × [10 – 1]) + 2 = 29
Amazon VPC prefix delegation

Allows for assigning a prefix to an EC2 ENI
- /28 block for IPv4 (16x IPv4 addresses)
- /80 block for IPv6 (2^48, about 281 trillion IPv6 addresses)

Prefix delegation is only supported on Nitro instances
Prefix delegation

[Figure: m5.large with three ENIs, each with 1x IP and 9x delegated /28 prefixes]

MAX IPs ≠ MAX PODS: 3 ENIs × 9 prefixes × 16 = 432 IPv4 addresses (trillions with IPv6), but the node's max Pods is 110.
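The two m5.large slides are the same arithmetic run with different per-slot sizes, and the "MAX IPs ≠ MAX PODS" point is easiest to see when the numbers are computed rather than read off a picture. The following is an added example, not code from the AWS deck. It takes the m5.large limits (3 ENIs, 10 IPv4 addresses per ENI, 2 vCPUs) from the EC2 instance tables; the 110 / 250 caps are those applied by AWS's max-pods calculator (110 for fewer than 30 vCPUs, 250 otherwise), which this script assumes, since the slide only shows the resulting 110. It also covers custom networking, where the primary ENI carries no Pods (see the custom networking slides later in the deck).

```shell
# Added example (not from the AWS deck): the max-Pods arithmetic behind the
# two m5.large slides. Instance limits (3 ENIs, 10 IPv4 addresses per ENI,
# 2 vCPUs for m5.large) come from the EC2 instance-type tables; the
# 110 / 250 caps are the ones AWS's max-pods calculator applies (110 below
# 30 vCPUs, 250 at or above), an assumption of this script rather than a
# statement on the slides.

# $1 = ENIs, $2 = IPv4 addresses per ENI.
# Secondary-IP mode: one address per ENI is the ENI's own primary address,
# and the +2 covers the two Pods (aws-node, kube-proxy) that use the host
# network and need no Pod IP.
max_pods_secondary_ip() {
  echo $(( $1 * ($2 - 1) + 2 ))
}

# Same formula with custom networking, where the primary ENI carries no Pods.
max_pods_custom_networking() {
  echo $(( ($1 - 1) * ($2 - 1) + 2 ))
}

# IPv4 addresses reachable through delegated /28 prefixes ($1 ENIs, $2 IPv4
# slots per ENI, 16 addresses per prefix); useful for subnet sizing.
prefix_ips_available() {
  echo $(( $1 * ($2 - 1) * 16 ))
}

# $1 = ENIs, $2 = IPv4 slots per ENI, $3 = vCPUs.
# Prefix delegation: each secondary-IP slot becomes a /28, so the node could
# address far more Pods than it should run; the kubelet --max-pods value is
# therefore capped by vCPU count.
max_pods_prefix_delegation() {
  pods=$(( $1 * ($2 - 1) * 16 + 2 ))
  if [ "$3" -lt 30 ]; then cap=110; else cap=250; fi
  if [ "$pods" -lt "$cap" ]; then
    echo "$pods"
  else
    echo "$cap"
  fi
}

# m5.large as on the slides
max_pods_secondary_ip 3 10         # 29
prefix_ips_available 3 10          # 432
max_pods_prefix_delegation 3 10 2  # 110
```

The gap between 432 addresses and 110 Pods is why prefix delegation needs subnet planning as well as a max-pods change: each /28 must be a contiguous, free block in the subnet, so fragmented subnets can fail to allocate prefixes long before they run out of individual addresses.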
Pod IPv4 networking – Prefix delegation

Benefits
• Increased Pod density
• Fewer API calls required to EC2 control plane

[Figure: worker node in the worker subnet of your VPC. Primary ENI, primary IP 10.0.0.20, delegated prefixes 10.0.1.0/28 (16x IPs), 10.0.1.16/28 (16x IPs), […], with Pods at 10.0.1.1, 10.0.1.5 and 10.0.1.17. Secondary ENI, primary IP 10.0.0.30, delegated prefix 10.0.3.0/28 (16x IPs), with Pods at 10.0.3.3, 10.0.3.6 and 10.0.3.7]

kubectl set env daemonset aws-node -n kube-system ENABLE_PREFIX_DELEGATION=true
Pod networking – Custom networking

If the private IPv4 space is limited, the number of available IP addresses could constrain the number of Pods: a /24 VPC CIDR provides 251 unique IPv4 addresses (256 minus the five AWS reserves in every subnet).

[Figure: worker node in the worker subnet of your VPC. Primary ENI, primary IP 10.0.0.20, secondary IPs 10.0.0.11, 10.0.0.23 and 10.0.0.12; secondary ENI, primary IP 10.0.0.30, secondary IPs 10.0.0.61, 10.0.0.32 and 10.0.0.55; nodes and Pods all draw from the same /24]
Pod networking – Custom networking

• VPCs can have multiple IPv4 CIDR ranges
• 100.64.0.0/10 (RFC 6598) can be used in private networks
• Worker node primary ENI is not used for Pods
• Custom networking can be combined with SNAT and prefix delegation

[Figure: your VPC plus a 100.64.0.0/16 secondary CIDR. Subnet 1 holds the worker node's primary ENI (primary IP 10.0.0.20); Subnet 2 holds the secondary ENI (primary IP 100.64.0.30) whose secondary IPs 100.64.0.61, 100.64.11.3 and 100.64.9.17 are assigned to Pods]

kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true
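The env var on the slide tells the CNI to stop using the primary ENI's subnet for Pods, but it does not say where Pod ENIs should go instead; that comes from one ENIConfig per Availability Zone, selected through a node label. The following is an added example, not code from the AWS deck or the CNI project, showing the ENIConfig objects for the 100.64.0.0/16 secondary CIDR on the slide. The zone names, subnet IDs and security-group ID are placeholders (assumptions).

```shell
# Added example (not from the AWS deck): the pieces custom networking needs
# beyond the env var on the slide. Pod ENIs are placed in subnets carved from
# the 100.64.0.0/16 secondary CIDR; the AZ names, subnet IDs and the
# security-group ID are placeholders (assumptions).

# One ENIConfig per Availability Zone, named after the zone so the CNI can
# pick it via the node's topology.kubernetes.io/zone label.
# $1 = zone, $2 = Pod subnet ID in that zone, $3 = security group for Pod ENIs.
eniconfig() {
  cat <<EOF
apiVersion: crd.k8s.amazonaws.com/v1alpha1
kind: ENIConfig
metadata:
  name: $1
spec:
  subnet: $2
  securityGroups:
    - $3
EOF
}

# Render all ENIConfigs from a "zone subnet-id" list on stdin (one per
# line; the sample in the test is constructed). $1 = security group ID.
eniconfigs_from_list() {
  sg=$1
  while read -r zone subnet; do
    [ -n "$zone" ] || continue
    eniconfig "$zone" "$subnet" "$sg"
    echo '---'
  done
}

# Switch the CNI to custom networking (same command as the slide) and tell
# it which node label selects the ENIConfig. Requires cluster access; not
# run by the test. Nodes that already exist keep their current ENIs: custom
# networking only applies to nodes created after the change, so roll the
# node group afterwards and lower max-pods, since the primary ENI no longer
# carries Pods.
enable_custom_networking() {
  kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true
  kubectl set env daemonset aws-node -n kube-system ENI_CONFIG_LABEL_DEF=topology.kubernetes.io/zone
  kubectl rollout status daemonset aws-node -n kube-system
}

# Usage (not run here):
#   printf 'us-east-1a subnet-0aaa\nus-east-1b subnet-0bbb\n' \
#     | eniconfigs_from_list sg-0123456789abcdef0 | kubectl apply -f -
#   enable_custom_networking
```

Because the Pod subnets live in the non-routable 100.64.0.0/10 range, anything outside the VPC only sees Pods after SNAT, which is why the slide notes that custom networking can be combined with SNAT; give the Pod ENIs their own security group rather than the node's so that the rules for Pod traffic can be reviewed separately.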
Questions?
• Introduction to Amazon EKS
