Amazon EKS (Elastic Kubernetes Service) is a managed service provided by Amazon Web Services (AWS) that makes it easier for users to run Kubernetes on AWS without needing to install, operate, and maintain their own Kubernetes control plane or nodes.
Using EKS has the benefits of AWS’s security, scalability, and high availability features, while still providing compatibility with standard Kubernetes tools and APIs. This makes it a popular choice for businesses looking to operate Kubernetes on AWS.
This is part of a series of articles about AWS EKS
In this article
The AWS EKS Cluster’s control plane is tasked with managing and sustaining your Kubernetes cluster’s desired state. For example, it keeps track of applications and the containers they are running. In the AWS EKS framework, the control plane operates over multiple AWS availability zones, providing redundancy and improving reliability.
The control plane includes several components: The Kubernetes API server, the scheduler, and the essential resource controllers. These components work in tandem to manage your Kubernetes cluster’s status. Its management and maintenance are fully handled by AWS.
Worker nodes host the applications and services within your Kubernetes cluster. Each of these nodes operates a Kubernetes agent called Kubelet. This agent’s key responsibility involves coordinating with the control plane to ascertain that the node’s containers are functioning in good health and running appropriate versions of their respective applications.
A pod is the smallest unit in the Kubernetes object model. It may encompass one or several containers, and represents one functional process in your cluster. Kubernetes can scale pods up or down per your application’s requirements.
The EKS cluster uses AWS networking capabilities to enable communication between various Kubernetes cluster components. It supports the networking policies of Kubernetes, allowing you to control pod intercommunication and interaction with other network endpoints.
The AWS EKS Cluster relies on AWS VPCs and uses elastic network interfaces (ENIs) to facilitate interaction between the control plane and worker nodes, ensuring that your Kubernetes applications can easily connect to other services and applications in the AWS environment.
Within an AWS EKS Cluster, a Virtual Private Cloud (VPC) delivers a protected virtual network in which you can launch AWS resources. It gives you total control over the virtual networking environment. A VPC enables you to govern the IP address range, establish subnets, configure route tables, and determine network gateways. This makes sure your AWS EKS Cluster runs in a secure and effective manner.
The AWS EKS Cluster uses AWS security groups and identity and access management (IAM) to safeguard your Kubernetes applications. Security groups act as a virtual firewall for your EKS cluster, managing incoming and outgoing traffic at the instance level. IAM provides a means to control access to AWS resources and services. It allows you to create and manage AWS user and group accounts, as well as grant or deny their permissions to cluster resources.
An EKS Cluster supports the built-in load balancing features in Kubernetes, which automatically distribute incoming application traffic across several pods. This ensures your applications remain fault-tolerant and readily available.
In addition, the AWS EKS Cluster supports AWS’s Elastic Load Balancing (ELB). ELB automatically divides incoming application traffic among various targets, including Amazon EC2 instances, containers, and IP addresses.
Learn more in our detailed guide to AWS EKS architecture
The following steps will help you get started with your first EKS cluster. We show how to create a cluster in the AWS Management Console; you can also do it via the AWS CLI or eksctl, Amazon’s command line tool for EKS.
To create your cluster, follow these steps:
The next step in setting up your EKS cluster is to specify the network configuration. This is a critical step, as the network configuration determines how your EKS cluster communicates with other resources in your AWS environment:
Configuring logging is another vital step in setting up your EKS cluster. By configuring logging, you can monitor the performance of your EKS cluster and troubleshoot any issues that may arise:
The final step in setting up your EKS cluster is to review your configuration and create your EKS cluster.
This will initiate the creation of your EKS cluster. This process may take a few minutes.
Ensuring proper access control is paramount to maintaining a secure Kubernetes environment on EKS. This involves leveraging AWS IAM roles, enabling Kubernetes’ Role-Based Access Control (RBAC), and safeguarding administrative credentials. With RBAC, you can fine-tune permissions to resources, thus upholding the principle of least privilege. By assigning specific roles to users or groups, you create a clear and auditable way to manage who can access what, reducing the risk of unauthorized operations.
In EKS, it’s essential to use network policies for controlling pod-to-pod communications. This involves designing VPCs thoughtfully, segregating different environments, using pod security policies, and restricting traffic using AWS Security Groups. Furthermore, Kubernetes networking tools like Calico or Flannel can extend network segmentation capabilities, ensuring both east-west and north-south traffic is adequately controlled.
While AWS manages etcd backups for EKS users, it’s equally important to ensure application data resilience. This involves periodic backups using volume snapshots and crafting disaster recovery scenarios. Like any robust system, recovery plans shouldn’t just exist on paper. They need regular testing to validate their efficacy, ensuring business continuity during unforeseen disruptions.
In Kubernetes, efficient resource management ensures workloads run predictably. Setting resource requests and limits helps prevent overcommitment and resource contention. On the scaling front, Kubernetes tools like Cluster Autoscaler and Horizontal Pod Autoscaler adjust resources in response to demand, ensuring system responsiveness. Furthermore, using node affinity and taints can optimize workload placements, aligning with specific node capabilities and requirements.
It is also critical to right-size resources to ensure you don’t overpay for unutilized capacity. EC2 Spot Instances, which offer discounted pricing, can be a huge cost saver for fault-tolerant workloads. AWS Fargate also introduces an opportunity to offload node management entirely, focusing solely on pod deployments, often leading to cost savings.
Stateful applications in EKS often rely on Amazon EBS volumes. These volumes need regular backups to prevent data loss. Additionally, with Kubernetes’ storage classes, you can differentiate storage needs, selecting between SSDs or HDDs based on workload-specific I/O requirements, thus balancing performance and cost.
Visibility into your EKS cluster operations is crucial for both operational efficiency and security. At a basic level, you can use Amazon CloudWatch and logging solutions like Fluentd to capture cluster performance metrics and application logs. However, to achieve full observability for your EKS clusters, it is advised to use a full cloud native monitoring solution.
Lumigo is a cloud native observability platform that delivers automated distributed tracing, purpose-built for distributed applications, including those running on EKS.
Lumigo provides deep visibility into applications and infrastructure with all the relevant information on each component, enabling you to easily monitor and troubleshoot container applications.