Amazon EKS Concepts: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 82: Line 82:
==Pod Security Policy==
==Pod Security Policy==
{{External|https://docs.aws.amazon.com/eks/latest/userguide/pod-security-policy.html}}
{{External|https://docs.aws.amazon.com/eks/latest/userguide/pod-security-policy.html}}
Alos see: {{Kubernetes_Pod_Security_Policy_Concepts#Pod_Security_Policy_in_EKS|Pod Security Policy Concepts}}
Alos see: {{Internal|Kubernetes_Pod_Security_Policy_Concepts#Pod_Security_Policy_in_EKS|Pod Security Policy Concepts}}


=Autoscaling=
=Autoscaling=

Revision as of 01:46, 4 September 2020

Internal

Overview

EKS Cluster

Control Plane

EKS Worker Node

EKS Worker Node IAM Role

Amazon EKS-optimized AMI

Worker Node Group

Node Group Name

Self-Managed Node Group

Contains self-managed worker nodes. The node group name can be used later to identity the Auto Scaling node group that is created for these worker nodes.

Managed Node Group

Cluster Service Role

See IAM Role.

Cluster Endpoint

AWS Infrastructure Requirements

TODO: Topology diagram

Cluster VPC

Subnets

Security Groups

A dedicated security group for each cluster control plane is recommended.

EKS Platform Versions and Kubernetes Versions

Amazon EKS platform version.

Integration with ECR

Logging

Control Plane Logging

SLA

https://aws.amazon.com/eks/sla/

aws-iam-authenticator

Page 17.

aws-iam-authenticator Operations

aws-iam-authenticator

.kube/config Configuration

AWS documentation refers to the Kubernetes configuration file as "kubeconfig".

.kube/config

EKS Security

API Server User Management and Access Control

https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

When an EKS cluster is created, the IAM entity user or role that creates the cluster is automatically granted "system:master" permissions in the cluster's RBAC configuration.

Additional IAM users and roles can be added by editing the "aws-auth" ConfigMap. TODO, Operations.

For more details on how kubectl picks up the caller identity, see Connect to an EKS Cluster with kubectl.

IAM Role

An IAM role is needed when creating the EKS cluster. An IAM role can be created as described here. The use case should be "EKS - Cluster".

When the cluster is created, the identity that created the cluster (user or role) is added to the Kubernetes RBAC authorization table as the administrator (with system:masters permissions). Initially, only that IAM user can make calls to the Kubernetes API server using kubectl. That role is also known as "Cluster Service Role".

EKS IAM Permissions

These are technically "actions", but they are commonly referred to as "permissions", which implies that the action is part of a formal permission construct associated with the entity requiring it.

  • eks:DescribeCluster

Pod Security Policy

https://docs.aws.amazon.com/eks/latest/userguide/pod-security-policy.html

Alos see:

Pod Security Policy Concepts

Autoscaling

Cluster Autoscaler

Kubernetes Cluster Autoscaler

Horizontal Pod Autoscaler

Kubernetes Horizontal Pod Autoscaling

Vertical Pod Autoscaler

Vertical Pod Autoscaling

Load Balancing and Ingress

https://docs.aws.amazon.com/eks/latest/userguide/load-balancing-and-ingress.html
Kubernetes Ingress Concepts

TODO: https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support

TODO: https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#aws

      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: 'nlb'
        service.beta.kubernetes.io/aws-load-balancer-security-groups: 'sg-00000000000000000'
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'arn:aws:acm:xx-xxxx-x:xxxxxxxxx:xxxxxxx/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'

Storage

Amazon EFS CSI

Amazon EFS CSI