Security is job 0 at AWS. We continue to hear from customers that they’re looking for ways to secure their Kubernetes environments. Here are some resources to help with securing Kubernetes clusters on AWS and your AWS account(s):
- Security in Amazon EKS
- Amazon EKS Best Practices Guide for Security
- Cloud Security – Amazon Web Services (AWS)
- Vulnerability Reporting - Amazon Web Services (AWS)
This week we’ll talk about Amazon CloudWatch Container Insights, AWS CloudFormation Hooks, and some of the latest nuggets from the greater cloud native ecosystem.
New service announcements and features
Amazon CloudWatch Container Insights adds support for Helm chart using AWS Distro for OpenTelemetry
- New Helm chart for installing ADOT on EKS that sends metrics to CW
- Deploys ADOT Collector for collecting infrastructure metrics and Fluent Bit for logs
- ADOT collector runs as a sidecar and exports metrics to CW Container Insights
- Documentation
AWS Announces the General Availability of AWS CloudFormation Hooks
- Customers can invoke custom logic to automate actions or inspect resource configurations prior to a CRUD operation, similar to Kubernetes Dynamic Admission Controllers
- Customers can publish their policy and controls to the CloudFormation Registry and enforce them against all stack and resource operations in their AWS accounts
- CloudFormation Public Registry
- CloudFormation Private Registry
- Blog
- Documentation
Proactively keep resources secure and compliant with AWS CloudFormation Hooks
- Solutions like Cloud Custodian, AWS Config, etc. are reactive in that they alarm on resources that have already been created
- Hooks are meant to prevent the deployment of a resource when it violates your policy
- Hooks are similar to Kubernetes Dynamic Admission Controllers, in that they run before a resource is created, updated, or deleted
- Blog explains how to create hooks of your own
- cloudformation-cli (cfn init and cfn generate) is used to create a project skeleton on your local machine
- Samples
- Workshop
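To make the admission-controller analogy concrete, here is an added example (written for this digest, not code from the blog post or the cloudformation-cli samples) of the policy logic a pre-provision hook could apply to an AWS::EKS::Cluster before CREATE or UPDATE. The request dict is a simplified stand-in for the real hook request, and the cfn init project skeleton and handler registration are assumed to wrap it.

```python
# Policy logic that a CloudFormation pre-provision hook could run against an
# AWS::EKS::Cluster before CREATE or UPDATE. The request shape is a simplified
# stand-in for the hook contract (assumption); the cfn init skeleton and the
# handler wiring are left out so the check runs stand-alone.
from typing import Any, Dict, List, Tuple

REQUIRED_LOG_TYPES = {"api", "audit", "authenticator"}


def evaluate_eks_cluster(props: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Return (allowed, violations) for AWS::EKS::Cluster resource properties."""
    violations: List[str] = []
    vpc = props.get("ResourcesVpcConfig", {})
    # EKS defaults: public endpoint on, reachable from 0.0.0.0/0, private off.
    public = vpc.get("EndpointPublicAccess", True)
    cidrs = vpc.get("PublicAccessCidrs", ["0.0.0.0/0"])
    if public and "0.0.0.0/0" in cidrs:
        violations.append("API endpoint reachable from 0.0.0.0/0")
    if not vpc.get("EndpointPrivateAccess", False):
        violations.append("private endpoint access disabled")
    # Envelope encryption of Kubernetes secrets with a customer KMS key.
    enc = props.get("EncryptionConfig", [])
    if not any("secrets" in e.get("Resources", []) and e.get("Provider", {}).get("KeyArn")
               for e in enc):
        violations.append("secrets not encrypted with a KMS key")
    # Control plane log types needed for audit and incident response.
    enabled = props.get("Logging", {}).get("ClusterLogging", {}).get("EnabledTypes", [])
    missing = REQUIRED_LOG_TYPES - {t.get("Type") for t in enabled}
    if missing:
        violations.append("control plane logging missing: " + ", ".join(sorted(missing)))
    return (not violations, violations)


def handle_pre_provision(request: Dict[str, Any]) -> Dict[str, str]:
    """Mimic a hook handler: FAILED blocks the stack operation, SUCCESS lets it run."""
    ctx = request["hookContext"]
    if ctx["targetType"] != "AWS::EKS::Cluster":
        return {"status": "SUCCESS", "message": "resource type not in scope"}
    ok, problems = evaluate_eks_cluster(ctx["targetModel"]["resourceProperties"])
    if ok:
        return {"status": "SUCCESS", "message": "cluster passes policy"}
    return {"status": "FAILED", "message": "; ".join(problems)}


# Constructed sample request: a cluster left on EKS defaults.
INSECURE_REQUEST = {"hookContext": {"targetType": "AWS::EKS::Cluster", "targetModel": {
    "resourceProperties": {"Name": "demo", "RoleArn": "arn:aws:iam::000000000000:role/placeholder",
                           "ResourcesVpcConfig": {"SubnetIds": ["subnet-placeholder"]}}}}}
```

Running `handle_pre_provision(INSECURE_REQUEST)` returns a FAILED result listing all four violations, which is what stops the stack operation before the cluster exists.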
New and notable blogs
Running critical workloads with Amazon EKS and AWS Fargate at Generali Italia
- Generali Italia is one of Europe’s largest insurers
- Set out to improve the claims processing experience along with security, reliability, and ongoing maintenance
- Migrated the application from Docker Swarm to EKS and EKS Fargate because they wanted a solution that was portable, widely adopted, and could be run on premises
- With EKS they can update and scale their infrastructure during business hours with zero downtime and no impact on the workload
Three things to consider when implementing Mutual TLS with AWS App Mesh
- How to generate and configure certificates, e.g. expiry
- How to manage the certificates for the Envoy proxy, e.g. rotation and revocation
- How to ensure all mTLS-required services are added to the mesh
Diving into IAM Roles for Service Accounts
- Walkthrough of what happens behind the scenes when you assign an IAM role to a pod
- Similar content can be found in the BPGs (https://aws.github.io/aws-eks-best-practices/security/docs/iam/#pods-identities)
Containers from the Couch
Please Subscribe to Containers from the Couch
Ecosystem News
loft-sh/vcluster Release v0.6.0
- vcluster now allows you to use EKS Distro binaries to create virtual clusters
- This isn’t an officially supported distro of EKS but is an additional way to consume the official EKS binaries
- More partners and installation options can be found in the docs https://distro.eks.amazonaws.com/users/install/partners/
Lightrun Releases KoolKits - Debugging Toolkits for Kubernetes
- KoolKits (Kubernetes toolkits) are highly-opinionated, language-specific, batteries-included debug container images for Kubernetes
- A KoolKit will be pulled by kubectl debug, spun up as a container in your pod, and have the ability to access the same process namespace as your original container
- Each KoolKit uses (wherever possible) a language version manager instead of relying on language-specific distros
Kubernetes Hardening Tutorial Part 3: Authn, Authz, Logging & Auditing
- Learn how to set up an AWS EKS cluster with Terraform and leverage best practices to configure roles, service accounts, logging, and auditing with useful tools
- Dives into audit logging, service accounts, user authentication, cluster access auditing, and more
Events
EKS Anywhere Deployed on VMware Complete with an API Gateway - Omaha Amazon Web Services Meetup