EKS News 018

In this issue, we’ll cover EKS Anywhere curated packages, detailed billing reports for Amazon EKS on AWS Fargate, Amazon EKS Observability Accelerator, Cloud Native Security Whitepaper (v2), 380K Kubernetes API servers publicly exposed, and more.

Amazon EKS Anywhere curated packages are now in public preview

  • Amazon Elastic Kubernetes Service (EKS) Anywhere now allows you to enable Amazon-curated software packages that extend the core functionalities of Kubernetes on your EKS Anywhere clusters
  • You can install the Harbor package as a local container registry starting today, with the Emissary-Ingress package and the support for service type load balancing through MetalLB coming in the next few months
  • More curated packages may be added over time based on customer demand
  • We talked about curated packages during AWS Container Days; you can watch the video to hear more.

AWS Distribution of Kubeflow supporting Kubeflow v1.4.1 is now generally available

  • Pleased to announce the general availability of AWS support for Kubeflow v1.4
  • You can use this Kubeflow distribution to build ML systems on top of Amazon Elastic Kubernetes Service (Amazon EKS) to build, train, tune, and deploy ML models for a wide variety of use cases, including computer vision, natural language processing, speech translation, and financial modeling
  • Kubeflow on AWS provides a clear path to use Kubeflow with Amazon EKS for managed Kubernetes clusters, Amazon Simple Storage Service (Amazon S3) for an easy-to-use pipeline artifacts store, Amazon Relational Database Service (Amazon RDS) for highly scalable pipelines and metadata store, Amazon Elastic File System/Amazon FSx for Lustre for a simple, scalable and serverless file storage solution for increased training performance, AWS Secrets Manager to protect secrets needed to access your applications, AWS CloudWatch for persistent log management, AWS Deep Learning Containers for highly optimized Jupyter notebook server images, AWS Application Load Balancer for secure external traffic management over HTTPS, AWS Cognito for user authentication with TLS

Track costs with detailed billing reports for Amazon EKS on AWS Fargate

  • As customers scale their deployments on Fargate, they have expressed a need to track consumption with more specificity, such as usage from individual pods, namespaces, clusters, or time intervals
  • In the past, customers may have dealt with this problem using third-party solutions, like Kubecost. For customers using Fargate on Amazon EKS, AWS Cost and Usage Reports provides a native way to track costs.
  • With AWS Cost and Usage Reports, you can get detailed billing information down to the pod level for workloads running within an EKS cluster on Fargate-provided infrastructure

Deploy a high-performance database for containerized applications: Amazon MemoryDB for Redis with Kubernetes

  • Customers who are using Kubernetes to automatically deploy, scale, and manage their containerized applications are looking to do the same for their database
  • Amazon MemoryDB is a Redis-compatible, durable, in-memory database that makes it simple to build modern applications that require microsecond read and single-digit millisecond write performance, data durability, and high availability
  • ACK for MemoryDB enables you to provision and manage MemoryDB clusters as part of your Kubernetes applications using your normal infrastructure management workflows

Introducing Amazon EKS Observability Accelerator

  • On May 17, 2022, AWS announced EKS Observability Accelerator, which is used to configure and deploy purpose-built observability solutions on Amazon EKS clusters for specific workloads using Terraform modules
  • We built the Terraform modules to enable observability on Amazon EKS clusters for the following workloads:
    • Java/JMX
    • NGINX
    • Memcached
    • HAProxy
  • In this post, you will walk through the steps for using EKS Observability Accelerator to build the Amazon EKS cluster and configure opinionated observability components to monitor specific workloads, which is a Java/JMX application
  • The EKS Blueprints repository contains The Amazon EKS Observability Accelerator module

Proactive autoscaling of Kubernetes workloads with KEDA and Amazon CloudWatch

  • Customers have started adopting event-driven deployment, allowing Kubernetes deployments to scale automatically in response to metrics from various sources dynamically
  • KEDA (Kubernetes-based Event Driven Autoscaler) lets you drive the autoscaling of Kubernetes workloads based on the number of events, such as a custom metric scraped breaching a specified threshold, or when there’s a message in a Amazon Managed Streaming for Apache Kafka queue
  • This capability helps customers scale compute capacity on-demand by provisioning the pods only when needed to serve bursts of traffic

Cloud Native Security Whitepaper (v2)

  • While the large majority of the original paper stands the test of time, this refreshed version demystifies security assurance and compliance by walking through specific use-cases of ransomware incident handling and how to secure financial institutions under EU regulations
  • Feedback from readers of the original paper is also addressed through inclusion of these new sections:
    • Secure Defaults – Cloud Native 8: A high level guidance on implementing cloud native apps that are secure by default
    • SSDF v1.1 mapping: Maps the NIST SSDF practices and tasks to Cloud Native Security Application Lifecycle
    • ATT&CK Threat matrix for Containers: Summary of how the threat matrix provides a structure towards applying guidance described in this paper
    • Guidance on how to share feedback: Instructions on how to share feedback on the paper is now part of the paper with a short summary on how feedback was collected and addressed after publication of the first version.

Over 380 000 open Kubernetes API servers

  • We find over 380,000 Kubernetes API daily that allow for some form of access, out of over 450,000 that we are able to identify
  • There is a corresponding Accessible Kubernetes API Server Report
  • Refer to Securing a Cluster in the Kubernetes docs for what to do to protect a cluster from accidental or malicious access and provides recommendations on overall security

Level up Security Management with HashiCorp Vault and Flux

  • HashiCorp Vault is now a native Flux extension enabling secret management for all environments including on premise and hybrid
  • Secure GitOps automated pipelines with rotating encryption keys in HashiCorp Vault, re-encryption of secrets and audit any changes in git

cilium/tetragon: eBPF-based Security Observability and Runtime Enforcement

chen-keinan/kube-beacon: Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification