Editor’s Note: There will not be an EKS News next week due to the author being at Open Source Summit. If you’re in Austin next week, swing by the AWS booth and say hello.
In this issue, we’ll talk about using Styra DAS Free and OPA with EKS, Amazon EKS single sign-on using AWS SSO, GitOps, eBPF and the future of sidecars, and more.
New and notable blogs
Harden Amazon EKS in minutes with Styra DAS Free and OPA
- In the Amazon EKS Best Practices Guide, AWS recommends Open Policy Agent (OPA) as a policy-as-code (PaC) solution for Kubernetes pod security
- This blog walks you through your first five policies in five minutes
- Restrict the containers that can run as privileged
- Configure read-only file system
- Don’t allow any containers to run as root
- Disallow privilege escalation
- Set requests and limits for each container
- Styra DAS Free is the same solution that’s been proven in some of the largest Amazon EKS and Kubernetes deployments in the world, running in production at global enterprises like Capital One, the European Patent Office, and Zalando
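The five policies listed above, written out as an added OPA example (this is not Styra’s or the blog’s own policy). It assumes OPA runs as a validating admission webhook and receives a Kubernetes AdmissionReview as `input`, in pre-1.0 Rego syntax.

```rego
package kubernetes.admission

# Added example (not Styra's or the blog's policy): the five checks above as
# plain OPA rules. Assumes OPA runs as a validating admission controller and
# receives a Kubernetes AdmissionReview as `input` (v0 Rego syntax, pre-OPA 1.0).
is_pod { input.request.kind.kind == "Pod" }

# Evaluate app containers and init containers alike
containers[c] { is_pod; c := input.request.object.spec.containers[_] }
containers[c] { is_pod; c := input.request.object.spec.initContainers[_] }

# 1. Restrict the containers that can run as privileged
deny[msg] {
    c := containers[_]
    c.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [c.name])
}

# 2. Require a read-only root filesystem (unset counts as a violation)
deny[msg] {
    c := containers[_]
    not c.securityContext.readOnlyRootFilesystem == true
    msg := sprintf("container %q must set readOnlyRootFilesystem: true", [c.name])
}

# 3. No root: a container-level runAsNonRoot: false overrides a pod-level true, so check both
deny[msg] {
    c := containers[_]
    not runs_as_non_root(c)
    msg := sprintf("container %q must set runAsNonRoot: true", [c.name])
}
runs_as_non_root(c) { c.securityContext.runAsNonRoot == true }
runs_as_non_root(c) { input.request.object.spec.securityContext.runAsNonRoot == true; not c.securityContext.runAsNonRoot == false }

# 4. Disallow privilege escalation (must be set explicitly to false)
deny[msg] {
    c := containers[_]
    not c.securityContext.allowPrivilegeEscalation == false
    msg := sprintf("container %q must set allowPrivilegeEscalation: false", [c.name])
}

# 5. Require CPU and memory requests and limits for every container
deny[msg] {
    c := containers[_]
    kind := ["requests", "limits"][_]
    res := ["cpu", "memory"][_]
    not c.resources[kind][res]
    msg := sprintf("container %q must set resources.%s.%s", [c.name, kind, res])
}
```

Every `deny` message is returned to the API server in the admission response, so a pod that violates several rules is rejected with all of its violations listed at once.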
A quick path to Amazon EKS single sign-on using AWS SSO
- AWS Identity and Access Management (IAM) and Kubernetes role-based access control (RBAC) provide the tools to build a strong least-privilege security posture
- In this blog, we demonstrate a quick and direct procedure to implement single sign-on to access Kubernetes resources running on your Amazon EKS clusters
- You can use AWS Single Sign-On (AWS SSO) in combination with Kubernetes RBAC to manage access using AWS Command Line Interface (AWS CLI) and other Kubernetes CLI tools
- Follow the steps below to get up and running quickly, based on AWS best practices, and you can customize them according to your specific needs
Ecosystem News
Kubernetes Workload Identity with AWS SDK for Go v2
- When using Amazon Elastic Kubernetes Service (EKS), IAM Roles for Service Accounts, a.k.a. IRSA, is used to grant identity and permissions using AWS Identity and Access Management (IAM)
- To use this federated-identities feature with EKS, an IAM OIDC provider must be associated with the cluster
- The AWS IAM Roles for Service Accounts (IRSA) feature eases the application of IAM principals to pods via service account annotations and the EKS Pod Identity Webhook
- The AWS SDK for Go v2 uses the provided environment variables and Kubernetes projected volumes to gain IAM credentials via a federated and managed web identity provided as a JSON Web Token (JWT)
Dynamic Kubernetes Cluster Scaling at Airbnb
- An important part of running Airbnb’s infrastructure is ensuring our cloud spending automatically scales with demand, both up and down
- In this post, we’ll talk about how we dynamically size our clusters using the Kubernetes Cluster Autoscaler
- Having the largest portion of compute at Airbnb on a single platform provided a strong, consolidated lever to improve efficiency, and we are now focused on generalizing our cluster setup (think “cattle, not pets”)
Manage Your AWS Resources from Kubernetes with ACK
- AWS Controllers for Kubernetes (ACK) allows you to manage AWS Services directly from your Kubernetes cluster with plain YAML files
- There are multiple Controllers for different AWS Services and these are called Service Controllers
- Contributors are working really hard to extend the supported services list in ACK
- “With the help of tools like ACK our life is getting easier”
Debugging Kubernetes Pods: Deep Dive
- In this article, I will talk about debugging and troubleshooting Kubernetes pods using ephemeral containers
- Ephemeral containers are useful for interactive troubleshooting when kubectl exec is insufficient because a container has crashed or a container image doesn’t include debugging utilities, such as distroless images, or the running pods don’t have the required privileges for debugging
- The main idea behind ephemeral containers is that K8S adds a new container with a selected custom image to an existing pod without the need for restarting this pod
- This enables a number of troubleshooting options including networking, tracing/profiling processes, and debugging via a shell on the node
- EKS 1.23 will have support for ephemeral containers when it ships
Scaling Container Technologies at Coinbase with Kubernetes
- Our recent evaluation of Kubernetes underscored its suitability for scaling Coinbase into the future
- We’ve now concluded that managed Kubernetes offerings reduce this operational burden without compromising our stack security
- Managed Kubernetes offerings, such as AWS EKS, take on the responsibility of operating, maintaining, and securing the control plane, reducing the operational burden of running many clusters
- Reducing our operational burden and security responsibility enables us to focus on building the orchestration and automation that is required to support many clusters across a large engineering organization
eBPF, sidecars, and the future of the service mesh
- Could eBPF allow us to replace Linkerd’s sidecar proxies entirely, and just do everything in the kernel?
- The kernel must ensure that no program can stop or break another program, or deny it resources, or interfere with its ability to run, or read its data from memory, or the network, or disk, unless given explicit permission to do so
- Kubernetes’s gift to the world is a composable platform with clear boundaries between layers, and the relationship between eBPF and service meshes fits right into that model: the CNI is responsible for L3/L4 traffic, and the service mesh for L7.
- Any eBPF service mesh still requires proxies and these proxies are typically sidecars
- Could eBPF enable a per-host proxy? Yes, but compared to sidecars, per-host proxies are worse for operations, worse for maintenance, and worse for security (the blast radius becomes the entire host versus one pod).
Updated: Apache Log4j2 CVE-2021-44228 node agent
- There is a new version of the patch that addresses the vulnerabilities described in the following security bulletins:
- “A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.”
- “This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get po -n ingress-nginx”
- “If you are unable to roll out the fix, this vulnerability can be mitigated by implementing an admission policy that restricts the spec.rules[].http.paths[].path field on the networking.k8s.io/Ingress resource to known safe characters (see the newly added rules, or the suggested value for annotation-value-word-blocklist).”
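The admission-policy mitigation quoted above, as an added OPA example (not from the bulletin or the ingress-nginx project). It assumes OPA is the validating admission controller receiving an AdmissionReview as `input`, and the safe character set is an assumption you should tune to your own path usage.

```rego
package kubernetes.admission

# Added example (not from the bulletin or ingress-nginx): the admission policy
# mitigation quoted above, as an OPA rule. Assumes OPA is the validating admission
# controller and receives an AdmissionReview as `input` (v0 Rego syntax).
ingress_groups := {"networking.k8s.io", "extensions"}

is_ingress {
    input.request.kind.kind == "Ingress"
    ingress_groups[input.request.kind.group]
}

# Only a conservative character set is allowed in the path; a newline (the bypass
# in the bulletin) or anything else outside the set is rejected at admission time.
# Assumed safe set; widen it deliberately if your ingresses need other characters.
safe_path_re := "^/[A-Za-z0-9._~/-]*$"

deny[msg] {
    is_ingress
    p := input.request.object.spec.rules[i].http.paths[j].path
    not regex.match(safe_path_re, p)
    msg := sprintf("spec.rules[%d].http.paths[%d].path %q contains disallowed characters", [i, j, p])
}
```

Ingress objects that rely on regex paths (for example with the ingress-nginx use-regex annotation) will be rejected by this character set, so audit existing Ingress resources before enforcing it.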
Cloud Native Islamabad on LinkedIn: #kyverno #policyascode #k8s
- A Kyverno policy to trigger AWS Karpenter provisioners for auto-scaling different workloads
Canadian internet outage attributed to beaver
- Because it’s Friday!
- “Some residents of northwestern Canada lost network coverage for eight hours last week in an outage that has since been attributed to nature’s architect: the beaver.”
- “It’s unusual, but it does happen every once in a while,” Bob Gammer told [CTV](https://bc.ctvnews.ca/single-beaver-caused-mass-internet-cell-service-outages-in-northern-b-c-1.5944697)
- “So I wouldn’t be a rich man if I had a nickel for every beaver outage, but they do happen.”
- A similar incident occurred in April of last year, DatacenterDynamics reported, when a beaver chewed through a Telus cable and used related material in its dam — temporarily downing network coverage for 900 residents in the process