For those who live in the U.S., we hope you had a festive and safe 4th of July holiday. Lots of interesting blogs this week including a couple that deal with security: how to create STIG compliant AMIs and cryptographic signing for containers. There also an excellent post by Shane Corbett on how to analyze the performance of the Kubernetes API server with Prometheus.

New service announcements and features

• AWS Fargate now fully supports multiline logging powered by AWS for Fluent Bit
  • Concatenates partial log messages that originally belong to one context but were split across multiple records or log lines for both ECS EC2 and Fargate

New and notable EKS blogs

• Building STIG-compliant AMIs for Amazon EKS

  • Describes different approaches for creating STIG compliant AMIs
    • Run hardening scripts against the EKS optimized AMI
    • Use EC2 Image Builder to create STIG compliant base images
    • Start with a STIG/CIS compliant base and add the EKS components using EKS Packer scripts

• Migrating and modernizing Windows Communication Foundation (WCF) workloads onto AWS container services

  • Describes different approaches for “modernizing” legacy WCF applications
  • Replatform: containerize the application as-is
    • You can use AWS App2Container to reduce the complexity and manual efforts in containerizing your IIS-hosted WCF workloads
  • Refactor: migrate to .NET RESTful services, gRPC, or Core WCF
    • You can use Porting Assistant for .NET to reduce the complexity and manual effort in porting your WCF workloads to .NET.

• Run an active-active multi-region Kubernetes application with AppMesh and EKS

  • Explains how to configure R53 to divert traffic (latency based failover) to an alternate region when a App Mesh virtual service becomes unhealthy, thereby limiting the blast radius of a regional failure
  • Provides the best customer experience by optimizing traffic routes based on the customer’s location using R53’s latency based routing
  • Alternative approaches:
    • A multi-cluster shared services architecture with Amazon EKS using Cilium Cluster Mesh
    • Introducing AWS Cloud Map MCS Controller for K8s
    • Operating a multi-regional stateless application using Amazon EKS

• Migrating Fargate service quotas to vCPU-based quotas

  • Moving from task count to vCPU based quotas for EKS Fargate and ECS Fargate
  • The new quotas is 4,000 vCPUs (on-demand and Spot). This is a soft limit, i.e. adjustable
  • You can opt-in to the new quota on July 19th, 2022
  • New quotas will be implementing beginning on August 22nd, 2022 and run through September 8th, 2022. Customers will have an option to temporarily opt-out
  • By September 30th, 2022 all customers that opt-ed out of the initial rollout will be moved to the new vCPU based quota

• Understanding data transfer costs for AWS container services

  • You can incur data transfer costs a variety of ways:
    • Image pulls from ECR public to non-AWS destinations and/or cross-region image pulls from ECR private
    • When data is transferred out through a NAT Gateway
    • Cross-AZ traffic between pods in different AZs or between pods
    • When a service’s traffic policy is set to cluster instead of local
  • This blog provides several tips for avoiding excessive data transfer changes

• Cryptographic Signing for Containers

  • Focuses on helping customers understand software supply chain security in the context of integrity and provenance
    • How cryptographic signatures can be used to simplify the process of ensuring the integrity of container images as they move through your software supply chain
    • How signing can help validate container images are coming from a trusted publisher
    • How signing can be integrated with code scanning and approval workflows to facilitate a secure software supply chain
  • Introduces SBOM as a way to inventory the software components that went into a build/image
    • Can be used to identify which container images with flaws or malicious code

• Provisioning infrastructure using the AWS Proton open-source Backstage plugin

  • A Shared Service Platform (SSP) or Internal Development Platform (IDP) offer a standardize way for developers to deploy applications to production without having to understand the complexities of the underlying infrastructure
  • Backstage is an open-source project that provides a framework for building developer portals, letting organizations provide development teams with features such as a software catalog, scaffolding tools for new projects, and aggregating the data they need from disparate development tools, e.g. CI/CD, API models, documentation, into a single pane of glass
  • AWS Proton plugin for Backstage allows customers to integrate Proton’s infrastructure templating, provisioning, and lifecycle management into their Backstage portal to reduce platform engineering overhead
  • With Proton, platform engineers can associate their CI/CD pipeline, environment, and service templates together while only surfacing required inputs to developers in Backstage
  • References a tutorial showing how Backstage can seed a new code repository, implement a CI/CD pipeline that’s tied to that repository, and finally build and deploy the application to a cluster

• Troubleshooting Amazon EKS API servers with Prometheus

  • Includes links to an excellent collection of Grafana dashboards and gauges for monitoring the health of the Kubernetes API server
  • Describes a set of best practices that will help you avoid inundating the API server and overwhelming etcd
  • Recommends high level metrics to look at when troubleshooting performance issues, e.g. slowest API calls, API request duration, and etcd request duration

Containers from the Couch

• EKS Anywhere on Bare Metal

• Bare metal Kuberbetes cluster with EKS Anywhere

• EKS Anywhere on bare metal with Kubernetes running on cubernetes

Please Subscribe to Containers from the Couch

Ecosystem News

• Paralus: The Access Manager for Kubernetes

  • Paralus is based on Rafay’s Zero-Trust Access Services
  • The project aims to simplify credential access management in multi-cluster environments
  • Features include:
    • Integration with OIDC IdPs
    • Immutable audit trails
    • Dynamic permissions and a whole lot more

• Advanced Features of Kubernetes’ Horizontal Pod Autoscaler

  • Describes how to:
    • consume custom metrics from Prometheus to automatically scale your pods and services using HPA policies
    • consume external metrics, i.e. metrics from services running outside the cluster, from HPA
    • scale to zero
    • Use metrics of type: ContainerResource which allows you to scale based on individual containers metrics rather than the whole pod
  • Logarithmic scale down randomly chooses a pod to delete rather than the pod that’s been running the least amount of time
  • Alternatives:
    • KEDA
    • VPA
    • Predictive HPA

• Pixie Plug-ins

  • Now supports exporting data from Pixie’s dataset to any tool that supports OTEL, allowing developers to send their data to their platform of choice!

• Clusterpedia joins the CNCF sandbox

  • Synchronize and search for multi-cluster resources

• CLOUD ATLAS: why the risks of building on multiple clouds can outweigh the benefits

For Fun

• TryHackMe: Kubernetes for Everyone
  • Practice hacking skills by completing a series of tasks
  • Answers
• Cubernetes