EKS News 023

For those who live in the U.S., we hope you had a festive and safe 4th of July holiday. Lots of interesting blogs this week, including a couple that deal with security: how to create STIG-compliant AMIs and cryptographic signing for containers. There is also an excellent post by Shane Corbett on how to analyze the performance of the Kubernetes API server with Prometheus.

  • Building STIG-compliant AMIs for Amazon EKS

    • Describes different approaches for creating STIG compliant AMIs
      • Run hardening scripts against the EKS optimized AMI
      • Use EC2 Image Builder to create STIG compliant base images
      • Start with a STIG/CIS compliant base and add the EKS components using EKS Packer scripts
  • Migrating and modernizing Windows Communication Foundation (WCF) workloads onto AWS container services

    • Describes different approaches for “modernizing” legacy WCF applications
    • Replatform: containerize the application as-is
      • You can use AWS App2Container to reduce the complexity and manual efforts in containerizing your IIS-hosted WCF workloads
    • Refactor: migrate to .NET RESTful services, gRPC, or Core WCF
  • Run an active-active multi-region Kubernetes application with AppMesh and EKS

  • Migrating Fargate service quotas to vCPU-based quotas

    • Moving from task count to vCPU based quotas for EKS Fargate and ECS Fargate
    • The new quota is 4,000 vCPUs (on-demand and Spot). This is a soft limit, i.e. adjustable
    • You can opt-in to the new quota on July 19th, 2022
    • New quotas will be rolled out beginning on August 22nd, 2022 and running through September 8th, 2022. Customers will have the option to temporarily opt out
    • By September 30th, 2022 all customers that opted out of the initial rollout will be moved to the new vCPU-based quota
  • Understanding data transfer costs for AWS container services

    • You can incur data transfer costs a variety of ways:
      • Image pulls from ECR public to non-AWS destinations and/or cross-region image pulls from ECR private
      • When data is transferred out through a NAT Gateway
      • Cross-AZ traffic, e.g. between pods scheduled in different AZs
      • When a Service’s external traffic policy is set to Cluster instead of Local, so a node may forward traffic to a pod in another AZ
    • This blog provides several tips for avoiding excessive data transfer charges
  • Cryptographic Signing for Containers

    • Focuses on helping customers understand software supply chain security in the context of integrity and provenance
      • How cryptographic signatures can be used to simplify the process of ensuring the integrity of container images as they move through your software supply chain
      • How signing can help validate container images are coming from a trusted publisher
      • How signing can be integrated with code scanning and approval workflows to facilitate a secure software supply chain
    • Introduces SBOM as a way to inventory the software components that went into a build/image
      • Can be used to identify which container images contain components with known flaws or malicious code
  • Provisioning infrastructure using the AWS Proton open-source Backstage plugin

    • A Shared Service Platform (SSP) or Internal Development Platform (IDP) offers a standardized way for developers to deploy applications to production without having to understand the complexities of the underlying infrastructure
    • Backstage is an open-source project that provides a framework for building developer portals, letting organizations provide development teams with features such as a software catalog, scaffolding tools for new projects, and aggregating the data they need from disparate development tools, e.g. CI/CD, API models, documentation, into a single pane of glass
    • AWS Proton plugin for Backstage allows customers to integrate Proton’s infrastructure templating, provisioning, and lifecycle management into their Backstage portal to reduce platform engineering overhead
    • With Proton, platform engineers can associate their CI/CD pipeline, environment, and service templates together while only surfacing required inputs to developers in Backstage
    • References a tutorial showing how Backstage can seed a new code repository, implement a CI/CD pipeline that’s tied to that repository, and finally build and deploy the application to a cluster
  • Troubleshooting Amazon EKS API servers with Prometheus

    • Includes links to an excellent collection of Grafana dashboards and gauges for monitoring the health of the Kubernetes API server
    • Describes a set of best practices that will help you avoid inundating the API server and overwhelming etcd
    • Recommends high level metrics to look at when troubleshooting performance issues, e.g. slowest API calls, API request duration, and etcd request duration
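The integrity and provenance checks described under “Cryptographic Signing for Containers” above, as an added Go example that is not code from the AWS post or from any signing tool. It models a publisher signing an image’s manifest digest with an Ed25519 key and an admission-side verifier that rejects a tampered manifest, an unknown publisher, and a signature that merely claims a trusted key ID; it then runs a constructed minimal SBOM against a deny list, the “which images contain a flagged component” use the post introduces. The publisher names, manifest, SBOM shape and deny-list entry are all made up for the example; real tools store the signature in the registry next to the image and use SPDX or CycloneDX SBOMs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ImageSignature is what a publisher stores alongside the image: a signature over the manifest
// digest plus the ID of the signing key. It binds to the digest, not a tag, because tags are mutable.
type ImageSignature struct {
	Digest string // "sha256:<hex>" of the manifest
	KeyID  string // hypothetical publisher key name, e.g. "acme-release"
	Sig    []byte
}

// Publisher holds the private half of a signing key; verifiers only ever see the public half.
type Publisher struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewPublisher(id string) *Publisher {
	_, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Publisher{ID: id, priv: priv}
}

// manifestDigest is the content address a registry reports for a manifest.
func manifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Sign produces a detached signature over the manifest digest, which is the only thing signed.
func (p *Publisher) Sign(manifest []byte) ImageSignature {
	d := manifestDigest(manifest)
	return ImageSignature{Digest: d, KeyID: p.ID, Sig: ed25519.Sign(p.priv, []byte(d))}
}

var ErrUntrustedKey = errors.New("signature made by a key outside the trusted publisher set")
var ErrDigestMismatch = errors.New("signed digest does not match the manifest being pulled")
var ErrBadSignature = errors.New("signature does not verify under the named key")

// Verifier is the admission-side policy: the publisher keys whose images may run.
type Verifier struct{ trusted map[string]ed25519.PublicKey }

func NewVerifier(pubs ...*Publisher) *Verifier {
	v := &Verifier{trusted: map[string]ed25519.PublicKey{}}
	for _, p := range pubs {
		v.trusted[p.ID] = p.priv.Public().(ed25519.PublicKey)
	}
	return v
}

// Verify enforces integrity (signed digest == digest of the manifest actually being pulled) and
// provenance (the signature was made by a key in the trusted set, not one that merely claims to be).
func (v *Verifier) Verify(manifest []byte, s ImageSignature) error {
	pub, ok := v.trusted[s.KeyID]
	if !ok {
		return ErrUntrustedKey
	}
	if s.Digest != manifestDigest(manifest) {
		return ErrDigestMismatch
	}
	if !ed25519.Verify(pub, []byte(s.Digest), s.Sig) {
		return ErrBadSignature
	}
	return nil
}

// sbom is a deliberately minimal, constructed SBOM shape; real ones are SPDX or CycloneDX.
type sbom struct{ Components []struct{ Name, Version string } }

// CheckSBOM returns the components (name@version) in the SBOM whose names are on the deny list.
func CheckSBOM(doc []byte, denied map[string]bool) ([]string, error) {
	var s sbom
	if err := json.Unmarshal(doc, &s); err != nil {
		return nil, err
	}
	var hits []string
	for _, c := range s.Components {
		if denied[c.Name] {
			hits = append(hits, c.Name+"@"+c.Version)
		}
	}
	return hits, nil
}

func main() {
	acme, mallory := NewPublisher("acme-release"), NewPublisher("mallory")
	manifest := []byte(`{"schemaVersion":2,"layers":["sha256:aaa"]}`) // constructed manifest
	v := NewVerifier(acme)
	forged := mallory.Sign(manifest)
	forged.KeyID = acme.ID // names acme's key but was not made with it
	fmt.Println(v.Verify(manifest, acme.Sign(manifest)), "|", v.Verify(manifest, mallory.Sign(manifest)), "|", v.Verify(manifest, forged))
}
```

The order of checks in Verify matters: the key lookup comes first so an attacker cannot learn anything about a digest from an untrusted key, and the digest comparison comes before the signature check so a valid signature over some other image is reported as a mismatch rather than a bad signature. In a real pipeline the verifier would also fetch the signature by digest from the registry and the trusted key set would come from a KMS or a transparency log, not from an in-memory map.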

Please Subscribe to Containers from the Couch