While it’s been a relatively quiet week newswise, there are a few interesting blogs in this edition including blog authored by TheFork
on how they upgrade their EKS clusters.
New and notable EKS blogs
Kubernetes cluster upgrade: the blue-green deployment strategy
- Describes how TheFork performs cluster upgrades
- Use B/G approach when there are breaking changes between Kubernetes and Istio releases
- ALB target groups are used to shift traffic from the old cluster to the new
- https://medium.com/thefork/creating-our-piece-of-cloud-in-aws-fd4e30571682
- Use in-place when there are no breaking changes
- This upgrade strategy helps TheFork keep their environments evergreen
- Separate process for migrating stateful applications
- See Our Kubernetes journey at TheFork | by Quentin BERNARD | TheFork Engineering Blog | Medium for additional information
Policy management in Amazon EKS using jsPolicy
- Walk through explaining how to use jsPolicy as a Policy as Code solution
- Uses embedded JS in the manifest for the policy language
- Similar to other PaC solutions, e.g. KubeWarden, Kyverno, OPA/Gatekeeper, etc.
Using Amazon EMR on Amazon EKS for transient EMR clusters | Containers
- Explains why you might want to use EMR on EKS instead of spinning up ephemeral EMR clusters to run Spark jobs
- Flexible logging options: can log to multiple backends, include CloudWatch, S3, and OpenSearch
- Job monitoring with Kubernetes native monitoring tools
- Autoscaling: EMR on EKS includes native support for Karpenter which right sizes the instance for the workloads running on it
- Job dependency: specify job dependencies as part of the job definition rather than the cluster
- Multi-tenancy: job templates allow you assign pod priority to specific time sensitive jobs
- Resiliency and capacity: EMR on EKS supports multi-AZ deployments
- Explains why you might want to use EMR on EKS instead of spinning up ephemeral EMR clusters to run Spark jobs
Containers from the Couch and other videos
- KarpenScaling Kubernetes with Karpenter: Advanced Scheduling with Pod Affinity & Volume Topology Awarenesster
- EKS Anywhere on Bare Metal
Upcoming CTFC episodes
- AWS Controllers for Kubernetes with MemoryDB , 7/14 3:00PM Eastern/12:00PM Pacific
- Optimize your containers with slim.ai , 7/20 3:00PM Eastern/12:00PM Pacific
Please Subscribe to Containers from the Couch
Ecosystem News
Managing Kubernetes without losing your cool
- 11 tips for managing Kubernetes environments
- Tip #0 is to pay someone else to do it!
- #4 recommends k9s but you might also want to consider Lens
- #6 recommends
kubectl debugfor debugging distroless containers and crash loops; this feature will be included in EKS v1.23 - #8 if you’re going to use admission webhooks to do “substractive access control”, be sure to configure short timeouts to avoid overwhelming the API server and always fail open
New Vulnerabilities in the Kubernetes NGINX Ingress Controller
- NGINX ingress is a popular target for hackers because it is commonly used (50% of Kubernetes clusters) and has high permissions (has a service account with permissions such as the ability to read all secrets within a cluster), making it easier for an attacker to move laterally within the environment
- NGINX has undergone significant improvements since the latest vulnerabilities were discovered
- Ultimately, the maintainers plan to fully separate the control plane from the data plane which should prevent lateral movements in the future
- Upgrade to the latest version!