After our 3-week hiatus and a restful Thanksgiving holiday, we’re glad to be back, at least until the next round of holidays. This week’s newsletter is longer than normal because it includes updates that have occurred since our last edition was published. Enjoy!
AWS announcements
- AWS Nitro Enclaves now supports Amazon EKS and Kubernetes
  - You can use Kubernetes to orchestrate, scale, and deploy containers to run in EC2 Enclaves.
  - The Nitro Enclaves Kubernetes Device Plug-in gives Kubernetes the ability to manage the lifecycle of an enclave. See Using Enclaves with Amazon EKS for further information.
  - Improves upon an earlier hack described in this blog by Superorbital.
- AWS Marketplace for containers now supports direct deployment to EKS clusters
  - Adds the ability to deploy operational software from the marketplace directly to EKS clusters
  - Provides lifecycle management for third-party add-ons such as Nirmata’s Kyverno Enterprise, Tetrate’s Istio offering, and Kubecost, among others.
  - Add-ons make use of Server Side Apply, which was featured in two recent posts on the Kubernetes blog:
- Amazon EMR on EKS adds support for configuring Spark properties within EMR Studio Jupyter Notebooks
  - Adds support for configuring Spark properties within EMR Studio Jupyter Notebook sessions for interactive Spark workloads
  - Users can customize their Spark settings, such as driver and executor CPU/memory, number of executors, and package dependencies, within a notebook session.
- AWS Migration Hub Refactor Spaces is now integrated with CloudHedge OmniDeq to speed container modernization
  - Customers can use Migration Hub Refactor Spaces with CloudHedge OmniDeq to replatform applications into containers and deploy them directly into refactoring environments
  - Refactor Spaces automates the creation of application refactor environments so that customers do not need to build the AWS infrastructure, multi-account networking, and routing for modernization. CloudHedge OmniDeq is a low/no-code platform that automates assessment of legacy application architectures and topology, securely containerizes legacy applications, and deploys them onto managed container services like EKS.
- AWS Controllers for Kubernetes (ACK) controller for Amazon EMR on EKS is now generally available
- AWS announces centralized logging support for Windows containers on Amazon ECS and Amazon EKS
  - A new image for AWS Fluent Bit is available for Windows Server on Amazon ECS and Amazon EKS, allowing logs from Windows machines to be forwarded to various AWS and third-party destinations such as Amazon CloudWatch, S3, Kinesis Firehose, Datadog, and Splunk
- Amazon EKS and Amazon EKS Distro now support Kubernetes version 1.24
  - Notable changes include the removal of dockershim, the addition of topology-aware hints, and support for PSS/PSA.
AWS container blogs
- Managing access to Amazon Elastic Kubernetes Service clusters with X.509 certificates
  - Describes how to use IAM Roles Anywhere to authenticate to EKS using X.509 certificates
  - Exchanges an X.509 certificate for a set of temporary AWS credentials
  - Uses aws_signing_helper to facilitate the exchange
- Managing Pod Security on Amazon EKS with Kyverno
  - Illustrates how to use Kyverno to implement cluster-wide PSS/PSA policies, how to grant policy exceptions to pods deployed into namespaces with restrictive PSS/PSA policies, and how to extend Pod security checks to pod controllers such as Deployments
- Transparent encryption of node to node traffic on Amazon EKS using WireGuard and Cilium
  - This blog explores a lighter-weight option for encrypting data in transit that is built into newer versions of the Linux kernel
  - Requires the Cilium CNI to be chained to the VPC CNI
  - Aside from Cilium, you can also use certain instances from the Nitro family (traffic exchanged between these instances is automatically encrypted using TLS)
- Microservices development using AWS controllers for Kubernetes (ACK) and Amazon EKS blueprints
  - Walks through creating a composite application using ACK and EKS Blueprints.
  - The sample application uses a DynamoDB table as storage provisioned by the ACK DynamoDB controller. It then uses the ACK API Gateway controller to create an API Gateway HTTP API with a route linking to the sample application through a VpcLink.
- Preventing Kubernetes misconfigurations using Datree
  - Explains how to detect common misconfigurations (misalignment with best practices) with Datree
  - Generates a report showing you which rules have been violated
- Exposing Kubernetes Applications:
  - Exposing Kubernetes Applications, Part 1: Service and Ingress Resources
    - Explores the Service and Ingress resource types, two ways to control inbound traffic in a Kubernetes cluster
  - Exposing Kubernetes Applications, Part 2: AWS Load Balancer Controller
    - Provides an overview of the AWS open-source implementation of both Service and Ingress controllers, the AWS Load Balancer Controller.
  - Exposing Kubernetes Applications, Part 3: NGINX Ingress Controller
    - Provides a similar walkthrough of an additional open-source implementation of an Ingress controller, the NGINX Ingress Controller, and some of the ways it differs from its AWS counterpart
- Amazon EKS now supports Kubernetes version 1.24
- Centralized Logging for Windows Containers on Amazon EKS using Fluent Bit
  - AWS Fluent Bit image support for Windows eliminates the need for Windows customers to implement custom logging solutions in their application code or to manage custom agents on their Windows nodes to scrape the logs
  - The blog covers how customers can deploy Fluent Bit Windows images as a DaemonSet on their Windows nodes to stream Internet Information Services (IIS) logs generated in the Windows pods to CloudWatch Logs as a way to centralize logging
- Building Amazon Linux 2 CIS Benchmark AMIs for Amazon EKS
  - This blog provides detailed, step-by-step instructions on how customers can build an Amazon EKS Amazon Machine Image (AMI) compliant with the CIS Amazon Linux 2 Benchmark. It describes a method that uses the Amazon Linux 2 (AL2) CIS Benchmark Level 1 and Level 2 AMI from the AWS Marketplace as a base and adds Amazon EKS-specific components on top of it.
  - Additional hardening may be necessary to meet security and compliance requirements, such as Amazon Linux 2 (AL2) CIS Benchmark Level 1 or Level 2
- Use Karpenter to Speed Up Amazon EMR on EKS Autoscaling
re:Invent Announcements
- General availability of Project Sleek (marketplace integration)
- Preview of Lattice
- General availability of Project Washington (Finch)
Videos
- re:Invent sessions
- AWS Speakers at KubeCon NA
- Container Day KubeCon NA
- Hashicorp Consul Service Mesh on Amazon EKS
- Crossplane on Amazon EKS
- Setting Up Prometheus And Grafana on AWS EKS
- Managed Kubeflow + Managed MLflow + Data Mesh architectures on AWS
- Kubernetes and Amazon Web Services
Ecosystem News
- Weave and Flux are graduated CNCF projects and OpenCost joins the CNCF sandbox!
- HPE GreenLake for Private Cloud Enterprise now offers expanded container deployment options for Kubernetes with Amazon Elastic Kubernetes Service (Amazon EKS) Anywhere
- Three multi-tenant isolation boundaries of Kubernetes
- Kyverno Policy As Code Using CDK8S
- Better together: A Kubernetes and Wasm case study
- Backup-and-Restore of Containers with Kubernetes Checkpointing API
- My CI/CD pipeline is my release captain