Lots of updates in this edition of the newsletter including the launch of GuardDuty EKS Runtime Monitoring, AWS Lattice, and EKS support for Resilience Hub. Amazon Managed Prometheus reached a new milestone too. It now supports up to 500M active metrics in a single workspace. Data on EKS (DoEKS), a set of infrastructure templates and best practices for installing and running Spark, Ray, Kubeflow, and other data-based applications, was also released.
As part of KubeCon EU, Amazon will be hosting Container Day on April 18th! Topics include cost optimization, monitoring and logging, governance/compliance, and GitOps. Register today.
New AWS services and features
- Amazon GuardDuty now monitors runtime activity from containers running on Amazon EKS
- Runtime Monitoring for EKS monitors on-host operating system-level behavior, such as file access, process execution, and network connections. Once a potential threat is detected, GuardDuty generates a security finding that pinpoints the specific container, and includes details such as pod ID, image ID, EKS cluster tags, executable path, and process lineage.
- Amazon EKS adds domainless gMSA authentication for Windows containers
- Easily authenticate applications hosted on Amazon EKS with Microsoft AD using a portable user identity and a plug-in mechanism to retrieve the gMSA credentials. The plugin is available on the latest EKS-Optimized Windows AMIs (versions 1.22 and above). It enables non-domain-joined Windows nodes to retrieve gMSA credentials with a portable user identity instead of a host computer account.
- Read this blog for a step-by-step guide on how to get started
- Amazon EMR on EKS adds managed and self-managed node groups support for managed endpoints
- Previously, customers who had EKS clusters configured with self-managed node groups were unable to use EMR Studio with EMR on EKS. With this feature, customers using managed endpoints can now specify EKS clusters with managed or self-managed node groups to run their interactive workloads.
- Amazon Managed Service for Prometheus supports 500M active metrics per workspace
- Now you can send up to 500M active metrics to a single workspace after filing a service limit increase request, and can create many workspaces per account, enabling the storage and analysis of billions of Prometheus metrics.
- 500 million active time series in Amazon Managed Service for Prometheus (video)
- AWS Batch now supports user-defined pod labels on Amazon EKS
- Now you can specify pod labels within the eksProperties request for your AWS Batch jobs when you register a job definition, or when you submit a job request. This allows you to map your own organizational structures and bring better accountability, compliance, and cost visibility to your workloads.
- AWS Resilience Hub adds support for Amazon EKS
- Resilience Hub provides a single place to define, validate, and track the resilience of your applications so that you can avoid unnecessary downtime caused by software, infrastructure, or operational disruptions. With its new support for EKS, you can now examine and track the resilience of Kubernetes deployments, replicas, ReplicationControllers, and pods.
- Read Enhance Amazon EKS Containerized Application Resilience with AWS Resilience Hub for additional information
AWS Blogs
- Introducing Data on EKS (DoEKS)
- DoEKS is a new open-source project aimed at streamlining and accelerating the process of building, deploying, and scaling data workloads on EKS. With DoEKS, customers get access to a comprehensive range of resources including Infrastructure as Code (IaC) templates for Apache Spark, Ray, Apache Airflow, Argo Workflows, Kubeflow, and more. The project also includes performance benchmark reports, deployment examples, and architectures optimized for data-centric workloads aligned with AWS best practices and industry expertise.
- Managing etcd database size on Amazon EKS clusters
- When the database size limit is exceeded, etcd emits a no space alarm and stops taking further write requests.
- etcd grows not only due to addition of new objects, but also due to updates to existing objects.
- This blog explains why monitoring the etcd database size is important, how and what metrics to monitor, and what you can do when you approach or exceed the database size limit.
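An added example, not code from the AWS blog post, of the kind of monitoring the post describes: it parses kube-apiserver /metrics text and grades how full etcd is against a limit, listing the resource kinds with the most stored objects. The metric names apiserver_storage_size_bytes and apiserver_storage_objects, the 8 GiB limit and the sample values are assumptions constructed for illustration; set the limit to the value documented for your cluster.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of kube-apiserver /metrics output (Prometheus text format).
SAMPLE_METRICS = """\
# TYPE apiserver_storage_size_bytes gauge
apiserver_storage_size_bytes{cluster="etcd-0"} 6.87194767e+09
# TYPE apiserver_storage_objects gauge
apiserver_storage_objects{resource="events"} 412000
apiserver_storage_objects{resource="pods"} 25000
apiserver_storage_objects{resource="configmaps"} 8000
"""

ETCD_LIMIT_BYTES = 8 * 1024 ** 3  # assumed limit; set to your cluster's documented value
WARN_RATIO = 0.75                 # alert well before etcd raises its no-space alarm

LINE_RE = re.compile(r'^(\w+)(?:\{([^}]*)\})?\s+(\S+)$')
LABEL_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_exposition(text: str) -> Dict[str, List[Tuple[dict, float]]]:
    """Parse Prometheus text exposition into {metric: [(labels, value), ...]}."""
    out: Dict[str, List[Tuple[dict, float]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # skip HELP/TYPE comments and blank lines
        m = LINE_RE.match(line)
        if m:
            name, raw_labels, value = m.groups()
            labels = dict(LABEL_RE.findall(raw_labels or ''))
            out.setdefault(name, []).append((labels, float(value)))
    return out


def storage_status(text: str, limit: int = ETCD_LIMIT_BYTES,
                   warn: float = WARN_RATIO) -> Tuple[str, float, List[Tuple[str, int]]]:
    """Return (state, fill_ratio, top_resources); state is ok, warn or critical."""
    metrics = parse_exposition(text)
    size = sum(v for _, v in metrics.get('apiserver_storage_size_bytes', []))
    ratio = size / limit
    # Per-resource object counts show what is filling etcd (often events).
    counts = [(lbl.get('resource', '?'), int(v))
              for lbl, v in metrics.get('apiserver_storage_objects', [])]
    counts.sort(key=lambda kv: -kv[1])
    state = 'critical' if ratio >= 1.0 else 'warn' if ratio >= warn else 'ok'
    return state, ratio, counts[:3]


if __name__ == '__main__':
    st, r, top = storage_status(SAMPLE_METRICS)
    print(f"{st}: etcd at {r:.1%} of limit; largest object counts: {top}")
```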
- Fully private local clusters for Amazon EKS on AWS Outposts powered by VPC Endpoints
- This post goes through a design pattern for EKS local clusters on Outposts that allows the local cluster on the Outpost to communicate with VPC endpoints for ECR, EC2, and other AWS services over the Outposts service link.
- A deeper look at Ingress Sharing and Target Group Binding in AWS Load Balancer Controller
- This post shows you how you can reduce costs by using Ingress Grouping and integrate existing load balancers using target group binding.
- Changes to the Kubernetes Container Image Registry
- This post covers what changes are happening, why they’re happening, important dates to keep in mind, and what actions you need to take to prepare.
- Simplify Service-to-Service Connectivity, Security, and Monitoring with Amazon VPC Lattice
- Lattice gives you a consistent way to connect, secure, and monitor communication between your services. With VPC Lattice, you can define policies for network access, traffic management, and monitoring to connect compute services across instances, containers, and serverless applications. In this release, you can:
- Use a custom domain name for services. When using HTTPS, you can configure an SSL/TLS certificate that matches the custom domain name.
- Deploy the open-source AWS Gateway API Controller to use VPC Lattice with a Kubernetes-native experience. It uses the Kubernetes Gateway API to let you connect services across multiple Kubernetes clusters and services running on EC2 instances, containers, and serverless functions.
- Use an Application Load Balancer (ALB) or a Network Load Balancer (NLB) as a target for a service.
- The IP address target type now supports IPv6 connectivity.
- Lattice also released an AWS Gateway API Controller for Kubernetes
- Right-size your Kubernetes Applications Using Open Source Goldilocks for Cost Optimization
- This post explains how to optimize resource allocation and right-size applications in Kubernetes environments using Goldilocks. It walks through how to install Goldilocks as well as a sample application to view the suggested resource recommendations.
- Deploy and debug EKS cluster
New videos and webinars
- Block Old Kubernetes Registry with OPA Gatekeeper
- Policy Enforcement with GitOps - Using OPA Gatekeeper & ArgoCD
- Deploy Third-party Software with Amazon EKS Add-ons ft. Tetrate Istio
- Update your Kubernetes registry…or else
- Application Security with Sysdig and Snyk
- AWS is coming to KubeCon + CloudNativeCon Europe 2023
Community news
- Scaling Kubernetes to 2,500 nodes
- Scaling Kubernetes to 7500 nodes
- Vault Secrets Operator: A new method for Kubernetes integration
- Are Kubernetes Validating Admission Policies the end of admission controllers?
- 8 tips to optimize and secure your .NET containers for Kubernetes
- Applying Zero Trust to the Software Supply Chain
- IP Allocations with EKS
- In Defense of Less Clusters & More Node Isolation
- You Broke Reddit: The Pi-Day Outage
- Convert Kubernetes YAML Files Into Helm Charts
GitHub Projects
- Copacetic: directly patch container image vulnerabilities
- k8sgpt: scans your Kubernetes clusters, diagnosing and triaging issues in simple English
- kubectl-ai: generates and applies Kubernetes manifests using OpenAI GPT