A subscriber sent me an email saying that last week’s newsletter should have been our DNS edition, #53. Using that logic, this should be our XNS (#54) edition (or MuSka52 trojan if you’re a black hat).

It saddens me to share that AWS has decided to retire the AWS Documentation on GitHub. It was a good idea in principle, but never really accomplish the result we were hoping for. That said, you will still be able to provide feedback by giving a “thumbs up” or “thumbs down” on each page. You can read more about the decision in Jeff Barr’s post Retiring the AWS Documentation on GitHub . In other news, we recently added a section to the EKS best practices guides on cluster upgrades. This should be welcome news for folks who are still on an older release of EKS and who are struggling with where to begin. We also published a Containers from the Couch episode on VPC Lattice , a new [sidecar-less] way of routing and shaping traffic between different services. Also featured this week is a project for managing Kubernetes addons called Sveltos (agile in Greek), and devpod, an open source project from Loft.sh for running IDEs like VS Code.

New AWS services and features

• Best practices for cluster upgrades
  • The best practices guide to EKS cluster upgrades is now available. The guide explains how to prepare for a cluster upgrade such as reviewing deprecated and removed APIs, upgrading your addons, verifying there are sufficient IP addresses, and reviewing the version skew policies. Can be used in conjunction with eks-cluster-upgrade , an open source project that automates a lot of the tasks identified in the guide.

AWS Blogs

• Exploring the effect of Topology Aware Hints on network traffic in Amazon Elastic Kubernetes Service
  • As of EKS 1.27, Topology Aware Hints is known as Topology Aware Routing. The feature is intended to confine network traffic to the zone it originated from. You can enable Topology Aware Routing for a Service by setting the service.kubernetes.io/topology-mode annotation to Auto. When there are enough endpoints available in each zone, Topology Hints will be populated on EndpointSlices to allocate individual endpoints to specific zones, resulting in traffic being routed closer to where it originated from.
  • Topology Aware Hints are not used when either externalTrafficPolicy or internalTrafficPolicy is set to Local on a Service. It is possible to use both features in the same cluster on different Services, just not on the same Service.
  • The blog walks through how to configure Topology Aware Hints and how to verify traffic is being routed according to the hints you’ve configured. It also goes through a list of caveats and conditions that could prevent hints from working as expected such as an uneven distribution of pods across AZs.
  • See also Using Internal Service Traffic Policy
• Automate Security and Monitoring with Amazon EKS Blueprints, Terraform, and Sysdig
  • This post attempts to take you closer to a “hardened Kubernetes” with regard to monitoring and security using simple automation powered by Terraform.
  • With the Sysdig add-ons and EKS Blueprints, you can provision Amazon EKS clusters and start operating with Sysdig in a matter of minutes.
  • To get started, visit sysdiglabs/terraform-eksblueprints-sysdig-addon
• Retiring the AWS Documentation on GitHub
  • After a prolonged period of experimentation we will archive most of the repos starting the week of June 5th, and will devote all of our resources to directly improving the AWS documentation and website.
  • Repos containing code samples, sample apps, CloudFormation templates, configuration files, and other supplementary resources will remain as-is since those repos are primary sources and get a high level of engagement.
• AWS Nitro System gets independent affirmation of its confidential compute capabilities
  • NCC Group , a leading cybersecurity consulting firm based in the United Kingdom, conducted an independent architectural review of the Nitro System to affirm that no person, or even service, from AWS can access data when it is being used in an EC2 .
  • The report states, “As a matter of design, we [NCC Group] found no gaps in the Nitro System that would compromise [AWS’s] security claims.” Specifically, there are no mechanisms for any system or person to log in to Amazon EC2 servers, read the memory of EC2 instances, or access any data on encrypted Amazon Elastic Block Store (EBS) volumes.
  • For organizations that need to process personally identifiable information, as well as healthcare, financial, and intellectual property data within their compute instances, AWS offers AWS Nitro Enclaves which are isolated compute environments for protecting and securely processing highly sensitive data.
  • Read the public report from NCC Group
  • See also Using Enclaves with Amazon EKS
• Monitor Machine Learning workflows with Kubeflow on Amazon EKS
  • This post shows how you can configure an Amazon EKS cluster with Kubeflow, Amazon Managed Service for Prometheus , and Amazon Managed Grafana using AWS Distro for OpenTelemetry (ADOT) for monitoring your Kubeflow machine learning workflows.

New videos and webinars

• EKS Application Networking with Amazon VPC Lattice
• The value of ADOT - with Michael Hausenblas
• App Development for backstage.io on AWS

Community news

• Maintain Cloud-Native Integrity with Argo CD Finalizers
• Let’s debug a kubernetes pod locally
• Use AWS Controllers for Kubernetes (ACK) to deploy a solution with Lambda, DynamoDB, and API Gateway
• Auto-scaling Kinesis Data Streams applications on Kubernetes
• Move Over, Dockerfiles! The New Way to Craft Containers
• Kubernetes jobs

Open source projects

• devpod: Spin up dev environments in any infra
  • Overview video
• projectsveltos , a framework for managing Kubernetes addons across multiple clusters
  • Read the docs
• eks-cluster-upgrade: Automated Amazon EKS cluster upgrade
• github.com/awslabs/eksdemo , a great way to quickly provision an EKS cluster with different addons for demos