Happy birthday EKS! It was 5 years ago that EKS was first launched. Since then it has seen tremendous growth and has added a lot of new capabilities with lots more on the way. This week we also celebrate the launch of container image signing and verification with AWS Signer. This was a collaborative effort between AWS Signer, ECR, EKS, and members from the open source community. ECR pull through cache now supports registry.k8s.io
too.
The CNCF’s App Delivery TAG (Technical Advisory Group) are looking for contributors for a survey to help inform new projects and initiatives for the group. Please respond to this survey as it will help the TAG understand the level of platforms maturity and adoption across the business and technology community.
New AWS services and features
- AWS introduces container image signing
- With this feature you can cryptographically sign and verify container image signatures. Using a dynamic admission controller, like Kyverno and OPA/Gatekeeper, you can configure your Kubernetes clusters to only admit pods with images that have been signed by AWS Signer . AWS Signer handles the “undifferentiated heavy lifting” by managing signing keys, rotating signing certificates, and providing audit logs. Together with Notation, AWS Signer allows you to store signatures alongside your images. Read the launch blog for further information along with instructions for how to sign and validate image signatures with AWS Signer, Notation, and Kyverno.
- Announcing Container Image Signing with AWS Signer and Amazon EKS
- Ratify on AWS an OPA/Gatekeeper addon to validate image signatures
- K8s Notary Admission a custom dynamic admission controller for validating image signatures (for non-production use only)
- Amazon EMR on EKS now supports Spark Operator and spark-submit
- Before this feature was released, you had to use the StartJobRun API to submit Spark jobs to a cluster running EMR on EKS. Now you can run your EMR applications, i.e. Spark jobs, using the Spark Operator or spark-submit saving you time and effort. It also means that anyone running Spark workloads on EKS can now take advantage of EMR’s optimized runtime. See the launch blog for further information and a walk through of the feature.
- Introducing Amazon EMR on EKS job submission with Spark Operator and spark-submit
- Amazon ECR adds registry.k8s.io as a supported upstream for pull through cache repositories
- ECR now includes registry.k8s.io , the new upstream Kubernetes container image registry, to the list of supported upstream registries for pull through cache repositories. With this feature you can synchronize images from registry.k8s.io to a private ECR registry for faster pulls and better reliability in that you’re not solely reliant on the upstream registry for image pulls. Pull through cache can be combined with with ECR replication for geo-redundancy and faster pulls from regions where you deploy replicas. Read the launch blog for additional information about how to create a pull through cache for registry.k8s.io and how to update the container URI [to use the local cache] dynamically using Kyverno.
- Announcing pull through cache for registry.k8s.io in Amazon Elastic Container Registry
- AWS Fault Injection Simulator adds new actions for Amazon EKS and ECS
- Now you can inject a variety of faults into EKS pods and ECS tasks, including CPU stress, memory stress, IO stress, network blackhole, network latency, network packet loss, kill process, and delete EKS pod. The new actions do not require you to install any new agents; EKS actions are agentless and ECS actions use the AWS Systems Manager agent.
AWS blogs
- Happy 5th Birthday Amazon EKS!
- The service has evolved a lot since it was first introduced in 2018. It started by offering a managed control plane for Kubernetes and now includes features for managing the lifecycle of worker nodes, cluster addons, and running applications in a “serverless” way with Fargate. AWS has also published or contributed to several open source projects that improves the integration between Kubernetes and other AWS managed services such as the AWS Load Balancer Controller, the CSI Secret Store Driver for Secrets Manager, the ACM plug-in for cert-manager, Amazon Controllers for Kubernetes, and several others. While we’re proud of what we’ve managed to accomplish in the last 5 years, there’s still unfinished work to do. With your feedback, we will continue to make improvements to the service so that Kubernetes becomes truly “boring”.
- All you need to know about moving to containerd on Amazon EKS
- This post walks you through the context around Dockershim removal in EKS 1.24 and the implications when moving from Docker Engine to the containerd runtime. It discusses dependency scenarios, along with various AWS native and open-source tooling available to help you through the transition.
- See also Finch , a Docker desktop alternative powered by containerd
- How organizations are modernizing for cloud operations
- This post explores 4 common operational models (centralized, platform-enabled golden path, embedded DevOps, and decentralized DevOps) used within IT organizations today, where platform engineering fits within these models, the common patterns used to build and develop these self-service platforms, and what lies ahead for platform engineering.
- How Traveloka Uses Backstage as an API Developer Portal for Amazon API Gateway
Community news
- Scaling Stateful Applications in Kubernetes: EKS + EFS
- Amazon EKS Upgrade Journey From 1.26 to 1.27 (Chill Vibes)
- Building an Internal Developer Platform with EKS and GitOps
- Rapid Kubernetes Controller Development with Tilt
- Optimize Kubernetes Resource Management with Time-To-Live (TTL) for Clearner Cluster
- Connection Pooling and Intermittent Failures in K8s
New videos and webinars
- EKS with IPv6 pods
- How a container pull through cache works
- Optimizing container resources with KRR
- Introduction to SPIFFE: An Open Source Standard for Universal Software Identity
- Simplify Observability on Amazon EKS with EKS Blueprints