While it's been a relatively quiet week newswise, there are a few interesting blogs in this edition, including a blog authored by TheFork on how they upgrade their EKS clusters.
New and notable EKS blogs
Kubernetes cluster upgrade: the blue-green deployment strategy
- Describes how TheFork performs cluster upgrades
- Uses a blue/green (B/G) approach when there are breaking changes between Kubernetes and Istio releases
- ALB target groups are used to shift traffic from the old cluster to the new
- https://medium.com/thefork/creating-our-piece-of-cloud-in-aws-fd4e30571682
- Use in-place when there are no breaking changes
- This upgrade strategy helps TheFork keep their environments evergreen
- Separate process for migrating stateful applications
- See "Our Kubernetes journey at TheFork" by Quentin Bernard on the TheFork Engineering Blog (Medium) for additional information
Policy management in Amazon EKS using jsPolicy
- Walk through explaining how to use jsPolicy as a Policy as Code solution
- Uses embedded JS in the manifest for the policy language
- Similar to other PaC solutions, e.g. KubeWarden, Kyverno, OPA/Gatekeeper, etc.
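To show what "embedded JS in the manifest" looks like in practice, here is an added example of a validating jsPolicy manifest; it is not taken from the linked walkthrough. It follows jsPolicy's published policy format as I understand it (a JsPolicy resource whose spec.javascript body is evaluated by the jsPolicy webhook, with the admission request exposed as request and a deny() function to reject it); the policy name and the rule itself are hypothetical.

```yaml
# Added example, not from the AWS walkthrough. Assumes jsPolicy's
# JsPolicy CRD; the name and the rule are hypothetical.
apiVersion: policy.jspolicy.com/v1beta1
kind: JsPolicy
metadata:
  # jsPolicy policy names must be DNS-style names
  name: "deny-host-network.example.com"
spec:
  # Validate pods on creation and update
  operations: ["CREATE", "UPDATE"]
  resources: ["pods"]
  scope: Namespaced
  # Validating policies can only admit or deny, never modify
  type: Validating
  javascript: |
    // request.object is the admitted object; reject pods that
    // request the node's network namespace (a common hardening rule).
    if (request.object.spec && request.object.spec.hostNetwork === true) {
      deny("Pods may not set spec.hostNetwork=true in namespace " + request.namespace);
    }
```

The policy logic is plain JavaScript, so the same review and testing practices used for application code apply to it; the other tools listed (Kyverno, OPA/Gatekeeper, Kubewarden) express the equivalent rule in their own policy languages.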
Using Amazon EMR on Amazon EKS for transient EMR clusters (AWS Containers blog)
- Explains why you might want to use EMR on EKS instead of spinning up ephemeral EMR clusters to run Spark jobs
- Flexible logging options: can log to multiple backends, including CloudWatch, S3, and OpenSearch
- Job monitoring with Kubernetes native monitoring tools
- Autoscaling: EMR on EKS includes native support for Karpenter which right sizes the instance for the workloads running on it
- Job dependency: specify job dependencies as part of the job definition rather than the cluster
- Multi-tenancy: job templates allow you to assign pod priority to specific time-sensitive jobs
- Resiliency and capacity: EMR on EKS supports multi-AZ deployments
Containers from the Couch and other videos
- Scaling Kubernetes with Karpenter: Advanced Scheduling with Pod Affinity & Volume Topology Awareness
- EKS Anywhere on Bare Metal
Upcoming Containers from the Couch episodes
- AWS Controllers for Kubernetes with MemoryDB, 7/14 3:00PM Eastern/12:00PM Pacific
- Optimize your containers with slim.ai, 7/20 3:00PM Eastern/12:00PM Pacific
Please Subscribe to Containers from the Couch
Ecosystem News
Managing Kubernetes without losing your cool
- 11 tips for managing Kubernetes environments
- Tip #0 is to pay someone else to do it!
- #4 recommends k9s but you might also want to consider Lens
- #6 recommends kubectl debug for debugging distroless containers and crash loops; this feature will be included in EKS v1.23
- #8 if you're going to use admission webhooks to do "subtractive access control", be sure to configure short timeouts to avoid overwhelming the API server and always fail open
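The timeout and fail-open advice in tip #8 maps onto two fields of a ValidatingWebhookConfiguration. The following added example (not from the linked article) shows a webhook registration with the risky settings beside the corrected one; the webhook name, service, namespace and rule are hypothetical and the caBundle is a placeholder. Kubernetes defaults are failurePolicy: Fail and timeoutSeconds: 10 (the allowed range is 1 to 30 seconds), so a registration that omits both fields fails closed.

```yaml
# Added example, not from the linked article. Names and the rule are
# hypothetical; CA_BUNDLE_PLACEHOLDER stands in for the real base64 CA.
#
# Risky: a slow or unavailable webhook holds each matching request for
# up to 30 s and then rejects it, so an outage blocks all pod admission.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: subtractive-policy-risky
webhooks:
  - name: deny-hostpath.example.com
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail
    timeoutSeconds: 30
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
    clientConfig:
      service:
        namespace: policy-system
        name: policy-webhook
        path: /validate
      caBundle: CA_BUNDLE_PLACEHOLDER
---
# Corrected per tip #8: a short timeout bounds how long the API server
# waits, and failurePolicy: Ignore admits the request if the webhook
# times out or is unreachable instead of failing the whole cluster.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: subtractive-policy-hardened
webhooks:
  - name: deny-hostpath.example.com
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Ignore
    timeoutSeconds: 5
    # Limit the blast radius further: never match the control-plane
    # namespace, so a broken webhook cannot wedge system components.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
    clientConfig:
      service:
        namespace: policy-system
        name: policy-webhook
        path: /validate
      caBundle: CA_BUNDLE_PLACEHOLDER
```

The trade-off to keep in view is that failurePolicy: Ignore means an outage of the webhook admits objects unchecked, which is why it suits subtractive controls layered on top of RBAC rather than controls that are the only gate; API server audit logs record the admissions that went through while the webhook was down.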
New Vulnerabilities in the Kubernetes NGINX Ingress Controller
- NGINX ingress is a popular target for hackers because it is commonly used (50% of Kubernetes clusters) and has high permissions (has a service account with permissions such as the ability to read all secrets within a cluster), making it easier for an attacker to move laterally within the environment
- The NGINX ingress controller has undergone significant improvements since the latest vulnerabilities were discovered
- Ultimately, the maintainers plan to fully separate the control plane from the data plane, which should prevent lateral movement in the future
- Upgrade to the latest version!