Over the past few years, Kubernetes has evolved and revolutionized the traditional computing experience, setting in stone its place in cloud computing and container-based application development. Amazon Web Services platform makes it easy to run Kubernetes in the cloud with extensive and highly-available VM infrastructure, managed Kubernetes service platforms, community-backed service integrations, and many other pluggable components.
Now that you have mastered the basics of AWS Kubernetes, you may keen to step on to the next level with pro tips to run Kubernetes reliably and seamlessly in the production with AWS.
This article is intended to cover the advanced tips from AWS for coding, security, logging and monitoring, and continuous integration/ continuous delivery in Kubernetes environments.
Coding: Never build a Kubernetes cluster the hard way
Kubernetes is only a peripheral system that assists you to deploy and run applications. Therefore, it is not the wisest suggestion to dawdle building a Kubernetes cluster from scratch when your application is the end-product you are achieving to deliver. There are multiple proven and easy options to assist in building a Kubernetes cluster, the fast way.
- Kops or Kubernetes Operations is the official open-source Kubernetes community project for building and managing production-grade Kubernetes clusters. Currently, Kops is the best utility tool to deploy Kubernetes clusters to AWS. Kops allows you to generate CloudFormation templates or Terraform scripts which you can use as a baseline to build your Kubernetes clusters.
Similar to Kops, there are two other open source community projects;
- Kubeadm – A toolkit for bootstrapping a Kubernetes cluster, and
- weaveworks/eksctl – A simple CLI for creating clusters on Amazon EKS,
which has commands for creating a minimum viable cluster up and running in minutes.
- Amazon Elastic Kubernetes Service (EKS) is the enterprise solution and the fully managed Kubernetes control plane to fast-track creating Kubernetes clusters and automatically deploy them across multiple availability zones provisioning highly available cluster configuration.
Red Hat Openshift is another option you can go for an enterprise Kubernetes application platform for building, managing, and maintaining clusters on AWS.
Security: Enable RBAC on your cluster
A fine-grained access control mechanism adhering to principles of least privilege is a key property of any well-architected system.
AWS IAM authenticator is one of the best tools you can use to authenticate requests to a Kubernetes cluster deployed on AWS. IAM Groups let you specify user classes, binding IAM roles to Kubernetes roles using aws-auth config map, making it a hassle-free process to attach multiple policies to multiple users at one time.
However, when implementing an RBAC for authorization remember to follow the below recommendations for stringent security.
- Refrain using the AWS root user access key for making the programmatic requests to AWS. Instead, create individual IAM users.
- Use AWS managed policies to get started quickly with permissions and rules.
- Do not use inline policies as custom policies since they are hard to view and modify when they exist within IAM identity.
- Enable a strong password policy and multi-factor-authentication for all users in your account.
- Review IAM permissions and remove unnecessary credentials.
- Define policy conditions specifying IP addresses, MFA, or SSL requirements, if require extra security.
Logging and Monitoring: Observe your Kubernetes cluster
As the application deployment and delivery scale up rapidly in the Kubernetes environment, the service architecture will also mature in complexity. Therefore, software engineers will also need to extend the logging and monitoring capabilities for scanning the performance and health of clusters.
Capturing application and cluster log data is trivial to learn from operational failures and then evolve application architectures as you go. There are open-source tools as well as tools from the AWS partners such as Sumo Logic, New Relic, and Datadog that can be used to capture, store, and analyze log data in a Kubernetes cluster.
- Self-host the EFK (Elasticsearch, Fluentd, Kibana) stack that can act as a centralized log management system.
Fluentd is the log collector deployed to each and every node within the cluster to collect the log data, aggregate, and ship to Elasticsearch. Elasticsearch is the indexer and the search engine that feeds cluster and application data to the Kibana dashboard. Kibana visualizes information that can be used to make decisions and identify potential bottleneck throughput and scaling issues in the Kubernetes clusters.
- Setup Elasticsearch cluster on Amazon Elasticsearch Service which is an enterprise-level managed and a scalable service to deploy Elasticsearch.
If your applications run on a microservices architecture alongside Kubernetes, it is helpful to know how your applications and the underlying services perform and how the requests traverse through nodes and clusters. So that you can identify performance issues and errors and dive on to root causes for debugging. Follow the below steps to allow debugging with AWS X-ray.
- Configure IAM to allow pods to send traces to X-Ray.
- Deploy the AWS X-Ray Demon and embed the X-Ray SDK on to your application to display the traced information on the X-Ray console.
Continuous Integration/ Continuous Delivery: Build, Ship, and Run faster
Deploying frequently, small, reversible changes is an important practice that aids in the diagnosis and resolution of issues in your deploying changes. AWS Code Suite has a range of featured services to help developers build their own continuous integration and continuous delivery pipelines within Kubernetes clusters.
AWS CodePipeline helps you automate your release pipeline detecting changes to your codebase and automating the DevOps process accordingly, based on the release model you define. The following are the expert tips you can implement with AWS CodePipeline for a reliable CI/CD workflow.
- For the best optimization, use Amazon S3 for ‘Source’, AWS CodeCommit for ‘Build’ and AWS CodeDeploy for ‘Staging’, if you are using a three-stage CI/CD pipeline in AWS CodePipeline.
- Use AWS Code Star which comes with a unified dashboard for automatically creating the pipeline, code repositories, source code, and the rest of the stages from building spec files to hosting instances required for a complete code project.
- Integrate CodePipeline with Amazon ECS for continuous delivery of container-based applications, with Elastic Beanstalk for continuous delivery of web applications, and with AWS Lambda for continuous delivery of serverless applications to the cloud.
In addition, Helm, Jenkins, GitKube, and Skaffold are other open-source tools you can use to deploy an application to your Kubernetes cluster.
Final Thoughts on AWS Kubernetes Advanced Tips
However, besides every tip that I have discussed above, the greatest AWS Kubernetes Advanced Tips which I can advise with is; optimize the solutions in your way, which is also the recipe to deploy a reliable, sustainable application on to a Kubernetes cluster.