Voiced by Amazon Polly
Kubernetes security in EKS is the responsibility of both AWS and the client. This shared responsibility model divides the security aspect between AWS Security and Client-side Security. Amazon Elastic Kubernetes Service is a managed service we can use to run Kubernetes on AWS Kubernetes control plane or nodes. Kubernetes is an open-source system for automating containerized applications’ deployment, scaling, and management.
Amazon EKS integrates with various AWS services like Amazon Elastic Container Registry, Elastic Load Balancing, IAM, and VPC. It saves the users from the hassle of technical errors related to deployment, scalability, and management. With a focus on utilizing the containerized application’s core functionality, Amazon EKS automatically controls the Kubernetes control panel.
Amazon EKS Workflow
Amazon EKS works by starting and managing the Kubernetes control plane and worker nodes for us. It consists of two major components: a cluster of ‘worker nodes’ running on our containers and the control plane, which manages when and where our containers are getting started in our cluster while monitoring their status.
Without Amazon EKS, we must run both the Kubernetes control plane and the cluster of worker nodes ourselves. With Amazon EKS, we start our worker nodes using a single command in the EKS console. AWS handles provisioning, scaling, and managing the Kubernetes control plane in a highly available and secure configuration.
AWS EKS Security
Security is a shared model between the cloud service provider and the user. AWS is responsible for the security of the cloud, while a user is responsible for security in the cloud.
AWS Services for Monitoring and Security of Amazon EKS Resources
- Identity and Access Management for Amazon EKS
- Logging and monitoring in Amazon EKS
- Compliance validation for Amazon EKS
- Resilience in Amazon EKS
- Infrastructure security in Amazon EKS
- Configuration and vulnerability analysis in Amazon EKS
- Pod Security Policy
- Data Encryption and AWS Secrets Manager secrets with Kubernetes
Logging and Monitoring
Amazon EKS control plane provides audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs in our account. With the help of these logs, we can securely run our cluster. We have options to select the exact log types that we need.
Amazon EKS is integrated with AWS CloudTrail. It captures all API calls for Amazon EKS as events.
- Compliance Validation for Amazon EKS: Compliance is a shared responsibility between AWS and the consumers of its services. AWS is responsible for the security of the cloud, and users are responsible for security in the cloud.
For example, at Fargate, AWS is responsible for managing the physical security of the data center, hardware, virtual infrastructure (Amazon EC2), and container runtime (Docker). Fargate users are responsible for protecting the container image and its applications.
Compliance Status changes over time.
Resilience in Amazon EKS: Amazon EKS runs and scales the Kubernetes control plane across multiple Availability Zones to ensure high availability. It automatically scales control plane instances based on load, detects, and replaces unhealthy control plane instances, and automatically patches the control plane. Once we initiate a version update, Amazon EKS updates our control plane for us, maintaining the high availability of the control plane during the update.
This control plane consists of at least two API server instances and three etcd instances running in three Availability Zones within an AWS Region.
- Amazon EKS Configuration and Vulnerability Analysis: Security is essential for configuring and maintaining Kubernetes clusters and applications. The Center for Internet Security Kubernetes Benchmark guides us through the security configuration of Amazon EKS nodes.
- Applies to Amazon EC2 nodes (both managed and self-managed) where we are responsible for security configurations of Kubernetes components.
- Provides a standard, community-approved way to ensure that we have configured our Kubernetes cluster and nodes securely when using Amazon EKS.
- It consists of four sections: control plane logging configuration, node security configurations, policies, and managed services.
- Supports all the Kubernetes versions currently available in Amazon EKS and can be run using kube-bench, a standard open-source tool for checking configuration using the CIS benchmark on Kubernetes clusters.
- Data Encryption and AWS Secret Manager secrets with Kubernetes:
We have three different storage options from AWS that we can use with Kubernetes: EBS, EFS, and FSx for Lustre. All three-offer encryption at rest using a service-managed key or a customer master key (CMK).
- Encrypt data at rest
- Rotate customer master key periodically
- Use of EFS access point to simplify access to shared datasets
With the help of AWS Secrets and Configuration Provider, we can store and manage our secrets in Secrets Manager and then retrieve them through our workloads running on Amazon EKS. We can use IAM roles and policies to limit access to our secrets to specific Kubernetes pods in a cluster. The ASCP retrieves the pod identity and exchanges the identity for an IAM role. ASCP assumes the IAM role of the pod, and then it can retrieve secrets from Secrets Manager that are authorized for that role.
Amazon EKS Use Cases
- Hybrid Deployment: With the help of Elastic Kubernetes Service, we can manage Kubernetes applications and clusters across hybrid environments. We can run Kubernetes on AWS and in our data centers.
- Batch Processing: We can run parallel or sequential batch workloads on EKS clusters. It allows us to plan, schedule, and run batch computing workloads over the entire range of AWS compute services using the EKS. These services and features include Fargate, Amazon EC2, and Spot Instances.
- Machine Learning: AWS deep learning containers use Kubeflow to model the machine learning workflows and effectively execute distributed training jobs with the latest GPU-powered instances.
- Web Applications: With the help of EKS, we can develop applications that run in a highly available configuration over multiple Availability Zones and automatically scale in and out based on requirements. Increases the performance, reliability, scale, and availability of AWS. It integrates with AWS security and networking services (VPC) and Load Balancers for load distribution of web applications.
With the rise of cloud computing, Amazon EKS is an essential tool for running Kubernetes container applications. It is a powerful resource that can help us to automate Kubernetes resources. However, automation doesn’t provide better security. We need to implement security manually. We can deploy worker nodes in private subnets, use AWS KMS to manage secrets, continuous monitoring, encryption of data, etc.
CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
Drop a query if you have any questions regarding advanced cloud technologies, AI/ML, or other consulting opportunities and I will get back to you quickly.
1. Why should we use Amazon EKS?
ANS: – Amazon EKS distributes and extends the Kubernetes control plane, including the API server and backend persistence layer, across multiple AWS Availability Zones for high availability and fault tolerance. It can automatically detect and replace faulty control plane nodes and fix the control plane. It is integrated with many AWS services to ensure the scalability and security of our applications. These services include Elastic Load Balancing for load balancing, AWS Access, and Identity Management for authentication, VPC for isolation, and AWS CloudTrail for logging.
2. What are Amazon EKS add-ons, and why should I use them?
ANS: – Amazon EKS add-ons are used to manage Kubernetes operating software that provides features such as observability, scaling, networking, and AWS cloud resource integration for EKS clusters. At launch, the EKS add-on supports launching and controlling the version of the AWS VPCCNI plug-in via the EKS API. It provides one-click installation and management of Kubernetes operating software. It also ensures the safety and stability of our Kubernetes cluster and reduces the workload of launching and managing a production-ready Kubernetes cluster on AWS.
WRITTEN BY Rahul Kumar Sharma