Overview
Kubernetes security in EKS is the responsibility of both AWS and the client: the shared responsibility model divides security into the part AWS handles and the part the client must handle. Amazon Elastic Kubernetes Service is a managed service for running Kubernetes on AWS without installing and operating our own Kubernetes control plane or nodes. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications.
Amazon EKS integrates with various AWS services such as Amazon Elastic Container Registry, Elastic Load Balancing, IAM, and VPC. It spares users the operational problems of deploying, scaling, and managing Kubernetes, so they can focus on the containerized application’s core functionality while Amazon EKS manages the Kubernetes control plane automatically.
Amazon EKS Workflow
Amazon EKS works by starting and managing the Kubernetes control plane and worker nodes for us. It consists of two major components: a cluster of worker nodes that run our containers, and the control plane, which decides when and where containers are started in the cluster and monitors their status.
Without Amazon EKS, we must run both the Kubernetes control plane and the cluster of worker nodes ourselves. With Amazon EKS, we start our worker nodes using a single command in the EKS console. AWS handles provisioning, scaling, and managing the Kubernetes control plane in a highly available and secure configuration.
AWS EKS Security
Security is a shared model between the cloud service provider and the user. AWS is responsible for the security of the cloud, while a user is responsible for security in the cloud.
AWS Services for Monitoring and Security of Amazon EKS Resources
- Identity and Access Management for Amazon EKS
- Logging and monitoring in Amazon EKS
- Compliance validation for Amazon EKS
- Resilience in Amazon EKS
- Infrastructure security in Amazon EKS
- Configuration and vulnerability analysis in Amazon EKS
- Pod Security Policy
- Data Encryption and AWS Secrets Manager secrets with Kubernetes
Logging and Monitoring
The Amazon EKS control plane delivers audit and diagnostic logs directly to CloudWatch Logs in our account. These logs help us run the cluster securely, and we can select exactly which log types to enable.
Amazon EKS is also integrated with AWS CloudTrail, which captures all Amazon EKS API calls as events.
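As an added example (not from the original post), the following Python audits a DescribeCluster response for control plane log types that are not being shipped to CloudWatch Logs and builds the logging payload for UpdateClusterConfig; the cluster name and response are constructed, and the boto3 call is shown only as a comment.

```python
"""Audit which Amazon EKS control plane log types reach CloudWatch Logs.

The dict shape follows the EKS DescribeCluster API response; the sample
cluster below is constructed for this example, not captured from a real one."""
from typing import Dict, List

# The five control plane log types Amazon EKS can send to CloudWatch Logs.
ALL_LOG_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")

# Constructed DescribeCluster response: only api and audit logs are enabled.
SAMPLE_CLUSTER = {"cluster": {
    "name": "example-cluster",
    "logging": {"clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False},
    ]},
}}


def enabled_log_types(describe_response: Dict) -> List[str]:
    """Log types the cluster currently ships to CloudWatch Logs."""
    entries = describe_response["cluster"].get("logging", {}).get("clusterLogging", [])
    enabled = set()
    for entry in entries:
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return sorted(enabled)


def missing_log_types(describe_response: Dict) -> List[str]:
    """Log types that are switched off. Without 'audit' and 'authenticator'
    there is no record of who called the API server or how they authenticated."""
    enabled = set(enabled_log_types(describe_response))
    return [t for t in ALL_LOG_TYPES if t not in enabled]


def logging_update_payload(types: List[str]) -> Dict:
    """The `logging` argument for eks:UpdateClusterConfig that enables `types`;
    the AWS CLI --logging flag takes the same structure as JSON."""
    return {"clusterLogging": [{"types": list(types), "enabled": True}]}


if __name__ == "__main__":
    missing = missing_log_types(SAMPLE_CLUSTER)
    print("control plane log types not enabled:", missing)
    print("update payload:", logging_update_payload(missing))
    # Against a live cluster (boto3 installed and credentials configured):
    # boto3.client("eks").update_cluster_config(
    #     name=SAMPLE_CLUSTER["cluster"]["name"], logging=logging_update_payload(missing))
```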
Compliance Validation for Amazon EKS
Compliance is a shared responsibility between AWS and the consumers of its services. AWS is responsible for the security of the cloud, and users are responsible for security in the cloud.
For example, with Fargate, AWS is responsible for the physical security of the data center, the hardware, the virtual infrastructure (Amazon EC2), and the container runtime (Docker). Fargate users are responsible for protecting the container image and its applications.
Compliance Program: the compliance status of an AWS service changes over time, so the current AWS compliance programs should be checked for Amazon EKS rather than assumed.
Resilience in Amazon EKS
Amazon EKS runs and scales the Kubernetes control plane across multiple Availability Zones to ensure high availability. It automatically scales control plane instances based on load, detects and replaces unhealthy control plane instances, and automatically patches the control plane. Once we initiate a version update, Amazon EKS updates the control plane for us while maintaining its high availability during the update.
This control plane consists of at least two API server instances and three etcd instances running in three Availability Zones within an AWS Region.
Amazon EKS Configuration and Vulnerability Analysis
Security is essential when configuring and maintaining Kubernetes clusters and applications. The Center for Internet Security (CIS) Kubernetes Benchmark guides us through the security configuration of Amazon EKS nodes. The benchmark:
- Applies to Amazon EC2 nodes (both managed and self-managed) where we are responsible for security configurations of Kubernetes components.
- Provides a standard, community-approved way to ensure that we have configured our Kubernetes cluster and nodes securely when using Amazon EKS.
- It consists of four sections: control plane logging configuration, node security configurations, policies, and managed services.
- Supports all the Kubernetes versions currently available in Amazon EKS and can be run using kube-bench, a standard open-source tool for checking configuration using the CIS benchmark on Kubernetes clusters.
Data Encryption and AWS Secrets Manager Secrets with Kubernetes
We have three different AWS storage options we can use with Kubernetes: EBS, EFS, and FSx for Lustre. All three offer encryption at rest using either a service-managed key or a customer master key (CMK).
Encryption Recommendation:
- Encrypt data at rest
- Rotate customer master key periodically
- Use of EFS access point to simplify access to shared datasets
With the help of the AWS Secrets and Configuration Provider (ASCP), we can store and manage our secrets in Secrets Manager and retrieve them from workloads running on Amazon EKS. We can use IAM roles and policies to limit access to our secrets to specific Kubernetes pods in a cluster: the ASCP retrieves the pod’s identity, exchanges that identity for an IAM role, assumes the role on behalf of the pod, and can then retrieve only the secrets that role is authorized to read.
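An added example, not part of the original post, of the IAM side of this: a permissions policy scoped to a single secret, an IAM Roles for Service Accounts (IRSA) trust policy bound to one Kubernetes service account (one way EKS binds a role to a pod identity), and a check that flags policies granting Secrets Manager reads on every secret. All account ids, ARNs and OIDC provider ids are constructed placeholders.

```python
"""Least-privilege IAM documents for an ASCP-backed pod on Amazon EKS.
All account ids, ARNs and OIDC provider ids here are constructed placeholders."""
import json
from typing import Dict, List

# Read-only Secrets Manager actions the CSI driver needs to mount a secret.
SECRET_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}

def secret_access_policy(secret_arn: str) -> Dict:
    """Permissions policy for the pod's role: read exactly one secret."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": sorted(SECRET_ACTIONS), "Resource": secret_arn}]}

def irsa_trust_policy(account_id: str, region: str, oidc_id: str,
                      namespace: str, service_account: str) -> Dict:
    """IRSA trust policy: only a web identity token issued by this cluster's
    OIDC provider for this namespace/service account may assume the role."""
    issuer = f"oidc.eks.{region}.amazonaws.com/id/{oidc_id}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{issuer}:aud": "sts.amazonaws.com",
            f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}"}}}]}

def overly_broad_statements(policy: Dict) -> List[Dict]:
    """Allow statements granting Secrets Manager reads on every secret
    (Resource "*" or a wildcard secret ARN), which defeats per-pod scoping."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        reads = any(a in SECRET_ACTIONS or a in ("secretsmanager:*", "*") for a in actions)
        wide = any(r == "*" or r.endswith(":secret:*") for r in resources)
        if reads and wide:
            flagged.append(stmt)
    return flagged

if __name__ == "__main__":
    policy = secret_access_policy(
        "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-creds-AbCdEf")
    print(json.dumps(policy, indent=2))
    print("broad statements:", overly_broad_statements(policy))
```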
Amazon EKS Use Cases
- Hybrid Deployment: With the help of Elastic Kubernetes Service, we can manage Kubernetes applications and clusters across hybrid environments. We can run Kubernetes on AWS and in our data centers.
- Batch Processing: We can run parallel or sequential batch workloads on EKS clusters. EKS lets us plan, schedule, and run batch computing workloads across the full range of AWS compute services, including Fargate, Amazon EC2, and Spot Instances.
- Machine Learning: AWS deep learning containers use Kubeflow to model the machine learning workflows and effectively execute distributed training jobs with the latest GPU-powered instances.
- Web Applications: With the help of EKS, we can build applications that run in a highly available configuration across multiple Availability Zones and automatically scale in and out based on demand. This improves the performance, reliability, scale, and availability of applications running on AWS. EKS integrates with AWS security and networking services such as VPC and Elastic Load Balancing to distribute traffic to web applications.
Conclusion
With the rise of cloud computing, Amazon EKS has become an essential tool for running containerized applications on Kubernetes. It is a powerful service that automates the management of Kubernetes resources. However, automation alone does not make a cluster secure: the client-side controls still have to be implemented by us, for example deploying worker nodes in private subnets, using AWS KMS to manage secrets, monitoring the cluster continuously, and encrypting data.
FAQs
1. Why should we use Amazon EKS?
ANS: – Amazon EKS distributes and extends the Kubernetes control plane, including the API server and backend persistence layer, across multiple AWS Availability Zones for high availability and fault tolerance. It automatically detects and replaces faulty control plane nodes and patches the control plane. It is integrated with many AWS services to ensure the scalability and security of our applications: Elastic Load Balancing for load balancing, AWS Identity and Access Management for authentication, VPC for isolation, and AWS CloudTrail for logging.
2. What are Amazon EKS add-ons, and why should I use them?
ANS: – Amazon EKS add-ons are used to manage the Kubernetes operational software that provides features such as observability, scaling, networking, and AWS cloud resource integration for EKS clusters. At launch, EKS add-ons support installing and controlling the version of the Amazon VPC CNI plug-in through the EKS API. They provide one-click installation and management of Kubernetes operational software, help keep our Kubernetes cluster secure and stable, and reduce the work of launching and managing a production-ready Kubernetes cluster on AWS.
WRITTEN BY Rahul Kumar Sharma
Aishwarya
Aug 22, 2022
Nice content, keep sharing!!