Skip to main content

EKS: Elastic Kubernetes Service

EKS: Elastic Kubernetes Service

Amazon Elastic Kubernetes Service (EKS) is a fully managed Kubernetes service that makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS. EKS automatically manages the Kubernetes control plane, making it simple to run Kubernetes without needing to install and operate your own Kubernetes clusters.

What is EKS?

EKS runs Kubernetes control plane instances across multiple AWS Availability Zones to ensure high availability. The control plane infrastructure is fully managed by AWS, including automated version upgrades, patching, and scaling. You simply provision worker nodes and connect them to the provided endpoint.

Key Benefits

Managed Control Plane

  • High Availability: Control plane runs across multiple Availability Zones
  • Automatic Updates: Kubernetes version updates and security patches
  • Scalability: Handles thousands of nodes and pods
  • No Infrastructure Management: AWS manages the Kubernetes API servers and etcd

AWS Integration

  • VPC Integration: Seamlessly integrates with your VPC and networking
  • IAM Integration: Native AWS Identity and Access Management (IAM) for authentication
  • Load Balancer Integration: Works with Application Load Balancer (ALB) and Network Load Balancer (NLB)
  • CloudWatch Integration: Native monitoring and logging integration

Security

  • Encryption: Encryption in transit and at rest
  • Private Endpoint: Option to use private API server endpoint
  • IAM Roles for Service Accounts (IRSA): Fine-grained access control
  • Network Policies: Kubernetes network policies for pod-to-pod communication

EKS Architecture

Control Plane Components

  • API Server: Handles all API requests
  • etcd: Distributed key-value store for cluster data
  • Scheduler: Assigns pods to nodes
  • Controller Manager: Maintains desired state of cluster

Worker Nodes

  • Node Groups: Managed groups of EC2 instances running Kubernetes
  • Fargate: Serverless compute for containers (no node management)
  • Self-Managed: EC2 instances you manage yourself

Node Groups

EKS Node Groups automate the provisioning and lifecycle management of worker nodes for your EKS cluster.

Managed Node Groups

  • Automated Provisioning: AWS manages node provisioning, scaling, and updates
  • Auto Scaling: Integrates with Cluster Autoscaler or EKS-managed scaling
  • Launch Templates: Customize instance configuration
  • Less Control: Limited customization compared to self-managed nodes

Self-Managed Node Groups

  • Full Control: Complete control over node configuration
  • Custom AMIs: Use custom Amazon Machine Images
  • More Configuration: More flexibility for specific requirements
  • More Management: You are responsible for updates and maintenance

Fargate

  • Serverless: No node management required
  • Pay per Pod: Only pay for running pods
  • Isolation: Each pod runs in its own kernel
  • Limitations: Some Kubernetes features not supported (DaemonSets, Privileged Pods)

Networking

VPC Configuration

  • Subnet Requirements: At least two subnets in different Availability Zones
  • Security Groups: Automatic creation of cluster security group
  • Network Modes: IPv4 or IPv6 (dual-stack)
  • CNI Plugin: Uses AWS VPC CNI plugin for pod networking

Pod Networking

  • IP Per Pod: Each pod gets its own IP address from VPC
  • Security Groups: Can assign security groups to pods
  • ENI Trunking: Reduces ENI usage for better density

Service Networking

  • LoadBalancer Services: Integrates with AWS Load Balancers
  • NodePort Services: Exposes services on node IPs
  • ClusterIP Services: Internal cluster communication

Authentication and Authorization

IAM Integration

  • AWS IAM Authenticator: Uses IAM for Kubernetes authentication
  • Role-Based Access: Map IAM roles to Kubernetes users
  • No Separate Auth System: Unified authentication with AWS

RBAC (Role-Based Access Control)

  • Kubernetes RBAC: Standard Kubernetes role-based access control
  • IAM Roles: Integrate IAM roles with Kubernetes service accounts
  • Fine-Grained Control: Control access to namespaces and resources

Add-ons

EKS supports various add-ons to extend cluster functionality:

Core Add-ons

  • CoreDNS: DNS server for cluster
  • kube-proxy: Network proxy for services
  • VPC CNI: Networking plugin for pod networking
  • EBS CSI Driver: Persistent volume support

Optional Add-ons

  • AWS Load Balancer Controller: Manage ALB and NLB
  • Cluster Autoscaler: Automatically scale node groups
  • Metrics Server: Resource metrics for HPA
  • Calico: Network policy enforcement

Storage

EBS CSI Driver

  • Persistent Volumes: Use EBS volumes as persistent storage
  • Dynamic Provisioning: Automatic volume provisioning
  • Volume Types: gp3, io1, io2, st1, sc1
  • Encryption: Automatic encryption support

EFS CSI Driver

  • Shared Storage: Network File System (NFS) for shared storage
  • Multiple Pods: Multiple pods can access the same volume
  • Elastic Scaling: Automatically scales storage

Monitoring and Logging

CloudWatch Integration

  • Control Plane Logs: API server, audit, authenticator, scheduler, controller manager logs
  • Container Insights: Container-level metrics and logs
  • Prometheus Integration: Export metrics to Prometheus

Metrics

  • Cluster Metrics: CPU, memory, network, and storage metrics
  • Pod Metrics: Per-pod resource usage
  • Node Metrics: Per-node resource utilization

Deployment Methods

eksctl

# Create cluster with eksctl
eksctl create cluster \
  --name my-cluster \
  --region us-west-2 \
  --nodegroup-name standard-workers \
  --node-type t3.medium \
  --nodes 3 \
  --nodes-min 1 \
  --nodes-max 4

AWS Console

  • Use AWS Management Console for guided cluster creation
  • Visual interface for cluster configuration
  • Simplified setup for beginners

Terraform

resource "aws_eks_cluster" "example" {
  name     = "example-cluster"
  role_arn = aws_iam_role.cluster.arn

  vpc_config {
    subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
  }
}

Best Practices

Cluster Design

  • Use multiple Availability Zones for high availability
  • Separate node groups by workload type (compute, memory, GPU)
  • Use managed node groups for simplicity, self-managed for flexibility
  • Consider Fargate for serverless workloads

Security

  • Enable encryption at rest and in transit
  • Use private API endpoint for production
  • Implement network policies for pod isolation
  • Regularly rotate IAM credentials
  • Use IRSA for pod-level permissions

Cost Optimization

  • Use Spot Instances for fault-tolerant workloads
  • Right-size node groups based on actual usage
  • Use Cluster Autoscaler to scale based on demand
  • Consider Fargate for sporadic workloads

Monitoring

  • Enable all control plane logs
  • Set up CloudWatch Container Insights
  • Configure alerting for critical metrics
  • Monitor cluster and node health regularly

By leveraging EKS's managed Kubernetes service, you can focus on building applications while AWS handles the complex Kubernetes infrastructure management. Always refer to AWS documentation for the latest features and best practices.