Written by Clement Bolin, Cloud Engineer

In response to the rising demand for efficient container orchestration and seamless deployment of microservices, TrackIt developed EKS as a Product, a solution that helps enterprises navigate the intricacies of managing Kubernetes clusters. 

EKS as a Product simplifies Kubernetes cluster deployment and management through purpose-built tools and modules strategically configured to enhance security, functionality, and overall operational efficiency. The solution is crafted to empower users with a user-friendly, secure, and feature-rich environment, effectively addressing the complexities associated with managing Kubernetes clusters. The following is a description of the key components of this solution.

Cluster Module

The Cluster Module is designed to facilitate the configuration of the EKS cluster. This module encompasses the creation of the following essential resources:

  • IAM: Creates the IAM resources the cluster depends on, including the roles and policies for the KMS key, the worker nodes, and the EKS cluster itself.
  • Cluster: Handles the creation of the EKS cluster and its associated node groups, ensuring a robust foundation for Kubernetes workloads.
  • Extra Dependencies: Modules that can be added to enhance a cluster’s functionality based on specific requirements. Additional features include:
    • Fargate Profiles: Run selected pods (matched by namespace and labels) on AWS Fargate instead of EC2 nodes, so no node has to be provisioned for them.
    • IRSA (IAM Roles for Service Accounts): Enhance security and access control by associating IAM roles with Kubernetes service accounts.
    • Karpenter: Automates node provisioning and management for optimal resource utilization.
    • AWS Auth: Manages the aws-auth ConfigMap that maps IAM roles and users to Kubernetes RBAC identities, so that access to the cluster is granted through IAM rather than through separately managed credentials.

Addons Module

The Addons Module integrates and configures additional tools within the EKS cluster. 

  1. ArgoCD: A declarative, GitOps continuous delivery tool for Kubernetes applications.
  2. Monitoring:
    • Grafana Agent: Collects metrics and logs from the cluster and forwards them to the monitoring backends (for metrics, a Prometheus-compatible store such as Mimir) that Grafana dashboards query.
    • Prometheus: A robust open-source monitoring and alerting toolkit.
    • Mimir: Grafana Mimir, a horizontally scalable long-term storage backend for Prometheus metrics; it keeps the history that a single in-cluster Prometheus would otherwise lose.
  3. Cert Manager: An automated tool for TLS certificate management within Kubernetes applications.
  4. Karpenter: Featured in both Cluster and Addons modules, it automates node management for optimal performance.

IRSA

IAM Roles for Service Accounts (IRSA) associate Kubernetes service accounts with AWS IAM roles. The cluster’s OIDC issuer is registered in IAM as an identity provider; a pod whose service account is annotated with a role ARN receives a projected, short-lived service account token, and the AWS SDK exchanges that token for role credentials through STS (AssumeRoleWithWebIdentity). With IRSA:

  1. Kubernetes pods can assume IAM roles and obtain only the AWS permissions attached to that role.
  2. Applications running in EKS pods interact with AWS services without static AWS credentials or the shared EC2 node instance role, and the credentials they do receive rotate automatically.
  3. Access control becomes per-workload rather than per-node, provided the role’s trust policy restricts the token’s sub claim to a specific namespace and service account; a trust policy without that condition can be assumed by any pod in the cluster.
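The trust-policy point above (and the IRSA entry in the addons list later on this page) is easiest to see on a concrete policy document. The following is an added example, not code from the original post or from TrackIt’s module: it builds the least-privilege trust policy IRSA needs for one service account, lints an existing policy for the conditions that actually bound which pods may assume the role, and shows the ServiceAccount annotation that ties the two together. The account ID, OIDC issuer and service-account names are constructed placeholders, and the lint rules are this example’s own, not an AWS or TrackIt check.

```python
"""Build and lint an IAM trust policy for IRSA (IAM Roles for Service Accounts).

Added example, not part of the original post or TrackIt's module. IRSA
federates the cluster's OIDC issuer into IAM: the kubelet projects a
service-account token into the pod and the AWS SDK exchanges it for role
credentials via sts:AssumeRoleWithWebIdentity. The trust policy decides WHICH
service account may do that, so the `sub` condition is the security boundary:
without it, every pod in the cluster can assume the role.
"""
import copy

# Constructed placeholder identifiers (not a real account, cluster or issuer).
ACCOUNT_ID = "111122223333"
OIDC_ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
OIDC_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_ISSUER}"


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(oidc_provider_arn, namespace, service_account):
    """Least-privilege IRSA trust policy: one OIDC provider, one audience,
    one service account (the sub claim of the projected token)."""
    issuer = oidc_provider_arn.split(":oidc-provider/", 1)[1]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": "sts.amazonaws.com",
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def lint_trust_policy(policy, oidc_provider_arn, namespace, service_account):
    """Return a list of findings; [] means the policy is scoped to exactly the
    intended service account of this cluster. Rules are this example's own."""
    issuer = oidc_provider_arn.split(":oidc-provider/", 1)[1]
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    irsa_statements = 0
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not (
                "sts:AssumeRoleWithWebIdentity" in actions or "sts:*" in actions):
            continue  # not a web-identity statement, nothing for IRSA to use
        irsa_statements += 1
        if stmt.get("Principal", {}).get("Federated") != oidc_provider_arn:
            findings.append(f"statement {i}: Federated principal is not this cluster's OIDC provider")
        cond = stmt.get("Condition", {})
        subs = (_as_list(cond.get("StringEquals", {}).get(f"{issuer}:sub"))
                + _as_list(cond.get("StringLike", {}).get(f"{issuer}:sub")))
        if not subs:
            findings.append(f"statement {i}: no {issuer}:sub condition, any pod in the cluster can assume this role")
        for sub in subs:
            if "*" in sub or "?" in sub:
                findings.append(f"statement {i}: sub pattern {sub!r} is a wildcard, scope it to one service account")
            elif sub != expected_sub:
                findings.append(f"statement {i}: sub {sub!r} is not the intended {expected_sub!r}")
        if "sts.amazonaws.com" not in _as_list(cond.get("StringEquals", {}).get(f"{issuer}:aud")):
            findings.append(f"statement {i}: no {issuer}:aud = sts.amazonaws.com condition")
    if irsa_statements == 0:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity found")
    return findings


def service_account_manifest(namespace, name, role_arn):
    """ServiceAccount carrying the annotation the EKS pod identity webhook reads
    to inject the projected token and AWS_ROLE_ARN into pods using it."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {"eks.amazonaws.com/role-arn": role_arn}},
    }


# Constructed good and weak policies for the AWS Load Balancer Controller's
# service account; the weak one is the good one with the sub condition dropped.
GOOD_POLICY = build_trust_policy(OIDC_PROVIDER_ARN, "kube-system", "aws-load-balancer-controller")
WEAK_POLICY = copy.deepcopy(GOOD_POLICY)
del WEAK_POLICY["Statement"][0]["Condition"]["StringEquals"][f"{OIDC_ISSUER}:sub"]

if __name__ == "__main__":
    for label, pol in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        result = lint_trust_policy(pol, OIDC_PROVIDER_ARN, "kube-system", "aws-load-balancer-controller")
        print(label, result or "ok")
```

The same linter is worth running against the trust policy of every role an IRSA module creates: the aud condition stops tokens minted for another audience from being accepted, and the sub condition is what turns "any pod in the cluster" into "this one service account in this one namespace".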

Deployment

Prerequisites

  • AWS Account: The AWS account needs to have the necessary permissions to create an EKS cluster, VPC, IAM roles, and other resources.
  • Terraform Installed: Terraform needs to be installed on the machine. Visit the Terraform website for installation instructions.
  • Configure AWS CLI: The AWS CLI needs to be configured with appropriate credentials and a default region. Run "aws configure" to set up the profile.

Step 1: Prepare the Terraform Configuration

Create a Terraform configuration file that calls the trackit-eks module to deploy the EKS cluster. The example below is a basic configuration; adjust the parameters to your own requirements.

Example

module "eks" {
  # Path to the trackit-eks module; adjust to where the module lives.
  source = "./../"

  aws_region_short = var.aws_region_short

  network = {
    vpc_id                   = local.vpc_id
    subnet_ids               = var.vpc.subnet_ids
    # Subnets in which EKS places the managed control-plane network interfaces.
    control_plane_subnet_ids = var.vpc.subnet_ids
  }

  cluster = {
    version                = "1.29"
    name                   = var.cluster_name
    # Private endpoint only: terraform and kubectl must run from inside the VPC
    # or over a VPN/Direct Connect path into it.
    endpoint_public_access = false
  }

  # IAM principals allowed to administer the cluster's KMS key; keep this list short.
  kms_key_administrators = [
    "arn:aws:iam::XXXXXXXX:user/trackit-eks",
  ]

  # Short-lived ECR Public credentials used to pull images. Note: the
  # aws_ecrpublic_authorization_token data source must be read through a
  # provider configured for us-east-1.
  ecr_token = {
    password  = data.aws_ecrpublic_authorization_token.token.password
    user_name = data.aws_ecrpublic_authorization_token.token.user_name
  }

  env       = "staging"
  zone_name = "XXXX.tech"

  tags = var.tags
}

Step 2: Define Variables

Before deployment, all the variables used by the module need to be defined. These include configurations for the cluster, network settings, the ECR token, tags, and more.

Required Variables

  • cluster: Configuration parameters for the EKS cluster such as version, name, and endpoint access.
  • network: Network configuration details including VPC ID and subnet IDs.
  • ecr_token: Credentials for ECR to pull images.
  • tags: Tags that will be applied to all resources.
  • aws_region_short: AWS region where the cluster will be deployed.
  • kms_key_administrators: ARNs of the administrators of the KMS key.
  • zone_name: Domain name for the cluster.
  • env: Environment name (e.g., staging, production).

Optional Variables

  • fargate_profiles: Fargate profile configuration when using AWS Fargate.
  • private_hosted_zone_additional_vpc_ids_association: Additional VPC IDs to associate with the private hosted zone.
  • aws_auth_role_arns: ARNs of IAM roles to be granted access to the EKS cluster through the aws-auth ConfigMap.

Step 3: Initialize and Apply Terraform Configuration

  • Initialize Terraform: Run "terraform init" to initialize the Terraform project and download the necessary providers and modules.
  • Review Plan: Run "terraform plan" to review the changes that will be applied to the infrastructure.
  • Apply Configuration: Run "terraform apply" to deploy the EKS cluster. Confirm the action by typing "yes" when prompted.

List of Available Kubernetes Addons

Karpenter

Karpenter is an open-source Kubernetes node autoscaler. Instead of scaling predefined node groups, it launches right-sized instances directly in response to pending pods and consolidates underused nodes, which makes it faster and usually cheaper than node group-based scaling.

Fargate

AWS Fargate is a serverless compute engine for containers compatible with Amazon EKS. Fargate removes the need to provision and manage servers, lets users specify and pay for resources per application, and improves security through isolation by design: each Fargate pod runs in its own dedicated kernel, without sharing a node with other pods.

IAM Roles for Service Accounts (IRSA)

IRSA facilitates the assignment of IAM roles to Kubernetes service accounts, presenting a more refined approach to allocating AWS permissions to specific pods within EKS clusters. Commonly utilized in conjunction with add-ons such as the AWS Load Balancer Controller and ExternalDNS, it contributes to effective access management for AWS services.

AWS Load Balancer Controller and ExternalDNS

AWS Load Balancer Controller provisions AWS load balancers for Kubernetes workloads (Application Load Balancers for Ingress resources and Network Load Balancers for Services of type LoadBalancer), unlocking advanced load balancing features such as HTTP/2, gRPC, and WebSocket. ExternalDNS synchronizes exposed Kubernetes services and ingresses with DNS providers such as Route 53, simplifying access to applications.

Glossary

EKS: Amazon Elastic Kubernetes Service (EKS) is a managed container orchestration service provided by Amazon Web Services (AWS). It streamlines the deployment, scaling, and management of containerized applications leveraging Kubernetes, a widely used open-source container orchestration platform. EKS abstracts much of the inherent infrastructure complexity, enabling a focus on the development and operation of containerized workloads with heightened availability, security, and scalability in AWS cloud environments.

EKS Addon: An Amazon Elastic Kubernetes Service (EKS) addon refers to a pre-built extension or module designed to augment the functionality of a Kubernetes cluster operating on AWS EKS. These addons offer supplementary features and services, such as monitoring, networking, or security, streamlining the management and customization of a Kubernetes environment without necessitating manual configuration for each component.

About TrackIt

TrackIt is an international AWS cloud consulting, systems integration, and software development firm headquartered in Marina del Rey, CA.

We have built our reputation on helping media companies architect and implement cost-effective, reliable, and scalable Media & Entertainment workflows in the cloud. These include streaming and on-demand video solutions, media asset management, and archiving, incorporating the latest AI technology to build bespoke media solutions tailored to customer requirements.

Cloud-native software development is at the foundation of what we do. We specialize in Application Modernization, Containerization, Infrastructure as Code and event-driven serverless architectures by leveraging the latest AWS services. Along with our Managed Services offerings which provide 24/7 cloud infrastructure maintenance and support, we are able to provide complete solutions for the media industry.