Overview
Enterprises are moving towards containerized solutions that consist of smaller services and applications which can be scaled independently, are easy to maintain, and have a smaller blast radius. Amazon Elastic Kubernetes Service (EKS) from AWS has helped customers deploy such solutions to the cloud. EKS is a certified Kubernetes-conformant service that leverages the AWS infrastructure to seamlessly auto-scale and load-balance, and it provides security and monitoring for your containerized applications. Below are some of the key learnings and best practices for deploying and managing a secure, scalable, containerized solution.
Key Learnings and Best Practices
Security
- Use private subnets for deploying worker nodes. Define appropriate network policies to restrict network traffic between pods and external services. An external policy engine such as Calico may be used for advanced controls.
- Encryption at rest and in transit depends on the storage you use and how you configure it. For example, EFS must be configured for encryption at rest when the file system is created, since it cannot be enabled later. EFS and FSx also offer encryption in transit.
- Define IAM policies following the principle of least privilege. Use IAM roles to assign the same set of policies to multiple users.
- Kubernetes Secrets may be used for storing sensitive information. AWS KMS is the preferred store for the key that encrypts these Secrets, and that key can be auto-rotated. Alternatively, external secret managers such as HashiCorp Vault may be used, which offer automatic rotation of the secrets themselves.
- Container scanning tools such as Snyk may be used to identify and fix vulnerabilities in container images.
- Use Amazon Inspector for assessing security vulnerabilities and alignment with the best practices.
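As an added example (not from the original page), an eksctl ClusterConfig that applies the first three bullets above: worker nodes on private subnets behind a private API endpoint, an IAM role for a service account carrying a least-privilege policy, and envelope encryption of Kubernetes Secrets with a KMS key. The cluster name, region, namespace, bucket name and KMS key ARN are placeholders.

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: secure-eks          # placeholder cluster name
  region: us-east-1         # placeholder region
  version: "1.28"

vpc:
  clusterEndpoints:
    privateAccess: true     # API server reachable from inside the VPC
    publicAccess: false     # no public endpoint for the control plane

# Envelope-encrypt Kubernetes Secrets with a customer-managed KMS key
# (placeholder ARN; automatic key rotation is configured on the key in KMS)
secretsEncryption:
  keyARN: arn:aws:kms:us-east-1:111122223333:key/REPLACE-WITH-KEY-ID

iam:
  withOIDC: true            # required for IAM roles for service accounts (IRSA)
  serviceAccounts:
    - metadata:
        name: report-reader   # placeholder service account
        namespace: reports    # placeholder namespace
      # Least privilege: read objects from one bucket and nothing else
      attachPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: ["s3:GetObject"]
            Resource: "arn:aws:s3:::example-reports-bucket/*"

managedNodeGroups:
  - name: private-workers
    instanceType: m5.large
    minSize: 2
    maxSize: 6
    privateNetworking: true # nodes receive only private-subnet addresses
```

With the public endpoint disabled, kubectl access has to originate inside the VPC, for example over a VPN or from a bastion host.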
Cost optimization
- The major cost contributors in EKS are the EC2 or Fargate instances that form the underlying infrastructure for nodes. Start with the right sizing of the instances. Configure auto-scaling for scaling up as well as down as per the demand. Consider using spot instances whenever possible.
Performance
- Set the processor affinity for the node as per your requirement. This can be further tuned depending on the usage patterns. Note that the affinity can also be set at the pod level.
- Define pod priorities appropriately. In case of a resource crunch, the scheduler can evict lower-priority pods, freeing up resources for the higher-priority ones. Use ResourceQuotas to prevent malicious users from creating pods at high priorities.
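As an added example, not from the original page, the priority guard from the last bullet: a PriorityClass reserved for platform services and a ResourceQuota in a tenant namespace that permits zero pods with that class, so the API server rejects any pod in that namespace requesting it. Class, namespace and pod names are assumed.

```yaml
# A high-priority class reserved for platform-critical workloads
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: platform-critical      # assumed class name
value: 1000000                 # higher value wins when the scheduler preempts
globalDefault: false           # never applied implicitly to pods
description: "Reserved for platform services; tenant namespaces are quota-blocked"
---
# In the tenant namespace, scope a ResourceQuota to that class and allow 0 pods.
# Quota is enforced at admission, so a pod asking for the class is rejected
# before the scheduler could preempt anything on its behalf.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: block-platform-critical
  namespace: team-a            # assumed tenant namespace
spec:
  hard:
    pods: "0"
  scopeSelector:
    matchExpressions:
      - operator: In
        scopeName: PriorityClass
        values: ["platform-critical"]
---
# Applying this pod to team-a fails at admission with
# "exceeded quota: block-platform-critical"; it never reaches the scheduler.
apiVersion: v1
kind: Pod
metadata:
  name: high-priority-attempt
  namespace: team-a
spec:
  priorityClassName: platform-critical
  containers:
    - name: app
      image: nginx:1.25        # any image; the pod is not admitted
```

Pods in team-a that use no priority class, or a class not listed in the scopeSelector, are unaffected by this quota and are governed by the namespace's ordinary compute quotas.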
Auto-scaling and HA
- Consider using Karpenter over the Kubernetes Cluster Autoscaler (CAS) for auto-scaling your cluster. It offers many advantages over CAS, such as the flexibility to upgrade the Kubernetes version independently of the auto-scaler, provisioning nodes based on the workload requirements, and triggering scaling directly from Kubernetes metrics.
- Avoid custom launch templates and AMIs when using Karpenter, since security group discovery and automatic node upgrades may not be supported with them.
- Improve observability by using external tools such as Prometheus to monitor the cluster and raise alarms when critical metrics breach their thresholds. These alarms can also be used to drive auto-scaling.
- Expose any application-specific metrics using external libraries that can push these metrics to your monitoring tool. Prometheus offers a client library that can be configured in the application to push such metrics.
Networking
- Size the subnets appropriately so that pods do not have to wait for IP allocation before starting up.
- Enable SNAT for pod-to-pod communication with private IPs in different networks.
- Consider using AWS App Mesh on top of microservices deployed on EKS. It will do much of the heavy lifting, such as service discovery, observability, auto-retries, traffic control, and even network encryption.
Multi-tenancy
- If you need to provision for multi-tenancy, ensure that you analyze and choose the right strategy. Any compliance needs will heavily influence this decision.
- Multi-tenancy can be achieved using different namespaces to divide cluster resources.
- Use resource quotas to limit resource consumption within a namespace.
- Consider using Persistent Storage or Persistent Volumes (PV) for any data persistence needs. Disable local volume access and control PV access through PersistentVolumeClaims defined at the namespace level.
- Restrict access to resources by using RBAC configurations.
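As an added example (not from the original page), the multi-tenancy bullets above expressed as manifests for one tenant: a namespace whose Pod Security "restricted" profile blocks hostPath (local volume) mounts, a ResourceQuota that caps compute and limits storage to PVCs, and a namespaced Role bound to the tenant's group. The tenant name and group name are assumed.

```yaml
# Tenant namespace; the "restricted" profile rejects hostPath mounts and privileged pods
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a                                   # assumed tenant name
  labels:
    pod-security.kubernetes.io/enforce: restricted
---
# Cap what the tenant can consume inside its namespace
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-compute
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    persistentvolumeclaims: "5"                    # persistent storage only via PVCs
---
# Namespaced Role: no cluster-wide rights, no access to Secrets or RBAC objects
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-a-developer
  namespace: tenant-a
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "services", "configmaps", "deployments", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Bind the Role to the tenant's group (on EKS the group is mapped from IAM via
# the aws-auth ConfigMap or access entries; the group name is assumed)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-a-developers
  namespace: tenant-a
subjects:
  - kind: Group
    name: tenant-a-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tenant-a-developer
  apiGroup: rbac.authorization.k8s.io
```

Because the binding is a RoleBinding to a Role rather than a ClusterRoleBinding, members of tenant-a-devs get no rights in any other namespace.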
DevOps
- Use multi-stage builds to reduce the image size. Ensure that the final image pushed to the container registry does not contain build tools or any other binaries or files that are not needed at runtime.
- Leverage private artifact repositories such as Nexus or Artifactory for publishing shared libraries that can be referenced from multiple projects.
- Automate the provisioning of nodes and other supporting infrastructure using CloudFormation or Terraform. Use Helm charts to define the Kubernetes resources your application needs.
Why LTIMindtree
Leading pharmaceutical company in North America
The LTIMindtree team helped build a data security platform based on Attribute-Based Access Control (ABAC): a single source of truth for maintaining and managing security policies and provisioning access. AWS EKS is used to deploy the major components and applications of the Data Security Platform. The system is integrated with various data sources such as Redshift, Snowflake, Azure Databricks, and S3 buckets through native plugins, proxies, and sync mechanisms. This centralized system is responsible for provisioning access and storing the access logs used for tracking and auditing.
Leading American financial information and analytics company
LTIMindtree helped build an API Marketplace on AWS EKS. The platform serves both internal users and external customers. All the microservices are built using .NET and Java and are hosted on AWS EKS on EC2 and Fargate. Customer-facing APIs are hosted on a Fargate-based EKS cluster, and internal APIs are hosted on an EC2-based EKS cluster. External systems call the APIs hosted in the marketplace to obtain global datasets, curated third-party datasets, and on-demand access to financial datasets.
LTIMindtree's Service Offering for EKS
1. Consulting
Our consulting service offering focuses on tool-based assessment using Infinity AppLens and the AWS Application Discovery Service, which helps our customers analyze their workloads, define a migration strategy, containerize, and migrate to EKS.
2. Application Modernization
LTIMindtree has deep expertise in transforming monolithic architectures into containerized solutions on EKS and in migrating existing containerized workloads from on-premises or other cloud providers to AWS EKS on EC2 or Fargate. We conduct joint application development workshops with customers to understand the requirements from both a technical and a business standpoint. This helps define the right architecture design and ensures that the proposed solution is cost-effective, secure, scalable, and highly available.
3. DevOps
Our professional DevOps team is equipped to set up CI/CD pipelines for various containerized workloads on EKS. The LTIMindtree DevOps Maturity Framework helps assess gaps by providing a detailed assessment report with a maturity index and recommendations for the to-be state.
LTIMindtree's Accelerators
This platform is equipped with efficiency kits for application assessment, development, deployment, FinOps, operations, and DevOps tooling to accelerate migration to EKS.
Discovery tools
LTIMindtree uses a proprietary tool, Infinity AppLens, to evaluate the migration of your apps to the cloud. We also have extensive experience with AWS tools such as the AWS Application Discovery Service, Migration Hub, App2Container, and AWS Evaluator, which aid in assessing technical feasibility and help business teams make the right decisions.
Architecture blueprints and best practices
Architecture blueprints using AWS EKS for containerized application use cases.
Infinity Ensure
A self-service SaaS platform that provides FinOps governance on AWS EKS and other services.
Observability platform for EKS
LTIMindtree's observability solutions help navigate quickly to the root cause of a problem, which reduces migration time.
Conclusion
With enterprises moving towards containerized solutions, EKS has gained popularity due to its added benefits of scalability and resilience offered by the AWS infrastructure. LTIMindtree, with its extensive experience in cloud migrations on a variety of workload architectures and migration tools, has helped customers optimize cost and reduce the failure risks and time-to-market in migrating their solutions on EKS.