Amazon EKS features

Overview

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that makes it easy for you to run Kubernetes on AWS and on-premises. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. Amazon EKS is certified Kubernetes-conformant, so existing applications that run on upstream Kubernetes are compatible with Amazon EKS.

Amazon EKS automatically manages the availability and scalability of the Kubernetes control plane nodes responsible for scheduling containers, managing application availability, storing cluster data, and other key tasks.

Amazon EKS lets you run your Kubernetes applications on both Amazon Elastic Compute Cloud (Amazon EC2) and AWS Fargate. With Amazon EKS, you can take advantage of all the performance, scale, reliability, and availability of AWS infrastructure, as well as integrations with AWS networking and security services, such as application load balancers (ALBs) for load distribution, AWS Identity and Access Management (IAM) integration with role-based access control (RBAC), and AWS Virtual Private Cloud (VPC) support for pod networking.


Managed Kubernetes Clusters

Amazon EKS provides a scalable and highly available Kubernetes control plane running across multiple AWS Availability Zones (AZs). Amazon EKS automatically manages the availability and scalability of the Kubernetes API servers and the etcd persistence layer. Amazon EKS runs the Kubernetes control plane across three AZs to ensure high availability, and automatically detects and replaces unhealthy control plane nodes.

AWS Controllers for Kubernetes (ACK) gives you direct management control over AWS services from within your Kubernetes environment. ACK makes it simple to build scalable and highly available Kubernetes applications utilizing AWS services.

EKS provides an integrated console for Kubernetes clusters. Cluster operators and application developers can use EKS as a single place to organize, visualize, and troubleshoot their Kubernetes applications running on Amazon EKS. The EKS console is hosted by AWS and is available automatically for all EKS clusters.

EKS add-ons are common operational software that extends Kubernetes functionality. You can use EKS to install the add-on software and keep it up to date. When you start an Amazon EKS cluster, select the add-ons you would like to run in it, including Kubernetes tools for observability, networking, auto-scaling, and AWS service integrations.

Amazon EKS lets you create, update, scale, and terminate nodes for your cluster with a single command. These nodes can also leverage Amazon EC2 Spot Instances to reduce costs. Managed node groups run Amazon EC2 instances using the latest EKS-optimized or custom Amazon Machine Images (AMIs) in your AWS account, while updates and terminations gracefully drain nodes to ensure your applications remain available.

Hybrid Deployments

You can use EKS on AWS Outposts to run containerized applications requiring particularly low latencies to on-premises systems. AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any connected site. With EKS on Outposts, you can manage containers on-premises with the same ease as you manage your containers in the cloud.

You can attach nodes running in AWS Local Zones or AWS Wavelength to EKS, giving you more choices for AWS-managed infrastructure at the edge.

Amazon EKS Distro packages up the same open-source Kubernetes software distribution used in Amazon EKS on AWS for use on your own on-premises infrastructure. Manage EKS Distro clusters with your own tooling or with Amazon EKS Anywhere.

With Amazon EKS Anywhere, you can easily create and operate Kubernetes clusters (built from the software in Amazon EKS Distro) on-premises, including on your own virtual machines (VMs) and bare metal servers. EKS Anywhere saves you the complexity of building and supporting your own tooling to manage Kubernetes clusters. It provides automation tooling that simplifies cluster creation, administration, and operations on infrastructure such as bare metal, VMware vSphere, and cloud virtual machines, including default logging, monitoring, networking, and storage configurations. EKS Anywhere also brings the additional tooling and components you'll need to run Kubernetes in production, such as cluster installation and lifecycle management, observability, cluster backup, and policy management.

Use eksctl to launch nodes and manage clusters with a single command

Use the eksctl command-line tool to get up and running with Amazon EKS in minutes. Simply run an "eksctl create cluster" command to create your EKS cluster. You can use eksctl to simplify cluster management and operations, including managing nodes and add-ons.

Amazon EKS supports Windows worker nodes and Windows container scheduling. EKS supports running Windows worker nodes alongside Linux worker nodes, allowing you to use the same cluster for managing applications on either operating system.

AWS Graviton2 processors power Arm-based EC2 instances, delivering a major leap in performance and capabilities as well as significant cost savings. Improving application cost efficiency is a primary goal of running containers, so combining the two gives you strong price performance. For example, workload testing shows instance types based on Graviton2 processors deliver up to 40% better price performance than the equivalent x86-based M5, C5, and R5 families. Amazon EKS on AWS Graviton2 is generally available in every Region where both services are offered.

Networking and Security

Amazon EKS makes it easy to provide security for your Kubernetes clusters, with advanced features and integrations to AWS services and technology partner solutions. For example, IAM provides fine-grained access control and Amazon VPC isolates your Kubernetes clusters from other customers.

Amazon Elastic Kubernetes Service (EKS) supports IPv6, enabling customers to scale containerized applications on Kubernetes far beyond the limits of private IPv4 address space. With EKS support for IPv6, pods are assigned only a globally routable IPv6 address, allowing you to scale applications in your cluster without consuming limited private IPv4 address space. This globally routable IPv6 address can be used to communicate directly with any IPv6 endpoint in your Amazon VPC, on-premises network, or the public internet. Further, EKS configures networking so that pods can still communicate with IPv4-based endpoints outside the cluster, enabling you to adopt the benefits of IPv6 using Kubernetes without requiring that all dependent services deployed across your organization are migrated to IPv6.

EKS Pod Identity simplifies the work customers need to do to set up applications on EKS clusters to access AWS services. EKS cluster administrators get a simplified workflow for obtaining the IAM credentials required for authenticating Kubernetes applications to access AWS resources such as S3 buckets, DynamoDB tables, and more. EKS Pod Identity makes it easy to use IAM roles across multiple clusters, and simplifies IAM policy management by supporting reuse of policies across IAM roles.

AWS Cloud Map is a cloud resource discovery service. With Cloud Map, you can define custom names and maintain updated locations of dynamically changing application resources. This increases your application availability, because your web service always discovers the most up-to-date resource locations. Cloud Map works with external-dns, an open-source Kubernetes connector that automatically propagates internal service locations to the Cloud Map service registry as Kubernetes services launch, and removes them upon termination. Kubernetes-based services are discoverable via Cloud Map, which provides a unified service registry for all container workloads.

Service mesh standardizes how every microservice within your application communicates, making it easy to build and run complex microservices applications. AWS App Mesh configures your application for end-to-end visibility and high availability. You can use the AWS App Mesh controller for Kubernetes to create new services connected to the mesh, define traffic routing, and configure security features like encryption. Additionally, App Mesh allows you to automatically register your Kubernetes pods in AWS Cloud Map for service discovery. App Mesh exports metrics, logs, and traces to the endpoints specified in the Envoy bootstrap configuration provided. App Mesh provides an API to configure traffic routes, circuit breaking, retries, and other controls between mesh-enabled microservices. App Mesh Mutual TLS helps encrypt all requests between services even when they occur in your private networks. Furthermore, you can add authentication controls to enable communication only between services you allow.

Your EKS clusters run in an Amazon VPC, allowing you to use your own VPC security groups and network access control lists (ACLs). No compute resources are shared with other customers, which provides you a high level of isolation to build secure and reliable applications. EKS uses the Amazon VPC container network interface (CNI), allowing Kubernetes pods to receive IP addresses from the VPC. Amazon EKS works with the Project Calico network policy engine to provide fine-grained networking policies for your Kubernetes workloads. Use the Kubernetes network policy API to control access on a per-service basis.

Amazon EKS integrates Kubernetes RBAC (the native role-based access control system for Kubernetes) with AWS IAM. You can assign RBAC roles directly to each IAM entity, allowing granular access permission control over your Kubernetes control plane nodes.

Amazon EKS allows you to assign IAM permissions to your Kubernetes service accounts. The IAM role can control access to other containerized services, AWS resources external to the cluster such as databases and secrets, or third-party services and applications running outside of AWS. This gives you fine-grained, pod-level access control when running clusters with multiple co-located services while simplifying cluster availability and cost optimization.
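The binding between a Kubernetes service account and an IAM role lives in the role's trust policy. The following is an added example, not code from this page or from AWS: it builds a trust policy for IAM roles for service accounts (IRSA) that scopes the role to one namespace/service-account pair, and then reviews a policy for two common mistakes, a wildcard or missing `sub` condition and a missing `aud` condition. The account id, OIDC provider id, namespace and service-account name are placeholders.

```python
"""Trust policies for IAM roles for service accounts (IRSA) on EKS.
Constructed example: account id, OIDC provider id, namespace and
service-account names are placeholders, not values from the page."""
import json

ACCOUNT_ID = "111122223333"                                            # placeholder
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000"     # placeholder


def irsa_trust_policy(account_id, oidc_provider, namespace, service_account):
    """Trust policy that lets exactly one Kubernetes service account assume the role.
    `sub` pins the role to one namespace/service-account pair and `aud` pins the token
    audience to STS, so tokens minted for other workloads or audiences are rejected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{oidc_provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def trust_policy_findings(policy, oidc_provider):
    """Review a trust policy; returns the list of problems found (empty means it passes)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        claims = {}
        for op in ("StringEquals", "StringLike"):   # claim conditions may use either operator
            claims.update(stmt.get("Condition", {}).get(op, {}))
        sub = claims.get(f"{oidc_provider}:sub")
        parts = sub.split(":") if isinstance(sub, str) else []
        if not sub:
            findings.append(f"statement {i}: no sub condition, so any service account in the cluster may assume the role")
        elif len(parts) != 4 or "*" in parts[2]:
            findings.append(f"statement {i}: sub {sub!r} is not pinned to a single namespace")
        if claims.get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not restricted to sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    policy = irsa_trust_policy(ACCOUNT_ID, OIDC_PROVIDER, "payments", "ledger-writer")
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy, OIDC_PROVIDER))
```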

Amazon EKS is certified by multiple compliance programs for regulated and sensitive applications. Amazon EKS is compliant with SOC, PCI, ISO, FedRAMP-Moderate, IRAP, C5, K-ISMS, ENS High, OSPAR, and HITRUST CSF, and is a HIPAA eligible service.

Amazon EKS is compatible with container image signature verification to enable deploying container workloads with approved images and artifacts. You can verify images (or any other OCI artifact, such as a Software Bill of Materials) signed by AWS Signer, a fully managed signing solution, before deploying images in your Amazon EKS clusters. AWS supports open-source-based image signing and verification solutions so you can easily sign artifacts stored in your registry and verify them using open source policy-as-code or admission controllers.

Load balancing

Amazon EKS supports using Elastic Load Balancing including Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer.

You can run standard Kubernetes cluster load balancing or any Kubernetes-supported ingress controller with your Amazon EKS cluster.

Serverless Compute

EKS supports AWS Fargate to run your Kubernetes applications using serverless compute. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

Cost monitoring

Amazon EKS simplifies the process of understanding the costs associated with your Kubernetes usage, both at the cluster level, and the individual application level.

Amazon EKS automatically adds an AWS cost allocation tag to every EC2 instance that joins a cluster. This frees you from having to enforce a custom tagging policy across your organization to gain insights into cluster-level costs. After you activate the EKS cluster name cost allocation tag in the AWS Billing Console, you can use AWS Cost and Usage Reports to track the EC2 costs associated with your EKS clusters.

Amazon EKS supports Kubecost, which enables you to monitor costs broken down by Kubernetes resources including pods, nodes, namespaces, and labels. Kubernetes platform administrators and finance leaders can use Kubecost to visualize a breakdown of their Amazon EKS associated charges, allocate costs, and charge back to organizational units such as application teams. You can provide your internal teams and business units with transparent and accurate cost data based on their actual AWS bill and get customized recommendations for cost optimization based on their infrastructure environment and usage patterns within their clusters.

Logging

Amazon EKS is integrated with AWS CloudTrail to provide visibility into EKS management operations, including audit history. You can use CloudTrail to view API calls to the Amazon EKS API. Amazon EKS also delivers Kubernetes control plane logs to Amazon CloudWatch for analysis, debugging, and auditing.
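The control plane log types include the Kubernetes audit log, which records every API server request. As an added example, not from this page or from AWS, the following triages a few constructed audit events of the kind that stream to CloudWatch: anonymous requests outside the health endpoints, secret reads by identities outside `system:*`, and `exec`/`attach` sessions into pods. Events, user names, addresses and audit ids are made up for the example.

```python
"""Triage Kubernetes audit events from the EKS control plane audit log stream.
Constructed example: the events below are hand-written in the audit.k8s.io/v1
Event shape; user names, addresses and audit ids are made up."""
import json

SAMPLE_AUDIT_LINES = [  # constructed sample, one JSON event per line
    '{"auditID":"a1","stage":"ResponseComplete","verb":"get","requestURI":"/healthz",'
    '"user":{"username":"system:anonymous"},"responseStatus":{"code":200}}',
    '{"auditID":"a2","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/secrets",'
    '"user":{"username":"system:anonymous"},"objectRef":{"resource":"secrets"},'
    '"sourceIPs":["203.0.113.7"],"responseStatus":{"code":403}}',
    '{"auditID":"a3","stage":"ResponseComplete","verb":"create",'
    '"requestURI":"/api/v1/namespaces/payments/pods/ledger-0/exec",'
    '"user":{"username":"kubernetes-admin","groups":["system:masters"]},'
    '"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"ledger-0"}}',
    '{"auditID":"a4","stage":"ResponseComplete","verb":"get",'
    '"requestURI":"/api/v1/namespaces/payments/secrets/db","user":{"username":"alice","groups":["developers"]},'
    '"objectRef":{"resource":"secrets","namespace":"payments","name":"db"},"responseStatus":{"code":200}}',
]

HEALTH_PATHS = {"/healthz", "/livez", "/readyz", "/version"}


def triage_event(ev):
    """Return the rule names an audit event trips (empty list if none)."""
    if ev.get("stage") != "ResponseComplete":    # count each request once, at completion
        return []
    user = ev.get("user", {}).get("username", "")
    ref = ev.get("objectRef", {})
    hits = []
    # Anonymous callers legitimately reach the health endpoints; anything else is worth
    # a look even when the API server denied it (a2 above got a 403 but shows probing).
    if user == "system:anonymous" and ev.get("requestURI", "").split("?")[0] not in HEALTH_PATHS:
        hits.append("anonymous-api-access")
    # Secret reads by identities outside system:* (humans, custom users)
    if ref.get("resource") == "secrets" and ev.get("verb") in ("get", "list", "watch") \
            and not user.startswith("system:"):
        hits.append("secrets-read-by-non-system-identity")
    # exec/attach open an interactive session inside a running container
    if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
        hits.append("interactive-pod-session")
    return hits


def triage_lines(lines):
    """Map auditID -> tripped rules for every event that tripped at least one rule."""
    out = {}
    for line in lines:
        ev = json.loads(line)
        if hits := triage_event(ev):
            out[ev["auditID"]] = hits
    return out
```

Running `triage_lines(SAMPLE_AUDIT_LINES)` flags a2, a3 and a4 and leaves the health probe a1 alone; in a real pipeline the same function would sit behind a CloudWatch Logs subscription or a metric filter.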

Certified Conformant

Amazon EKS runs upstream Kubernetes and is certified Kubernetes-conformant, so you can use all the existing plug-ins and tooling from the Kubernetes community. Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment, whether running in on-premises data centers or public clouds. This means that you can easily migrate any standard Kubernetes application to Amazon EKS without refactoring your code.

Managed Cluster Updates

Amazon EKS makes it easy to update running clusters to the latest Kubernetes version without managing the update process. Kubernetes version updates are done in place, removing the need to create new clusters or migrate applications to a new cluster.

As new Kubernetes versions are released and validated for use with Amazon EKS, we will support three stable Kubernetes versions at any given time as part of the update process. You can initiate new version installation and review in-flight update status via the SDK, CLI or AWS Console.

Advanced Workload Support

Amazon EKS provides an optimized Amazon Machine Image (AMI) that includes configured NVIDIA drivers for GPU-enabled P2 and P3 Amazon EC2 instances. This makes it easy to use Amazon EKS to run computationally advanced workloads, including machine learning (ML), Kubeflow, deep learning (DL) containers, high performance computing (HPC), financial analytics, and video transcoding.

Open-Source Compatibility

Amazon EKS is fully compatible with Kubernetes community tools and supports popular Kubernetes add-ons. These include CoreDNS, which creates a DNS service for your cluster, and both the Kubernetes Dashboard web-based UI and the kubectl command line tool, which help access and manage your cluster on Amazon EKS.

For more information, see the Kubernetes community tools GitHub page.

EKS Connector

Amazon EKS allows you to connect any conformant Kubernetes cluster to AWS and visualize it in the Amazon EKS console. You can connect any conformant Kubernetes cluster, including Amazon EKS Anywhere clusters running on-premises, self-managed clusters on Amazon Elastic Compute Cloud (Amazon EC2), and other Kubernetes clusters running outside of AWS. Regardless where your cluster is running, you can use the Amazon EKS console to view all connected clusters and the Kubernetes resources running on them.