+++
author = "AWS Kubernetes Developer Advocates"
categories = ["Archive", "2022", "Weekly"]
date = 2022-03-04T08:00:00Z
draft = false
slug = "008"
title = "EKS News 008"
aliases = [
    "/archive/eks-news-008"
]
+++
<br/><br/><br/><br/>
Security is job 0 at AWS. We continue to hear from customers they're looking for ways to secure their Kubernetes environments. Here are some resources to help with securing Kubernetes clusters on AWS and your AWS account(s):

* [Security in Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security.html)
* [Amazon EKS Best Practices Guide for Security](https://aws.github.io/aws-eks-best-practices/security/docs/)
* [Cloud Security – Amazon Web Services (AWS)](https://aws.amazon.com/security/)
* [Vulnerability Reporting - Amazon Web Services (AWS)](https://aws.amazon.com/security/vulnerability-reporting/)

This week we'll talk about Amazon CloudWatch Container Insights, AWS CloudFormation Hooks, and some of the latest nuggets from the greater cloud native ecosystem.

## New service announcements and features

[Amazon CloudWatch Container Insights adds support for Helm chart using AWS Distro for OpenTelemetry](https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudwatch-container-helm-chart-distro-opentelemetry/)

* New Helm chart for installing ADOT on EKS that sends metrics to CW
* Deploys ADOT Collector for collecting infrastructure metrics and Fluent Bit for logs
* [Documentation](https://github.com/aws-observability/aws-otel-helm-charts/tree/master/charts/adot-exporter-for-eks-on-ec2)

[AWS Announces the General Availability of AWS CloudFormation Hooks](https://aws.amazon.com/about-aws/whats-new/2022/02/aws-announces-general-availability-aws-cloudformation-hooks/)

* Customers can invoke custom logic to automate actions or inspect resource configurations prior to a CRUD operation operation, similar to Kubernetes Dynamic Admission Controllers
* Customers can publish their policy and controls to the CloudFormation Registry and enforce them against all stack and resource operations in their AWS accounts
* [CloudFormation Public Registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-public.html)
* [CloudFormation Private Registry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html)

[Amazon CloudWatch Container Insights adds support for Amazon EKS Fargate using AWS Distro for OpenTelemetry](https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudwatch-eks-fargate-distro-opentelemetry/)

* ADOT collector runs as a sidecar and exports metrics to CW Container Insights
* [Blog](https://aws.amazon.com/blogs/containers/introducing-amazon-cloudwatch-container-insights-for-amazon-eks-fargate-using-aws-distro-for-opentelemetry/)
* [Documentation](https://aws-otel.github.io/docs/getting-started/container-insights/eks-fargate)

[Proactively keep resources secure and compliant with AWS CloudFormation Hooks](https://aws.amazon.com/blogs/mt/proactively-keep-resources-secure-and-compliant-with-aws-cloudformation-hooks/)

* Solutions like Cloud Custodian, AWS Config, etc are reactive in that they alarm on resources that have already been created
* Hooks are meant to prevent the deployment of a resource when it violates your policy
* Hooks are similar to Kubernetes Dynamic Admission Controllers, in that they run before a resource is created, updated, or deleted
* Blog explains how to create hooks of your own
* cloudformation-cli (cfn init and cfn generate) is used to create a project skeleton on your local machine
* [Samples](https://github.com/aws-cloudformation/aws-cloudformation-samples/tree/main/hooks)
* [Workshop](https://catalog.us-east-1.prod.workshops.aws/workshops/f09fd78b-ef8a-4a9d-9d2b-f31a3e6ca956/en-US/)

## New and notable blogs

[Running critical workloads with Amazon EKS and AWS Fargate at Generali Italia](https://aws.amazon.com/blogs/containers/running-critical-workloads-with-amazon-eks-and-aws-fargate-at-generali-italia/)
  
* Generali Italia is one of Europe’s largest insurers
* Set out to improve the claims processing experience along with security, reliability, and ongoing maintenance
* Migrated the application from Docker Swarm to EKS and EKS Fargate because they wanted a solution that was portable, widely adopted, and could be run on premises
* With EKS they can update and scale their infrastructure during business hours with zero downtime and no impact on the workload

[Three things to consider when implementing Mutual TLS with AWS App Mesh](https://aws.amazon.com/blogs/containers/three-things-to-consider-when-implementing-mutual-tls-with-aws-app-mesh/)

* How to generate and configure certificates, e.g. expiry
* How to manage the certificates for the Envoy proxy, e.g. rotation and revocation
* How to ensure all mTLS-required services are added to the mesh

[Diving into IAM Roles for Service Accounts](https://aws.amazon.com/blogs/containers/diving-into-iam-roles-for-service-accounts/)

* Walkthrough of what happens behind the scenes when you assign an IAM role to a pod
* Similar content can be found in the BPGs (<https://aws.github.io/aws-eks-best-practices/security/docs/iam/#pods-identities>)

## Containers from the Couch

[Short: What is a container?](https://www.youtube.com/shorts/u0DgA8xHj3g)

Please Subscribe to [Containers from the Couch](https://containersfromthecouch.com/)

## Ecosystem News

[loft-sh/vcluster Release v0.6.0](https://github.com/loft-sh/vcluster/releases/tag/v0.6.0)

* vcluster now allows you to use EKS Distro binaries to create virtual clusters
* This isn't an officially supported distro of EKS but is an additional way to consume the official EKS binaries
* More partners and installation options can be found in the docs <https://distro.eks.amazonaws.com/users/install/partners/>

[Lightrun Releases KoolKits - Debugging Toolkits for Kubernetes](https://lightrun.com/debugging/koolkits-debugging-toolkits-for-kubernetes/)

* KoolKits (Kubernetes toolkits) are highly-opinionated, language-specific, batteries-included debug container images for Kubernetes
* A KoolKit will be pulled by kubectl debug, spun up as a container in your pod, and have the ability to access the same process namespace as your original container
* Each KoolKit uses (wherever possible) a language version manager instead of relying on language-specific distros

[Kubernetes Hardening Tutorial Part 3: Authn, Authz, Logging & Auditing](https://blog.gitguardian.com/kubernetes-tutorial-part-3-authn-authz/)

* Learn how to set up an AWS EKS cluster with Terraform and leverage best practices to configure roles, service accounts, logging, and auditing with useful tools
* Dives into audit logging, service accounts, user authentication, cluster access auditing, and more

## Events

[EKS Anywhere Deployed on VMware Complete with an API Gateway](https://www.meetup.com/Omaha-Amazon-Web-Services-Meetup/events/283889886/) - Omaha Amazon Web Services Meetup

[SoloCon 2022](https://hopin.com/events/solocon-2022/registration)
{{< eo >}}