+++
author = "AWS Kubernetes Developer Advocates"
categories = ["Archive", "2022", "Weekly"]
date = 2022-03-25T07:00:00Z
description = "EBS CSI driver goes GA, managing scheduling constraints with Karpenter, what the NSA and CISA left out of its Kubernetes Hardening Guide, and more"
draft = false
slug = "012"
title = "EKS News 012"
+++
<br/><br/><br/><br/>
If you haven't heard by now, [Dockershim is being removed](https://k8s.io/dockershim) in the Kubernetes 1.24 release. This week fellow Amazon EKS Developer Advocate, Justin Garrison, released a very handy tool to help customers and the greater Kubernetes ecosystem find where Dockershim is in use. [**Detector for Docker Socket (DDS)**](https://github.com/aws-containers/kubectl-detector-for-docker-socket) is a `kubectl` plugin that allows folks to scan their running clusters or manifest files for docker socket usage. Supported workload types at the time of publishing are Pods, Deployments, StatefulSets, DaemonSets, Jobs, CronJobs. The tool is smart enough to scan the component that spun up the pods being run as part of the aforementioned components. You can install the plugin using [`krew`](https://krew.sigs.k8s.io/) and there are some examples you can spin up on your cluster to make sure the tool is working properly. Go ahead and kick the tires on [**DDS**](https://github.com/aws-containers/kubectl-detector-for-docker-socket) today and let us know what you think!

This week we'll discuss the EKS add-on for EBS CSI driver, managing scheduling constraints with Karpenter, what the NSA and CISA left out of their Kubernetes Hardening Guide, and more.

## New service announcements and features

[EKS add-ons support for EBS CSI driver is now generally available](https://aws.amazon.com/about-aws/whats-new/2022/03/eks-add-ons-ebs-csi-driver-available/)

* The [Elastic Block Store (EBS)](https://aws.amazon.com/ebs/) CSI driver provides a CSI interface used by container orchestrators to manage the lifecycle of Amazon EBS volumes
* EKS add-ons support now includes Windows compatibility, dynamic snapshotting and resizing of EBS volumes via the Kubernetes API, and backwards compatibility with the in-tree EBS driver
* The EBS CSI driver can be installed, managed, and updated directly through the EKS console, CLI, and API.

## New and notable blogs

[MYCOM OSI's Amazon EKS adoption journey](https://aws.amazon.com/blogs/containers/mycom-osis-amazon-eks-adoption-journey/)

* Assurance Cloud Service (ACS) SaaS platform runs as a complex set of telecommunication network and service assurance applications that communication service provider (CSP) customers use in their mission-critical network/service operations centers (NOC/SOC)
* The ACS runtime needs to be deployed in a cell-based architecture with fully isolated zero-trust tenants for each subscriber
* Adopted [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/) because it gave them a way of declaring a wide range of AWS resources we needed, including EKS and add-on such as [Flux](https://github.com/aws-samples/aws-cdk-eks-fluxv2-example), using well-known general-purpose programming languages
* With GitOps and AWS CDK, they could initialize the EKS control plane and bootstrap the tenant add-ons and platform services from the very start
* By using EKS, various k8s add-ons, and other AWS cloud features, MYCOM OSI was able to lower costs and improve the flexibility of their ACS SaaS platform

[Managing Pod Scheduling Constraints and Groupless Node Upgrades with Karpenter in Amazon EKS](https://aws.amazon.com/blogs/containers/managing-pod-scheduling-constraints-and-groupless-node-upgrades-with-karpenter-in-amazon-eks/)

* "This blog post will walk you through all of the steps to make this possible, and assumes you have an in-depth understanding of [Amazon Elastic Kubernetes Service (Amazon EKS)](https://aws.amazon.com/eks/) and [Karpenter](https://karpenter.sh/)."
* "Karpenter is a high-performance Kubernetes cluster autoscaler that can help you autoscale your groupless nodes by letting you schedule layered constraints using the Provisioner API. Karpenter also makes node upgrades easy through the node expiry TTL value `ttlSecondsUntilExpired`."
* "[U]pgrade node behavior for the nodes launched by Karpenter by enabling the node expiry time `ttlSecondsUntilExpired` with the provisioner API."

## Containers from the Couch

[Short: Detector for docker socket](https://www.youtube.com/shorts/tc9CKLnAQgU)

[Amazon EKS Explained](https://youtu.be/E956xeOt050)

* In this explainer, Sai outlines the advantages of using a managed Kubernetes service like EKS over self-managing Kubernetes.
* Cluster Auto-scaling with Karpenter
* EKS Addons and more

[Kubernetes workload requests and limits with Goldilocks](https://youtu.be/DfmQWYiwFDk)

* Figuring out how much CPU and memory your container needs is difficult
* The open source project Goldilocks helps simplify that
* Figures out how much CPU and memory your application uses so you can set the proper limits

Please Subscribe to [**Containers from the Couch**](https://containersfromthecouch.com/)

## Ecosystem News

[Kubernetes Release Cadence Survey 2022](https://www.surveymonkey.com/r/k8s-cadence-2022)

* SIG Release is continuing to solicit feedback on the Kubernetes Release change cadence
* "WHO SHOULD FILL OUT THIS SURVEY: Kubernetes project contributors. Users of Kubernetes. Staff of companies that use, resell, and/or host Kubernetes."
* Please help upstream figure out what's best for the wider community

[`COPY --chmod` reduced the size of my container image by 35%](https://blog.vamc19.dev/posts/dockerfile-copy-chmod/)

* "I've written a lot of Dockerfiles with shell scripts in COPY and chmod in RUN"
* "I'm using ubuntu:21.10 as the base image, which is about 70MB. The binary I'm running is about 80MB. Other packages I'm installing would add 10-ish MB. But the image size is 267MB?"
* When changing file metadata in a single Dockerfile line, remember inodes are being modified and that will result in making a new layer in a given image

[What the NSA and CISA Left Out of Their Kubernetes Hardening Guide](https://www.tremolosecurity.com/post/what-the-nsa-and-cisa-left-out-of-their-kubernetes-hardening-guide)

* The Kubernetes Hardening Guide "doesn't provide much depth on authentication and authorization in Kubernetes or guidance on how to implement it. This post will fill in that gap."
* "It's important that you dive deeper into how you authenticate your users and authorize access to resources then what the hardening guide provides."
{{< eo >}}