+++
author = "AWS Kubernetes Developer Advocates"
categories = ["Archive", "2022", "Weekly"]
date = 2022-07-15T07:00:00Z
description = "#024 edition of the EKS newsletter"
draft = false
slug = "024"
title = "EKS News 024"
+++
<br/><br/><br/><br/>
While it's been a relatively quiet week newswise, there are a few interesting blogs in this edition including blog authored by [TheFork](https://thefork.com) on how they upgrade their EKS clusters.

## New and notable EKS blogs

* [Kubernetes cluster upgrade: the blue-green deployment strategy](https://aws.amazon.com/blogs/containers/kubernetes-cluster-upgrade-the-blue-green-deployment-strategy/)
  * Describes how [TheFork](https://thefork.com) performs cluster upgrades
  * Use B/G approach when there are breaking changes between Kubernetes and Istio releases
    * ALB target groups are used to shift traffic from the old cluster to the new
    * <https://medium.com/thefork/creating-our-piece-of-cloud-in-aws-fd4e30571682>
  * Use in-place when there are no breaking changes
  * This upgrade strategy helps TheFork keep their environments evergreen
  * Separate process for migrating stateful applications
  * See [Our Kubernetes journey at TheFork | by Quentin BERNARD | TheFork Engineering Blog | Medium](https://medium.com/thefork/our-kubernetes-journey-at-thefork-d0964ec275f3) for additional information

* [Policy management in Amazon EKS using jsPolicy](https://aws.amazon.com/blogs/containers/policy-management-in-amazon-eks-using-jspolicy/)
  * Walk through explaining how to use jsPolicy as a Policy as Code solution
  * Uses embedded JS in the manifest for the policy language
  * Similar to other PaC solutions, e.g. KubeWarden, Kyverno, OPA/Gatekeeper, etc.

* [Using Amazon EMR on Amazon EKS for transient EMR clusters | Containers](https://aws.amazon.com/blogs/containers/using-amazon-emr-on-amazon-eks-for-transient-emr-clusters/)
  * Explains why you might want to use EMR on EKS instead of spinning up ephemeral EMR clusters to run Spark jobs
    * Flexible logging options: can log to multiple backends, include CloudWatch, S3, and OpenSearch
    * Job monitoring with Kubernetes native monitoring tools
    * Autoscaling: EMR on EKS includes native support for Karpenter which right sizes the instance for the workloads running on it
    * Job dependency: specify job dependencies as part of the job definition rather than the cluster
    * Multi-tenancy: job templates allow you assign pod priority to specific time sensitive jobs
    * Resiliency and capacity: EMR on EKS supports multi-AZ deployments

## Containers from the Couch and other videos

* [KarpenScaling Kubernetes with Karpenter: Advanced Scheduling with Pod Affinity & Volume Topology Awarenesster](https://www.youtube.com/watch?v=bzyEfxE8MOU)
* [EKS Anywhere on Bare Metal](https://www.youtube.com/watch?v=RmZZ7Gr8kMw)

## Upcoming CTFC episodes

* [AWS Controllers for Kubernetes with MemoryDB](https://www.youtube.com/watch?v=sZKMkOcxf94), 7/14 3:00PM Eastern/12:00PM Pacific
* [Optimize your containers with slim.ai](https://www.youtube.com/watch?v=DA4ArZYJ1-E), 7/20 3:00PM Eastern/12:00PM Pacific

Please Subscribe to [**Containers from the Couch**](https://cftc.info/)

## Ecosystem News

* [Managing Kubernetes without losing your cool](https://marcusnoble.co.uk/2022-07-04-managing-kubernetes-without-losing-your-cool/)
  * 11 tips for managing Kubernetes environments
  * Tip #0 is to pay someone else to do it!
  * #4 recommends k9s but you might also want to consider [Lens](https://k8slens.dev/)
  * #6 recommends `kubectl debug` for debugging distroless containers and crash loops; this feature will be included in EKS v1.23
  * #8 if you're going to use admission webhooks to do "substractive access control", be sure to configure short timeouts to avoid overwhelming the API server and always fail open

* [New Vulnerabilities in the Kubernetes NGINX Ingress Controller](https://blog.lightspin.io/kubernetes-nginx-ingress-controller-vulnerabilities)
  * NGINX ingress is a popular target for hackers because it is commonly used (50% of Kubernetes clusters) and has high permissions (has a service account with permissions such as the ability to read all secrets within a cluster), making it easier for an attacker to move laterally within the environment
  * NGINX has undergone significant improvements since the latest vulnerabilities were discovered
  * Ultimately, the maintainers plan to fully separate the control plane from the data plane which should prevent lateral movements in the future
  * Upgrade to the latest version!

## For fun

* [Live Kubernetes Debugging: Fixes vs. Breakers](https://youtu.be/bQsubShHE94)
{{< eo >}}