+++
author = "AWS Kubernetes Developer Advocates"
categories = ["Archive", "2022", "Weekly"]
date = 2022-09-23T07:00:00Z
description = "#033 edition of the EKS newsletter"
draft = false
slug = "033"
title = "EKS News 033"
+++
<br/><br/><br/><br/>

## AWS Container Announcements

* [Announcing local clusters for Amazon EKS on Outposts](https://aws.amazon.com/about-aws/whats-new/2022/09/amazon-eks-outposts-local-clusters/)
  * Local clusters enable you to run the entire EKS cluster locally on Outposts, so you can mitigate the risk of application downtime that caused by temporary network disconnects to the cloud.
  * Local clusters run the same Kubernetes as EKS in the cloud, and automatically deploy the latest security patches to make it easier for you to maintain an up-to-date, secure cluster.
* [AWS Fargate increases compute and memory resource configurations by 4x](https://aws.amazon.com/about-aws/whats-new/2022/09/aws-fargate-increases-compute-memory-resource-configurations-4x/)
  * Launch pods that consume up to 16 vCPU and 120GB of memory, a 4x increase from before.

## AWS Container Blogs

* [Deploy your Amazon EKS cluster locally on AWS Outposts](https://aws.amazon.com/blogs/aws/deploy-your-amazon-eks-clusters-locally-on-aws-outposts/)
  * When nodes are disconnected from the control plane for awhile Kubernetes may consider them unhealthy and schedule them for replacement when the connection is reestablished. This may lead to application downtime when connectivity is restored.
  * Local clusters give you the ability to host your entire EKS cluster on Outposts. In this configuration, both the Kubernetes control plane and your worker nodes run on premises on your Outposts rack.
  * With local clusters, the cluster's API endpoint can only be accessed privately, i.e. from machines that are deployed in the same VPC as the cluster or over the local network via the Outposts local gateway with Direct VPC Routing.
  * The rest of the blog walks through how to create a local cluster on Outposts
* [Using Prometheus to Avoid Disasters with Kubernetes CPU Limits](https://aws.amazon.com/blogs/containers/using-prometheus-to-avoid-disasters-with-kubernetes-cpu-limits/)
  * A deep dive into Kubernetes' vCPU limits and their impact on application performance.
  * When using limits, it's a good idea to monitor `container_cpu_cfs_throttled_periods_total`. This metric gives you how many periods were throttled versus the total periods available `container_cpu_cfs_periods_total`. The cAdvisor metric called `container_cpu_cfs_throttled_seconds_total` gives you an idea how far over the quota the process is.
  * The blog [You can't have both high utilization and high reliability](https://home.robusta.dev/blog/kubernetes-utilization-vs-reliability/) offers a slightly different perspective on CPU requests/limits and the tradeoffs between HA and utilization.
* [Supply Chain Security on EKS using KMS, Kyverno, and Cosign](https://aws.amazon.com/blogs/opensource/supply-chain-security-on-amazon-elastic-kubernetes-service-amazon-eks-using-aws-key-management-service-aws-kms-kyverno-and-cosign/)
  * The Cloud Native Computing Foundation (CNCF) Security Technical Advisory Group (TAG) has published a whitepaper on [Software Supply Chain Security Best Practices](https://project.linuxfoundation.org/hubfs/CNCF_SSCP_v1.pdf), designed to provide the cloud native and open source communities with a holistic approach to architect a secure supply chain regardless of whether they are a software producer or consumer. This includes signing artifacts, e.g. container images, with a cryptographic key whose provenance can be verified.
  * This post demonstrates how to use Cosign with AWS KMS to generate a signed and verified public/private key pair. The solution uses a Kyverno ImageVerify policy to check the signature of container images and only allows containers that have been signed the KMS public key to run on the cluster.
* [Unified authorization for AWS with Styra Declarative Authorization Service: EKS Edition](https://aws.amazon.com/blogs/awsmarketplace/unified-authorization-aws-styra-declarative-authorization-service-eks-edition/)
  * A walk through that shows how to use OPA and Styra DAS to implement security guardrails on EKS
* [Introducing the ACK controller for Amazon Managed Service for Prometheus (AMP)](https://aws.amazon.com/blogs/mt/introducing-the-ack-controller-for-amazon-managed-service-for-prometheus/)
  * This post shows how to configure AMP resources via ACK, and how to migrate a Prometheus workload to use these newly provisioned resources.
  * Once a workspace has been successfully created and configured, you update the Prometheus configuration to remote write to the new AMP workspace.
* [Run Apache Spark with Amazon EMR on EKS backed by Amazon FSx for Lustre storage](https://aws.amazon.com/blogs/big-data/run-apache-spark-with-amazon-emr-on-eks-backed-by-amazon-fsx-for-lustre-storage/)
  * You can use Amazon EMR on EKS to run Apache Spark workloads on EKS. This service uses the Amazon EMR runtime for Apache Spark, which increases the performance of your Spark jobs so that they run faster and cost less.
  * While you can use EBS storage with EMR on EKS, some users are looking for an HDFS-like shared file system to handle specific workloads like time-sensitive applications or streaming analytics
  * FSx for Lustre is a fully managed shared storage service built on the world’s most popular high-performance file system. It offers highly scalable, cost-effective storage, which provides sub-millisecond latencies, millions of IOPS, and throughput of hundreds of gigabytes per second.
  * This post demonstrates how to use EMR on EKS to submit Spark jobs with FSx for Lustre for storing and retrieving data. It can be mounted on Spark driver and executor pods through static and dynamic PersistentVolumeClaims methods.
* [Design considerations for Amazon EMR on EKS in a multi-tenant Amazon EKS environment](https://aws.amazon.com/blogs/big-data/design-considerations-for-amazon-emr-on-eks-in-a-multi-tenant-amazon-eks-environment/)
  * This post illustrates how to configure and run EMR on EKS in a multi-tenant EKS cluster that can used by your various teams. In doing so, it looks at: network, resource management, cost management, and security.
* [Use AWS Network Firewall to filter outbound HTTPS traffic from applications hosted on Amazon EKS and collect hostnames provided by SNI](https://aws.amazon.com/blogs/security/use-aws-network-firewall-to-filter-outbound-https-traffic-from-applications-hosted-on-amazon-eks/)
  * This blog post shows how to set up an Amazon Elastic Kubernetes Service (Amazon EKS) cluster such that the applications hosted on the cluster can have their outbound internet access restricted to a set of hostnames provided by the Server Name Indication (SNI) in the allow list in the [AWS Network Firewall](https://aws.amazon.com/network-firewall/) rules.
  * This post also shows you how to use Network Firewall to collect hostnames of the specific sites that are being accessed by your application.
* [Integrating Kubecost with Amazon Managed Prometheus](https://aws.amazon.com/blogs/mt/integrating-kubecost-with-amazon-managed-service-for-prometheus/)
  * Kubecost now supports integration with Amazon Managed Prometheus. In this blog, the author walks through an example that shows how to configure Kubecost to use AMP.

## Videos

* [Deploy MetalLB in Kubernetes](https://www.youtube.com/watch?v=LMOYOtzpoXg)
* [Local Clusters for Amazon EKS on AWS Outposts](https://www.youtube.com/watch?v=zxTSKtQkF2M)
* [Kubernetes cluster autoscaler vs Karpenter](https://www.youtube.com/shorts/QMkhwpm9Zz0)
* [Kubernetes mutating vs. validating webhooks](https://www.youtube.com/shorts/iFYFZVzbibI)
* [A catalog of past and future CNCF webinars](https://community.cncf.io/cncf-online-programs/)

## Ecosystem News

* [Managing Kyverno policies as OCI Artifacts with OCIRepository sources](https://www.cncf.io/blog/2022/09/19/managing-kyverno-policies-as-oci-artifacts-with-ocirepository-sources/)
* [Kubernetes was never designed for batch jobs](https://betterprogramming.pub/kubernetes-was-never-designed-for-batch-jobs-f59be376a338)
  * A laundry list of the shortcomings of Kubernetes jobs for running batch workloads.
  * Advocates for better native support for batch workloads.
  * In the interim, you can consider using Volcano, Airflow, Argo Workflow, Spark, or AWS Batch for running batch jobs.
* [Now accepting CFPs for Kubecon EU, Amsterdam](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/)
* [Why fix Kubernetes and Systemd?](https://link.medium.com/YlfJL1t0rtb)
  * The scope of Kubernetes and systemd overlap in several places. This was among the main motivations behind [Aurae](https://docs.google.com/document/d/1dA591eipsgWeAlaSwbYNQtAQaES243IIqXPAfKhJSjU/edit#). The author believes that distributed systems, i.e. Kubernetes, should have more ownership of what is running on a node.
  * One of the goals of Aurae is to simplify systems that run on a node.
  * For additional information, see [Practice Systems Awareness](https://medium.com/@kris-nova/practical-systems-awareness-322faf092da2)
* [Introducing Wolfi – the first Linux (Un)distro designed for securing the software supply chain](https://www.chainguard.dev/unchained/introducing-wolfi-the-first-linux-un-distro)
* [An Open Source Approach to Self Hosting a GitOps Platform](https://kubefirst.io/blog/how-kubefirst-builds-kubernetes-platforms-in-8-steps)
* [GoNoGo Checks Kubernetes Add-ons Before an Upgrade](https://www.fairwinds.com/blog/gonogo-checks-kubernetes-add-ons)
* [How DoorDash Ensures Velocity and Reliability through Policy Automation](https://doordash.engineering/2022/09/20/how-doordash-ensures-velocity-and-reliability-through-policy-automation/)
  * This blog discusses how DoorDash leverages an open policy agent to build policy-based guardrails with codified rules that ensure velocity and reliability for cloud infrastructure automated deployments.

## GitHub Projects

* [Wolfi](https://github.com/wolfi-dev)

## For Fun

* [DALL-E](https://openai.com/dall-e-2/), a truly amazing AI model that translates text into works of art!
{{< eo >}}