An Amazon EKS cluster consists of two primary components:
The Amazon EKS control plane
The Amazon EKS control plane consists of control plane nodes that run the Kubernetes software, such as
etcdand the Kubernetes API server.
The control plane runs in an account managed by AWS, and the Kubernetes API is exposed via the Amazon EKS endpoint associated with customers cluster. Each Amazon EKS cluster control plane is single-tenant and unique, and runs on its own set of Amazon EC2 instances.
All of the data stored by the
etcdnodes and associated Amazon EBS volumes is encrypted using AWS KMS. The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the nodes (for example, to support
Amazon EKS nodes run in your AWS account and connect to customers cluster’s control plane via the API server endpoint and a certificate file that is created for their cluster.
There are two getting started guides available for creating a new Kubernetes cluster with nodes in Amazon EKS:
Getting started with eksctl – This getting started guide helps customers to install all of the required resources to get started with Amazon EKS using
eksctl, a simple command line utility for creating and managing Kubernetes clusters on Amazon EKS. This is the fastest and simplest way to get started with Amazon EKS.
Getting started with the AWS Management Console – This getting started guide helps customers to create all of the required resources to get started with Amazon EKS using the AWS Management Console.
Amazon EKS uses IAM to provide authentication to customers Kubernetes cluster (through the
aws eks get-tokencommand, available in version 1.16.156 or later of the AWS CLI, or the AWS IAM Authenticator for Kubernetes), but it still relies on native Kubernetes Role Based Access Control (RBAC) for authorization. This means that IAM is only used for authentication of valid IAM entities. All permissions for interacting with their Amazon EKS cluster’s Kubernetes API is managed through the native Kubernetes RBAC system.
What is elastic Kubernetes service?
Kubernetes is open source software that allows customers to deploy and manage containerized applications at scale. Kubernetes groups containers into logical groupings for management and discoverability, then launches them onto clusters of EC2 instances. Using Kubernetes customers can run containerized applications including microservices, batch processing workers, and platforms as a service (PaaS) using the same tool set on premises and in the cloud.
What is Docker
Docker is a software platform that allows customers to build, test, and deploy applications quickly. Docker packages software into standardized units called containers that have everything the software needs to run including libraries, system tools, code, and runtime. Using Docker, AWS customers can quickly deploy and scale applications into any environment and know their code will run.
Running Docker on AWS provides developers and admins a highly reliable, low-cost way to build, ship, and run distributed applications at any scale. AWS supports both Docker licensing models: open source Docker Community Edition (CE) and subscription-based Docker Enterprise Edition (EE).
Why do we need Kubernetes?
Kubernetes provisions and scales the the control plane, including the API servers and back end persistence layer, across multiple AWS availability zones for high availability and fault tolerance. Amazon EKS automatically detects and replaces unhealthy control plane nodes and provides patching for the control plane. Customers can run EKS using AWS Fargate, which is serverless compute for containers.
Fargate removes the need to provision and manage servers, lets them specify and pay for resources per application, and improves security through application isolation by design. Amazon EKS is integrated with many AWS services to provide scalability and security for your applications. These services include Elastic Load Balancing for load distribution, IAM for authentication, Amazon VPC for isolation, and AWS CloudTrail for logging.
How does Amazon EKS work?
Amazon EKS works by provisioning (starting) and managing the Kubernetes control plane and worker nodes for customers. At a high level, Kubernetes consists of two major components – a cluster of ‘worker nodes’ that run customers containers and the control plane that manages when and where containers are started on their cluster and monitors their status.
Without Amazon EKS, customers have to run both the Kubernetes control plane and the cluster of worker nodes themselves. With Amazon EKS, customers provision their worker nodes using a single command in the EKS console, CLI, or API, and AWS handles provisioning, scaling, and managing the Kubernetes control plane in a highly available and secure configuration. This removes a significant operational burden for running Kubernetes and allows customers to focus on building applications instead of managing AWS infrastructure.
Amazon EKS is a managed service that makes it easy for customers to run Kubernetes on AWS without needing to install, operate, and maintain their own Kubernetes control plane or nodes. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications.
Amazon EKS runs Kubernetes control plane instances across multiple Availability Zones to ensure high availability. Amazon EKS automatically detects and replaces unhealthy control plane instances, and it provides automated version upgrades and patching for them.
Amazon EKS is integrated with many AWS services to provide scalability and security for your applications, including the following:
- Amazon ECR for container images
- Elastic Load Balancing for load distribution
- IAM for authentication
- Amazon VPC for isolation
Benefits of Amazon Elastic Kubernetes service
EKS runs the Kubernetes management infrastructure across multiple AWS Availability Zones, automatically detects and replaces unhealthy control plane nodes, and provides on-demand, zero downtime upgrades and patching.
EKS supports AWS Fargate to provide server-less compute for containers. Fargate removes the need to provision and manage servers, lets customers specify and pay for resources per application, and improves security through application isolation by design.
EKS automatically applies the latest security patches to customers cluster control plane. AWS also works closely with the community to ensure critical security issues are addressed before new releases and patches are deployed to existing clusters.
Built with the Community
EKS runs upstream Kubernetes and is certified Kubernetes conformant, so applications managed by EKS are fully compatible with applications managed by any standard Kubernetes environment. AWS actively works with the Kubernetes community, including making contributions to the Kubernetes code base that help customers take advantage of AWS services and features.
AWS Fargate is a technology that AWS customers can use with Amazon ECS to run containers without having to manage servers or clusters of Amazon EC2 instances. With Fargate, they no longer have to provision, configure, or scale clusters of virtual machines to run containers. This removes the need to choose server types, decide when to scale their clusters, or optimize cluster packing.
When customers run their Amazon ECS tasks and services with the Fargate launch type or a Fargate capacity provider, the package they application in containers, specify the CPU and memory requirements, define networking and IAM policies, and launch the application. Each Fargate task has its own isolation boundary and does not share the underlying kernel, CPU resources, memory resources, or elastic network interface with another task.
Benefits of Amazon Fargate
- With Fargate, customer can focus on building and operating your applications whether they are running it with ECS or EKS. They only interact with and pay for your containers, and avoid the operational overhead of scaling, patching, securing, and managing servers. Fargate ensures that the infrastructure customers containers run on is always up-to-date with the required patches.
- Fargate launches and scales the compute to closely match the resource requirements customers specify for the container. With Fargate, there is no over-provisioning and paying for additional servers. Customers can also get Spot and Compute Savings Plan pricing options with Fargate just like with Amazon EC2 instances. Compared to On-Demand prices, Fargate Spot provides up to 70% discount for interrupt-tolerant applications, and Compute Savings Plan offers up to 50% discount on committed spend for persistent workloads.
- Individual ECS tasks or EKS pods each run in their own dedicated kernel runtime environment and do not share CPU, memory, storage, or network resources with other tasks and pods. This ensures workload isolation and improved security for each task or pod.
- With Fargate, customers get out-of-box observability through built-in integrations with other AWS services including Amazon CloudWatch Container Insights. Fargate allows them to gather metrics and logs for monitoring their applications through an extensive selection of third party tools with open interfaces.
Both ECS and EKS are AWS managed services. Thus the control plane is abstracted from customers, as such they don’t have any control nor visibility on the underlying instances that run those control planes. Amazon EKS
Using Amazon EKS, customers can deploy, manage, and scale containerized applications running on Kubernetes on AWS. Amazon EKS runs the Kubernetes management infrastructure for customers across multiple AWS Availability Zones to eliminate a single point of failure. Amazon EKS is certified Kubernetes-conformant, so customers can use existing tooling and plugins from partners and the Kubernetes community. Applications running on any standard Kubernetes environment are fully compatible and can be migrated to Amazon EKS.AWS customers pay $0.10 per hour for each Amazon EKS cluster that they create. They can use a single Amazon EKS cluster to run multiple applications by taking advantage of Kubernetes namespaces and IAM security policies. Customers can run EKS on AWS using either EC2 or AWS Fargate, and on premises using AWS Outposts.
If you are using EC2 (including with EKS managed node groups), you pay for AWS resources (e.g. EC2 instances or EBS volumes) you create to run your Kubernetes worker nodes. Customers only pay for what they use, as they use it; there are no minimum fees and no upfront commitments.
Amazon EKS on Fargate
For those customers who are using AWS Fargate, pricing is calculated based on the vCPU and memory resources used from the time they start to download their container image until the Amazon EKS pod terminates, rounded up to the nearest second. A minimum charge of 1 minute applies. See detailed pricing information on the AWS Fargate pricing page.
Amazon EKS on AWS Outposts
Amazon EKS on AWS Outposts pricing is simple and works the same as it does in the cloud: the Amazon EKS cluster is deployed in the cloud (not on Outposts) and customers pay $0.10 per hour. Their Kubernetes worker nodes run on the capacity provided by Outposts EC2 at no additional charge.
Amazon Elastic Container Service (Amazon ECS) allows customers to easily run, scale, and secure Docker container applications on AWS. Applications packaged as containers locally will deploy and run in the same way as containers managed by Amazon ECS. Amazon ECS eliminates the need to install, operate, and scale your own container orchestration and cluster management infrastructure, and allows them to focus on the resource needs and availability requirements of the containerized application.
Amazon ECS enables customers to grow from a single container to thousands of containers across hundreds of instances without creating additional complexity in how they run their application. AWS customers can run anything: applications, batch jobs, or microservices. Amazon ECS abstracts away all the complexity of the infrastructure so they can focus on designing, building, and running containerized applications.
There are two different charge models for Amazon Elastic Container Service (ECS). Amazon ECS on AWS Outposts follows the same model as EC2 Launch Type.
Fargate Launch Type Model
With Fargate, customers pay for the amount of vCPU and memory resources that their containerized application requests. vCPU and memory resources are calculated from the time they container images are pulled until the Amazon ECS Task* terminates, rounded up to the nearest second. A minimum charge of 1 minute applies.
EC2 Launch Type Model
There is no additional charge for EC2 launch type. AWS customers pay for AWS resources (e.g. EC2 instances or EBS volumes) they create to store and run your application. The only pay for what they use, as they use it; there are no minimum fees and no upfront commitments.