Episode 67: Amazon EKS
Amazon Elastic Kubernetes Service, or EKS, provides a managed Kubernetes control plane that integrates seamlessly with AWS services. Kubernetes is a powerful open-source container orchestration system, but running it yourself means managing the control plane: the API server, etcd database, scheduler, and controllers. EKS removes that burden by running the control plane across multiple AWS Availability Zones for high availability, while customers focus on worker nodes and workloads. Beginners should picture this as a public transit authority: AWS maintains the rail network and traffic signals, while customers run the trains and choose what cargo or passengers they carry. This shared responsibility simplifies operations while preserving Kubernetes’s flexibility and portability.
A central design choice in EKS is how to run worker nodes. AWS offers managed node groups, where EC2 instances are provisioned, patched, and replaced automatically. Customers can also create self-managed node groups for full control, though this requires handling updates. A third option is Fargate profiles, which run pods directly on AWS-managed serverless infrastructure without managing EC2 instances at all. Beginners can see these as three housing options: renting managed apartments (managed nodes), building your own houses (self-managed), or using hotels that require no maintenance (Fargate). Each model balances control, effort, and simplicity.
EKS uses Kubernetes primitives like pods, deployments, and services. Pods are the smallest deployable units, encapsulating containers that share resources. Deployments manage rolling updates and replica counts, ensuring workloads scale and recover automatically. Services expose pods through stable IP addresses and load balancing, allowing applications to communicate reliably. Beginners should imagine pods as food trucks, deployments as the franchise manager deciding how many trucks operate, and services as the advertising campaign that directs customers to the right truck. These abstractions form the building blocks of Kubernetes, and EKS supports them natively.
Networking in EKS is powered by the Amazon VPC Container Network Interface, or CNI. This gives pods their own IP addresses from the VPC, making them first-class citizens in the network. It simplifies integration with other AWS services but introduces scaling considerations, as IP exhaustion can occur with large clusters. Beginners should picture this as assigning every resident of a city their own mailing address instead of sharing one building address. It makes delivery easy but requires careful city planning to avoid running out of street numbers. Pod-level IPs improve integration but demand subnet awareness.
Ingress traffic in EKS is often managed by the AWS Load Balancer Controller, which integrates with Application and Network Load Balancers. Developers define Ingress resources in Kubernetes, and the controller provisions AWS load balancers accordingly. This bridges Kubernetes-native APIs with AWS infrastructure. Beginners should see this as a receptionist translating customer requests into the right department within a company. Ingress provides flexibility, while the controller ensures AWS resources align with Kubernetes configurations automatically.
IAM Roles for Service Accounts, or IRSA, provide fine-grained AWS permissions to pods. Instead of giving worker nodes broad IAM roles, each pod can assume a role mapped to its Kubernetes service account. Beginners should picture this as giving each employee their own ID badge instead of a single master key for the entire office. IRSA ensures least privilege, improves security, and is a best practice for Kubernetes workloads on AWS. It’s a key integration point between AWS IAM and Kubernetes RBAC systems.
Persistent storage in EKS relies on container storage interface (CSI) drivers. The EBS CSI driver allows pods to mount block storage volumes for stateful applications like databases. The EFS CSI driver provides shared file storage across multiple pods, ideal for web content or analytics pipelines. Beginners should imagine EBS as a personal locker assigned to one person and EFS as a communal filing cabinet available to a team. These storage integrations ensure Kubernetes applications on EKS can persist data reliably.
Cluster add-ons provide essential services. CoreDNS handles service discovery inside the cluster, kube-proxy manages networking rules, and the metrics server provides resource usage data. These add-ons run as pods within the cluster, and EKS supports their lifecycle management. Beginners should think of these like city utilities: DNS is the phonebook, kube-proxy is the traffic signal system, and the metrics server is the electricity meter. Together, they make the Kubernetes “city” functional and observable.
Observability in EKS integrates with AWS Container Insights for metrics and logs, CloudWatch for monitoring, and X-Ray for distributed tracing. Logs from pods can be shipped centrally, while metrics reveal performance trends. Beginners should see this as dashboards in a control room: they don’t just monitor the trains running (pods), but also track delays, passenger counts, and bottlenecks. Without observability, Kubernetes clusters risk becoming opaque, so EKS ties them into AWS-native monitoring tools.
Security in EKS spans multiple layers. Role-based access control (RBAC) manages Kubernetes-level permissions. IAM integrates with IRSA for AWS resource access. Network segmentation uses security groups, VPC subnets, and Kubernetes network policies. Beginners should picture this as a secure office complex: keycards grant access to specific rooms, walls separate departments, and hallways have guards. By combining RBAC, IAM, and network segmentation, EKS enables strong multi-layered defenses in multi-tenant environments.
Version management is crucial. EKS supports multiple Kubernetes versions, with regular upgrades required to stay supported. AWS publishes a cadence of version deprecations, requiring teams to test and plan carefully. Beginners should see this like renewing passports: every few years, a new version is mandatory for continued travel. Falling behind risks incompatibility and loss of security updates. Staying current with Kubernetes versions is both an operational and security best practice.
Multi-tenant cluster considerations often come up with EKS. Teams may share clusters, separating workloads with namespaces, RBAC, and network policies. While this reduces overhead, it can also complicate security. Beginners should think of this as renting floors in a skyscraper: tenants share elevators and utilities, but walls and locks separate offices. Proper governance is essential to ensure noisy neighbors don’t interfere with one another. For highly regulated workloads, separate clusters may be safer.
The EKS cost model includes a flat fee for the control plane per cluster, plus compute, storage, and networking costs for worker nodes or Fargate pods. Unlike ECS, where control plane usage is free, EKS charges directly for cluster management. Beginners should picture this as paying for both the stadium (control plane) and the athletes (nodes). While the fee is modest compared to compute costs, it highlights that EKS is designed for teams committed to Kubernetes as a strategic platform, not just dabblers.
For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
Kubernetes relies on multiple layers of autoscaling, and EKS supports them all. The Cluster Autoscaler adds or removes worker nodes depending on pending pod demand, ensuring the underlying infrastructure matches workload needs. The Horizontal Pod Autoscaler, or HPA, scales pods in or out based on metrics like CPU or custom signals. The Vertical Pod Autoscaler, or VPA, adjusts resource requests for pods over time. Beginners should imagine running a restaurant: the HPA hires more waiters when customers arrive, the VPA adjusts tray size based on meal complexity, and the Cluster Autoscaler expands the dining hall itself. Together, these layers create elasticity at both the application and infrastructure level.
Deployment strategies in EKS mirror those in Kubernetes. Rolling updates replace pods gradually, minimizing downtime. Blue/green deployments allow new versions to run in parallel, with traffic redirected only after validation. Canary deployments test new versions on a small subset of users before full rollout. Beginners should picture this as theater performances: rolling updates replace actors one by one, blue/green builds an entire new cast before opening night, and canary invites a small audience to preview the show. Each approach balances speed, safety, and risk tolerance.
Ingress and service types are critical to exposing applications. Ingress provides fine-grained routing rules managed by controllers like the AWS Load Balancer Controller, while service types define how pods are reached. LoadBalancer services provision AWS ALBs or NLBs, NodePort services open static ports on nodes, and ClusterIP services keep access internal. Beginners should imagine a building: LoadBalancer is the front entrance with a receptionist, NodePort is a side door with a fixed address, and ClusterIP is an internal hallway. Knowing which to use keeps traffic secure and efficient.
Managing configuration and secrets in EKS relies on ConfigMaps and Secrets. ConfigMaps handle non-sensitive settings like environment variables, while Secrets store sensitive credentials. External secret stores like AWS Secrets Manager or Parameter Store integrate smoothly, avoiding hardcoding. Beginners should see ConfigMaps as sticky notes on desks, while Secrets are locked safes accessible only with permission. Externalizing configuration ensures workloads remain portable, secure, and manageable across environments.
Image sources in EKS typically come from Amazon ECR, which provides secure repositories and scanning. Pull policies in Kubernetes define whether pods always fetch new images or reuse cached ones. Beginners should picture this like grocery deliveries: sometimes you restock every day (Always), sometimes you only restock if shelves are empty (IfNotPresent). ECR combined with IAM permissions ensures images remain trusted and private, while pull policies strike a balance between freshness and efficiency.
Network policies add another layer of defense by restricting east-west communication within clusters. By default, pods can talk freely to each other, but network policies allow teams to restrict flows based on labels or namespaces. Beginners should imagine office floors with open hallways but adding doors that only allow specific employees through. Network policies reduce blast radius and align with zero-trust principles, especially in multi-tenant clusters where not every service should have unrestricted access.
Admission controllers provide guardrails for cluster security and consistency. They intercept API requests to validate, mutate, or deny configurations before they’re applied. Examples include requiring labels, blocking privileged pods, or enforcing resource limits. Beginners should picture these as security officers checking paperwork before workers enter a construction site. Admission controllers prevent misconfigurations at the door, ensuring clusters follow governance rules and reducing the risk of insecure deployments.
Large organizations often use multi-account or multi-Region patterns with EKS. Clusters may be separated by account for governance or compliance, while multi-Region deployments provide resilience and latency benefits. Cross-account registries and shared VPCs enable standardization. Beginners should compare this to a franchise operating in multiple cities: each store runs locally but follows corporate rules and uses shared supply chains. EKS scales beyond a single cluster, fitting into global and multi-account strategies.
Upgrading Kubernetes versions requires careful planning. A best practice is to test upgrades in staging clusters, roll changes to production in waves, and always have rollback strategies ready. Beginners should think of this as replacing parts in an airplane engine while it’s flying: you test on simulators first, update non-critical planes, and only then touch critical flights. Regular upgrades are unavoidable, so disciplined playbooks reduce risk while keeping clusters supported and secure.
Cost controls in EKS focus on right-sizing nodes and workloads. Oversized pods waste resources, while undersized clusters drive performance issues. Fargate pods offer flexibility by billing per pod rather than per node, reducing waste for sporadic workloads. Beginners should picture this as deciding between renting a banquet hall or booking seats individually. For large predictable events, halls make sense; for smaller or variable groups, individual seats are more cost-efficient. Cost-aware design ensures EKS stays efficient without losing flexibility.
Common pitfalls in EKS include IP exhaustion from pod-level IP assignments, mismatched IAM and RBAC roles causing access confusion, or overlooking network segmentation. Beginners should see these as city planning errors: running out of street addresses, issuing ID cards that don’t open the right doors, or building neighborhoods with no fences. These missteps are avoidable with awareness and planning but can cripple clusters if ignored.
The choice between ECS, EKS, and Lambda often comes down to ecosystem alignment. ECS is AWS-native and simpler, EKS appeals to organizations standardizing on Kubernetes across clouds, and Lambda is best for short-lived serverless functions. Beginners should imagine three transportation choices: ECS is AWS’s reliable train system, EKS is a global airline network compatible everywhere, and Lambda is a taxi that arrives on demand. Each is valuable, but the context of the workload determines the best fit.
From an exam perspective, learners should focus on recognizing EKS components and integrations. If the scenario highlights pods, deployments, or ConfigMaps, it’s Kubernetes. If it mentions IRSA, pod-level IPs, or ALB Ingress controllers, the answer is EKS. If the exam asks which service provides a managed Kubernetes control plane, EKS is the only correct response. Mapping these keywords quickly ensures efficient exam performance.
In conclusion, EKS provides Kubernetes portability while relieving teams of managing the control plane. With integrations like IRSA, EBS and EFS drivers, and Container Insights, it blends the power of Kubernetes with the stability of AWS. For learners, the takeaway is that EKS is chosen when Kubernetes is a strategic priority, offering consistency across clouds but leveraging AWS’s managed services for scale and security. It is the bridge between open-source Kubernetes and AWS-native container orchestration, empowering teams to run modern applications flexibly and reliably.
