Congratulations to the maintainers of the Karpenter project!
The Karpenter project graduated to beta on 1st Nov, 2023. This is a major milestone for the Karpenter project.
We were very early adopters of Karpenter and have collaborated extensively with our customers and AWS to ensure that Karpenter works seamlessly for their EKS clusters when used with the Rafay Kubernetes Management platform. In this blog, we will describe the benefits of Karpenter and how our customers use Karpenter with Rafay.
As the threat landscape for Kubernetes environments continues to evolve, it is essential to take steps to continuously monitor your clusters for malicious activity. As part of security best practices for EKS, it is critical for organizations to implement a solution for continuously monitoring EKS runtimes, analyzing EKS audit logs, scanning for malware and other suspicious activity. Guardduty uses continuously updated threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment. This can include issues like escalation of privileges, use of exposed credentials, or communication with malicious IP addresses, domains, presence of malware on your Amazon EC2 instances and EKS container workloads, or discovery of suspicious API activity.
GuardDuty provides an EKS managed add-on that helps you detect and respond to threats by continuously monitoring your EKS clusters. With Rafay Platform, you can easily configure and manage GuardDuty for your EKS clusters, and monitor its findings from the AWS Console.
In October 2023, the Rafay team participated at HashiConf 2023 in San Francisco. We had several users ask us last week about our thoughts on the conference itself and things we presented and demonstrated. In this blog, we will briefly describe our learnings and observations from this major conference.
In late Sep 2023, we had the opportunity to speak, present and participate at DevOpsCon 2023 in New York City. In this blog, we will briefly describe what we presented at the conference and our observations about the event itself.
DevOpsCon is a global conference focused on CI/CD, Kubernetes Ecosystem, Agile & Lean Business. If you live outside the United States, you may want to attend one of their conferences in other cities such as Munich, Singapore, London and Berlin.
This year's conference in New York was held at the Marriott near Brooklyn Bridge which is a fantastic location, literally right across from the Brooklyn Bridge and NYU Engineering.
Our goals at this conference were very simple.
Educate the attendees about various approaches for secure access to Kubernetes clusters and their pros/cons.
Attend other sessions, meet practitioners and learn about their challenges and how they are solving these.
Imagine this scenario: your clusters, the backbone of your infrastructure, are currently running worker nodes based on an older AMI version. An alarming email from the security team informs you that the AMI ID being used has serious security vulnerabilities. The urgency to address issues like this becomes paramount because these pose a direct threat to the integrity and security of your infrastructure.
Critical security issues like this call for the ability for quick action. How can nodes across all clusters be updated quickly?
Scenarios like this are exactly why we have invested heavily in developing the Fleet Plans functionality. This can help you identify and update all of the impacted worker nodes in various clusters smoothly in this situation.
sequenceDiagram
autonumber
participant admin as Admin
participant rafay as Rafay
rect rgb(191, 223, 255)
Note over admin,rafay: Upgrades of Insecure AMIs
admin->>rafay: Identify Impacted EKS Clusters <br> (Input = AMI ID)
admin->>rafay: Create Fleet Plan <br> (Impacted Clusters)
admin->>rafay: Execute Fleet Plan
admin->>rafay: Verify all EKS clusters <br>in fleet are using new AMI
end
In our recent release, we added support for in-place upgrades of your EKS clusters provisioning based on Kubernetes v1.27.
Our customers have shared with us that they would like to provision new EKS clusters using new Kubernetes versions so that they do not have to plan/schedule for Kubernetes upgrades for these clusters right away. As a result, we generally introduce support for new cluster provisioning for the new Kubernetes version first and then follow up with support for zero touch in-place upgrades.
Note
Organizations that wish to perform sophisticated checks for API deprecation etc are strongly recommended to use Rafay's Fleet Operations for Amazon EKS.
Our recent release update adds support for a number of new features and enhancements. This blog is focused on support for Kubernetes v1.28 with Rafay MKS (i.e. upstream Kubernetes for bare metal and VM based environments).
Both new cluster provisioning and in-place upgrades of existing clusters are supported. As with most Kubernetes releases, this version also deprecates and removes a number of features. To ensure there is zero impact to our customers, we have made sure that every feature in the Rafay Kubernetes Operations Platform has been validated on this Kubernetes version.
Rafay is a Kubernetes management platform that enables platform teams automate the entire lifecycle of K8s clusters, including provisioning, scaling, upgrading, and monitoring. For companies that are embracing a multi-cloud approach, visibility and effective monitoring of clusters require use of disparate tools. Rafay provides various tools and features to centralize manage the cluster estate and track the performance, health, and resource utilization of your Kubernetes clusters and workloads.
Here are some key aspects of Rafay's monitoring solution:
Azure recently added support for Kubernetes v1.27 for AKS clusters. Customers can now use Rafay to provision new AKS clusters based on Kubernetes v1.27 as well.
This version of AKS was Generally Available (GA) starting July 2023 and go end of life in July 2024 i.e. with a 12 month support runway.
Note
Customers have shared with us that they would like to provision new AKS clusters based on new Kubernetes versions so that they do not have to plan/schedule for Kubernetes upgrades for these clusters right away. For the last few releases, we have introduced support for new cluster provisioning for the new Kubernetes version first and then follow up with support for zero touch in-place upgrades.
Amazon Elastic Kubernetes Service (EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes. Kubernetes clusters require a Container Network Interface (CNI) that is responsible for cluster networking. One of the options available with EKS is the Amazon VPC CNI, which allows your Kubernetes Pods to utilize IP Addresses defined within your VPCs Subnets. While this provides more control and flexibility to businesses, it also comes with its own set of challenges.
While the benefits of managing and customizing the Amazon VPC CNI on EKS are significant, it’s important to note that the process can be challenging and time consuming, particularly if you lack experience with kubernetes or Amazon's VPC and its resources.
This is where Rafay’s EKS integration can come in handy. In this blog, we'll explore how Rafay’s Platform can address pain points and simplify the management process.