AWS Case Study: Using KOPS to Run Kubernetes with CIS Benchmark AMIs
As an AWS Premier Consulting Partner, we are often asked about using the Kubernetes container management system within AWS. While Google created Kubernetes (K8s), Google’s Cloud Platform is generally seen as a better fit for running K8s clusters. However, until the recent re:Invent announcement of EKS, KOPS, the Kubernetes project for managing production-grade K8s clusters, was the best tool to deploy and manage K8s clusters in AWS. That brings us to the topic of today’s blog: a customer story of how we used KOPS to run AWS-based K8s clusters. Stay tuned for the second part of today’s AWS case study, in which we discuss the details of doing so with Ubuntu CIS benchmark images.
The customer we worked with on this project is a major US airline that approached the Flux7 DevOps team about migrating and replatforming several of its legacy, on-premises applications (many of which have high standards for uptime and resiliency) to AWS. The goal was to host the applications in an AWS-enabled framework, which the team at Flux7 helped implement in the form of its Enterprise DevOps Framework (EDF).
The engagement had three phases, as reflected by the EDF:
- Establish a solid landing zone
- Get services up and running in AWS
- Create a CI/CD Pipeline
Beginning with the landing zone, we implemented foundational AWS services like IAM and networking. We followed this step by deploying a Kubernetes cluster in AWS using KOPS. KOPS is an open source tool for deploying Kubernetes clusters in AWS. Within this first phase, we deployed Kubernetes clusters for Development, QA, and Production. For each environment, we worked hand-in-hand with the airline team to:
- Develop the KOPS config for the cluster. KOPS runs off a cluster spec file that is uploaded to an Amazon S3 bucket. KOPS then reads the spec from the S3 bucket and creates the cluster in a completely automated manner. Moreover, we version the KOPS config file, so if we ever need to make a change to the cluster it is a single commit.
- Use KOPS to create a K8s cluster with a private topology. KOPS supports both public and private cluster topologies in AWS; in this case, a private topology was the best fit, so we set up KOPS to launch all nodes in a private subnet in the VPC. Consequently, no nodes run in a public subnet.
- Configure KOPS to send logs to Amazon CloudWatch Logs.
- Use CIS benchmark images for the host OS, Ubuntu Linux, on which each Docker container runs. In line with Flux7’s security by design approach, building these Linux OS configuration guidelines into the solution helps the airline proactively safeguard against security threats.
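The three configuration points above (a versioned cluster spec, a private topology, and CIS-hardened AMIs for every node) are exactly the things that drift when someone edits a cluster by hand. The check below is an added example, not code from the original post or from the KOPS project: it audits the JSON that `kops get cluster -o json` and `kops get ig -o json` print for a cluster, and fails if any instance group is not on the approved AMI, if the topology is not private, or if a master or node instance group is placed in a non-private subnet. The sample documents embedded in it are constructed for illustration, the AMI ids are placeholders, and the handling of list-versus-object output shapes is an assumption about the kops output format rather than something the post states.

```python
"""Pre-flight audit of a kops cluster spec: private topology and approved CIS AMIs.

Added example (not from the original post or the kops project). Assumes the specs
were exported with:
    kops get cluster --name $NAME --state s3://$BUCKET -o json > cluster.json
    kops get ig      --name $NAME --state s3://$BUCKET -o json > ig.json
Run as:  python audit_kops.py cluster.json ig.json
"""
import json
import sys

# Placeholder for the id of the CIS-hardened Ubuntu AMI baked by the pipeline.
APPROVED_IMAGE = "ami-0000000000000000"
# Placeholder standing in for a stock, non-hardened AMI (used in the drift sample).
STOCK_IMAGE = "ami-ffffffffffffffff"

# Constructed sample: a cluster that matches the post's target state.
SAMPLE_CLUSTER = json.dumps({
    "kind": "Cluster",
    "metadata": {"name": "dev.example.internal"},
    "spec": {
        "topology": {"masters": "private", "nodes": "private", "dns": {"type": "Private"}},
        "subnets": [
            {"name": "us-east-1a", "type": "Private", "zone": "us-east-1a", "cidr": "10.20.32.0/19"},
            {"name": "utility-us-east-1a", "type": "Utility", "zone": "us-east-1a", "cidr": "10.20.0.0/22"},
        ],
    },
})
SAMPLE_IGS = json.dumps([
    {"kind": "InstanceGroup", "metadata": {"name": "master-us-east-1a"},
     "spec": {"role": "Master", "image": APPROVED_IMAGE, "subnets": ["us-east-1a"]}},
    {"kind": "InstanceGroup", "metadata": {"name": "nodes"},
     "spec": {"role": "Node", "image": APPROVED_IMAGE, "minSize": 3, "maxSize": 3, "subnets": ["us-east-1a"]}},
    {"kind": "InstanceGroup", "metadata": {"name": "bastions"},
     "spec": {"role": "Bastion", "image": APPROVED_IMAGE, "subnets": ["utility-us-east-1a"]}},
])

# Constructed sample of a drifted cluster: public nodes, public subnet, stock AMI.
DRIFTED_CLUSTER = json.dumps({
    "kind": "Cluster",
    "metadata": {"name": "qa.example.internal"},
    "spec": {
        "topology": {"masters": "private", "nodes": "public"},
        "subnets": [{"name": "us-east-1a", "type": "Public", "zone": "us-east-1a", "cidr": "10.30.32.0/19"}],
    },
})
DRIFTED_IGS = json.dumps([
    {"kind": "InstanceGroup", "metadata": {"name": "nodes"},
     "spec": {"role": "Node", "image": STOCK_IMAGE, "subnets": ["us-east-1a"]}},
])


def _documents(raw):
    """Normalise kops JSON output to a list of objects.

    Assumption: kops prints a single object, a bare list, or an {"items": [...]}
    wrapper depending on how many objects matched; accept all three.
    """
    data = json.loads(raw) if isinstance(raw, str) else raw
    if isinstance(data, list):
        return data
    if isinstance(data, dict) and isinstance(data.get("items"), list):
        return data["items"]
    return [data]


def audit_cluster(cluster_json, ig_json, approved_image=APPROVED_IMAGE):
    """Return a list of findings (empty list means the cluster passes)."""
    findings = []
    cluster = _documents(cluster_json)[0]
    name = cluster.get("metadata", {}).get("name", "<unnamed>")
    spec = cluster.get("spec", {})

    # 1. Both masters and nodes must use the private topology.
    topo = spec.get("topology", {})
    for role in ("masters", "nodes"):
        if topo.get(role) != "private":
            findings.append(f"{name}: topology.{role} is {topo.get(role)!r}, expected 'private'")

    # 2. No Public subnets: a private topology uses Private (nodes) and Utility (bastion/ELB) only.
    subnet_types = {s.get("name"): s.get("type") for s in spec.get("subnets", [])}
    for sname, stype in subnet_types.items():
        if stype == "Public":
            findings.append(f"{name}: subnet {sname} is Public; expected only Private/Utility subnets")

    # 3. Every instance group runs the approved CIS AMI, and masters/nodes sit in Private subnets.
    for ig in _documents(ig_json):
        ig_name = ig.get("metadata", {}).get("name", "<unnamed>")
        ig_spec = ig.get("spec", {})
        role, image = ig_spec.get("role"), ig_spec.get("image")
        if image != approved_image:
            findings.append(f"ig {ig_name}: image {image!r} is not the approved CIS AMI {approved_image!r}")
        if role in ("Master", "Node"):
            for sname in ig_spec.get("subnets", []):
                if subnet_types.get(sname) != "Private":
                    findings.append(f"ig {ig_name} ({role}): subnet {sname} has type "
                                    f"{subnet_types.get(sname)!r}, expected Private")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as c, open(sys.argv[2]) as g:
            result = audit_cluster(c.read(), g.read())
    else:  # no files given: run against the constructed drift sample
        result = audit_cluster(DRIFTED_CLUSTER, DRIFTED_IGS)
    for line in result:
        print("FAIL:", line)
    sys.exit(1 if result else 0)
```

Because the audit exits non-zero on any finding, it can sit as a gate in the same pipeline that commits the cluster spec, so a change that reintroduces a public subnet or a stock AMI fails before `kops update cluster --yes` is ever run.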
Implementing K8s clusters in Development, QA and Production environments allows the airline teams to effectively and efficiently deploy services. As a result, the next step was to replatform and migrate the company’s applications as services, getting them up and running in AWS.
Last, we built automated security auditing into the process. EDF inspectors (automated tools to monitor, log and inspect services) performed several functions. As mentioned above, KOPS was configured to forward logs to CloudWatch Logs. We also worked with the airline staff to configure the system so that application logs were forwarded from K8s to ELK, and also to a central syslog, ArcSight in this case. For monitoring, we set up the K8s Grafana app.
In all, we were able to harden the new AWS accounts, easily provision and update infrastructure with pipelines, bake new AMIs using a pipeline and run Kubernetes on CIS benchmark images for proactive AWS cloud security.
As demand for K8s clusters within AWS grows, KOPS is a significant tool in helping create highly available clusters with private topologies. And by all indications, the K8s cluster in AWS for this airline has proven foundational in its journey to migrate and refactor its legacy applications. Indeed, the AWS migration is viewed as a strong foundation to the firm’s future IT initiatives.