Managing Kubernetes Clusters in Hybrid Cloud Environments with Amazon EKS and D2iQ Kommander

By Ravi Yadav, Director, Ecosystem, Corporate Development & Strategy at D2iQ

Though containers vastly simplify the distribution of applications, Kubernetes ecosystems are so powerful that they, in turn, can become complex. This is particularly true in hybrid cloud environments.

D2iQ Kommander simplifies Kubernetes container management, including governance, workload configuration, and life cycles. This post explains how to take advantage of D2iQ Kommander’s capabilities on Amazon Web Services (AWS).

To continuously innovate, many organizations are anchoring their infrastructure on container management solutions. The open source project Kubernetes is now the de facto standard for container management, and its popularity is growing in a number of ways.

Here are some stats from a 2019 Cloud Native Computing Foundation (CNCF) survey:

84% of organizations are running containerized applications in production, a 15% increase from 2018.
78% of enterprise companies are running Kubernetes in production environments, a 58% jump from 2018.
38% of organizations employ a hybrid cloud strategy, a capability that can be bolstered by Kubernetes adoption.

Kubernetes delivers great promise for automating deployment tasks, scaling application resources, and operating containers. However, most organizations don’t have a clear picture of how Kubernetes solutions fit into a hybrid or multi-cloud architecture or their managed services.

D2iQ is an AWS Partner Network (APN) Select Technology Partner with the AWS Containers Competency. We offer a full suite of enterprise-grade technologies, services, training, and support offerings.

D2iQ Kommander provides a single control plane for federated cluster management, lifecycle automation, and service delivery. It’s particularly helpful with managed container services on AWS.

For instance, Amazon Elastic Kubernetes Service (Amazon EKS) makes it easy to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane.

By running D2iQ Kommander on AWS, you can quickly deploy a secure and conformant Kubernetes cluster on Amazon EKS, and attach it to Kommander for central visibility and control across your public cloud and on-premises environments.

Navigating the Container Management Landscape

Organizations see the benefits of cloud-native practices and want to leverage them within their own business, but keeping up and managing a fast-moving ecosystem is a challenge. More specifically, it’s difficult to find a consistent way to manage container workloads across on-premises and cloud environments.

Hundreds of Kubernetes providers and adjacent cloud-native technical integrations have emerged since Kubernetes was first released in 2014. The result is a cluster and service sprawl across environments, with significant operational waste from redundant configuration and management efforts.

In addition, limited centralized policy management and access controls leave organizations unable to ensure governance and control while still providing developer flexibility.

D2iQ Kommander is a federated management plane that delivers unified control over a wide expanse of Kubernetes resources. It delivers scale, consistency, governance, and operational efficiency for disparate Kubernetes clusters across on-premises and cloud footprints.

In addition to providing visibility across clusters such as Amazon EKS, Kommander enables a centralized, federated view of the add-ons used to provide security, monitoring, authentication, and workload scalability around heterogeneous environments.

This visibility helps to ensure successful operations on Day Two, at scale. It also simplifies the task of ensuring the consistent use of approved versions of add-ons for sprawling Kubernetes environments, improving the security posture of the clusters.

You can see in Figure 1 an example of how Kommander provides a consistent and consolidated view of your Kubernetes clusters, their resources, and their overall health.

D2iQ-Kubernetes-1.3

Figure 1 – Kommander provides a consolidated view of your Kubernetes clusters.

Installing Kommander on Amazon EKS

This process involves two major steps:

Install Kommander.
Connect Amazon EKS clusters to Kommander.

Step 1: Install Kommander

Kommander supports both Konvoy and non-Konvoy clusters. Currently, installing Kommander also installs Konvoy.

Download Konvoy

Follow these instructions to download the latest version of Konvoy.
Download the tarball to your local downloads directory. For example, if you are installing on MacOS, download the compressed archive to the default ~/Downloads directory. Afterward, extract the tarball to your local system by running the following command:

tar -xf ~/Downloads/konvoy-kommander_darwin.tar.bz2

Copy the Konvoy package files

Copy the Konvoy package files to a directory in your user’s PATH to ensure you can invoke the konvoy command from any directory. For example, copy the package to /usr/local/bin/ by running the following command:

sudo cp ~/Downloads/darwin/konvoy-kommander.tar.bz2/* /usr/local/bin/

Check Konvoy’s version

Use the version command and validate it matches the latest version of Konvoy.

konvoy --version

Launch Konvoy

Once you have the latest version of Konvoy, move into the directory where you would like to test and run:

konvoy up

Try Kommander

After you provision your first Konvoy cluster, your username, password, and a URL to Konvoy will be printed to the command-line. Once in Konvoy, select the Try Kommander! button.
Figure 2 shows an example of the Konvoy dashboard, which displays the health and version details of your cluster.

Figure 2 – Konvoy dashboard showing the health of the cluster.

Step 2: Connect Amazon EKS Clusters to Kommander

To connect your Amazon EKS clusters to Kommander, follow the steps below.

Create an Amazon EKS cluster

Follow these instructions in the AWS documentation to create an Amazon EKS cluster.

Create a service account for Kommander

Use the following Kommander script to create a special service account on the Amazon EKS cluster dedicated to Kommander access.
The script also creates the matching kubeconfig file for the newly-created service account, which you’ll use to attach the Amazon EKS cluster to Kommander.

#!/bin/bash

set -euo pipefail

WORKINGDIR="$(mktemp -d)"
CONFIGFILE="kubeconfig"
KCONFIG="${WORKINGDIR}/${CONFIGFILE}"
SERVICE_ACCOUNT_NAME="kommander-admin"
SERVICE_ACCOUNT_NAMESPACE="kube-system"

echo $KCONFIG
touch $KCONFIG

SERVICE_ACCOUNT_NAME="$(cat << EOF | kubectl create -f - -o go-template='{{.metadata.name}}'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  generateName: ${SERVICE_ACCOUNT_NAME}-
  namespace: ${SERVICE_ACCOUNT_NAMESPACE}
EOF
)"

cat << EOF | kubectl create -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SERVICE_ACCOUNT_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: ${SERVICE_ACCOUNT_NAME}
  namespace: ${SERVICE_ACCOUNT_NAMESPACE}
EOF

SERVICE_ACCOUNT_SECRET_NAME=""
until [[ "${SERVICE_ACCOUNT_SECRET_NAME}" =~ ${SERVICE_ACCOUNT_NAME}-token-* ]]
do
    SERVICE_ACCOUNT_SECRET_NAME="$(kubectl get sa ${SERVICE_ACCOUNT_NAME} --namespace kube-system -o go-template\='{{(index .secrets 0).name}}')"
done

CLUSTER_NAME="$(kubectl config current-context)"
CACRT="$(kubectl -n ${SERVICE_ACCOUNT_NAMESPACE} get secret ${SERVICE_ACCOUNT_SECRET_NAME} -o go-template='{{index .data "ca.crt"}}' | base64 -D)"
USERTOKEN="$(kubectl -n ${SERVICE_ACCOUNT_NAMESPACE} get secret ${SERVICE_ACCOUNT_SECRET_NAME} -o go-template='{{index .data "token"}}' | base64 -D)"
ENDPOINT=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")

echo -n "$CACRT" > ${WORKINGDIR}/ca.crt
kubectl config set-cluster "${CLUSTER_NAME}" \
    --kubeconfig="${KCONFIG}" \
    --server="${ENDPOINT}" \
    --embed-certs=true \
    --certificate-authority="${WORKINGDIR}/ca.crt"
kubectl config set-credentials "${SERVICE_ACCOUNT_NAME}@${CLUSTER_NAME}" \
    --kubeconfig="${KCONFIG}" \
    --token="${USERTOKEN}"
kubectl config set-context "${SERVICE_ACCOUNT_NAME}@${CLUSTER_NAME}" \
    --kubeconfig="${KCONFIG}" \
    --cluster="${CLUSTER_NAME}" \
    --user="${SERVICE_ACCOUNT_NAME}@${CLUSTER_NAME}" \
    --namespace="${SERVICE_ACCOUNT_NAMESPACE}"

kubectl config use-context "${SERVICE_ACCOUNT_NAME}@${CLUSTER_NAME}" --kubeconfig="${KCONFIG}"

echo "...done!"
echo -e "---\nkubeconfig available at: ${WORKINGDIR}/${CONFIGFILE}"

Copy ‘kubeconfig’ to Kommander

Once the script finishes running, copy its output to Kommander’s Connect Cluster page.
Once you create a service account on your connected cluster, you’ll have to manage the service account. If you disconnect the cluster at any point, the service account and credentials will inherently remain usable from the Kubernetes API perspective until you remove them manually.
This script may not work “out of the box” in some environments and you may need to modify it for your environment. Alternatively, you can use the script as a guide to run the necessary commands yourself.

Add the Amazon EKS cluster to Kommander

Go to the Kommander clusters view and select Add Cluster.

Attach the cluster

From the Add Cluster options, select Attach Cluster.

Paste the ‘kubeconfig’ file

In the Attach Cluster dialog, paste the kubeconfig file created by the earlier script run.

Figure 3 – Attach cluster dialogue detailing how to provide the cluster’s connection details.

Submit the ‘kubeconfig’ file

Once you paste the kubeconfig file into the window, click Submit. The summary for the cluster appears in the card view.
This operations dashboard provides instant visibility and operational efficiency into Kubernetes clusters.

D2iQ-Kubernetes-4.1

Figure 4 – Kommander clusters dashboard shows the Amazon EKS environment.

Conclusion

Containerized application development has taken root in the enterprise, with 87 percent of organizations running containerized applications. However, the very popularity of the Kubernetes ecosystem can lead to significant operational challenges in hybrid cloud environments.

D2iQ Kommander makes it easy to handle centralized governance, workload configuration, and lifecycle management of Kubernetes clusters. Set it up on Amazon EKS to manage your Kubernetes clusters across a broad range of cloud and on-premises environments.

The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.

.

.

D2iQ – APN Partner Spotlight

D2iQ is an AWS Containers Competency Partner. It offers a full suite of enterprise-grade technologies, services, training, and support offerings. D2iQ Kommander provides a single control plane for federated cluster management, lifecycle automation, and service delivery.

Contact D2iQ | Solution Overview

*Already worked with D2iQ? Rate this Partner

*To review an APN Partner, you must be an AWS customer that has worked with them directly on a project.