v7.0.0 : 2022, Bottlerocket, full encryption, SSM and more

[ArchiFleKs]

This is a major release, it took some time to have something clean. Lot's of changes.

Upstream modules

This release now use the latest Terrraform AWS EKS module in version 18 which had a lot of breaking changes

Bottlerocket support

Bottlerocket OS is available for node groups (see example here). Bottlerocket is a container centric OS with less attack surface and no default shell.

AWS Session Manager support

All the instances (Bottlerocket or Amazon Linux) are registered with AWS Session Manager. No SSH keys or SSH access is open on instances. Shell access on every instance can be given with SSM for added security.

aws ssm start-session --target INSTANCE_ID

From and to Zero scaling with EKS Managed Node Groups

tEKS support scaling to and from 0, even with using well know Kubernetes labels, there are a number of ongoing issues for support of EKS Managed node groups with Cluster Autoscaler. Thanks to automatic ASG tagging, tEKS adds the necessary tags on autoscaling group to balance similar node groups and allow you to scale to and from 0 and even to use well know labels such as node.kubernetes.io/instance-type or topology.kubernetes.io/zone . The logic can be extended to support other well known labels.

Automatic dependencies upgrade

We are using renovate to automatically open PR with the latest dependencies update (Terraform modules upgrade) so you never miss an upgrade and are always up to date with the latest features.

Enforced security

• Encryption by default for root volume on instances with Custom KMS Key
• AWS EBS CSI volumes encrypted by default with Custom KMS Key
• No IAM credentials on instances, everything is enforced with IRSA.
• Each addons is deployed in it's own namespace with sensible default network policies.
• Calico Tigera Operator for network policy.
• PSP are enabled but not enforced because of depreciation.

Out of the box logging

Three stacks are supported:

• AWS for Fluent Bit: Forward containers logs to Cloudwatch Logs
• Grafana Loki: Uses Promtail to forward logs to Loki. Grafana or a tEKS supported monitoring stack (see below) is necessary to display logs.

Out of the box monitoring

• Prometheus Operator with defaults dashboards
• Addons that support metrics are enable along with their serviceMonitor
• Custom grafana dashboard are available by default

Two stacks are supported:

• Victoria Metrics Stack: Victoria Metrics is a Prometheus alertnative, compatible with prometheus CRDs
• Kube Prometheus Stack: Classic Prometheus Monitoring

Long term storage with Thanos

With Prometheus, tEKS includes Thanos by default. Thanos
uses S3 to store and query metrics, offering long term storage without the costs. For more information check out our article on the CNCF Blog

Support for ARM instances

With either Amazon Linux or BottleRocket, you can use a mix of ARM and AMD64 instances. Check out our example

---

This discussion was created from the release v7.0.0 : 2022, Bottlerocket, full encryption, SSM and more.