Building an Amazon EKS Cluster Preconfigured to Run Financial Workloads
Safeguard sensitive financial information and reduce administrative overhead with AWS Fargate
Olawale Olaleye
Amazon Employee
Published Jan 15, 2024
Last Modified Jul 25, 2024
In the realm of Open Banking, safeguarding sensitive financial information and upholding strict regulatory standards are paramount. Security isn't just a priority; it serves as the foundational cornerstone upon which trust and compliance are constructed. Enterprises must not only guarantee the security of their containerized applications but also streamline their management, all while minimizing administrative overhead. For sectors like Banking, where security is non-negotiable, the demand for simplified and robust cluster setups cannot be overstated. This tutorial equips organizations to precisely address this need. By harnessing the power of Amazon Elastic Kubernetes Service (EKS) in conjunction with Fargate — a serverless container compute engine free from conventional nodes—you can liberate yourself from the complexities of infrastructure management. Instead, you can establish highly secure Kubernetes clusters that seamlessly align with the rigorous security requirements of sectors like Open Banking.
This tutorial shows you how to create an AWS Fargate-based Amazon EKS cluster using an eksctl “quickstart” template. This use case-specific template creates and sets up a cluster preconfigured and ready to run your utmost security-sensitive workloads.
About | |
---|---|
✅ AWS experience | 200 - Intermediate |
⏱ Time to complete | 30 minutes |
🧩 Prerequisites | - AWS Account |
📢 Feedback | Any feedback, issues, or just a 👍 / 👎 ? |
⏰ Last Updated | 2024-01-15 |
Before you begin this tutorial, you need to:
- An active Amazon Web Services (AWS) account.
- Install and configure the latest version of the AWS CLI (v2). To check your version, run:
aws --version
. - Install the latest version of kubectl. To check your version, run:
kubectl version
. - Install the latest version of eksctl. To check your version, run:
eksctl info
.
This tutorial is part of a series on managing security-sensitive workloads using Amazon EKS, and it's dedicated to simplifying cluster management with AWS Fargate. This tutorial shows not only how to create an EKS cluster with Fargate but also how to manage your workloads on it. It covers the following components:
- Serverless Compute: AWS Fargate obviates the need for overseeing underlying infrastructure, sparing you from having to managed EC2 instances. Traditional Kubernetes deployments often involve manual provisioning, scaling, patching, and maintenance of these instances. With Fargate, AWS takes care of these tasks, reducing administrative overhead. When AWS Fargate creates a Fargate pod, it attaches an ENI in the isolated subnet to the pod.
- Authentication: Necessary IAM Roles for Service Accounts (IRSAs) mappings to enable communication between Kubernetes pods and AWS services. This includes the AWS Load Balancer Controller (LBC) used to expose applications, Kubernetes External DNS to automatically manage DNS records and facilitate external service discovery, and Cert Manager to streamline management of SSL/TLS certificates. Additionally, an OpenID Connect (OIDC) endpoint enables seamless and secure communication.
- Sample Application Deployment: Deploy a sample workload in an mTLS namespace. This workload encompasses the deployment of a sample application configured to use Fargate for the compute capacity.
- Networking Modes: Cluster endpoint access control lets you configure whether the endpoint is reachable from the public internet or through your VPC. You can enable the public endpoint (default), private endpoint, or both endpoints at the same time. You can change the endpoint settings at anytime using the EKS console or API. Disabling the public endpoint is mostly ideal for Financial workloads that intends to prevent unwanted connectivity from the internet.
- Control Plane Logging: Enable Amazon EKS control plane logging to provide audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs.
- Secret Encryption: Further encrypt Kubernetes secrets with KMS keys that you create or import keys generated from another system to AWS KMS and use them with the cluster. The KMS keys that you create are customer managed keys (CMK). This further encryption is considered a security best practice for applications that store sensitive data.
In this section, you will configure the Amazon EKS cluster to meet the specific demands of security-sensitive applications. By creating this
cluster-config.yaml
file, you'll define the settings for IAM roles for service accounts, your own AWS KMS key to enable secret encryption in your cluster, enabled all the available control log type that corresponds to the available components of the Kubernetes control plane and configure log retention for 60 days. you'll also create several Linux node pools provided by Fargate Profiles for the respective workloads in specified namespaces.- Create a Customer Managed Key (CMK) in the region you in intend to create the cluster to further encrypt your Kubernetes secrets. We will input the CMK into the create cluster command:
- Create a
cluster-config.yaml
file and paste the following contents into it. Replace theregion
with your preferred region. The region should be the same as the CMK created in earlier step.
Now, we're ready to create our Amazon EKS cluster. This process takes several minutes to complete. If you'd like to monitor the status, see the AWS CloudFormation console.
- Create the EKS cluster using the
cluster-config.yaml
.
Upon completion, you should see the following response output:
Note: The command above will create an Amazon EKS cluster with some pre-configured service accounts needed for the steps in the solution.
Optionally, open the Amazon EKS console, choose the ‘fg-security-quickstart’ and select the Compute tab. You will see that there are no Amazon EC2 nodes in the cluster, eliminating the possibility of logging into the nodes to install or configure packages.
When the previous command completes, verify the state of your cluster by running the following command:
The expected output should look like this:
Now, you're ready to deploy security-sensitive workloads to your Kubernetes cluster. The sample application that follows is a basic frontend web application that returns a text message. Copy and paste the following code block in its entirety into your terminal to create the sample workload:
Run the following commands to create the ‘mtls’ namespace and deploy the application:
After about 60 seconds, verify that the application is running on Fargate:
The expected output should look like this:
Run the commands below to create a test pod in the same namespace as the application:
Wait for about 60s for the pod to be in running state. Verify the application is successfully deployed:
Expected result:
Refer to the mTLS in Amazon EKS Fargate tutorial where we build onto this tutorial and explored how to enable Mutual TLS to authenticate clients while establishing TLS-encrypted connections—a common requirement for business-to-business applications.
To avoid incurring future charges, you should delete the resources created during this tutorial. You can delete the resources with the following commands:
In this tutorial, you’ve successfully set up an Amazon EKS cluster with only Fargate nodes. This infrastructure has laid the foundation you need for secured workload deployments with reduced risks and less administrative efforts in managing the cluster. To further tighten the security of the cluster, you can enable private only cluster endpoint. With private endpoint only enabled, all traffic to your cluster API server must come from within your cluster’s VPC or a connected network using AWS VPN or AWS DirectConnect. There is no public access to your API server from the internet. Any
kubectl
commands must be executed from within the VPC or a connected network. To build on this setup, the installation of the ExternalDNS, AWS Load Balancer Controller and Fargate logging are still required. For an example, explore the tutorial on setting up mTLS in Amazon EKS Fargate.Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.