
AWS Service Operator for Kubernetes Now Available - SoapSeller
https://aws.amazon.com/blogs/opensource/aws-service-operator-kubernetes-available/
======
bearforcenine
> _we need to set up a way to manage AWS IAM credentials to Kubernetes pods...
> In a production system, this should be done using a tool such as kube2iam or
> kiam..._

I am curious if AWS has any plans to build an IAM integration for K8s that
provides IAM credentials/roles directly to pods. An integration through EKS or
K8s directly would make interacting with AWS resources very easy.

Being able to authenticate to the K8s cluster using
[https://github.com/kubernetes-sigs/aws-iam-authenticator](https://github.com/kubernetes-sigs/aws-iam-authenticator)
is nice, but it doesn't help give pods IAM roles.

~~~
twalla
[https://github.com/jtblin/kube2iam](https://github.com/jtblin/kube2iam) is
probably what you're looking for, it uses iptables to allow/disallow pods
requests to the ec2 metadata service based on kubernetes annotations

in fact, if you check out the source (located here:
[https://github.com/awslabs/aws-service-operator](https://github.com/awslabs/aws-service-operator))
it's recommended to use kube2iam

edit: haven't fully read the article yet but if the operator supports managing
IAM roles thru a CRD you could potentially create the role and attach it via
annotation in one go.

double edit: looks like IAM roles aren't directly supported yet, the following
is what appears to be supported:

- cloudformation templates
- dynamodb
- s3
- sns subscriptions and topics
- sqs queues
- ecr repos
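An added example (not from the article, the operator project, or the commenter) of the pattern described above: kube2iam runs as a privileged DaemonSet on every node, installs an iptables DNAT rule so that pod traffic to the EC2 metadata endpoint 169.254.169.254 lands on kube2iam instead, and answers credential requests with the role named in the pod's `iam.amazonaws.com/role` annotation. The account id, role names, namespace, image and CNI interface name are constructed placeholders; the flag names follow the kube2iam README as I recall it and should be checked against the version you deploy. The namespace annotation `iam.amazonaws.com/allowed-roles` together with `--namespace-restrictions` is the control that stops one team's pods from claiming another team's role; the ServiceAccount and ClusterRole kube2iam itself needs (list/watch on pods and namespaces) are in the project's README and omitted here.

```yaml
# Added example: kube2iam as a DaemonSet plus a workload that requests a role
# through a pod annotation. Account id, role names, image and interface name
# are constructed placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  annotations:
    # Only roles matching these patterns may be assumed by pods in this namespace.
    iam.amazonaws.com/allowed-roles: |
      ["payments-*"]
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube2iam
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: kube2iam
  template:
    metadata:
      labels:
        app: kube2iam
    spec:
      hostNetwork: true             # must sit in the node's network namespace
      serviceAccountName: kube2iam  # RBAC for this SA is in the kube2iam README
      containers:
        - name: kube2iam
          image: jtblin/kube2iam:latest   # pin a digest in production
          args:
            - --app-port=8181
            - --base-role-arn=arn:aws:iam::111122223333:role/   # placeholder account
            - --iptables=true           # install the DNAT rule for 169.254.169.254
            - --host-ip=$(HOST_IP)
            - --host-interface=cni0     # placeholder; depends on the CNI in use
            - --node=$(NODE_NAME)
            - --namespace-restrictions=true  # honour allowed-roles per namespace
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - containerPort: 8181
              hostPort: 8181
          securityContext:
            privileged: true          # required to edit the node's iptables
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ledger
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ledger
  template:
    metadata:
      labels:
        app: ledger
      annotations:
        # kube2iam appends this to --base-role-arn and assumes it for the pod.
        iam.amazonaws.com/role: payments-ledger
    spec:
      containers:
        - name: ledger
          image: example.invalid/ledger:1.0   # placeholder image
```

Two things outside the manifest decide whether this is safe: the node's instance profile must be allowed to `sts:AssumeRole` into the application roles, and each application role's trust policy must name the node role. That is the "security posture from the node perspective" mentioned later in the thread: any pod that can reach the metadata endpoint without passing through kube2iam gets the node role itself, so the iptables rule and the namespace restriction are both load-bearing.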

~~~
christopherhein
Correct, they are on the roadmap, I've been waffling on the implementation
because this could open security issues. I'm happy to say we'll at least be
able to use k8s RBAC to gate who can get, list, create, update and delete the
Roles but your security posture from the node perspective still will need to
gate what the pods could assume.
[https://github.com/awslabs/aws-service-operator/issues/58](https://github.com/awslabs/aws-service-operator/issues/58)
[https://github.com/awslabs/aws-service-operator/issues/59](https://github.com/awslabs/aws-service-operator/issues/59)
are the issues if you'd like to add any extra notes or check out the potential
implementation.
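An added example of the RBAC gating the maintainer describes, applied to the resource kinds the thread lists as supported today (S3 buckets, SQS queues, and so on); it is not code from the project. The API group `service-operator.aws` and the plural resource names are assumed from the project's README as I recall it and must be checked with `kubectl api-resources`; the group names `developers` and `payments-team` are placeholders for whatever your authenticator (for example aws-iam-authenticator's aws-auth mapping) puts in the user's groups.

```yaml
# Added example: cluster-wide read access to operator-managed AWS resources,
# but create/update/delete only for a team inside its own namespace.
# API group and resource names are assumed; subjects are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aws-resources-viewer
rules:
  - apiGroups: ["service-operator.aws"]
    resources: ["s3buckets", "sqsqueues", "snstopics", "snssubscriptions",
                "dynamodbs", "ecrrepositories", "cloudformationtemplates"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aws-resources-editor
  namespace: payments
rules:
  - apiGroups: ["service-operator.aws"]
    resources: ["s3buckets", "sqsqueues"]   # only the kinds this team needs
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aws-resources-viewer-developers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aws-resources-viewer
subjects:
  - kind: Group
    name: developers             # placeholder group from your authenticator
    apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aws-resources-editor-payments
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: aws-resources-editor
subjects:
  - kind: Group
    name: payments-team          # placeholder group
    apiGroup: rbac.authorization.k8s.io
```

Check the effect before relying on it, for example `kubectl auth can-i create s3buckets.service-operator.aws -n payments --as=someone --as-group=payments-team` should answer `yes`, and the same question for `-n other-team` should answer `no`. Note what this does and does not cover: RBAC decides who may ask the operator to act, but the operator's own AWS credentials are what actually create the resources, so those credentials should be scoped to the resource kinds and naming you intend the cluster to manage.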

------
iddqd
For me, this is the most exciting thing AWS has launched in a while!

------
blazespin
Just an attempt to de-commoditize cloud infra .. what we need is a cloud
agnostic solution built by someone other than aws/azure/goog

~~~
iamgopal
What's wrong with them? Three is enough competition.

~~~
rorykoehler
Cost is what is wrong. They will form a cartel if there are no competing
solutions that rein them in.

------
neurobashing
What terminal theme was that in the screenshot? I saw command icons, so it’s a
Mac, but how do you make iterm look like that?

~~~
Eldt
Take a look at the zsh/fish themes

------
InTheArena
This is absolutely awesome. I've thought about doing this a couple of times,
as an abstraction layer on top of different clouds, but this is really cool...
It's also the first time that I think we have really seen AWS really
contribute something to the K8s ecosystem _they do lots of good work at the
CNCF_ that is interesting and innovative. (EKS is not as capable as GKS or
AKS, and even things like HPA only recently are enabled).

~~~
patrickg_zill
Does this work benefit those who are not using AWS?

------
extraterra
It's great to see Kubernetes being integrated more tightly with the AWS
ecosystem. If now all cloud providers open sourced their MySQL/PostgreSQL
forks...

~~~
jjeaff
Are there any good docker compose or helm files out there right now that would
work for a nice production ready MySQL or PostgreSQL DB?

It seems like k8s has everything you would need to have the redundant data
sources, failover, and point in time recovery options that cloudsql or
auroradb have.

~~~
wskinner
We run the official Postgres docker image as a StatefulSet. Very easy to
setup, and we haven’t had any issues with it.
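An added example (my own manifest, not the commenter's) of the setup described above: the official `postgres` image run as a single-replica StatefulSet with a persistent volume and a headless Service. The password, image tag and storage size are placeholders. Two details are worth noticing: `PGDATA` is pointed at a subdirectory of the mount, which the official image recommends because a freshly formatted volume already contains `lost+found` and initdb refuses a non-empty data directory, and `replicas` is fixed at 1 because scaling this StatefulSet up would create independent databases, not replicas.

```yaml
# Added example: single-instance PostgreSQL on Kubernetes with the official
# image. Password, tag and storage size are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: postgres-auth
type: Opaque
stringData:
  POSTGRES_PASSWORD: change-me-placeholder   # source from a secret store in practice
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
spec:
  clusterIP: None           # headless: stable DNS name postgres-0.postgres
  selector:
    app: postgres
  ports:
    - port: 5432
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
spec:
  serviceName: postgres
  replicas: 1               # single instance: no failover, as in the thread
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      securityContext:
        fsGroup: 999          # gid of the postgres user in the official image
      containers:
        - name: postgres
          image: postgres:11  # pin a digest in production
          envFrom:
            - secretRef:
                name: postgres-auth
          env:
            # Official-image recommendation: keep the data directory below the
            # mount point so the volume's lost+found does not block initdb.
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          ports:
            - containerPort: 5432
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
          readinessProbe:
            exec:
              command: ["pg_isready", "-U", "postgres"]
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            requests:
              cpu: 250m
              memory: 512Mi
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 20Gi
```

What this gives you is a pod that is rescheduled with its volume if the node dies; what it does not give you is the failover or point-in-time recovery asked about earlier in the thread. Those need streaming replication plus WAL archiving to object storage, which in practice means a Postgres operator or a hand-built replica set rather than this manifest.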

~~~
tango12
Do you run a single instance Postgres or a cluster? What kind of failure modes
have you tested if you’re running a cluster?

~~~
wskinner
Single instance. And we have small scale.

------
juancampa
Is there something equivalent for GCP? AFAIK you control load balancers via
Ingress objects but that's about it in terms of integration, right?

~~~
wstrange
GCP has service catalog[1] that can interface to various GCP services
(Spanner, cloud sql, pub sub, etc.).

Service catalog is based on the open service broker spec.

[1] [https://cloud.google.com/kubernetes-engine/docs/how-to/add-on/service-catalog/use-service-catalog](https://cloud.google.com/kubernetes-engine/docs/how-to/add-on/service-catalog/use-service-catalog)

~~~
joseph
Amazon has had that for a while too, but I just learned about it recently, see
[1]. I wonder if this is doing the same thing under the hood, or if it is a
competing project within Amazon. Regardless, something like this is sorely
needed for making infrastructure changes deployable along with application
changes.

1. [https://aws.amazon.com/blogs/opensource/provision-aws-services-kubernetes-aws-service-broker/](https://aws.amazon.com/blogs/opensource/provision-aws-services-kubernetes-aws-service-broker/)

~~~
jacques_chester
The difference between "meet customers at a Kubernetes CRD" and "meet
customers at an OSBAPI broker" is small enough that it's not worth paying
strategy tax to crimp the latter, especially since these customer groups will
be overlapping but not equivalent sets (this is how enterprise software grows
so vast).

Rephrasing: AWS are smart to have a bob each way.

------
simonebrunozzi
The cloud fight of 2019-2020: AWS vs GCP in the Kubernetes arena. Curious to
see who's going to win, or if it's going to be a tie.

Jokes apart: GCP got a head start in containers thanks to Kubernetes; AWS
realized it and tried to catch up. Dominating the space will have huge
consequences down the road.

My humble view is that whoever starts a RedHat-like service (with support, and
SLAs, and enterprise services) on top of Kubernetes, might get the upper hand.
Having built Kubernetes might not be enough for GCP to maintain the lead.

~~~
k__
As far as I know the container fights are done; Kubernetes won, even AWS admits
it. Now it's all about serverless technologies.

~~~
hn_throwaway_99
For serverless technologies to "win" they _have_ to solve the "cold start"
problem. AWS likes to pitch Lambdas as an easy mobile backend, but if you need
to talk to a DB (which most mobile backends do) then you'll want to put your
Lambda in a VPC, which makes cold starts on the order of 5-10 _seconds_,
which is a deal breaker for most synchronous APIs.

I don't understand why AWS or GCP haven't added "pre-warming" requests to
their cloud functions, similar to App Engine.

~~~
stevehawk
why the need to put lambdas in a VPC in order to hit a DB?

~~~
merlincorey
A VPC in AWS is essentially a virtual datacenter.

For many years now, essentially all AWS services are tied to a VPC.

Each account gets 5 VPCs per region, by default.

Whether you use RDS or EC2 to setup a database server, it will be tied to a
VPC for networking isolation purposes.

As such you then would need the Lambda in the VPC, or to allow public internet
access to the database.

The point is pretty moot though, because you can schedule Cloudwatch Events
every 4 minutes to keep a lambda warm, if necessary.

Frameworks like Zappa even do this for you automatically.

~~~
hn_throwaway_99
> The point is pretty moot though, because you can schedule Cloudwatch Events
> every 4 minutes to keep a lambda warm, if necessary.

I encourage you to read this article,
[https://theburningmonk.com/2018/01/im-afraid-youre-thinking-about-aws-lambda-cold-starts-all-wrong/](https://theburningmonk.com/2018/01/im-afraid-youre-thinking-about-aws-lambda-cold-starts-all-wrong/),
because if you're running a web API with Lambdas, keeping _one instance_ warm
with the "cloudwatch event every 4 minutes" trick will most definitely _not_
solve your cold start issues.
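An added CloudFormation example (mine, not from either commenter) of the "CloudWatch Events rule every 4 minutes" warmer described earlier in this subthread, written so that the limitation raised in the reply above is visible in the template itself. The function name is a placeholder parameter; the handler is assumed to recognise the `{"warmer": true}` payload and return without doing real work.

```yaml
# Added example: a scheduled rule that invokes one Lambda function every
# 4 minutes. Function name is a placeholder supplied as a parameter.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  FunctionName:
    Type: String
    Default: api-handler-placeholder
Resources:
  WarmerRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Invoke the function every 4 minutes with a marker payload
      ScheduleExpression: rate(4 minutes)
      State: ENABLED
      Targets:
        - Id: warm-api-handler
          Arn: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionName}
          # The handler should short-circuit on this payload instead of
          # touching the database or other downstream services.
          Input: '{"warmer": true}'
  WarmerPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref FunctionName
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt WarmerRule.Arn
```

Each scheduled invocation is a single request, so it keeps exactly one execution environment alive. When real traffic arrives with N requests in flight at once, the other N-1 still go through a cold start, and for a VPC-attached function that includes the network interface setup behind the multi-second figure quoted above. The rule is cheap and harmless, but it is a fix for idle-to-first-request latency, not for latency under concurrency.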

~~~
Rapzid
> I think many still repeat the "conventional wisdom" about the cold start,
> and never get past that point.

First comment on your article nails it. At the end of the day lambda
scheduling is a black box. People have deduced certain behavior, but AWS is
explicit about not relying on undocumented behavior.

I would be loath to recommend lambda for any application where business
performance is sensitive to the service's latencies.

------
mooreds
Why didn't they launch with RDS support? Seems like a no brainer.

~~~
christopherhein
Great question, it's a little more complicated than one might think at first.
In trying to build a "batteries included" experience I'd need to have purview
into your cluster and what VPC, Subnet and AZ you are running in. I don't want
to make this a configuration option, so I need to build out a way to collect
this information dynamically so that I can make sure we create DB subnets for
the RDS to provision into. Then I need to configure, depending on the engine
(pg, mysql etc), the port and security group configuration. All in all the CFT
is more complicated and, with the way the resources are code generated, it
requires heavy customization. All that being said it is well up on the top of
my list to implement. Also always interested in letting other folks come and
contribute if they feel inclined. :)
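An added CloudFormation example (not the operator's generated template) of the pieces the maintainer lists as the reason RDS is harder than S3 or SQS: the instance has to be placed in specific VPC subnets through a DB subnet group, and an engine-specific port has to be opened, ideally only to the security group the application runs in. Everything the maintainer says must be discovered dynamically (VPC, subnets, the caller's security group) is a parameter here, which is exactly the part an operator would have to fill in on the user's behalf.

```yaml
# Added example: the VPC plumbing an RDS instance needs before it can be
# created. All ids are parameters the caller supplies; engine is PostgreSQL.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>     # subnets in at least two AZs
  AppSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id    # the security group the pods run in
  MasterUsername:
    Type: String
    Default: appadmin
  MasterPassword:
    Type: String
    NoEcho: true                         # never echoed in console or API output
Resources:
  DbSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Private subnets for the application database
      SubnetIds: !Ref PrivateSubnetIds
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: PostgreSQL access from the application security group only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432                 # postgres; mysql would be 3306
          ToPort: 5432
          SourceSecurityGroupId: !Ref AppSecurityGroupId
  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot             # keep data if the stack is deleted
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.small
      AllocatedStorage: "20"
      StorageEncrypted: true
      PubliclyAccessible: false
      MultiAZ: false
      DBSubnetGroupName: !Ref DbSubnetGroup
      VPCSecurityGroups:
        - !Ref DbSecurityGroup
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterPassword
Outputs:
  Endpoint:
    Value: !GetAtt Database.Endpoint.Address
  Port:
    Value: !GetAtt Database.Endpoint.Port
```

The port number, the engine name and the security group ingress are the three values that change per engine, which is why the maintainer cannot generate this the same way as a bucket or a queue. Keeping `PubliclyAccessible: false` and granting ingress only from the application's security group is what makes "the Lambda or pod has to live in the VPC" true in the first place, as discussed elsewhere in this thread.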

~~~
mooreds
Ah, maybe I meant "it's a no brainer from a user perspective". Thanks for the
explanation.

~~~
christopherhein
:) No worries, if you have other services that you find would be really useful
please file issues
[https://github.com/awslabs/aws-service-operator/issues](https://github.com/awslabs/aws-service-operator/issues)

