What Is AWS EKS?
AWS EKS simplifies the process of running Kubernetes in the cloud, eliminates the need for manual cluster management, and offers a seamless experience for developers. EKS also makes it easy to use AWS services such as AWS Identity and Access Management (IAM), Amazon RDS, and Amazon S3 with your Kubernetes applications.
What Is AWS Fargate?
AWS Fargate is a serverless compute engine for containers that eliminates the need to manage the underlying infrastructure. Fargate provides a way to run containers while abstracting away the underlying hosting. With Fargate, there is no need to provision, configure, and scale virtual machines to run containers. There is also no need to choose server types, decide when to scale your clusters, or optimize cluster packing.
Fargate uses Amazon Elastic Compute Cloud (EC2) instances behind the scenes, but users do not need to manage the underlying EC2 instances. They are billed according to the exact resources their containers consume, not for entire EC2 instances.
This is part is a part of a series of articles about container platforms
In this article:
How EKS Runs on Fargate
EKS on Fargate is an integration that allows Fargate to be used as a computing option for EKS clusters. It means that you can leverage the serverless nature of Fargate in your EKS environment. When you run EKS on Fargate, it abstracts the server and infrastructure management, which simplifies the process of running Kubernetes applications on AWS.
When a pod is to be deployed in EKS, it goes through the Kubernetes scheduler, which decides where the pod should run depending on the resources requested by the pod. In a traditional EKS setup, this would be on an EC2 instance. However, with Fargate, this pod is wrapped into a Fargate task, which is then run on the Fargate infrastructure.
Benefits of Running Amazon EKS Clusters on Fargate
Running Amazon EKS clusters on Fargate offers several benefits:
- Simplified operations: Fargate eliminates the need for cluster administrators to manage underlying nodes, reducing operational overhead.
- Cost efficiency: With Fargate, you pay only for the resources your containers use. This model can be more cost-effective compared to paying for entire EC2 instances, particularly for applications with variable or unpredictable workloads.
- Improved security: Fargate runs each pod in a separate runtime environment, without sharing any resources between pods, which improves security. This isolation helps prevent one application from affecting or accessing the resources of another.
- Easier scalability: Fargate scales compute to match the resource requirements of your containers, without manual intervention.
Getting Started with Amazon EKS on Fargate
Here are the steps involved in creating a new Amazon EKS cluster running on Fargate.
Prerequisites: You should have an existing Amazon account and install eksctl on your local machine.
Step 1: Create Your Amazon EKS Cluster and Nodes
To quickly start with Amazon EKS and Fargate, use eksctl, a command-line utility for creating and managing Kubernetes clusters on Amazon EKS. This tool automates several tasks, making it simpler to set up your cluster.
Use the following command to create your EKS cluster with Fargate:
eksctl create cluster --name <my-cluster> --region <region-code> --fargate
Replace my-cluster with your desired cluster name and region-code with your preferred AWS region.
Note: If you have a cluster with existing nodes, ensure that these nodes can communicate with pods running on Fargate. Fargate pods automatically use the cluster security group, so check that your existing nodes can send and receive traffic to and from this group.
Step 2: Create a Fargate Pod Execution Role
Fargate requires an IAM role to make AWS API calls on your behalf. Because we created the cluster with
eksctl using the
--fargate option, a pod execution role is already set up, and you can find it in the IAM console with a name pattern like this:
If you need to create a pod execution role, see the instructions in the EKS documentation.
Step 3: Create a Fargate Profile for Your Cluster
Before scheduling pods on Fargate in your cluster, define a Fargate profile that specifies which pods use Fargate. Because our cluster was created with
eksctl and the
--fargate option, a default Fargate profile is already created for the kube-system and default namespaces.
If you need to use Fargate with other namespaces, see instructions on how to create additional Fargate profiles.
Note: In EKS by default, CoreDNS runs on EC2, not on Fargate. If you want to run CoreDNS on Fargate, there are a few additional configuration steps.
Step 4: Migrate Applications to the EKS Fargate Cluster
To migrate existing applications, you should first create a Fargate profile that matches the original Kubernetes namespace and Kubernetes labels used by your applications.
Then, delete and recreate any existing pods to have them scheduled on Fargate. Additional optional steps include:
- Deploy load balancing on Amazon EKS to create Ingress objects for pods running on Fargate.
- Use Vertical Pod Autoscaler (VPA) to set the initial CPU and memory for your Fargate Pods, and then use Horizontal Pod Autoscaler (HPA) to scale the pods.
Note: In order to have VPA re-deploy pods to Fargate with higher CPU and memory combinations, set VPA mode to either Auto or Recreate.
AWS Container Security with Aqua
Aqua provides the most complete security across the application lifecycle, from development to production, protecting all cloud native applications running on AWS including, Amazon ECS for container orchestration, Amazon EKS for Kubernetes-based deployments, AWS Fargate for on-demand container scaling, AWS Lambda for serverless functions, and Amazon ECR for storing and managing container images.
If you are running cloud native workloads on AWS, Aqua can help with:
- Image vulnerability scanning & assurance
Preventing unauthorized images from running in the AWS environment Aqua Continuously scan images stored in Amazon ECR to ensure that no vulnerabilities, bad configurations, or secrets are introduced into container images.
- Protecting workloads running on Amazon ECS and EKS
Prevent unvetted containers from running on Amazon ECS, EKS and Fargate environments. Automatically create security policies based on container behavior and ensure that containers only do what they are supposed to do in the application context. Detect and prevent activities that violate policy, and defend against container-specific attack vectors.
- Securing applications on AWS Fargate
Aqua embeds the MicroEnforcer into your containers to ensure that workloads are only performing their intended function, while detecting vulnerable or compromised containers.
- Protecting AWS Lambda Functions
Discovering over-provisioned permissions and roles, vulnerabilities, and embedded credentials and keys. Monitoring functions at runtime, preventing code injection and malicious activity.
- Cloud VM Security and Compliance
Protect workloads running on Amazon EC2 instances and ensure they are properly hardened. Scan for vulnerabilities and malware, apply File Integrity Monitoring (FIM), check configuration against the CIS Benchmark for Linux, and monitor user access and activity. Create command-level audit trail for compliance and forensics.
The full-featured Aqua platform is available for on-demand consumption on the AWS Marketplace: