Adnan Malik

1604372986

Serverless Containers With AWS Fargate and Docker

In AWS there are a few services which seem similar or related when it comes to containerisation. They do have their nuances so let’s begin with an introduction of what these are and their similarities and differences (according to the AWS documentation)

Elastic Container Service (ECS)

  • Fully managed container orchestration service
  • Manages the lifecycle and placement of tasks comprised of one or more containers that work together
  • Does not run or execute your container(s)
  • Containers run using ECS Container Instances (normal EC2 instances with ECS Container Agent) or Fargate
  • ECS Container Agent regularly polls the ECS API to manage state
  • Cluster of container instances run in an auto-scaling group
  • You** manage your own EC2 instance, patching and scaling**
  • ECS is free but pricing is per running EC2 instance
  • Offers integration with Elastic Load Balancing (ELB)
  • Supports Application Load Balancer (ALB), the Network Load Balancer (NLB) and Classic Load Balancer (CLB)
  • Load balancing is efficient
  • Each task has its own Elastic Network Interface (ENI)
  • Supports IAM roles for tasks
  • AWS proprietary

#aws-fargate #aws-ecr #docker #aws-ecs #aws-eks

What is GEEK

Buddha Community

Serverless Containers With AWS Fargate and Docker

Adnan Malik

1604372986

Serverless Containers With AWS Fargate and Docker

In AWS there are a few services which seem similar or related when it comes to containerisation. They do have their nuances so let’s begin with an introduction of what these are and their similarities and differences (according to the AWS documentation)

Elastic Container Service (ECS)

  • Fully managed container orchestration service
  • Manages the lifecycle and placement of tasks comprised of one or more containers that work together
  • Does not run or execute your container(s)
  • Containers run using ECS Container Instances (normal EC2 instances with ECS Container Agent) or Fargate
  • ECS Container Agent regularly polls the ECS API to manage state
  • Cluster of container instances run in an auto-scaling group
  • You** manage your own EC2 instance, patching and scaling**
  • ECS is free but pricing is per running EC2 instance
  • Offers integration with Elastic Load Balancing (ELB)
  • Supports Application Load Balancer (ALB), the Network Load Balancer (NLB) and Classic Load Balancer (CLB)
  • Load balancing is efficient
  • Each task has its own Elastic Network Interface (ENI)
  • Supports IAM roles for tasks
  • AWS proprietary

#aws-fargate #aws-ecr #docker #aws-ecs #aws-eks

ICYMI: From Docker Straight to AWS Built-in

In July we announced a new strategic partnership with Amazon to integrate the Docker experience you already know and love with Amazon Elastic Container Service (ECS) with AWS Fargate. Over the last couple of months we have worked with the community on the beta experience in Docker Desktop Edge. Today we are excited to bring this experience to our entire community in Docker Desktop stable, version 2.3.0.5.

You can watch Carmen Puccio (Amazon) and myself (Docker) and view the original demo in the recording of our latest webinar here.

What started off in the beta as a Docker plugin experience docker ecs has been pulled into Docker directly as a familiar docker compose flow. This is just the beginning, and we could use your input so head over to the Docker Roadmap and let us know what you want to see as part of this integration.

There is no better time to try it. Grab the latest Docker Desktop Stable. Then check out my example application which will walk you through everything you need to know to deploy a Python application locally in development and then again directly to Amazon ECS in minutes not hours.

#community #products #aws #containers #docker #docker on aws #ecs #fargate

Christa  Stehr

Christa Stehr

1598408880

How To Unite AWS KMS with Serverless Application Model (SAM)

The Basics

AWS KMS is a Key Management Service that let you create Cryptographic keys that you can use to encrypt and decrypt data and also other keys. You can read more about it here.

Important points about Keys

Please note that the customer master keys(CMK) generated can only be used to encrypt small amount of data like passwords, RSA key. You can use AWS KMS CMKs to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys.

You must use and manage data keys outside of AWS KMS. KMS API uses AWS KMS CMK in the encryption operations and they cannot accept more than 4 KB (4096 bytes) of data. To encrypt application data, use the server-side encryption features of an AWS service, or a client-side encryption library, such as the AWS Encryption SDK or the Amazon S3 encryption client.

Scenario

We want to create signup and login forms for a website.

Passwords should be encrypted and stored in DynamoDB database.

What do we need?

  1. KMS key to encrypt and decrypt data
  2. DynamoDB table to store password.
  3. Lambda functions & APIs to process Login and Sign up forms.
  4. Sign up/ Login forms in HTML.

Lets Implement it as Serverless Application Model (SAM)!

Lets first create the Key that we will use to encrypt and decrypt password.

KmsKey:
    Type: AWS::KMS::Key
    Properties: 
      Description: CMK for encrypting and decrypting
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Allow administration of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyAdmin}
          Action:
          - kms:Create*
          - kms:Describe*
          - kms:Enable*
          - kms:List*
          - kms:Put*
          - kms:Update*
          - kms:Revoke*
          - kms:Disable*
          - kms:Get*
          - kms:Delete*
          - kms:ScheduleKeyDeletion
          - kms:CancelKeyDeletion
          Resource: '*'
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyUser}
          Action:
          - kms:DescribeKey
          - kms:Encrypt
          - kms:Decrypt
          - kms:ReEncrypt*
          - kms:GenerateDataKey
          - kms:GenerateDataKeyWithoutPlaintext
          Resource: '*'

The important thing in above snippet is the KeyPolicy. KMS requires a Key Administrator and Key User. As a best practice your Key Administrator and Key User should be 2 separate user in your Organisation. We are allowing all permissions to the root users.

So if your key Administrator leaves the organisation, the root user will be able to delete this key. As you can see **KeyAdmin **can manage the key but not use it and KeyUser can only use the key. ${KeyAdmin} and **${KeyUser} **are parameters in the SAM template.

You would be asked to provide values for these parameters during SAM Deploy.

#aws #serverless #aws-sam #aws-key-management-service #aws-certification #aws-api-gateway #tutorial-for-beginners #aws-blogs

Christa  Stehr

Christa Stehr

1602964260

50+ Useful Kubernetes Tools for 2020 - Part 2

Introduction

Last year, we provided a list of Kubernetes tools that proved so popular we have decided to curate another list of some useful additions for working with the platform—among which are many tools that we personally use here at Caylent. Check out the original tools list here in case you missed it.

According to a recent survey done by Stackrox, the dominance Kubernetes enjoys in the market continues to be reinforced, with 86% of respondents using it for container orchestration.

(State of Kubernetes and Container Security, 2020)

And as you can see below, more and more companies are jumping into containerization for their apps. If you’re among them, here are some tools to aid you going forward as Kubernetes continues its rapid growth.

(State of Kubernetes and Container Security, 2020)

#blog #tools #amazon elastic kubernetes service #application security #aws kms #botkube #caylent #cli #container monitoring #container orchestration tools #container security #containers #continuous delivery #continuous deployment #continuous integration #contour #developers #development #developments #draft #eksctl #firewall #gcp #github #harbor #helm #helm charts #helm-2to3 #helm-aws-secret-plugin #helm-docs #helm-operator-get-started #helm-secrets #iam #json #k-rail #k3s #k3sup #k8s #keel.sh #keycloak #kiali #kiam #klum #knative #krew #ksniff #kube #kube-prod-runtime #kube-ps1 #kube-scan #kube-state-metrics #kube2iam #kubeapps #kubebuilder #kubeconfig #kubectl #kubectl-aws-secrets #kubefwd #kubernetes #kubernetes command line tool #kubernetes configuration #kubernetes deployment #kubernetes in development #kubernetes in production #kubernetes ingress #kubernetes interfaces #kubernetes monitoring #kubernetes networking #kubernetes observability #kubernetes plugins #kubernetes secrets #kubernetes security #kubernetes security best practices #kubernetes security vendors #kubernetes service discovery #kubernetic #kubesec #kubeterminal #kubeval #kudo #kuma #microsoft azure key vault #mozilla sops #octant #octarine #open source #palo alto kubernetes security #permission-manager #pgp #rafay #rakess #rancher #rook #secrets operations #serverless function #service mesh #shell-operator #snyk #snyk container #sonobuoy #strongdm #tcpdump #tenkai #testing #tigera #tilt #vert.x #wireshark #yaml

Lindsey  Koepp

Lindsey Koepp

1603763460

AWS Bottlerocket vs. Google Container-Optimized OS: Which Should You Use and When

What’s the difference between popular Container-Centric OS choices, Google’s Container-Optimized OS, and AWS’s Bottlerocket? The concepts underlying containers have been around for many years. Container technologies like Docker, Kubernetes, and an entire ecosystem of products, as well as best practices, have emerged in the last few years. This has enabled different kinds of applications to be containerized.

Web service providers like Amazon AWS and Google are giving a further boost to container innovation, for enterprises to adopt and use containers at scale. This will help them to reap the benefits containers bring, including increased portability and greater efficiency.

Linux-based OS, AWS Bottlerocket is a new option, designed for running containers on virtual machines (VMs) or bare-metal hosts. In this article, you will learn the core uses and differences between the two open-source OS.

**AWS Bottlerocket **

It is an open-source, stripped-down Linux distribution that’s similar to projects like Google’s Container-Optimized OS. This single-step update process helps reduce management overhead.

_It makes OS updates easy to automate using container orchestration services such as Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). _

**Google Container-Optimized OS **

It’s an OS image for Google Compute Engine VMs that’s optimized for running Docker containers. It allows you to bring up your Docker containers on Google Cloud Platform securely, and quickly. It is based on the open-source Chromium OS project and is maintained by Google.

But before diving into the core differences, let us give you a basic overview of containers, VMs, and container-optimized OS, and its underlying challenges to better understand the differences.

If you are already aware of all the underlying processes of containers, then you can skip to the main differences for AWS Bottlerocket vs Google Container-Optimized OS.

#containers #amazon-aws #google-cloud #container-optimized-os #aws-containers #docker-containers #linux-based-os #orchestration