AWS Open Source Blog
Introducing Amazon EKS Distro (EKS-D)
This post was contributed by Allan Naim, Chandler Hoisington, Raja Jadeja, Micah Hausler, and Michael Hausenblas.
Today we announced Amazon EKS Distro (EKS-D), a Kubernetes distribution based on and used by Amazon Elastic Kubernetes Service (Amazon EKS) to create reliable and secure Kubernetes clusters. With EKS-D, you can rely on the same versions of Kubernetes and its dependencies deployed by EKS. This includes the latest upstream updates as well as extended security patching support. EKS-D follows the same Kubernetes version release cycle as Amazon EKS and we provide the bits in the context of an open source project on GitHub.
In this post we introduce EKS Distro and explain different ways to get started with EKS Distro using examples from the partner ecosystem.
What is EKS-D?
With EKS Distro, you are now in a position to standardize on the same Kubernetes distribution available through EKS. This means you can now manually deploy reliable and secure clusters without continuously testing and tracking Kubernetes updates, dependencies, and security patches. Each EKS Distro release follows the EKS process for verifying new Kubernetes versions for compatibility. You also have the option to reproduce builds of EKS Distro with the provided build environment settings, tools, and hashes of our published images, so you can confirm your download has not been tampered with in transit. With EKS-D, we provide extended support for Kubernetes versions after community support expires, with updated builds of previous versions that carry the latest security patches.
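The tamper check described above, as an added example that is not EKS-D's own tooling: a Python verifier that looks up an artifact's published SHA-256 in a release-manifest-shaped structure, hashes the download in chunks, and compares the two in constant time, failing closed when no digest is listed. The manifest nesting, asset name and URI are assumptions, and the sample bytes are constructed.

```python
import hashlib
import hmac
import io
from typing import BinaryIO, Dict, Optional

# Constructed sample bytes standing in for a downloaded EKS-D binary tarball.
SAMPLE_ARTIFACT = b"constructed stand-in for kube-apiserver.tar.gz bytes\n"
ASSET = "bin/linux/amd64/kube-apiserver.tar.gz"

# Constructed manifest fragment. The nesting (components -> assets -> archive.sha256)
# is an assumption about an EKS-D release manifest; the URI is a placeholder and the
# digest is computed here only so the example runs offline.
RELEASE_MANIFEST: Dict = {
    "components": [{"name": "kubernetes", "assets": [{
        "name": ASSET,
        "type": "Archive",
        "archive": {
            "uri": "https://example.invalid/kube-apiserver.tar.gz",
            "sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(),
        },
    }]}],
}

def expected_sha256(manifest: Dict, asset_name: str) -> Optional[str]:
    """Look up the published SHA-256 for an archive asset, or None if absent."""
    for component in manifest.get("components", []):
        for asset in component.get("assets", []):
            if asset.get("name") == asset_name and asset.get("type") == "Archive":
                return asset.get("archive", {}).get("sha256")
    return None

def sha256_of_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Hash a download in chunks so a large tarball need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def verify_artifact(manifest: Dict, asset_name: str, stream: BinaryIO) -> bool:
    """True only when the download matches the published digest; an asset with
    no published digest fails closed, since there is nothing to check against."""
    published = expected_sha256(manifest, asset_name)
    if not published:
        return False
    # compare_digest keeps comparison time independent of where the strings differ.
    return hmac.compare_digest(sha256_of_stream(stream).lower(), published.lower())

def verify_bytes(manifest: Dict, asset_name: str, data: bytes) -> bool:
    """Same check for data already in memory (convenient for tests)."""
    return verify_artifact(manifest, asset_name, io.BytesIO(data))
```

In practice the manifest itself should be fetched over TLS from the release channel and the digest read from it, never from the same place the artifact came from.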
After operating Amazon EKS at scale over the past two years—we’re talking millions of clusters of all sizes around the world—we’re now in a position to identify what works, what components to run, and how. We’ve learned that customers want a consistent experience on-premises and in the cloud, whether for migration purposes or to enable hybrid cloud setups. For example, customers have use cases where part of the workload resides in an on-premises Kubernetes cluster for data sovereignty reasons and other parts run on EKS. You now have a spectrum of EKS-based solutions at hand:
*) for EKS on EC2 you can either manage the nodes yourself or use managed node groups.
To address the consistency requirement, we came up with EKS Distro, our EKS-based Kubernetes distribution that you can run in any environment, be it bare metal or VMs. EKS-D takes upstream (unmodified) Kubernetes, packages and configures it in a particular, opinionated manner, which is what we call a Kubernetes distribution, and offers the result as open source. The difference between a fork and a distribution is an important one: a fork is an alternative upstream code base, whereas a distribution is an opinionated downstream code base. Think of Linux distros such as Ubuntu or Amazon Linux 2, or Hadoop distros such as the one offered by Cloudera or the one found in EMR.
From a high-level perspective, EKS Distro looks as follows (taking into account a number of upstream open source projects including Kubernetes and etcd):
With EKS Distro you have a single vendor for secure access to installable, reproducible builds of Kubernetes for cluster creation, and for extended security patching of Kubernetes versions after community support expires. We will provide extended Kubernetes maintenance support for up to 14 months in accordance with the Amazon EKS version lifecycle policy, giving you the time needed to update your infrastructure in alignment with your own software lifecycle.
Getting started with EKS-D
We teamed up with a number of partners that provide install methods as well as integrations with EKS Distro. In the following, we highlight a few of the launch partners and the work they have done to help you get started with EKS-D.
Weaveworks
Weave Kubernetes Platform (WKP) brings GitOps to Amazon EKS Distro (EKS-D) and provides support for installing, creating, and managing EKS-D clusters on-premises. Like any distribution of Kubernetes, EKS-D requires configuration and upgrades as well as additional components and add-ons such as logging, tracing, and metrics. WKP addresses these needs by adding GitOps to every layer of your Kubernetes environment, for EKS-D or any other distribution, both in the cloud and on-premises. By taking advantage of the Cluster API project, GitOps workflows can manage the entire cluster lifecycle, including maintenance, upgrades, and patches, as well as cluster configuration for platform components such as Prometheus and Grafana. With WKP delivering and managing EKS-D clusters, application development teams get the latest GitOps capabilities at their disposal, enabling more frequent deploys with shorter time to value and increased reliability and reproducibility. Platform teams also gain full insight and observability for on-premises EKS-D deployments. The Weaveworks launch blog post describes the relationship between EKS-D and WKP in further detail. An additional post steps through a demo of WKP in a hybrid EKS and EKS-D scenario.
Kubestack
Kubestack is about providing the best GitOps developer experience for Terraform and Kubernetes, from local development, all the way to production. Learn how to manage EKS-D clusters with Kubestack via their launch blog post and you can also find a video walkthrough of the process.
Kubermatic
You can install EKS-D using KubeOne by Kubermatic. KubeOne is an infrastructure-agnostic, open source Kubernetes cluster lifecycle management tool that automates the deployment and Day 2 operations of single Kubernetes clusters. Learn how to install EKS-D on AWS and Amazon Linux 2 with Kubermatic’s open source cluster lifecycle management tool KubeOne.
Aqua Security
To secure EKS-D, you need a holistic approach to conquer the complexity of Kubernetes. Aqua provides KSPM (Kubernetes Security Posture Management) to improve visibility and remediate misconfigurations, as well as advanced, agentless Kubernetes runtime protection. You can also use Kubernetes-native capabilities to attain policy-driven, full lifecycle protection and compliance for your Kubernetes applications. Learn more about Aqua’s EKS-D integration.
Sysdig
Sysdig provides security and visibility to detect and respond to runtime threats, validate compliance, and monitor and troubleshoot containers on EKS-D. Check out their launch blog post to learn more about using CNCF Falco and Sysdig Secure for managing runtime security in EKS-D workloads.
Tetrate
Tetrate Service Bridge (TSB) enables unified application connectivity and security across workloads, on EKS and EKS-D. TSB provides easy access and operability to enterprise-grade (upstream or FIPS-compliant) Istio and Envoy Proxy. Multi-tenancy, traffic management, mesh and application-level observability, end-to-end mTLS (mutual Transport Layer Security), fine-grained authorization, and application security are key elements of TSB.
A range of partners have been working on many more EKS-D related activities, including:
Provisioning and management
- Learn how to deploy EKS-D with Rancher’s RKE2.
- Find out how easy it is to install EKS-D using Canonical’s MicroK8s, in a snap.
- Explore how to use Rafay’s Managed Kubernetes Platform (MKP) to manage EKS-D clusters.
- Check out how to provision an EKS-D cluster using Pulumi.
- Upbound Cloud makes it easy for EKS-D users to consolidate configuration of clusters into an environment-agnostic repository of Crossplane configuration. Using this configuration, clusters can then be provisioned on-premises, in the cloud, or at the edge through a single unified API interface.
- Learn how Nirmata’s EKS manager integration with EKS-D simplifies cluster operations.
Observability
- With Instana you can automatically monitor and visualize EKS-D workloads.
- Sumo Logic shows how their observability solution works with EKS-D.
- Epsagon enables you to monitor EKS-D workloads including control plane metrics.
- Datadog provides visibility into the health of VMs, containers, and serverless environments across on-premises, hybrid, and cloud compute infrastructure. Learn more about the EKS-D support.
- Splunk Infrastructure Monitoring provides a turn-key, enterprise-grade monitoring solution for all Kubernetes environments—cloud-native Amazon EKS, hybrid with Amazon Outposts and on-premises self-managed EKS-D environments.
Security
- Alcide provides centralized and unified security coverage across hybrid deployments that span across EKS, Outposts, and the newly added EKS-D.
- Check out what Tigera has done around Calico and Calico Enterprise support to enable robust security and compliance for clusters running EKS-D.
As you can imagine, this is just the beginning of a journey. What’s next, you might ask?
Next steps
To get started, head over to https://distro.eks.amazonaws.com and give EKS Distro a try yourself using kops or kubeadm, or any of the above-mentioned solutions provided by partners.
You can be part of the EKS-D community by providing feedback via GitHub and sending in PRs. If you prefer a more interactive communication, join us on the Kubernetes Slack community via the #eks channel, or the AWS Developer Slack channel where we have the #eks-d channel set up.
We’re excited to learn how you’re using EKS Distro and to hear your feedback and suggestions.