This Guidance demonstrates how to automate the deployment of an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for external single sign-on authentication. Using Amazon EKS Blueprints for Terraform, an open-source infrastructure-as-code (IaC) tool, you can integrate your cluster’s control plane with an external identity provider like Okta. This Guidance lets you automatically provision resources, create roles and keys, and perform the integration, all through Terraform blueprints, simplifying single sign-on setup.
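The integration described above, as an added example that is not part of this Guidance or the Amazon EKS Blueprints for Terraform repository: the Terraform configuration below registers an external OIDC identity provider with an existing EKS cluster and binds one identity-provider group to the built-in read-only ClusterRole. It assumes configured `aws` and `kubernetes` providers; the cluster name, issuer URL, client ID and group name are placeholders.

```hcl
# Added example: register an external OIDC identity provider (for example Okta)
# with an existing Amazon EKS cluster. Cluster name, issuer URL, client ID and
# group name are placeholders.
locals {
  cluster_name = "example-eks-cluster"
  issuer_url   = "https://example.okta.com/oauth2/default"
  client_id    = "REPLACE_WITH_OIDC_CLIENT_ID"
}

resource "aws_eks_identity_provider_config" "okta" {
  cluster_name = local.cluster_name

  oidc {
    identity_provider_config_name = "okta"
    issuer_url                    = local.issuer_url
    client_id                     = local.client_id
    # Claims the control plane reads to build the Kubernetes user and groups.
    username_claim = "email"
    groups_claim   = "groups"
    # Prefixes keep external identities from colliding with IAM-mapped users
    # and built-in "system:" groups.
    username_prefix = "okta:"
    groups_prefix   = "okta:"
  }
}

# Grant one identity-provider group read-only cluster access. The subject
# name is the prefixed group the control plane derives from the groups claim.
resource "kubernetes_cluster_role_binding" "okta_viewers" {
  metadata {
    name = "okta-viewers"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "view" # built-in read-only ClusterRole
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "okta:eks-viewers"
  }

  depends_on = [aws_eks_identity_provider_config.okta]
}
```

Any group from the identity provider that is not named in a binding gets no access, so authorization stays explicit even when authentication is delegated.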
Architecture Diagram
Step 1
Your platform engineer commits and pushes Terraform IaC changes to the project’s Git repository.
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
Operational Excellence
Amazon CloudWatch provides focused log event management that helps you quickly identify the root causes of issues and simplifies troubleshooting. Providing comprehensive insights into the infrastructure and application levels of Amazon EKS clusters, it lets you monitor utilization trends and make metrics-driven decisions for optimizing operations. Additionally, as a managed Kubernetes application platform, Amazon EKS is optimized for efficiency in operational management. Finally, Amazon VPC provides network layer isolation for cluster resources, thus increasing operational efficiency. Together, these services reduce the operational burden of deploying and maintaining a security integration with external single sign-on providers.
Security
This Amazon EKS integration provides consistent enterprise-grade security through single sign-on providers like Okta. When you use Okta, you can be sure that only properly authenticated users mapped to the Okta organization structure can access your platform and application. This Guidance also natively integrates with AWS Secrets Manager to store Kubernetes secrets, and it enables a private or isolated networking layer through Amazon VPC. This configuration prevents applications deployed to Amazon EKS from being directly accessed through the internet. You can also opt for a completely isolated VPC (one with no internet access) and use VPC endpoints to connect the cluster to required services. Additionally, AWS Identity and Access Management (IAM) provides fine-grained access policies to manage instance federation to the cluster, and AWS Key Management Service (AWS KMS) encrypts all data at rest. Finally, Bottlerocket, an operating system built to run containers, adds security layers such as a read-only root filesystem, Security-Enhanced Linux (SELinux), and no Secure Shell (SSH) access.
Reliability
Amazon EKS runs a secure, scalable, and highly available Kubernetes control plane across multiple Availability Zones (AZs) to maintain cluster infrastructure health. Managed node groups for Amazon EKS make sure that Amazon Elastic Compute Cloud (Amazon EC2) node instances are running the latest Amazon Machine Image (AMI). This supports high availability and fault tolerance. Additionally, CloudWatch event management efficiently detects events that can negatively impact reliability so that you can proactively address them.
Performance Efficiency
Amazon EKS is a highly available orchestration service optimized for the scalability and performance of containerized applications. It effectively manages its infrastructure to accommodate the total resources requested by the applications running in the cluster. This Guidance balances workloads across the cluster’s compute nodes, and it scales Amazon EC2 instances based on application workload requirements. You can also increase performance efficiency by using compute-efficient nodes, such as instances based on AWS Graviton processors.
Cost Optimization
The Amazon EKS control plane lets you run applications without provisioning your own infrastructure, enabling you to avoid associated overhead costs. Additionally, because Amazon EKS is a managed service, its cluster costs are significantly lower than those of self-managed clusters. The control plane has a fixed cost and uses managed node groups to provision and allocate compute resources according to application requirements. By rightsizing Amazon EC2 instances and using compute-efficient nodes based on AWS Graviton processors, you can utilize resources more efficiently to optimize costs.
Sustainability
Amazon EKS and Amazon Elastic Container Registry (Amazon ECR) reduce the environmental impact of your workloads. Because they are managed services, you don’t need to provision your own physical infrastructure for the control plane and image registry. Additionally, this Guidance uses managed node groups to scale Amazon EKS compute nodes up and down based on demand, minimizing energy waste. Finally, it provides the option to use compute-efficient Amazon EC2 instances based on AWS Graviton processors, helping you reduce the carbon footprint of your workloads.
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.