- Run on AWS
- No Shell Scripts
- Use ARM Nodes to save money
- Use ASG/spot instances for the control plane, including etcd; persist data across restarts
- Route 53 with DNSSEC signed Zones
- Use IMDSv2 only - flatcar/Flatcar#220 (comment) - waiting for an Afterburn update in Flatcar
- Use SSM Fleet Manager
- TODO: Configure the CloudWatch agent for system logs
- IPv6-only network or IPv6 dual stack - https://blog.devopstom.com/ipv6-only-ec2/
- GitHub, Docker Hub and SSM have no IPv6 endpoints
- Amazon EC2 load balancers require IPv4; no native IPv6 support
- Flatcar provisioning tools have little IPv6 support
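The "Use IMDSv2 only" goal above is worth verifying across the fleet rather than assuming the launch template did it: a node that still answers IMDSv1, or that hands out IMDSv2 tokens with a PUT-response hop limit above 1, lets any pod reach the node role's credentials via 169.254.169.254 and sidesteps IRSA. The following is an added audit example, not code from this repository; it reads the JSON shape returned by `aws ec2 describe-instances --output json` (the sample embedded here is constructed) and reports instances that do not enforce IMDSv2.

```python
"""Audit EC2 MetadataOptions for the "IMDSv2 only" goal (added example, not repo code).

Input is the JSON document produced by `aws ec2 describe-instances --output json`.
SAMPLE below is a constructed stand-in so the check runs offline.
"""
import json

# With amazon-vpc-cni-k8s pods sit in their own network namespace and reach
# 169.254.169.254 through the node, which decrements the TTL. A hop limit of 1
# therefore stops pods from obtaining an IMDSv2 token; anything higher lets them in.
MAX_HOP_LIMIT = 1

SAMPLE = json.dumps({
    "Reservations": [{"Instances": [
        # compliant: IMDSv2 enforced, token cannot leave the node
        {"InstanceId": "i-0aaa111", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        # IMDSv1 still allowed
        {"InstanceId": "i-0bbb222", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        # IMDSv2 enforced, but tokens reach one hop further than the node
        {"InstanceId": "i-0ccc333", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        # IMDS switched off entirely: nothing to harden
        {"InstanceId": "i-0ddd444", "MetadataOptions": {
            "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]}]
})


def findings(describe_json: str, max_hops: int = MAX_HOP_LIMIT) -> dict[str, list[str]]:
    """Return {instance_id: [problem, ...]} for every instance not enforcing IMDSv2-only."""
    out: dict[str, list[str]] = {}
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata service reachable at all
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed (HttpTokens != required)")
            hops = opts.get("HttpPutResponseHopLimit", 1)  # API default is 1
            if hops > max_hops:
                problems.append(f"hop limit {hops} lets pods reach IMDS")
            if problems:
                out[inst["InstanceId"]] = problems
    return out


def fix_command(instance_id: str) -> str:
    """AWS CLI command that enforces IMDSv2 with hop limit 1 on a running instance."""
    return (
        f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
        "--http-endpoint enabled --http-tokens required --http-put-response-hop-limit 1"
    )


if __name__ == "__main__":
    for instance_id, problems in findings(SAMPLE).items():
        print(instance_id, "->", "; ".join(problems))
        print("  ", fix_command(instance_id))
```

Run it against real output with `aws ec2 describe-instances --output json | python3 imds_audit.py` after swapping `SAMPLE` for `sys.stdin.read()`; the one-off `modify-instance-metadata-options` fix is for remediation, the durable fix is `http_tokens = "required"` in the launch template so new ASG/spot nodes come up compliant.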
- Flatcar Container Linux
- aws-encryption-provider
- rootless control plane
- ✅ CoreDNS
- ✅ Run CIS Benchmark
- IAM Roles for Service Accounts (IRSA)
- Kubernetes CNI
- kube-proxy in IPVS mode
- ✅ amazon-vpc-cni-k8s for Networking
- calico for NetworkPolicy
- Cloud Provider
- ✅ cloud-provider-aws
- ✅ kubelet-csr-approver to automatically approve kubelet serving certificates
- Storage
- Node Scaling
- Ingress Controller
- Authentication
- Backup
- Cluster Policies
- Node local DNS cache
- ✅ Node Problem Detector
- gVisor
- https://github.com/flatcar-linux/flatcar-linux-update-operator/
- ArgoCD
- Reloader
- SealedSecrets
- ✅ cert-manager
- https://goteleport.com/pricing/
- https://litmuschaos.io/
- https://falco.org/
- crossplane
- AWS Controllers for Kubernetes (ACK)
- etcd-io/etcd#13847
- coreos/ignition#1340
- coreos/afterburn#726
- kubernetes/cloud-provider-aws#327
- kubernetes/cloud-provider-aws#335
- hashicorp/terraform-provider-aws#24009
- hashicorp/terraform-provider-tls#181
- aws/eks-charts#721 / aws/amazon-vpc-cni-k8s#1949
- flatcar/Flatcar#707
- flatcar-archive/coreos-overlay#1800
- aws/karpenter-provider-aws#1652
- aws/amazon-ssm-agent#442
- kubernetes-sigs/aws-ebs-csi-driver#1204