Home Explore Blog CI



kubernetes
1st chunk of `content/en/blog/_posts/2016-04-00-Kubernetes-On-Aws_15.md`
458d635e200d79ba9eb30857c820a29404d14428d55fc6510000000100000a19
---
title: " How to deploy secure, auditable, and reproducible Kubernetes clusters on AWS "
date: 2016-04-15
slug: kubernetes-on-aws_15
url: /blog/2016/04/Kubernetes-On-Aws_15
author: >
  Colin Hom (CoreOS)
---

At CoreOS, we're all about deploying Kubernetes in production at scale. Today we are excited to share a tool that makes deploying Kubernetes on Amazon Web Services (AWS) a breeze. Kube-aws is a tool for deploying auditable and reproducible Kubernetes clusters to AWS, currently used by CoreOS to spin up production clusters.  

Today you might be putting the Kubernetes components together in a more manual way. With this helpful tool, Kubernetes is delivered in a streamlined package to save time, minimize interdependencies and quickly create production-ready deployments.  

A simple templating system is leveraged to generate cluster configuration as a set of declarative configuration templates that can be version controlled, audited and re-deployed. Since the entirety of the provisioning is by [AWS CloudFormation](https://aws.amazon.com/cloudformation/) and cloud-init, there’s no need for external configuration management tools on your end. Batteries included!  

To skip the talk and go straight to the project, check out [the latest release of kube-aws](https://github.com/coreos/coreos-kubernetes/releases), which supports Kubernetes 1.2.x. To get your cluster running, [check out the documentation](https://coreos.com/kubernetes/docs/latest/kubernetes-on-aws.html).  

**Why kube-aws? Security, auditability and reproducibility**  

Kube-aws is designed with three central goals in mind.  


**Secure** : TLS assets are encrypted via the [AWS Key Management Service (KMS)](https://aws.amazon.com/kms/) before being embedded in the CloudFormation JSON. By managing [IAM policy](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) for the KMS key independently, an operator can decouple operational access to the CloudFormation stack from access to the TLS secrets.



**Auditable** : kube-aws is built around the concept of cluster assets. These configuration and credential assets represent the complete description of the cluster. Since KMS is used to encrypt TLS assets, you can feel free to check your unencrypted stack JSON into version control as well!



**Reproducible** : The _--export_ option packs your parameterized cluster definition into a single JSON file which defines a CloudFormation stack. This file can be version controlled and submitted directly to the CloudFormation API via existing deployment tooling, if desired.
Title: Introducing Kube-AWS: Secure, Auditable, and Reproducible Kubernetes Clusters on AWS
Summary
CoreOS introduces kube-aws, a tool designed to simplify the deployment of Kubernetes clusters on Amazon Web Services (AWS). It emphasizes security through AWS KMS encryption of TLS assets, auditability by managing cluster configurations as version-controlled assets, and reproducibility using single JSON files defining CloudFormation stacks. This tool aims to streamline Kubernetes deployments, reduce dependencies, and enable production-ready environments.