Focus mode active/Press Alt+Shift+R to toggle/Esc to exit
Deepen PracticeOrdered learning track

EKS Runtime Components Backend Engineers Should Recognize

EKS Operations Foundation

Production-oriented foundation for operating backend workloads on Amazon EKS: managed control plane, node groups, Fargate profiles, VPC CNI, CoreDNS, kube-proxy, EBS CSI, AWS Load Balancer Controller, workload ownership, observability, failure modes, escalation boundaries, and internal verification checklist.

18 min read3441 words
PrevNext
Lesson 7998 lesson track54–80 Deepen Practice
#kubernetes#eks#aws#managed-kubernetes+9 more

Part 079 — EKS Operations Foundation

Tujuan

Amazon EKS adalah managed Kubernetes dari AWS. Untuk backend engineer, EKS bukan sekadar “Kubernetes yang jalan di AWS”. EKS menambahkan beberapa operational layer yang sangat memengaruhi workload Java/JAX-RS production:

  • managed control plane
  • node group dan lifecycle node
  • Fargate profile jika digunakan
  • Amazon VPC CNI dan alokasi Pod IP dari subnet
  • CoreDNS add-on
  • kube-proxy add-on
  • EBS CSI driver untuk volume
  • AWS Load Balancer Controller untuk ALB/NLB integration
  • IAM integration melalui IRSA atau EKS Pod Identity jika dipakai internal
  • AWS observability, logging, audit, dan CloudTrail boundary
  • dependency access ke RDS, MSK, ElastiCache, Amazon MQ, Secrets Manager, SSM, S3, SQS/SNS, dan service AWS lain

Part ini membangun mental model EKS yang diperlukan backend engineer untuk incident debugging, PR review, production readiness, dan diskusi dengan platform/SRE.

Prinsip utama:

A backend engineer does not need to administer EKS,
but must understand which EKS layer can break the workload.

1. EKS dalam Operational Stack

EKS terdiri dari beberapa lapisan. Saat aplikasi error, jangan langsung menyimpulkan bug aplikasi. Bisa saja failure terjadi di salah satu lapisan runtime berikut.

flowchart TD A[User / Client] --> B[Route 53 / External DNS] B --> C[ALB / NLB] C --> D[AWS Load Balancer Controller] D --> E[Kubernetes Ingress / Service] E --> F[EndpointSlice] F --> G[Pod IP from VPC CNI] G --> H[Java / JAX-RS Container] H --> I[RDS PostgreSQL] H --> J[MSK / Kafka] H --> K[Amazon MQ / RabbitMQ] H --> L[ElastiCache / Redis] H --> M[Secrets Manager / SSM] H --> N[S3 / Other AWS Services] subgraph EKS Cluster O[Managed Control Plane] P[Node Group / Fargate] Q[CoreDNS] R[kube-proxy] S[VPC CNI] T[EBS CSI] end O --> E P --> G Q --> H R --> E S --> G T --> H

Backend debugging harus bisa menjawab:

  • Apakah workload sehat di Kubernetes layer?
  • Apakah node atau subnet capacity bermasalah?
  • Apakah Pod IP allocation bermasalah?
  • Apakah AWS Load Balancer Controller memprovision ALB/NLB dengan benar?
  • Apakah target group melihat pod/node sebagai healthy?
  • Apakah DNS AWS dan CoreDNS bekerja?
  • Apakah IAM identity pod valid?
  • Apakah security group, route table, NAT, atau VPC endpoint memblokir dependency?
  • Apakah observability cukup untuk membedakan EKS failure dari application failure?

2. Managed Control Plane

EKS mengelola Kubernetes control plane. Backend engineer biasanya tidak mengoperasikan API server, scheduler, controller manager, atau etcd secara langsung.

Namun control plane tetap relevan karena semua reconciliation bergantung padanya.

Operational symptoms yang bisa terlihat dari backend side:

SymptomKemungkinan LayerCatatan
kubectl lambat atau timeoutAPI server / network / authEskalasi ke platform/SRE
object update tidak cepat terefleksicontroller lag / API pressureValidasi dengan events dan GitOps
deployment stuck tanpa obvious pod issuecontrol plane / admission / webhookCek events dan policy
banyak object gagal createdadmission webhook / quota / RBACBisa terkait governance
GitOps sync gagal applyAPI server / validation / policyCek GitOps health

Safe investigation:

kubectl version --short
kubectl cluster-info
kubectl get --raw='/readyz?verbose'
kubectl get events -A --sort-by=.lastTimestamp | tail -50
kubectl get apiservices

Catatan safety:

  • Jangan melakukan perubahan cluster-level tanpa mandat platform.
  • Jangan menghapus webhook, APIService, CRD, atau add-on untuk “mencoba memperbaiki”.
  • Untuk backend engineer, control plane issue biasanya escalation boundary.

3. Node Groups

EKS workload biasanya berjalan pada node EC2 melalui:

  • managed node group
  • self-managed node group
  • Karpenter-provisioned node jika digunakan
  • Fargate profile untuk pod tertentu

Node group menentukan:

  • instance type
  • CPU/memory capacity
  • availability zone distribution
  • AMI dan runtime version
  • taint/toleration
  • labels
  • autoscaling behavior
  • spot/on-demand strategy
  • kernel/runtime behavior
  • CNI capacity
  • storage attachment behavior

Backend engineer perlu memahami node group karena banyak masalah workload muncul sebagai pod-level symptom.

Pod SymptomNode Group Cause
Pod Pendinginsufficient CPU/memory, taint mismatch, AZ capacity issue
Pod evictednode memory/disk pressure
latency spikenoisy neighbor, CPU contention, node pressure
connection failurenode security group / route table / subnet issue
image pull failurenode egress / registry permission / VPC endpoint issue
volume mount failurenode/AZ/storage CSI issue

Safe commands:

kubectl get nodes -o wide
kubectl describe node <node-name>
kubectl top nodes
kubectl get pods -A -o wide --field-selector spec.nodeName=<node-name>
kubectl get events -A --sort-by=.lastTimestamp | grep -i '<node-name>'

Internal verification checklist:

  • node group naming convention
  • system vs workload node group
  • on-demand vs spot usage
  • Java backend workload placement rule
  • taints/tolerations
  • zone spreading policy
  • instance family
  • node autoscaling policy
  • patch/upgrade process
  • node drain communication process

4. Managed Node Group vs Self-Managed Node Group vs Karpenter

Backend engineer tidak harus mengelola node lifecycle, tetapi harus tahu implikasi operasionalnya.

ModelOperational MeaningBackend Concern
Managed node groupAWS/EKS manages part of lifecyclepredictable but still needs capacity planning
Self-managed node groupmore custom controlhigher platform operational burden
Karpenterdynamic provisioning based on pending podsfaster scaling, more placement/cost complexity
Fargate profilepod scheduled to serverless computefewer node concerns, different limits and debugging model

Failure mode:

  • managed node group upgrade drains pods unexpectedly if PDB weak
  • self-managed node group AMI drift causes runtime inconsistency
  • Karpenter chooses instance type with unexpected network/storage capacity
  • spot interruption evicts critical pod
  • Fargate profile mismatch leaves pod Pending

Backend readiness question:

Can my workload survive node replacement, node drain, zone rebalance, and spot interruption?

5. Fargate Profile Awareness

EKS Fargate runs pods without user-managed EC2 nodes. It is not universally better. It changes operational trade-offs.

Potential benefits:

  • no node management for selected workloads
  • pod-level isolation
  • useful for some stateless or operational workloads

Potential concerns:

  • daemonsets may not apply the same way
  • observability/logging integration may differ
  • networking behavior still depends on VPC/subnet/security config
  • startup latency and scaling characteristics differ
  • some storage/network/security patterns may be constrained
  • debugging node-level issues is less visible

Backend engineer checklist:

  • Is workload running on EC2 node group or Fargate?
  • Are observability agents available for Fargate pods?
  • Are resource requests aligned with Fargate sizing?
  • Are ingress/service endpoints healthy?
  • Are secrets, IAM, DNS, and egress working the same as node-based pods?

Safe commands:

kubectl get pod <pod> -n <ns> -o wide
kubectl describe pod <pod> -n <ns>
kubectl get events -n <ns> --sort-by=.lastTimestamp

6. VPC CNI Foundation

Amazon VPC CNI is one of the most important EKS-specific components.

Core idea:

In common EKS networking, pods receive IP addresses from VPC subnets.

This means pod networking is not just Kubernetes networking. It is tied to AWS VPC capacity and routing.

Operational consequences:

  • subnet IP exhaustion can prevent new pods from starting
  • instance type affects maximum pod density
  • ENI/IP allocation behavior affects scheduling and scale-up
  • pod IPs may be routable inside VPC depending on config
  • security group and route table issues can affect pod egress
  • private subnet design directly affects workloads

Common symptoms:

SymptomPossible VPC CNI Cause
pod stuck creatingcannot assign pod IP
pod Pending despite node capacityENI/IP capacity constraint
intermittent network failure after scale-upsubnet/IP pressure
new pods cannot reach dependencyroute/security/subnet config
traffic works in one AZ but not anothersubnet/AZ-specific issue

Useful signals:

kubectl get daemonset aws-node -n kube-system
kubectl get pods -n kube-system -l k8s-app=aws-node -o wide
kubectl logs -n kube-system daemonset/aws-node --tail=100
kubectl describe node <node-name> | grep -i -E 'podcidr|capacity|allocatable|eni|address'

Escalate to platform/SRE when:

  • AWS CNI logs show allocation failures
  • subnet IP capacity is low
  • ENI allocation fails
  • pod networking fails across many workloads
  • node networking differs by AZ

7. CoreDNS Add-on

CoreDNS resolves Kubernetes service names and often forwards external DNS queries.

Backend symptoms caused by DNS:

  • Java service cannot resolve PostgreSQL hostname
  • Kafka bootstrap hostname intermittently fails
  • RabbitMQ host resolves from one pod but not another
  • Redis private endpoint resolution fails
  • external AWS service endpoint resolution fails
  • latency spike due to DNS retry/timeout

Safe investigation:

kubectl get deployment coredns -n kube-system
kubectl get pods -n kube-system -l k8s-app=kube-dns -o wide
kubectl logs -n kube-system deployment/coredns --tail=100
kubectl get configmap coredns -n kube-system -o yaml

From a debug pod, if allowed:

kubectl run dns-debug -n <ns> --rm -it --image=busybox:1.36 --restart=Never -- nslookup kubernetes.default.svc.cluster.local
kubectl run dns-debug -n <ns> --rm -it --image=busybox:1.36 --restart=Never -- nslookup <service>.<namespace>.svc.cluster.local
kubectl run dns-debug -n <ns> --rm -it --image=busybox:1.36 --restart=Never -- nslookup <dependency-hostname>

Production caveat:

  • Use approved internal debug image.
  • Do not run arbitrary public image in production unless allowed.
  • Prefer existing platform-approved toolbox pod.

8. kube-proxy Add-on

kube-proxy programs service routing rules for Kubernetes Service traffic, depending on mode and cluster setup.

Backend engineer usually does not operate kube-proxy, but should recognize symptoms:

  • Service traffic intermittently fails
  • ClusterIP not routing to endpoints
  • only node-local service path fails
  • EndpointSlice is correct but traffic still fails
  • multiple services fail at once

Safe checks:

kubectl get daemonset kube-proxy -n kube-system
kubectl get pods -n kube-system -l k8s-app=kube-proxy -o wide
kubectl logs -n kube-system daemonset/kube-proxy --tail=100
kubectl get service -n <ns> <svc> -o yaml
kubectl get endpointslice -n <ns> -l kubernetes.io/service-name=<svc>

Escalate when:

  • many services fail simultaneously
  • EndpointSlice is correct but ClusterIP routing fails
  • kube-proxy pods crash or show sync failures
  • issue is node-specific and repeats across workloads

9. EBS CSI Driver

EBS CSI driver enables Kubernetes PVC backed by Amazon EBS.

Backend engineer encounters this mainly when workload uses persistent storage, file processing, local-ish durable data, stateful workload, or operator-managed dependency.

Common symptoms:

SymptomPossible Cause
PVC Pendingno matching StorageClass, AZ mismatch, quota/capacity issue
FailedMountCSI issue, permission, node/AZ problem
pod stuck ContainerCreatingvolume attach/mount delay
disk fullapplication writes too much, no cleanup, no expansion
attach failure after reschedulevolume AZ constraint

Safe commands:

kubectl get storageclass
kubectl get pvc -n <ns>
kubectl describe pvc -n <ns> <pvc>
kubectl describe pod -n <ns> <pod>
kubectl get events -n <ns> --sort-by=.lastTimestamp | grep -i -E 'mount|volume|attach|pvc|csi'
kubectl get pods -n kube-system | grep -i ebs

Backend responsibility:

  • know whether the app writes to mounted volume
  • ensure file lifecycle/cleanup exists
  • understand AZ-sensitive scheduling implications
  • avoid treating PVC as magic infinite storage
  • ensure backup/restore ownership is explicit for stateful data

Platform/SRE responsibility:

  • CSI driver installation and health
  • StorageClass definition
  • EBS encryption/default policy
  • volume expansion policy
  • node/CSI compatibility
  • storage quota and operational runbook

10. AWS Load Balancer Controller

AWS Load Balancer Controller commonly provisions and reconciles:

  • ALB for Ingress
  • NLB for Service type LoadBalancer
  • TargetGroupBinding resources if used

This controller is a bridge between Kubernetes desired state and AWS load balancer resources.

flowchart LR A[Ingress / Service Manifest] --> B[AWS Load Balancer Controller] B --> C[ALB / NLB] C --> D[Listener / Rule] D --> E[Target Group] E --> F[Node or Pod Targets] F --> G[Kubernetes Service / Pod]

Common backend-facing symptoms:

  • Ingress exists but no ALB created
  • ALB exists but rule missing
  • target group has unhealthy targets
  • 502/503 from ALB
  • TLS cert not attached
  • annotation rejected
  • wrong scheme: internet-facing vs internal
  • wrong target type: instance vs ip
  • slow reconciliation after manifest change

Safe commands:

kubectl get ingress -n <ns>
kubectl describe ingress -n <ns> <ingress>
kubectl get service -n <ns> <svc> -o yaml
kubectl get pods -n kube-system | grep -i load-balancer
kubectl logs -n kube-system deployment/aws-load-balancer-controller --tail=200
kubectl get targetgroupbindings -A

Internal verification checklist:

  • controller installed namespace
  • allowed annotations
  • ingress class
  • ALB/NLB ownership
  • TLS certificate source
  • internal vs external scheme
  • target type convention
  • health check path/port
  • WAF/security group policy
  • platform escalation path

11. IAM Integration Boundary

EKS has multiple identity layers:

Human access to Kubernetes API     -> AWS IAM / cluster access / RBAC
Pod access to Kubernetes API       -> Kubernetes ServiceAccount + RBAC
Pod access to AWS services         -> IRSA / EKS Pod Identity / node role fallback
AWS control plane reconciliation   -> controller IAM roles

Backend incident risk:

  • pod cannot read Secrets Manager secret
  • app cannot access S3 bucket
  • app cannot call STS
  • AWS SDK uses node role unexpectedly
  • ServiceAccount annotation missing
  • trust policy broken
  • token expired or not projected
  • controller lacks permission to create ALB/EBS resource

Safe checks:

kubectl get serviceaccount -n <ns> <sa> -o yaml
kubectl describe pod -n <ns> <pod> | grep -i serviceaccount
kubectl exec -n <ns> <pod> -- env | grep -E 'AWS_|JAVA_|SPRING_|QUARKUS_|MICRONAUT_' || true

Do not print credentials, tokens, or secret values.

Escalate to platform/security when:

  • IAM trust policy is wrong
  • role permission needs change
  • CloudTrail shows denied API call
  • service account annotation or pod identity association is managed centrally
  • least-privilege exception is needed

12. EKS Add-on Version Awareness

EKS cluster behavior depends heavily on add-ons:

  • VPC CNI
  • CoreDNS
  • kube-proxy
  • EBS CSI
  • AWS Load Balancer Controller
  • metrics server if installed separately
  • External Secrets / Secrets Store CSI if used
  • observability agents
  • policy controllers

Backend engineer does not usually upgrade them, but should know the risk:

Add-onBackend Impact
VPC CNIpod IP allocation, pod networking, subnet pressure
CoreDNSservice discovery and external dependency resolution
kube-proxyService routing
EBS CSIPVC mount/attach/resize
AWS Load Balancer ControllerIngress/ALB/NLB provisioning
metrics serverHPA CPU/memory metrics
observability agentslogs/metrics/traces visibility
policy controllersmanifest admission and deployment rejection

Internal verification checklist:

  • add-on versions
  • owner team
  • upgrade cadence
  • known compatibility issues
  • incident history
  • dashboards/alerts per add-on
  • rollback plan
  • maintenance windows

13. EKS Impact on Java/JAX-RS Services

EKS-specific layers affect Java/JAX-RS services in practical ways.

Startup

Startup may depend on:

  • image pull from ECR
  • pod IP allocation through VPC CNI
  • ConfigMap/Secret mount
  • Secrets Manager/SSM access
  • DNS resolution
  • RDS/Kafka/RabbitMQ/Redis connectivity
  • Java truststore/certificate config

Failure signal:

  • ImagePullBackOff
  • ContainerCreating
  • CrashLoopBackOff
  • readiness failure
  • connection timeout on startup
  • AWS SDK credential error

Request serving

Runtime request path may depend on:

  • ALB/NLB target health
  • ingress rules
  • target group health check
  • Service/EndpointSlice
  • pod readiness
  • Java thread pool
  • DB pool
  • downstream AWS service egress

Shutdown

Node drain, rollout, or spot interruption can trigger:

  • SIGTERM
  • readiness removal
  • in-flight request drain
  • consumer rebalance
  • DB connection close
  • message ack/offset commit behavior

EKS-specific concern:

Node lifecycle is not abstract.
AWS node replacement, spot interruption, managed node group upgrade, and autoscaling can all terminate pods.

14. EKS Impact on Common Dependencies

DependencyEKS Operational Concerns
PostgreSQL / RDSprivate endpoint DNS, security group, subnet route, connection pool explosion, IAM auth if used
Kafka / MSKbroker DNS, security group, TLS/SASL, partition/replica scaling, egress path
RabbitMQ / Amazon MQendpoint DNS, TLS, security group, connection/channel lifecycle, queue consumer scaling
Redis / ElastiCachecluster endpoint DNS, TLS, security group, connection pool, subnet/AZ reachability
Camundaengine endpoint, database dependency, worker scaling, job timeout, connectivity
S3IAM role, VPC endpoint, NAT route, bucket policy, KMS key policy
Secrets Manager / SSMIRSA/Pod Identity, endpoint access, KMS, rotation, SDK credential chain

Debugging dependency failures requires checking:

DNS -> route -> security group -> NetworkPolicy -> IAM -> TLS -> timeout -> client pool -> dependency health

15. EKS Failure Mode Map

Failure ModeFirst SymptomBackend-Safe EvidenceLikely Escalation
Subnet IP exhaustionpods cannot start / CNI errorpod events, aws-node logsplatform/network
ALB target unhealthyingress 502/503ingress describe, target group healthplatform/SRE
CoreDNS unhealthydependency DNS failCoreDNS pod/logs, nslookupplatform/SRE
IRSA brokenAWS access deniedServiceAccount annotation, app logssecurity/platform
EBS CSI issueFailedMountPVC events, pod eventsplatform/storage
node pressureeviction/restartsnode conditions, eventsplatform/SRE
ECR auth issueImagePullBackOffpod events, imagePullSecretplatform/CI/security
NLB/ALB annotation issueLB not reconciledcontroller logs, ingress eventsplatform/SRE
add-on upgrade regressionbroad failureadd-on version/eventsplatform/SRE

16. Production-Safe EKS Investigation Flow

flowchart TD A[Symptom] --> B{Application-only?} B -->|Maybe| C[Check pod logs/metrics/traces] B -->|No / unclear| D[Check Kubernetes object status] C --> E[Check recent deployment] D --> F[Check events] F --> G{Pod lifecycle issue?} G -->|Image pull| H[Check ECR / ImagePullSecret / node egress] G -->|Pending| I[Check scheduling / node group / subnet IP / autoscaler] G -->|CrashLoop| J[Check config/secret/JVM/startup] G -->|Ready but no traffic| K[Check Service / EndpointSlice / Ingress / ALB] G -->|Dependency failure| L[Check DNS / SG / route / VPC endpoint / IAM / TLS] H --> M[Escalate if platform-owned] I --> M K --> M L --> M J --> N[Fix app/config or rollback]

First commands:

kubectl get deploy,rs,pod,svc,ingress,hpa,pdb -n <ns> -o wide
kubectl get events -n <ns> --sort-by=.lastTimestamp | tail -50
kubectl describe pod -n <ns> <pod>
kubectl logs -n <ns> <pod> --previous --tail=200
kubectl describe ingress -n <ns> <ingress>
kubectl get endpointslice -n <ns> -l kubernetes.io/service-name=<svc>

EKS layer commands:

kubectl get pods -n kube-system -o wide
kubectl get daemonset -n kube-system aws-node kube-proxy
kubectl get deployment -n kube-system coredns aws-load-balancer-controller
kubectl get storageclass
kubectl get nodes -o wide
kubectl describe node <node-name>

17. Backend Engineer Responsibility

Backend service owner should own:

  • application readiness/liveness/startup behavior
  • graceful shutdown
  • resource requests/limits proposal
  • JVM/container tuning
  • connection pool sizing
  • dependency timeout/retry behavior
  • application metrics/logs/traces
  • service dashboard and runbook
  • deployment and rollback readiness
  • manifest PR review for workload-owned fields
  • evidence capture during incident

Backend engineer should understand but usually not own:

  • EKS control plane
  • node group lifecycle
  • VPC CNI configuration
  • ALB/NLB controller installation
  • CSI driver installation
  • cluster add-on upgrades
  • subnet/security group/route table design
  • IAM role provisioning
  • cluster-level policy controllers

18. Platform/SRE Responsibility

Platform/SRE commonly owns:

  • EKS cluster lifecycle
  • Kubernetes version upgrade
  • managed node groups / Karpenter / autoscaler
  • VPC CNI configuration
  • CoreDNS/kube-proxy/EBS CSI add-ons
  • AWS Load Balancer Controller
  • ingress class and ALB/NLB standards
  • baseline observability agents
  • policy/admission controllers
  • cluster security baseline
  • node patching and drain procedures
  • disaster recovery and cluster rebuild procedures

During incident, backend engineer should provide:

  • affected namespace/workload
  • exact symptom and timeframe
  • recent deployment/config change
  • pod/events/logs evidence
  • affected AZ/node if visible
  • dependency impact
  • business impact if known
  • mitigation already attempted

19. EKS Operational Readiness Checklist

For each backend service deployed to EKS, verify:

Workload

  • Deployment strategy is defined.
  • Readiness/liveness/startup probes are valid.
  • Graceful shutdown is implemented.
  • Resource requests/limits are justified.
  • JVM flags match container limits.
  • PDB exists for critical multi-replica service.
  • HPA policy is sane if autoscaling is enabled.

Networking

  • Ingress/Service path is known.
  • ALB/NLB target health check path is aligned.
  • Service selector and EndpointSlice are correct.
  • DNS names for dependencies are documented.
  • Egress path to dependencies is known.
  • NetworkPolicy and security group expectations are documented.

AWS Integration

  • AWS service access uses approved workload identity.
  • IAM role and permission owner are known.
  • Secrets Manager/SSM/Key Vault-like source is documented if used.
  • ECR/registry access path is reliable.
  • VPC endpoint/NAT dependency is known.

Observability

  • Application logs are structured.
  • Correlation ID/trace ID exists.
  • JVM metrics exist.
  • Kubernetes workload metrics exist.
  • Ingress/ALB metrics exist.
  • Dependency metrics exist.
  • Alerts link to runbooks.
  • Deployment markers exist.

Runbook

  • CrashLoop runbook exists.
  • ImagePull runbook exists.
  • Pod Pending runbook exists.
  • Ingress 5xx runbook exists.
  • DNS/dependency runbook exists.
  • Access denied runbook exists.
  • Rollback path is explicit.

20. EKS PR Review Checklist for Backend Engineers

When reviewing Kubernetes manifests for EKS deployment, check:

Deployment

  • Are replicas appropriate for production?
  • Does rollout strategy preserve availability?
  • Is maxUnavailable safe?
  • Is maxSurge safe for dependency connection capacity?
  • Is progressDeadlineSeconds configured?

Pods

  • Are probes aligned with Java startup and readiness?
  • Is termination grace long enough for request drain/consumer shutdown?
  • Are resource requests/limits realistic?
  • Are JVM memory flags aligned with memory limit?
  • Is ephemeral storage bounded for file/log/temp workloads?

AWS/EKS-specific

  • Is the ServiceAccount correct?
  • Are IRSA/Pod Identity annotations expected?
  • Is ingress class correct?
  • Are ALB annotations approved?
  • Is target type convention followed?
  • Is health check path correct?
  • Is TLS certificate source correct?
  • Are EBS/PVC assumptions valid?
  • Does the change depend on subnet, security group, or IAM updates?

Observability

  • Are labels/annotations sufficient for dashboards?
  • Are deployment markers available?
  • Are alerts impacted?
  • Is there a rollback signal?

Failure impact

  • Could this create too many DB connections?
  • Could this create too many Kafka/RabbitMQ consumers?
  • Could this break readiness and remove all endpoints?
  • Could this cause ALB target group unhealthy?
  • Could this break access to AWS secrets/services?

21. Internal Verification Checklist

Use this checklist in the actual CSG/team environment. Do not assume any answer without verification.

Cluster and environment

  • Which EKS clusters exist per environment?
  • What are the namespace naming conventions?
  • Which namespaces are owned by Quote & Order team?
  • Which workloads are production-critical?
  • Which cluster is cloud/on-prem/hybrid connected?

Access and ownership

  • What access does backend engineer have?
  • What is read-only vs write access?
  • What is break-glass procedure?
  • Who owns EKS cluster operations?
  • Who owns node group/capacity?
  • Who owns IAM roles and trust policies?
  • Who owns ALB/NLB and ingress standards?
  • Who owns observability stack?

EKS components

  • EKS version
  • node group type and labels
  • spot/on-demand policy
  • Karpenter/Cluster Autoscaler usage
  • Fargate profile usage
  • VPC CNI version and config
  • CoreDNS version and config
  • kube-proxy mode/version
  • EBS CSI version
  • AWS Load Balancer Controller version

Networking

  • private/public subnet layout
  • subnet IP utilization monitoring
  • security group model
  • security group for pods usage if any
  • NAT gateway/VPC endpoint usage
  • Route 53/private hosted zone usage
  • internal/external ALB convention
  • ingress class convention

Workload integration

  • ECR/registry access
  • Secrets Manager/SSM usage
  • IRSA/EKS Pod Identity usage
  • RDS/MSK/Amazon MQ/ElastiCache access model
  • NetworkPolicy usage
  • mTLS/TLS truststore strategy
  • Java service startup/shutdown standard

Operations

  • deployment pipeline
  • GitOps repo
  • Helm/Kustomize standard
  • incident process
  • rollback process
  • dashboard and alert standard
  • SLO/error budget practice
  • production readiness checklist
  • post-incident RCA template

22. Common Anti-Patterns

Avoid these assumptions:

If the pod is Running, the service is healthy.

Running does not mean ready, reachable, authorized, or useful.

If Kubernetes object is correct, AWS resource must be correct.

AWS Load Balancer Controller, IAM, subnet, security group, and route tables are separate reconciliation and configuration layers.

If HPA scales pods, capacity problem is solved.

New pods still need node capacity, Pod IPs, dependency capacity, warm-up time, and healthy target registration.

If access denied happens inside app logs, it is an app bug.

It may be ServiceAccount, IRSA, trust policy, IAM permission, KMS policy, bucket policy, endpoint policy, or SDK credential chain.

If DNS works locally, it works from pod.

Pod DNS path may involve CoreDNS, VPC resolver, private hosted zones, search domains, NetworkPolicy, or VPC endpoint DNS.


23. Summary

EKS operations foundation for backend engineers is about recognizing runtime layers that can affect backend services.

The important mental model:

Backend symptom = application behavior + Kubernetes state + EKS add-ons + AWS network/IAM/load balancer/storage state.

A senior backend engineer should be able to:

  • identify whether failure is application, Kubernetes, EKS add-on, AWS network, IAM, storage, or dependency layer
  • collect production-safe evidence
  • avoid unsafe cluster-level changes
  • communicate precise escalation context to platform/SRE/security
  • review workload manifests with EKS-specific operational risk in mind
  • ensure Java/JAX-RS service readiness, shutdown, resources, observability, and dependency access are production-ready

In the next part, we go deeper into EKS Networking Operations: VPC CNI, pod IPs, subnet exhaustion, security groups, ALB/NLB, Route 53, target groups, VPC endpoints, and networking runbooks.

Lesson Recap

You just completed lesson 79 in deepen practice. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.