CDK « Code, Cloud & Context

Deep Dives into EKS Monitoring and Observability with CDKv2

Running production workloads on Amazon EKS demands more than basic health checks. After managing dozens of Kubernetes clusters across various industries, I’ve learned that the difference between a resilient system and a fragile one often comes down to how deeply you can see into your infrastructure. This guide shares the observability patterns and CDK-based automation that have proven invaluable in my production environments.

EKS Monitoring and Observability Architecture – A comprehensive view of metrics, logs, traces, and alerting components

The Three Pillars of Observability

Observability in Kubernetes environments rests on three fundamental pillars: metrics, logs, and traces. Each provides a different lens through which to understand system behavior, and together they form a complete picture of what’s happening inside your clusters.

Metrics tell you what is happening at any given moment. CPU utilization, memory consumption, request rates, and error counts provide quantitative measurements that can trigger alerts and inform scaling decisions. In EKS, metrics flow from multiple sources: the Kubernetes API server, node-level exporters, and application-specific endpoints.

Logs capture the narrative of your system’s behavior. Container stdout/stderr, application logs, and audit logs from the control plane create a detailed record of events. The challenge in Kubernetes is aggregating logs from ephemeral containers that may be rescheduled across nodes at any time.

Traces reveal the journey of individual requests through your distributed system. When a user action triggers calls across multiple microservices, traces connect those disparate events into a coherent story, making it possible to identify bottlenecks and failures in complex architectures.

Building the Metrics Pipeline with CDK

AWS CDK transforms infrastructure provisioning from manual configuration into repeatable, version-controlled code. For EKS monitoring, this means we can define our entire observability stack as Python constructs that deploy consistently across environments.

The foundation starts with Container Insights, which provides out-of-the-box metrics for EKS clusters. However, production systems typically need custom metrics that reflect business-specific concerns. Here’s how I structure the monitoring stack:

from aws_cdk import (
    Stack,
    aws_cloudwatch as cloudwatch,
    aws_sns as sns,
    aws_cloudwatch_actions as cw_actions,
    Duration,
)
from constructs import Construct

class EKSObservabilityStack(Stack):
    def __init__(self, scope: Construct, id: str, cluster_name: str, **kwargs):
        super().__init__(scope, id, **kwargs)
        
        # Create SNS topic for alerts
        alert_topic = sns.Topic(
            self, "EKSAlertTopic",
            display_name=f"{cluster_name}-alerts"
        )
        
        # CPU utilization alarm with stabilization
        cpu_alarm = cloudwatch.Alarm(
            self, "HighCPUAlarm",
            metric=cloudwatch.Metric(
                namespace="ContainerInsights",
                metric_name="pod_cpu_utilization",
                dimensions_map={"ClusterName": cluster_name},
                statistic="Average",
                period=Duration.minutes(5)
            ),
            threshold=80,
            evaluation_periods=3,
            comparison_operator=cloudwatch.ComparisonOperator.GREATER_THAN_THRESHOLD,
            alarm_description="Pod CPU utilization exceeds 80% for 15 minutes"
        )
        cpu_alarm.add_alarm_action(cw_actions.SnsAction(alert_topic))
        
        # Memory pressure alarm
        memory_alarm = cloudwatch.Alarm(
            self, "MemoryPressureAlarm",
            metric=cloudwatch.Metric(
                namespace="ContainerInsights",
                metric_name="pod_memory_utilization",
                dimensions_map={"ClusterName": cluster_name},
                statistic="Average",
                period=Duration.minutes(5)
            ),
            threshold=85,
            evaluation_periods=2,
            comparison_operator=cloudwatch.ComparisonOperator.GREATER_THAN_THRESHOLD
        )
        memory_alarm.add_alarm_action(cw_actions.SnsAction(alert_topic))

Log Aggregation Architecture

Container logs in EKS present unique challenges. Pods are ephemeral, potentially running on any node in the cluster, and their logs disappear when containers terminate. A robust log aggregation strategy must capture logs in real-time and persist them to durable storage.

Fluent Bit has become my preferred choice for log collection in EKS. Deployed as a DaemonSet, it runs on every node and captures container logs before forwarding them to CloudWatch Logs or OpenSearch. The key configuration decisions involve filtering, parsing, and routing logs based on their source and content.

For production clusters, I implement a tiered retention strategy: recent logs (7-14 days) remain in CloudWatch Logs for quick access, while older logs transition to S3 for cost-effective long-term storage. This approach balances operational needs with cost management.

Distributed Tracing with AWS X-Ray

Tracing becomes essential when debugging issues that span multiple services. AWS X-Ray integrates natively with EKS through the OpenTelemetry Collector, which can be deployed as a sidecar or DaemonSet depending on your instrumentation strategy.

The OpenTelemetry approach offers flexibility: applications instrumented with OpenTelemetry SDKs can export traces to X-Ray, Jaeger, or other backends without code changes. This vendor-neutral approach has saved significant refactoring effort when requirements changed.

Production Alert Design Principles

Effective alerting requires careful thought about what truly warrants human attention. Alert fatigue is real, and teams that receive too many notifications quickly learn to ignore them. My approach follows several principles developed through years of on-call experience.

First, alert on symptoms rather than causes. Users care whether the service is responding, not whether CPU is high. High CPU that doesn’t affect user experience shouldn’t page anyone at 3 AM. Second, include stabilization periods to avoid alerting on transient spikes. A brief CPU spike during deployment is normal; sustained high utilization indicates a problem.

Third, provide actionable context in alert messages. An alert should tell the responder what’s wrong, where to look, and ideally suggest initial investigation steps. Finally, implement escalation paths so that unacknowledged alerts reach additional responders.

Cost-Effective Observability

Observability costs can spiral quickly in large clusters. CloudWatch charges for metrics ingestion, storage, and queries. Log storage costs accumulate with retention. Tracing adds overhead to every request. Managing these costs requires intentional decisions about what to collect and how long to retain it.

Sampling strategies help control tracing costs without sacrificing visibility. Collecting 10% of traces still provides statistical significance for identifying patterns while reducing costs by 90%. For logs, aggressive filtering at the collection layer prevents low-value data from reaching storage.

The Path Forward

EKS observability continues evolving with new AWS services and open-source tools. Amazon Managed Service for Prometheus offers a managed Prometheus-compatible metrics backend. Amazon Managed Grafana provides visualization without operational overhead. These managed services reduce the complexity of running observability infrastructure while maintaining compatibility with existing tooling.

The investment in comprehensive observability pays dividends during incidents. When something goes wrong, and it will, the ability to quickly understand system state, trace request flows, and correlate events across services determines how fast you can restore service. Build your observability foundation before you need it.

References

Harnessing AWS CDK for Python: Streamlining Infrastructure as Code

After two decades of managing cloud infrastructure across enterprises of all sizes, I’ve witnessed the evolution of Infrastructure as Code from simple shell scripts to sophisticated declarative frameworks. AWS Cloud Development Kit (CDK) represents a paradigm shift that fundamentally changes how we think about infrastructure provisioning. Rather than wrestling with YAML or JSON templates, CDK allows us to express infrastructure intent using the same programming languages we use for application development. This isn’t just a convenience—it’s a transformation that brings software engineering best practices like abstraction, composition, and testing directly into infrastructure management.

AWS CDK for Python Architecture Diagram — AWS CDK for Python: From Python Code to Deployed AWS Resources

The Construct Hierarchy: Understanding CDK’s Building Blocks

CDK organizes infrastructure into a hierarchy of constructs at three distinct levels. L1 constructs (CFN Resources) provide direct one-to-one mappings to CloudFormation resources, offering complete control but requiring detailed configuration. L2 constructs represent the sweet spot for most use cases—they encapsulate AWS best practices with sensible defaults while remaining customizable. L3 constructs (Patterns) combine multiple resources into complete architectural patterns like load-balanced services or serverless APIs. Understanding when to use each level is crucial for building maintainable infrastructure.

In my experience, teams often make the mistake of defaulting to L1 constructs because they mirror CloudFormation directly. This approach sacrifices the productivity gains CDK offers. L2 constructs handle security configurations, IAM permissions, and resource relationships automatically—tasks that would require hundreds of lines of CloudFormation YAML. Reserve L1 constructs for edge cases where you need features not yet exposed in higher-level abstractions.

Setting Up Your CDK Python Environment

The CDK CLI requires Node.js, but your infrastructure code lives entirely in Python. This separation sometimes confuses newcomers, but it’s intentional—the CLI handles synthesis and deployment while your Python code defines the infrastructure. Start by installing the CDK CLI globally and creating a Python virtual environment for your project:

# Install CDK CLI (requires Node.js)
npm install -g aws-cdk

# Create and activate Python environment
python3 -m venv .venv
source .venv/bin/activate

# Install CDK library (v2 uses single package)
pip install aws-cdk-lib constructs

# Bootstrap your AWS account (one-time setup)
cdk bootstrap aws://ACCOUNT-ID/REGION

The bootstrap step is often overlooked but essential. It creates an S3 bucket and IAM roles that CDK uses for deployments. Without bootstrapping, your first deployment will fail with cryptic permission errors.

Building a Production-Ready S3 Data Lake Stack

Let’s move beyond basic examples and build something closer to production reality—an S3-based data lake with proper security controls, lifecycle policies, and cross-region replication. This demonstrates how CDK’s abstractions simplify complex configurations:

from aws_cdk import (
    Stack, Duration, RemovalPolicy,
    aws_s3 as s3,
    aws_iam as iam,
    aws_kms as kms,
)
from constructs import Construct

class DataLakeStack(Stack):
    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        
        # Customer-managed KMS key for encryption
        data_key = kms.Key(self, "DataLakeKey",
            enable_key_rotation=True,
            description="Encryption key for data lake buckets"
        )
        
        # Raw data landing zone
        raw_bucket = s3.Bucket(self, "RawDataBucket",
            bucket_name=f"datalake-raw-{self.account}-{self.region}",
            encryption=s3.BucketEncryption.KMS,
            encryption_key=data_key,
            block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
            versioned=True,
            lifecycle_rules=[
                s3.LifecycleRule(
                    id="TransitionToIA",
                    transitions=[
                        s3.Transition(
                            storage_class=s3.StorageClass.INFREQUENT_ACCESS,
                            transition_after=Duration.days(90)
                        )
                    ]
                )
            ],
            removal_policy=RemovalPolicy.RETAIN
        )
        
        # Processed data bucket with intelligent tiering
        processed_bucket = s3.Bucket(self, "ProcessedDataBucket",
            bucket_name=f"datalake-processed-{self.account}-{self.region}",
            encryption=s3.BucketEncryption.KMS,
            encryption_key=data_key,
            intelligent_tiering_configurations=[
                s3.IntelligentTieringConfiguration(
                    name="AutoTiering",
                    archive_access_tier_time=Duration.days(90),
                    deep_archive_access_tier_time=Duration.days(180)
                )
            ]
        )
        
        # Data engineering role with least-privilege access
        data_engineer_role = iam.Role(self, "DataEngineerRole",
            assumed_by=iam.AccountPrincipal(self.account),
            description="Role for data engineering team"
        )
        
        raw_bucket.grant_read_write(data_engineer_role)
        processed_bucket.grant_read(data_engineer_role)

Notice how CDK handles the complex IAM policy generation through the grant_* methods. The equivalent CloudFormation would require manually crafting IAM policies with correct ARN patterns—a common source of security misconfigurations.

Networking Infrastructure with VPC Constructs

VPC configuration in CloudFormation is notoriously verbose. CDK’s L2 VPC construct creates a production-ready network topology with a single declaration:

from aws_cdk import aws_ec2 as ec2

# Production VPC with public/private subnets across 3 AZs
vpc = ec2.Vpc(self, "ProductionVPC",
    ip_addresses=ec2.IpAddresses.cidr("10.0.0.0/16"),
    max_azs=3,
    nat_gateways=2,  # Cost optimization: 2 instead of 3
    subnet_configuration=[
        ec2.SubnetConfiguration(
            name="Public",
            subnet_type=ec2.SubnetType.PUBLIC,
            cidr_mask=24
        ),
        ec2.SubnetConfiguration(
            name="Private",
            subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS,
            cidr_mask=24
        ),
        ec2.SubnetConfiguration(
            name="Isolated",
            subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
            cidr_mask=24
        )
    ],
    gateway_endpoints={
        "S3": ec2.GatewayVpcEndpointOptions(
            service=ec2.GatewayVpcEndpointAwsService.S3
        )
    }
)

This single construct generates over 50 CloudFormation resources: subnets, route tables, NAT gateways, internet gateway, and VPC endpoints. The PRIVATE_WITH_EGRESS subnet type automatically configures NAT gateway routing, while PRIVATE_ISOLATED subnets have no internet access—perfect for databases.

Testing Infrastructure Code

One of CDK’s most underutilized features is infrastructure testing. The assertions module lets you verify your infrastructure meets requirements before deployment:

import pytest
from aws_cdk import App
from aws_cdk.assertions import Template, Match

def test_s3_bucket_encryption():
    app = App()
    stack = DataLakeStack(app, "TestStack")
    template = Template.from_stack(stack)
    
    # Verify all buckets use KMS encryption
    template.has_resource_properties("AWS::S3::Bucket", {
        "BucketEncryption": {
            "ServerSideEncryptionConfiguration": Match.array_with([
                Match.object_like({
                    "ServerSideEncryptionByDefault": {
                        "SSEAlgorithm": "aws:kms"
                    }
                })
            ])
        }
    })

def test_bucket_blocks_public_access():
    app = App()
    stack = DataLakeStack(app, "TestStack")
    template = Template.from_stack(stack)
    
    template.has_resource_properties("AWS::S3::Bucket", {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True,
            "BlockPublicPolicy": True,
            "IgnorePublicAcls": True,
            "RestrictPublicBuckets": True
        }
    })

Deployment Strategies and CI/CD Integration

CDK integrates naturally with CI/CD pipelines. The cdk diff command shows proposed changes before deployment, enabling pull request reviews of infrastructure changes. For production deployments, I recommend using CDK Pipelines—a construct that creates a self-mutating pipeline:

# Preview changes
cdk diff

# Deploy with approval prompt
cdk deploy --require-approval broadening

# Deploy specific stack
cdk deploy DataLakeStack

# Synthesize without deploying (for CI validation)
cdk synth

Lessons from Production Deployments

After deploying CDK across dozens of production environments, several patterns have emerged. First, always use RemovalPolicy.RETAIN for stateful resources like databases and S3 buckets containing data—accidental stack deletion shouldn’t destroy production data. Second, leverage CDK’s context mechanism for environment-specific configuration rather than hardcoding values. Third, create custom L3 constructs that encode your organization’s standards—this ensures consistency across teams and projects.

The transition from CloudFormation to CDK requires mindset adjustment. You’re no longer writing configuration—you’re writing code. Apply the same rigor: write tests, use version control, conduct code reviews, and refactor when patterns emerge. The investment pays dividends in maintainability and deployment confidence.

Additional References:

AWS CDK Developer Guide – Official documentation with comprehensive tutorials
Construct Hub – Community-contributed CDK constructs and patterns
AWS CDK GitHub Repository – Source code and issue tracking
CDK Python API Reference – Complete API documentation for Python

Searching in

Code, Cloud & Context

Categories

Archives

A sample text widget