
Portal | Level: L1: Foundations | Topics: Cloud Deep Dive | Domain: Cloud

Cloud Providers (AWS/GCP) - Skill Check

Mental model (bottom-up)

Managed Kubernetes adds cloud-specific glue. EKS/GKE handle the control plane, but you own networking (VPC CNI, pod IPs), identity federation (IRSA/Workload Identity), load balancers (ALB/NLB), and storage (EBS/PD). Understanding the cloud layer beneath Kubernetes is what separates operators from admins.

Visual stack

[Application Pod     ]  uses K8s ServiceAccount
|
[Identity Federation ]  IRSA (AWS) / Workload Identity (GCP)
|
[Cloud IAM Role      ]  scoped permissions (S3, KMS, etc.)
|
[VPC Networking      ]  pod IPs from VPC subnets (not overlay)
|
[Load Balancer       ]  ALB (L7) or NLB (L4) → target pods directly
|
[Managed Control Plane]  EKS/GKE runs etcd, apiserver, scheduler

Glossary

  • IRSA - IAM Roles for Service Accounts; maps K8s SA → AWS IAM Role via OIDC
  • Workload Identity - GCP equivalent; maps K8s SA → GCP Service Account
  • VPC CNI - AWS plugin assigning real VPC IPs to pods (not overlay)
  • ALB - Application Load Balancer (Layer 7, HTTP routing, path-based)
  • NLB - Network Load Balancer (Layer 4, TCP/UDP, static IP, low latency)
  • Prefix delegation - VPC CNI feature giving 16 IPs per ENI slot instead of 1
  • Karpenter - node provisioner replacing cluster-autoscaler with faster, smarter scaling

Core questions (easy -> hard)

  • Q: How does a pod get AWS permissions without hardcoded credentials?
    A: IRSA: the ServiceAccount annotation → a mutating webhook injects the role ARN and a projected OIDC token into the pod → the pod calls STS AssumeRoleWithWebIdentity.
  • Q: ALB vs NLB — when do you use each?
    A: ALB for HTTP/HTTPS with path/host routing. NLB for TCP/UDP, gRPC, static IPs, or low-latency needs.
  • Q: Pods stuck Pending with "no available addresses." What happened?
    A: VPC subnet IPs exhausted. Each EKS pod gets a real VPC IP. Fix: enable prefix delegation or add a secondary CIDR.
  • Q: How do you prevent a single pod from accessing all AWS resources on the node?
    A: Use IRSA (per-SA roles) instead of node instance roles. Block IMDS access with NetworkPolicy or iptables.
  • Q: GKE vs EKS — key architectural differences?
    A: GKE: free control plane, integrated Workload Identity, GKE Autopilot. EKS: $0.10/hr control plane, VPC CNI (real IPs), Fargate option.
  • Q: How do you handle cross-account access from EKS pods?
    A: IRSA role in Account A + bucket policy in Account B. Both sides must grant access.
  • Q: Your cloud bill jumped 40%. Investigation plan?
    A: Cost Explorer by service/tag/time. Check node count growth, spot fallback, orphaned EBS volumes, data transfer spikes.
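A worked example for the IRSA questions above (added here, not part of the original skill check): it builds the IAM trust policy and the ServiceAccount annotation that tie one Kubernetes ServiceAccount to one IAM role, and includes a review check that flags trust policies whose OIDC conditions would let any ServiceAccount in the cluster assume the role. The OIDC issuer id, account id, namespace and role names are constructed placeholders.

```python
# Constructed sample values: the OIDC issuer id and account id are placeholders.
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID00000000000000000"
ACCOUNT_ID = "123456789012"


def irsa_trust_policy(account_id, oidc_issuer, namespace, sa_name):
    """Trust policy that lets exactly one K8s ServiceAccount assume the role.
    :aud pins the token audience; :sub pins the SA (without it, any SA in the cluster qualifies)."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_issuer}:aud": "sts.amazonaws.com",
                f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            }},
        }],
    }


def service_account_manifest(namespace, sa_name, role_arn):
    """ServiceAccount the pod runs as; the annotation is what the EKS webhook acts on."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": sa_name, "namespace": namespace,
                         "annotations": {"eks.amazonaws.com/role-arn": role_arn}}}


def trust_policy_findings(policy):
    """Review check: flag AssumeRoleWithWebIdentity statements scoped too broadly."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        # Flatten every condition operator (StringEquals, StringLike, ...) into one map.
        keys = {k: v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        subs = [x for k, v in keys.items() if k.endswith(":sub") for x in (v if isinstance(v, list) else [v])]
        auds = [x for k, v in keys.items() if k.endswith(":aud") for x in (v if isinstance(v, list) else [v])]
        if not subs:
            findings.append(f"statement {i}: no :sub condition; any ServiceAccount in the cluster can assume this role")
        elif any("*" in str(s) for s in subs):
            findings.append(f"statement {i}: wildcard :sub {subs}; scope it to one namespace:serviceaccount")
        if "sts.amazonaws.com" not in auds:
            findings.append(f"statement {i}: :aud condition missing or not sts.amazonaws.com")
    return findings
```

The trust policy dict is what you would serialise and pass as the role's assume-role policy document; the check is worth running over every IRSA role, since a missing `:sub` condition is a cluster-wide privilege grant rather than a per-pod one.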
