AWS has released native support for Kubernetes, which is available in selected regions.
This guide uses AWS to set up a cluster. This mirrors the steps found at Getting Started with Amazon EKS with some details filled in that are absent
Create a IAM Role for EKS Service Role. It should have the following policies
AmazonEKSClusterPolicy
AmazonEKSServicePolicy
AmazonEC2ContainerRegistryReadOnly
(From the user interface, select EKS as the service, then follow the default steps)
Create a VPC if you don’t already have one. This step has a lot of variability so it is left to the user. However, one deployment can be found at Getting Started with Amazon EKS, under Create your Amazon EKS Cluster VPC
Create a Security Group for the EKS Control Plane to use You do not need to set any permissions on this. The steps below will automatically define access control between the EKS Control Plane and the individual nodes
Create your EKS cluster (using the user interface) Use the IAM Role in step 1 and Security Group defined in step 3. The cluster name is going to be used throughout. We’ll use Z2JHKubernetesCluster as an example.
Z2JHKubernetesCluster
Install kubectl and aws-iam-authenticator Refer to Getting Started with Amazon EKS on Configure kubectl for Amazon EKS
Configure kubeconfig Also see Getting Started with Amazon EKS Step 2: Configure kubectl for Amazon EKS
From the user interface on AWS you can retrieve the endpoint-url, base64-encoded-ca-cert. cluster-name is the name given in step 4. If you are using profiles in your AWS configuration, you can uncomment the env block and specify your profile as aws-profile.:
endpoint-url
base64-encoded-ca-cert
cluster-name
env
aws-profile
apiVersion: v1 clusters: - cluster: server: <endpoint-url> certificate-authority-data: <base64-encoded-ca-cert> name: kubernetes contexts: - context: cluster: kubernetes user: aws name: aws current-context: aws kind: Config preferences: {} users: - name: aws user: exec: apiVersion: client.authentication.k8s.io/v1alpha1 command: aws-iam-authenticator args: - "token" - "-i" - "<cluster-name>" # env: # - name: AWS_PROFILE # value: "<aws-profile>"
Verify kubectl works
kubectl get svc
should return kubernetes and ClusterIP
kubernetes
ClusterIP
Create the nodes using CloudFormation
See Getting Started with Amazon EKS Step 3: Launch and Configure Amazon EKS Worker Nodes
Warning if you are endeavoring to deploy on a private network, the cloudformation template creates a public IP for each worker node though there is no route to get there if you specified only private subnets. Regardless, if you wish to correct this, you can edit the cloudformation template by changing Resources.NodeLaunchConfig.Properties.AssociatePublicIpAddress from 'true' to 'false'
Resources.NodeLaunchConfig.Properties.AssociatePublicIpAddress
'true'
'false'
Create a AWS authentication ConfigMap
This is necessary for the workers to find the master plane.
Preparing authenticator for Helm
There might be a better way to configure this
Since the described helm deployment in the next section uses RBAC, system:anonymous user must be given access to administer the cluster. This can be done by the following command
system:anonymous
kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
If you’d like to do some optimizations, you need to deploy Cluster Autoscaler (CA) first.
See https://www.eksworkshop.com/beginner/080_scaling/deploy_ca/