Step Zero: Amazon Web Services (AWS) - Elastic Container with Kubernetes (EKS)¶
AWS recently released native support for Kubernetes with its EKS offering.
Note
EKS is only available in US West (Oregon) (us-west-2) and US East (N. Virginia) (us-east-1).
This guide uses AWS to set up a cluster. It mirrors the steps found at Getting Started with Amazon EKS and fills in some details that are absent in the Amazon documentation but helpful for the user.
Procedure¶
Create an IAM Role for EKS Service Role.
It should have the following policies:
AmazonEKSClusterPolicy
AmazonEKSServicePolicy
From the user interface, select EKS as the service, then follow the default steps.
Create a VPC if you don’t already have one.
This step has a lot of variability so specific settings are left to the user. One deployment example can be found at Getting Started with Amazon EKS, under Create your Amazon EKS Cluster VPC.
Create a Security Group for the EKS Control Plane to use.
You do not need to set any permissions on this. The following steps will automatically define access control between the EKS Control Plane and the individual nodes.
Create your EKS cluster (using the Amazon user interface).
Use the IAM Role in step 1 and Security Group defined in step 3. The cluster name is going to be used throughout the rest of this section. We’ll use
Z2JHKubernetesCluster
as an example cluster name.Install kubectl and heptio-authenticator-aws.
Refer to Getting Started with Amazon EKS under Configure kubectl for Amazon EKS.
Configure kubeconfig.
Also see Getting Started with Amazon EKS under Step 2: Configure kubectl for Amazon EKS.
From the user interface on AWS you can retrieve the
endpoint-url
andbase64-encoded-ca-cert
.cluster-name
is the name given in step 4. If you are using profiles in your AWS configuration, you can uncomment theenv
block and specify your profile asaws-profile
.apiVersion: v1 clusters: - cluster: server: <endpoint-url> certificate-authority-data: <base64-encoded-ca-cert> name: kubernetes contexts: - context: cluster: kubernetes user: aws name: aws current-context: aws kind: Config preferences: {} users: - name: aws user: exec: apiVersion: client.authentication.k8s.io/v1alpha1 command: heptio-authenticator-aws args: - "token" - "-i" - "<cluster-name>" # - "-r" # - "<role-arn>" # env: # - name: AWS_PROFILE # value: "<aws-profile>"
Verify
kubectl
works.kubectl get svc
This should return
kubernetes
andClusterIP
.Create the nodes using CloudFormation.
See Getting Started with Amazon EKS under Step 3: Launch and Configure Amazon EKS Worker Nodes.
Warning
If you are endeavoring to deploy on a private network, the cloudformation template creates a public IP for each worker node though there is no route to get there if you specified only private subnets. Regardless, if you wish to correct this, you can edit the cloudformation template by changing
Resources.NodeLaunchConfig.Properties.AssociatePublicIpAddress
fromtrue
tofalse
.Create an AWS authentication ConfigMap.
This is necessary for the workers to find the master plane. Download
aws-auth-cm.yaml
file.curl -O https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/aws-auth-cm.yaml
or copy it:
apiVersion: v1 kind: ConfigMap metadata: name: aws-auth namespace: kube-system data: mapRoles: | - rolearn: <ARN of instance role (not instance profile)> username: system:node:{{EC2PrivateDNSName}} groups: - system:bootstrappers - system:nodes
To find the ARN of the instance role, you can pull up any node created in Step 8. The nodes will be of the format
<Cluster Name>-<NodeName>-Node
, for exampleZ2JHKubernetesCluster-Worker-Node
. Click on the IAM Role for that node, you should see aRole ARN
andInstance Profile ARN``s. Use the ``Role ARN
in the above yaml file.
Then run:
kubectl apply -f aws-auth-cm.yaml
Preparing authenticator for Helm.
Note
There might be a better way to configure this. If you find a better way, please file an issue. Thanks.
Since the described helm deployment in the next section uses RBAC, a
system:anonymous
user must be given access to administer the cluster. This can be done by the following command:kubectl create clusterrolebinding cluster-system-anonymous \ --clusterrole=cluster-admin \ --user=system:anonymous