forked from LandmakTechnology/eks-22
# Create EKS Cluster with Node Groups
## Step-00: Introduction
- Understand about EKS Core Objects
- Control Plane
- Worker Nodes & Node Groups
- Fargate Profiles
- VPC
- Create EKS Cluster
- Associate EKS Cluster to IAM OIDC Provider
- Create EKS Node Groups
- Verify Cluster, Node Groups, EC2 Instances, IAM Policies and Node Groups
## Step-01: Create EKS Cluster using eksctl
- It will take 15 to 20 minutes to create the cluster control plane.
```
# Create Cluster
eksctl create cluster --name=myeks \
                      --region=us-east-1 \
                      --zones=us-east-1a,us-east-1b \
                      --without-nodegroup

# Get List of clusters
eksctl get clusters
```
## Step-02: Create & Associate IAM OIDC Provider for our EKS Cluster
- To enable and use AWS IAM roles for Kubernetes service accounts (IRSA) on our EKS cluster, we must create and associate an OIDC identity provider for the cluster.
- To do so using `eksctl`, we can use the command below.
- Use the latest eksctl version (at the time of writing, the latest version is `0.21.0`).
```
# Replace with your region & cluster name
eksctl utils associate-iam-oidc-provider \
    --region us-east-1 \
    --cluster myeks \
    --approve
```
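What the OIDC association actually unlocks is an IAM role whose trust policy names the cluster's OIDC provider and is pinned to one Kubernetes service account. The following is an added example (not part of this repository's notes, and not eksctl's own code): it builds such a trust policy and checks an existing one for the two mistakes that quietly widen its scope, a missing or wildcard `:sub` condition and a missing `:aud` condition. The account id and the OIDC issuer id are constructed placeholders; `eksctl create iamserviceaccount` generates an equivalent policy for you, so this is mainly a way to see and audit what it produces.

```python
import json

# Constructed placeholder values (not taken from the page or a real account).
ACCOUNT_ID = "111122223333"
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"


def _as_list(value):
    """IAM condition values may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def build_irsa_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy for an IAM role that exactly one Kubernetes service account may assume.

    The federated principal is the OIDC provider registered by
    `eksctl utils associate-iam-oidc-provider`; the :sub condition pins the role to a
    single namespace/service account and :aud requires a token minted for STS.
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{oidc_issuer}:aud": "sts.amazonaws.com",
                        f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                    }
                },
            }
        ],
    }


def trust_policy_findings(policy, oidc_issuer):
    """Return problems found in an IRSA trust policy; an empty list means it is scoped."""
    sub_key = f"{oidc_issuer}:sub"
    aud_key = f"{oidc_issuer}:aud"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        sub_value = equals.get(sub_key, like.get(sub_key))
        if sub_value is None:
            findings.append("missing :sub condition: any service account in the cluster can assume the role")
        elif sub_key in like and any("*" in v for v in _as_list(sub_value)):
            findings.append(f"wildcard :sub condition {sub_value!r}: the role is shared across service accounts")
        if aud_key not in equals:
            findings.append("missing :aud condition: the token audience is not checked")
    return findings


if __name__ == "__main__":
    policy = build_irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, "kube-system", "aws-load-balancer-controller")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, OIDC_ISSUER))
```

The generated document is what you would pass as the trust policy when creating the role (the second link under Additional References walks through that); running `trust_policy_findings` over a role's existing trust policy is a quick way to confirm nobody has loosened the `:sub` match to a wildcard since.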
## Step-03: Create EC2 Keypair
- Create a new EC2 Keypair named `kube-demo`.
- We will use this keypair when creating the EKS node group.
- It lets us log in to the EKS worker nodes over SSH from a terminal.
## Step-04: Create Node Group with additional Add-Ons in Public Subnets
- Each of these `--*-access` add-on flags automatically attaches the corresponding IAM policy to the node group's IAM role.
```
# Create Public Node Group
# --ssh-public-key must name the EC2 keypair created in Step-03 (kube-demo)
eksctl create nodegroup --cluster=myeks \
                        --region=us-east-1 \
                        --name=myeks-ng-public1 \
                        --node-type=t3.medium \
                        --nodes=3 \
                        --nodes-min=3 \
                        --nodes-max=14 \
                        --node-volume-size=20 \
                        --ssh-access \
                        --ssh-public-key=kube-demo \
                        --managed \
                        --asg-access \
                        --external-dns-access \
                        --full-ecr-access \
                        --appmesh-access \
                        --alb-ingress-access
```
## Step-05: Verify Cluster & Nodes
### Verify NodeGroup subnets to confirm EC2 Instances are in Public Subnet
- Verify the node group subnets to ensure the node group was created in public subnets.
- Go to Services -> EKS -> eksdemo -> eksdemo1-ng1-public (the console shows the names you chose; with the commands above they are `myeks` and `myeks-ng-public1`).
- Click on the associated subnet in the **Details** tab.
- Click on the **Route Table** tab.
- We should see an internet route via an Internet Gateway (0.0.0.0/0 -> igw-xxxxxxxx).
### Verify Cluster, NodeGroup in EKS Management Console
- Go to Services -> Elastic Kubernetes Service -> eksdemo1 (or `myeks` with the commands above)
### List Worker Nodes
```
# List EKS clusters
eksctl get cluster

# List NodeGroups in a cluster
eksctl get nodegroup --cluster=<clusterName>

# List Nodes in current kubernetes cluster
kubectl get nodes -o wide

# Our kubectl context should have been switched to the new cluster automatically
kubectl config view --minify
```
### Verify Worker Node IAM Role and list of Policies
- Go to Services -> EC2 -> select one of the worker node instances
- Click on the **IAM Role** associated to the EC2 worker node and review the attached policies
### Verify Security Group Associated to Worker Nodes
- Go to Services -> EC2 -> select one of the worker node instances
- Click on the **Security Group** associated to the EC2 instance which contains `remote` in its name.
### Verify CloudFormation Stacks
- Verify Control Plane Stack & Events
- Verify NodeGroup Stack & Events
### Login to Worker Node using Keypair kube-demo
- Login to a worker node
```
# For macOS, Linux or Windows 10 (OpenSSH)
ssh -i kube-demo.pem ec2-user@<Public-IP-of-Worker-Node>

# For Windows 7, use PuTTY (convert kube-demo.pem to a .ppk with PuTTYgen first)
```
## Step-06: Update Worker Nodes Security Group to allow all traffic
- We need to allow `All Traffic` on the worker node security group.
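The two console checks above (is the subnet really public, and what does the `remote` security group now admit) can be scripted against the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return. The following is an added example, not part of this repository's notes: it classifies a route table as public by the `0.0.0.0/0 -> igw-` route from Step-05, flags every ingress rule reachable from the whole internet (rating an all-traffic rule from `0.0.0.0/0`, the state Step-06 leaves the group in, as high), and builds the narrower SSH-only alternative in the `--ip-permissions` shape that `aws ec2 authorize-security-group-ingress` accepts. All ids, group names and CIDRs are constructed placeholders.

```python
import json

# Constructed sample data shaped like the AWS CLI responses; ids, names and CIDRs are placeholders.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0123456789abcdef0",
    "Associations": [{"SubnetId": "subnet-0123456789abcdef0"}],
    "Routes": [
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"},
    ],
}

SAMPLE_SECURITY_GROUPS = [
    {   # the "remote" access group as Step-06 leaves it: all traffic from anywhere
        "GroupId": "sg-0aaaaaaaaaaaaaaaa",
        "GroupName": "eksctl-myeks-nodegroup-myeks-ng-public1-remoteAccess",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {   # a scoped group: SSH only from an admin range, everything else only from itself
        "GroupId": "sg-0bbbbbbbbbbbbbbbb",
        "GroupName": "eks-cluster-sg-myeks-scoped",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0bbbbbbbbbbbbbbbb"}]},
        ],
    },
]


def is_public_route_table(route_table):
    """Step-05 check: the subnet is public when 0.0.0.0/0 routes to an Internet Gateway."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("GatewayId", "").startswith("igw-")
                and route.get("State", "active") == "active"):
            return True
    return False


def open_ingress_findings(security_groups):
    """List ingress rules reachable from the whole internet; all-traffic rules rate 'high'."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            world_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            world_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
            if not (world_v4 or world_v6):
                continue
            all_traffic = perm.get("IpProtocol") == "-1"
            findings.append({
                "GroupId": sg["GroupId"],
                "GroupName": sg["GroupName"],
                "protocol": "all" if all_traffic else perm["IpProtocol"],
                "ports": "all" if all_traffic else f"{perm.get('FromPort')}-{perm.get('ToPort')}",
                "severity": "high" if all_traffic else "medium",
            })
    return findings


def scoped_ssh_rule(admin_cidr):
    """Narrower alternative to Step-06: SSH only from the admin network, in the
    IpPermissions shape that `aws ec2 authorize-security-group-ingress --ip-permissions` takes."""
    return {
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": admin_cidr, "Description": "SSH from admin network only"}],
    }


if __name__ == "__main__":
    print("subnet is public:", is_public_route_table(SAMPLE_ROUTE_TABLE))
    for finding in open_ingress_findings(SAMPLE_SECURITY_GROUPS):
        print(f"[{finding['severity']}] {finding['GroupId']} {finding['GroupName']}: "
              f"{finding['protocol']} ports {finding['ports']} open to the internet")
    print(json.dumps([scoped_ssh_rule("203.0.113.0/24")]))
```

Feed it real data by loading the `RouteTables` and `SecurityGroups` arrays from the CLI output; the scoped rule is what you would authorize instead of the blanket `All Traffic` rule when the only reason for opening the group is the SSH login from Step-05.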
## Additional References
- https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
- https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html