diff --git a/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/architecture.md b/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/architecture.md index 8c5bcbf9f6..c45bc7a09c 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/architecture.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/architecture.md @@ -16,7 +16,7 @@ These are some of the architectural highlights when using Palette to manage your - Add a [Cilium](https://cilium.io/) Container Network Interface (CNI) layer to your Amazon EKS cluster to handle networking for hybrid nodes using affinity rules. -- Create hybrid node pools comprised of edge hosts that have been registered with Palette. +- Create hybrid node pools comprising edge hosts that have been registered with Palette. - Define cluster profiles to collectively manage your hybrid nodes. Each cluster profile for a hybrid node pool includes the following configurable layers: @@ -72,7 +72,7 @@ Traffic routing in the Amazon EKS VPC requires the following mapping for hybrid For example, Hybrid Pod CIDR 192.168.0.0/16 → VPN endpoint 172.16.0.1. - For AWS Direct Connect, map traffic to appropriate private subnet CIDR. - For example, Both CIDRs 10.200.0.0/16 & 192.168.0.0/16 → Private subnet 172.16.1.0/24. + For example, both CIDRs 10.200.0.0/16 & 192.168.0.0/16 → Private subnet 172.16.1.0/24. For AWS VPNs, configure two static routes for each of the following CIDRs: @@ -145,4 +145,4 @@ Palette supports the following authentication methods for your hybrid nodes: Refer to [Prepare credentials for hybrid nodes](https://docs.aws.amazon.com/eks/latest/userguide/hybrid-nodes-creds.html) for -guidance on how to setup credentials for your hybrid nodes. +guidance on how to set up credentials for your hybrid nodes. 
diff --git a/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/create-hybrid-node-pools.md b/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/create-hybrid-node-pools.md index 8499416a05..b7aa1c941d 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/create-hybrid-node-pools.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/create-hybrid-node-pools.md @@ -7,8 +7,8 @@ tags: ["public cloud", "aws", "eks hybrid nodes"] sidebar_position: 30 --- -This section guides you on how to create a cluster profile to collectively manage your hybrid nodes. You can then create -hybrid node pools and add your edge hosts to them. +This section guides you on how to create a cluster profile to collectively manage your Amazon Elastic Kubernetes Service +(Amazon EKS) Hybrid Nodes. You can then create hybrid node pools and add your edge hosts to them. You must then configure your networking to allow traffic to reach the pods on your hybrid nodes. @@ -42,9 +42,8 @@ You must then configure your networking to allow traffic to reach the pods on yo - For Agent Mode, select **BYOS - Agent Mode**. - For provider images, select **BYOS - Edge OS**. -7. If selecting **BYOS - Agent Mode**, on the **Configure Pack** page, click **Values** under **Pack Details**. - - Click on **Presets** on the right-hand side, and select **Agent Mode**. +7. If selecting **BYOS - Agent Mode**, on the **Configure Pack** page, click **Values** under **Pack Details**. Then, + click on **Presets** on the right-hand side, and select **Agent Mode**. 8. Click **Next layer** to continue. 
@@ -65,7 +64,7 @@ You must then configure your networking to allow traffic to reach the pods on yo :::info - While this change is not required for the pack to function, setting it to 'dummy' better indicates that this pack + While this change is not required for the pack to function, setting it to `dummy` better indicates that this pack serves as a placeholder only. This is because the Container Network Interface (CNI) was already created for hybrid nodes during the [Add CNI Cluster Profile](./import-eks-cluster-enable-hybrid-mode.md#add-cni-cluster-profile) steps. 
@@ -146,17 +145,17 @@ Your cluster profile for hybrid nodes is now created and can be used in the 7. Once your edge hosts have been selected, click **Configure** next to each edge host to review and configure individual host options. - | **Field** | **Description** | - | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | - | **Host Name (Optional)** | Provide a optional name for the edge host that will be displayed in Palette. | - | **NIC Name** | Select a specific Network Interface Card (NIC) on the edge host from the **drop-down Menu**, or leave it on **Auto**. | - | **VPN server IP** | Specify the VPN server's IP if the hybrid nodes in the pool use a VPN _and_ the hybrid node's network does not automatically route traffic to the EKS VPC CIDR through the VPN server. If provided, a static route will be configured on edge hosts to route traffic to the Amazon EKS VPC CIDR through the VPN server. If not specified, ensure your hybrid node network routes traffic to the Amazon EKS VPC CIDR through the default gateway. 
| + | **Field** | **Description** | + | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Host Name (Optional)** | Provide an optional name for the edge host that will be displayed in Palette. | + | **NIC Name** | Select a specific Network Interface Card (NIC) on the edge host from the **drop-down Menu**, or leave it on **Auto**. | + | **VPN server IP** | Specify the Virtual Private Network (VPN) server's IP if the hybrid nodes in the pool use a VPN _and_ the hybrid node's network does not automatically route traffic to the EKS Virtual Private Cloud (VPC) Classless Inter-Domain Routing (CIDR) through the VPN server. If provided, a static route will be configured on edge hosts to route traffic to the Amazon EKS VPC CIDR through the VPN server. If not specified, ensure your hybrid node network routes traffic to the Amazon EKS VPC CIDR through the default gateway. | - Click **Confirm** once done. +8. Click **Confirm** once done. -8. Repeat step 7 for each edge host added to your node pool as needed. +9. Repeat step 7 and 8 for each edge host added to your node pool as needed. -9. Click **Confirm** on the **Add node pool** pop-up window to add the hybrid node pool to your cluster. +10. Click **Confirm** on the **Add node pool** pop-up window to add the hybrid node pool to your cluster. The hybrid node pool will then be provisioned and added to your cluster. This will take up to 15 minutes. 
@@ -217,7 +216,7 @@ nodes. Before proceeding, consider the following points: Example output. - ```shell + ```shell hideClipboard NAME CILIUMINTERNALIP INTERNALIP AGE edge-abc123def4567890example1 192.168.5.101 10.200.1.23 2h edge-xyz987uvw6543210example2 192.168.6.102 10.200.2.34 3h @@ -235,7 +234,7 @@ nodes. Before proceeding, consider the following points: Example output. - ```shell + ```shell hideClipboard podCIDRs: - 192.168.5.0/25 ``` @@ -245,10 +244,10 @@ nodes. Before proceeding, consider the following points: 4. For each hybrid node, add the following entries. - | **Field** | **Description** | **Example** | - | ------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------------------ | - | Destination | Use the `podCIDRs` value for the hybrid node discovered in step 2. | `192.168.4.128/25` | - | Next Hop / Gateway | Specify the IP address of the hybrid node as listed in the CiliumNode resource under `internalIP` discovered in step 1. | `192.168.5.101` | + | **Field** | **Description** | **Example** | + | ---------------------- | ----------------------------------------------------------------------------------------------------------------------- | ------------------ | + | **Destination** | Use the `podCIDRs` value for the hybrid node discovered in step 2. | `192.168.4.128/25` | + | **Next Hop / Gateway** | Specify the IP address of the hybrid node as listed in the CiliumNode resource under `internalIP` discovered in step 1. | `192.168.5.101` | 5. Ensure the routes are saved and applied. The process varies depending on the VPN solution. @@ -267,7 +266,7 @@ nodes. Before proceeding, consider the following points: Example healthy output. - ```shell + ```shell hideClipboard PING 192.168.5.10 (192.168.5.10): 56 data bytes 64 bytes from 192.168.5.10: icmp_seq=1 ttl=63 time=28.382 ms 64 bytes from 192.168.5.10: icmp_seq=2 ttl=63 time=27.359 ms 
@@ -341,7 +340,7 @@ Use the following steps to manually trigger a repave on a hybrid node pool. **Node Pool Updates** in the banner. 12. On the **Pool changes summary** pop-up window, click the checkbox next to **Upcoming changes in hybridPoolName - configuration**. Click **Confirm** afterwards. + configuration**. Click **Confirm** afterward. 13. On the **Review update changes** window, review your changes and click **Confirm** to start the repave. diff --git a/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/import-eks-cluster-enable-hybrid-mode.md b/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/import-eks-cluster-enable-hybrid-mode.md index ee1202b519..3a58419d2d 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/import-eks-cluster-enable-hybrid-mode.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/import-eks-cluster-enable-hybrid-mode.md @@ -8,8 +8,8 @@ tags: ["public cloud", "aws", "eks hybrid nodes"] sidebar_position: 10 --- -This section guides you on how to import an existing Amazon EKS cluster, enable hybrid mode, and configure a Container -Network Interface (CNI) add-on cluster profile for your hybrid nodes. +This section guides you on how to import an existing Amazon Elastic Kubernetes Service (Amazon EKS) cluster, enable +hybrid mode, and configure a Container Network Interface (CNI) add-on cluster profile for your Amazon EKS Hybrid Nodes. ## Limitations 
@@ -31,7 +31,7 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge - Access to an AWS cloud account. -- Palette integration with AWS account. Review [Add AWS Account](../add-aws-accounts.md) for guidance. +- Palette integration with AWS account. Review [Add an AWS Account tp Palette](../add-aws-accounts.md) for guidance. - Your Palette account role must have the `clusterProfile.create` permission to import a cluster profile. Refer to the [Cluster Profile](../../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile) @@ -47,7 +47,7 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge - Access to your Amazon EKS cluster through kubectl. - To access your cluster with kubectl, you can use the AWS CLI's built-in authentication capabilities. If you are - using a custom OIDC provider, you will need to configure your kubeconfig to use your OIDC provider. + using a custom OpenID Connect (OIDC) provider, you will need to configure your kubeconfig to use your OIDC provider. Refer to the [Access Imported Cluster with Kubectl](#access-imported-cluster-with-kubectl) section for more information. @@ -56,7 +56,7 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge [Prepare networking for hybrid nodes](https://docs.aws.amazon.com/eks/latest/userguide/hybrid-nodes-networking.html) for guidance. You will need to provide the following details during the import steps: - - The VPC CIDR range where your EKS cluster resides. + - The Virtual Private Cloud (VPC) Classless Inter-Domain Routing (CIDR) range where your EKS cluster resides. - The CIDR ranges for hybrid nodes in other networks that need to connect to this cluster. - The CIDR ranges for hybrid pods in other networks that need to connect to this cluster. 
@@ -73,7 +73,8 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge If you are using IAM Roles Anywhere, you will need to provide the following details during the import steps: - - The ARN of the IAM Roles Anywhere profile that defines which roles can be assumed by hybrid nodes. + - The Amazon Resource Name (ARN) of the IAM Roles Anywhere profile that defines which roles can be assumed by hybrid + nodes. - The ARN of the IAM role specified in the IAM Roles Anywhere profile that defines the permissions and policies for roles that can be assumed by hybrid nodes. - The ARN of the IAM Roles Anywhere trust anchor that contains your certificate authority configuration. 
@@ -97,15 +98,15 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge 3. Click on **Add New Cluster** and select **Import Cluster** in the pop-up box. -4. Fill out the required information: +4. Fill out the required information. - | **Field** | **Description** | - | ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | - | Cluster Name | The name of the cluster you want to import. Ensure it matches the cluster name in AWS. | - | Cloud Type | The cloud infrastructure type. Select **Amazon** from the **drop-down Menu**. | - | Host Path (Optional) | Specify the Certificate Authority (CA) file path for the cluster. This is the location on the physical host machine where the CA file is stored. | - | Container Mount Path (Optional) | Specify the container mount path where the CA file is mounted in the container. | - | Import mode | The Palette permission mode for the imported cluster. Select **Full-permission mode**. | + | **Field** | **Description** | + | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | + | **Cluster Name** | The name of the cluster you want to import. Ensure it matches the cluster name in AWS. | + | **Cloud Type** | The cloud infrastructure type. Select **Amazon** from the **drop-down Menu**. | + | **Host Path (Optional)** | Specify the CA file path for the cluster. This is the location on the physical host machine where the CA file is stored. | + | **Container Mount Path (Optional)** | Specify the container mount path where the CA file is mounted in the container. | + | **Import mode** | The Palette permission mode for the imported cluster. Select **Full-permission mode**. | 5. Click on **Create & Open Cluster Instance** to start the import. 
@@ -197,13 +198,13 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge 13. If selecting **IAM Roles Anywhere**, you must provide the following additional details. - | **Field** | **Description** | **Example** | - | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | - | Profile ARN | The ARN of the IAM Roles Anywhere profile that defines which roles can be assumed by hybrid nodes. | `arn:aws:rolesanywhere:us-east-2:123456789012:profile/abcd1234-5678-90ef-ghij-klmnopqrstuv` | - | Role ARN | The ARN of the IAM role specified in the IAM Roles Anywhere profile that defines the permissions and policies for roles that can be assumed by hybrid nodes. | `arn:aws:iam::123456789012:role/IRAHybridNodesRole` | - | Trust Anchor ARN | The ARN of the IAM Roles Anywhere trust anchor that contains your certificate authority configuration. | `arn:aws:rolesanywhere:us-east-2:123456789012:trust-anchor/abcd1234-5678-90ef-ghij-klmnopqrstuv` | - | Root CA Certificate | The PEM-encoded certificate of your Certificate Authority (CA) that serves as the trust anchor. This certificate is used by IAM Roles Anywhere to validate the authenticity of the client certificates presented by your hybrid nodes. | | - | Root CA Private Key | The private key corresponding to your CA certificate, used to sign client certificates. 
| | + | **Field** | **Description** | **Example** | + | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | + | Profile ARN | The ARN of the IAM Roles Anywhere profile that defines which roles can be assumed by hybrid nodes. | `arn:aws:rolesanywhere:us-east-2:123456789012:profile/abcd1234-5678-90ef-ghij-klmnopqrstuv` | + | Role ARN | The ARN of the IAM role specified in the IAM Roles Anywhere profile that defines the permissions and policies for roles that can be assumed by hybrid nodes. | `arn:aws:iam::123456789012:role/IRAHybridNodesRole` | + | Trust Anchor ARN | The ARN of the IAM Roles Anywhere trust anchor that contains your certificate authority configuration. | `arn:aws:rolesanywhere:us-east-2:123456789012:trust-anchor/abcd1234-5678-90ef-ghij-klmnopqrstuv` | + | Root CA Certificate | The PEM-encoded certificate of your CA that serves as the trust anchor. This certificate is used by IAM Roles Anywhere to validate the authenticity of the client certificates presented by your hybrid nodes. | | + | Root CA Private Key | The private key corresponding to your CA certificate, used to sign client certificates. | | 14. Click **Save Changes** when complete. @@ -226,7 +227,7 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge 16. If the `aws-auth` ConfigMap does not exist, create the following ConfigMap in the `kube-system` namespace using the following command. - Ensure to replace `` with the **Role ARN** entry from step 13. + Replace `` with the **Role ARN** entry from step 13. ```shell kubectl create -f=/dev/stdin <<-EOF 
@@ -253,8 +254,8 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge kubectl edit configmap aws-auth --namespace kube-system ``` - The following example shows the `mapRoles` entry appended below an existing entry. Ensure to replace `` - with the **Role ARN** entry from step 13. + The following example shows the `mapRoles` entry appended below an existing entry. Replace `` with the + **Role ARN** entry from step 13. ```yaml {13-17} hideClipboard apiVersion: v1 
@@ -336,18 +337,18 @@ Cilium handles IP Address Management (IPAM) and Border Gateway Protocol (BGP) fo [Cluster Profile](../../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile) permissions for guidance. -If enabling [Cilium Envoy](https://docs.cilium.io/en/latest/security/network/proxy/envoy/) or other Cilium add-ons, you -must also complete the following prerequisites: +- If enabling [Cilium Envoy](https://docs.cilium.io/en/latest/security/network/proxy/envoy/) or other Cilium add-ons, + you must also complete the following prerequisites: -- Ensure [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed and available in your local workstation. + - Ensure [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed and available in your local workstation. -- Access to your Amazon EKS cluster through kubectl. + - Access to your Amazon EKS cluster through kubectl. - - To access your cluster with kubectl, you can use the AWS CLI's built-in authentication capabilities. If you are - using a custom OIDC provider, you will need to configure your kubeconfig to use your OIDC provider. + - To access your cluster with kubectl, you can use the AWS CLI's built-in authentication capabilities. If you are + using a custom OIDC provider, you will need to configure your kubeconfig to use your OIDC provider. - Refer to the [Access Imported Cluster with Kubectl](#access-imported-cluster-with-kubectl) section for more - information. + Refer to the [Access Imported Cluster with Kubectl](#access-imported-cluster-with-kubectl) section for more + information. ### Add CNI Cluster Profile 
@@ -371,13 +372,13 @@ must also complete the following prerequisites: 9. In the YAML editor, search for **clusterPoolIPv4PodCIDRList**. This parameter specifies the overall IP ranges available for pod networking across all your hybrid nodes. -Adjust the pod CIDR list for hybrid pods in other networks that need to connect to this cluster. For example, -`192.168.0.0`. + Adjust the pod CIDR list for hybrid pods in other networks that need to connect to this cluster. For example, + `192.168.0.0`. 10. In the YAML editor, search for **clusterPoolIPv4MaskSize**. This parameter determines the subnet mask size used for pod IP allocation within each hybrid node. -Adjust the mask size based on your required pods per hybrid node. For example, `/25`. + Adjust the mask size based on your required pods per hybrid node. For example, `/25`. 11. In the Presets, find the **cilium-agent - Hybrid Nodes Affinity** option, and select **Amazon EKS**. @@ -468,8 +469,8 @@ Once you have downloaded your kubeconfig, you can use kubectl to access your clu ### Custom OIDC Provider -To access an Amazon EKS cluster with a custom [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) -provider, you need to do the following: +To access an Amazon EKS cluster with a custom [OIDC](https://openid.net/developers/how-connect-works/) provider, you +need to do the following: - If you have not yet installed an OIDC provider for your cluster, install [kubelogin](https://github.com/int128/kubelogin). We recommend kubelogin for its ease of authentication. Visit
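Review bot: In `architecture.md` hunk `@@ -72,7 +72,7 @@`, the unchanged context line "For AWS Direct Connect, map traffic to appropriate private subnet CIDR." is missing an article; while this hunk is touching the neighbouring sentence, change it to "map traffic to the appropriate private subnet CIDR."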
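Review bot: In `create-hybrid-node-pools.md` hunk `@@ -146,17 +145,17 @@`, the new line "9. Repeat step 7 and 8 for each edge host" should read "Repeat steps 7 and 8". Since this hunk inserts a new step 8 and shifts the old steps 8 and 9 to 9 and 10, also confirm that no later text in this file still refers to the old numbers of these steps.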
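Review bot: In `create-hybrid-node-pools.md` hunk `@@ -245,10 +244,10 @@`, the example values in the route table do not line up with the example output shown earlier in the same walkthrough: step 2's example output lists `podCIDRs: - 192.168.5.0/25` and the CiliumNode listing gives `192.168.5.101` as the node IP, but the Destination example in this table is `192.168.4.128/25`. Using `192.168.5.0/25` here would keep the worked example consistent end to end; the Next Hop example `192.168.5.101` already matches.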
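Review bot: In `import-eks-cluster-enable-hybrid-mode.md` hunk `@@ -31,7 +31,7 @@`, the new link text "Add an AWS Account tp Palette" has a typo: "tp" should be "to". The same line could also read "Palette integration with an AWS account" for grammar.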
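Review bot: In `import-eks-cluster-enable-hybrid-mode.md` hunk `@@ -97,15 +98,15 @@`, the Host Path row drops the expansion "Certificate Authority (CA)" and now says only "Specify the CA file path". The step 13 table in hunk `@@ -197,13 +198,13 @@` drops the same expansion from the Root CA Certificate row, so within the lines visible in this patch the acronym is no longer defined at first use. Keep the expansion on whichever occurrence comes first in the file, or confirm it is defined earlier.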
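Review bot: In `import-eks-cluster-enable-hybrid-mode.md` hunk `@@ -197,13 +198,13 @@`, the example Profile ARN and Trust Anchor ARN both use the placeholder `abcd1234-5678-90ef-ghij-klmnopqrstuv`; if these identifiers are UUIDs, the letters g through v are not valid hex characters, so a hex-only placeholder such as `abcd1234-5678-90ef-1234-567890abcdef` would be a more realistic example. The Root CA Certificate and Root CA Private Key rows have empty Example cells; a short note like "PEM-encoded, beginning with `-----BEGIN CERTIFICATE-----`" would fill the gap. Because the table asks the reader to paste a CA private key into Palette, it would also help to state that this key is sensitive and that a CA dedicated to hybrid node credentials, rather than a broadly trusted root, is the safer choice.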
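Review bot: In `import-eks-cluster-enable-hybrid-mode.md` hunk `@@ -226,7 +227,7 @@`, the inline code span in "Replace `` with the **Role ARN** entry from step 13" is empty in both the removed and added lines. If the placeholder name was stripped when the patch was rendered, ignore this; otherwise the placeholder the reader is supposed to replace is missing and should be restored between the backticks.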
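Review bot: In `import-eks-cluster-enable-hybrid-mode.md` hunk `@@ -253,8 +254,8 @@`, the same empty backtick span appears in "Replace `` with the **Role ARN** entry from step 13"; check that the placeholder text survives in the source, since the YAML example that follows depends on the reader knowing which token to replace.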
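Review bot: In `import-eks-cluster-enable-hybrid-mode.md` hunk `@@ -336,18 +337,18 @@`, the re-indented line "Ensure kubectl is installed and available in your local workstation" should say "on your local workstation". The restructuring itself nests the kubectl and cluster-access items under the Cilium Envoy bullet, which matches the intent that they apply only when add-ons are enabled.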
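Review bot: In `import-eks-cluster-enable-hybrid-mode.md` hunk `@@ -371,13 +372,13 @@`, the re-indented example for **clusterPoolIPv4PodCIDRList** is `192.168.0.0`, which has no prefix length even though the parameter is described as a list of CIDR ranges; the `architecture.md` hunk in this same patch uses `192.168.0.0/16` for the hybrid pod CIDR, so `192.168.0.0/16` would be the consistent example here.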