Amazon EKS

Overview

  • Amazon Elastic Container Service for Kubernetes (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on AWS without needing to stand up or maintain your own Kubernetes control plane. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications.
  • Amazon EKS runs Kubernetes control plane instances across multiple Availability Zones to ensure high availability. Amazon EKS automatically detects and replaces unhealthy control plane instances, and it provides automated version upgrades and patching for them.

Prerequisites

  • Spinnaker must already be set up on a server.
  • Have the AWS access key and secret key at hand.
  • Ensure the AWS CLI is installed and configured on the server and has access to the managed and managing accounts.
  • If the AWS CLI is not installed, click here.

Steps to Setup AWS CLI & aws-iam-authenticator

  • Installing the AWS CLI on the server requires a working Python setup, along with access to run python and pip commands.
  • Execute the below commands to install python3.

        sudo apt-get install build-essential libpq-dev libssl-dev openssl libffi-dev zlib1g-dev
        sudo apt-get install python3-pip python3-dev
    
  • Execute the below command to Install AWS CLI using pip

        sudo pip3 install awscli
    
  • Execute the below command after successful completion of the AWS CLI installation

        $ aws --version
        aws-cli/1.16.101 Python/2.7.6 Linux/4.4.0-135-generic botocore/1.12.91
    
  • Installation of aws-iam-authenticator

  • Amazon EKS uses IAM to provide authentication to your Kubernetes cluster through the AWS IAM Authenticator for Kubernetes. Beginning with Kubernetes version 1.10, you can configure the stock kubectl client to work with Amazon EKS by installing the AWS IAM Authenticator for Kubernetes and modifying your kubectl configuration file to use it for authentication.
  • Execute the below command to download the aws-iam-authenticator binaries

        # Linux
        curl -o aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/linux/amd64/aws-iam-authenticator
        # MacOS
        curl -o aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/darwin/amd64/aws-iam-authenticator
        # Windows
        curl -o aws-iam-authenticator.exe https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/windows/amd64/aws-iam-authenticator.exe
    

  • Execute the below command to provide executable permissions to the binary

        chmod +x ./aws-iam-authenticator
    

  • Copy the binary to a folder in your $PATH. We recommend creating a $HOME/bin/aws-iam-authenticator and ensuring that $HOME/bin comes first in your $PATH.
        mkdir -p "$HOME/bin" && cp ./aws-iam-authenticator "$HOME/bin/aws-iam-authenticator" && export PATH=$HOME/bin:$PATH
    
  • Add $HOME/bin to your PATH environment variable.
  • For Bash shells on macOS:
        echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile
    
  • For Bash shells on Linux:
        echo 'export PATH=$HOME/bin:$PATH' >> ~/.bashrc
    
  • Test that the aws-iam-authenticator binary works.
        aws-iam-authenticator help
    
  • Execute the below command to configure the AWS CLI with access key & secret key

        aws configure
    

    Note

    Provide all the details prompted during this process.

  • To validate AWS CLI, execute the below command

        aws configure list
    

Access key and secret key details should have been updated with the values provided.

Steps to Setup Managing Account

  • In this chapter we will create a two-subnet VPC, IAM roles, instance profiles, a Security Group for EKS control-plane communications, and an EKS cluster.
  • Execute the below commands to create the managing account
        # Use the /raw/ URL with -L; the /blob/ URL returns GitHub's HTML page, not the template
        curl -LO https://github.com/OpsMx/general_downloadble/raw/master/managing.yaml
        aws cloudformation deploy --stack-name spinnaker-managing-infrastructure-setup --template-file managing.yaml --parameter-overrides UseAccessKeyForAuthentication=false EksClusterName=spinnaker-cluster --capabilities CAPABILITY_NAMED_IAM
    
  • After the above completes successfully, run the following to capture the stack outputs in shell variables
        VPC_ID=$(aws cloudformation describe-stacks --stack-name spinnaker-managing-infrastructure-setup --query 'Stacks[0].Outputs[?OutputKey==`VpcId`].OutputValue' --output text)
        CONTROL_PLANE_SG=$(aws cloudformation describe-stacks --stack-name spinnaker-managing-infrastructure-setup --query 'Stacks[0].Outputs[?OutputKey==`SecurityGroups`].OutputValue' --output text)
        AUTH_ARN=$(aws cloudformation describe-stacks --stack-name spinnaker-managing-infrastructure-setup --query 'Stacks[0].Outputs[?OutputKey==`AuthArn`].OutputValue' --output text)
        SUBNETS=$(aws cloudformation describe-stacks --stack-name spinnaker-managing-infrastructure-setup --query 'Stacks[0].Outputs[?OutputKey==`SubnetIds`].OutputValue' --output text)
        MANAGING_ACCOUNT_ID=$(aws cloudformation describe-stacks --stack-name spinnaker-managing-infrastructure-setup --query 'Stacks[0].Outputs[?OutputKey==`ManagingAccountId`].OutputValue' --output text)
        EKS_CLUSTER_ENDPOINT=$(aws cloudformation describe-stacks --stack-name spinnaker-managing-infrastructure-setup --query 'Stacks[0].Outputs[?OutputKey==`EksClusterEndpoint`].OutputValue' --output text)
        EKS_CLUSTER_NAME=$(aws cloudformation describe-stacks --stack-name spinnaker-managing-infrastructure-setup --query 'Stacks[0].Outputs[?OutputKey==`EksClusterName`].OutputValue' --output text)
        EKS_CLUSTER_CA_DATA=$(aws cloudformation describe-stacks --stack-name spinnaker-managing-infrastructure-setup --query 'Stacks[0].Outputs[?OutputKey==`EksClusterCA`].OutputValue' --output text)
        SPINNAKER_INSTANCE_PROFILE_ARN=$(aws cloudformation describe-stacks --stack-name spinnaker-managing-infrastructure-setup --query 'Stacks[0].Outputs[?OutputKey==`SpinnakerInstanceProfileArn`].OutputValue' --output text)
    

Steps to Setup Managed Account

  • Setting up the managed account creates an IAM role that can be assumed by Spinnaker.
  • Execute the below commands to create the managed account
        # Use the /raw/ URL with -L; the /blob/ URL returns GitHub's HTML page, not the template
        curl -LO https://github.com/OpsMx/general_downloadble/raw/master/managed.yaml
        aws cloudformation deploy --stack-name spinnaker-managed-infrastructure-setup --template-file managed.yaml --parameter-overrides AuthArn=$AUTH_ARN ManagingAccountId=$MANAGING_ACCOUNT_ID --capabilities CAPABILITY_NAMED_IAM
    

Steps to modify kube config

  • Paste the following into your kubeconfig file, replacing <EKS-Cluster-API-EndPointURL>, <Cluster Authentication Cert> and <cluster name> with the values of $EKS_CLUSTER_ENDPOINT, $EKS_CLUSTER_CA_DATA and $EKS_CLUSTER_NAME as noted above:
        apiVersion: v1
        clusters:
        - cluster:
            server: <EKS-Cluster-API-EndPointURL>
            certificate-authority-data: <Cluster Authentication Cert>
          name: kubernetes
        contexts:
        - context:
            cluster: kubernetes
            user: aws
          name: aws
        current-context: aws
        kind: Config
        preferences: {}
        users:
        - name: aws
          user:
            exec:
              apiVersion: client.authentication.k8s.io/v1alpha1
              command: aws-iam-authenticator
              args:
                - "token"
                - "-i"
                - "<cluster name>"
                # - "-r"
                # - "<role-arn>"
              # env:
                # - name: AWS_PROFILE
                #   value: "<aws-profile>"
    
  • Click here to create service account and cluster role bindings.
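
The kubeconfig step above, as an added example that is not part of the original page: a shell function that fills the template from the stack-output variables and rejects values that would weaken the connection (a non-TLS endpoint, or CA data that is not a base64-encoded PEM certificate). The function name `render_kubeconfig` and the output path argument are assumptions made for this example.

```shell
# Added example; render_kubeconfig is a hypothetical helper, not part of any tool.
render_kubeconfig() {
  local endpoint="$1" ca_data="$2" cluster="$3" out="$4"

  # kubectl sends the IAM-signed token to this URL, so it must be TLS.
  case "$endpoint" in
    https://*) ;;
    *) echo "endpoint is not https: $endpoint" >&2; return 1 ;;
  esac

  # certificate-authority-data must be base64 that decodes to a PEM certificate;
  # an empty or truncated value would leave the API server unverifiable.
  if ! printf '%s' "$ca_data" | base64 -d 2>/dev/null |
       grep -q -e '-----BEGIN CERTIFICATE-----'; then
    echo "CA data is not a base64-encoded PEM certificate" >&2; return 1
  fi

  [ -n "$cluster" ] || { echo "cluster name is empty" >&2; return 1; }

  # A newly created file gets owner-only permissions.
  ( umask 077; cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: $endpoint
    certificate-authority-data: $ca_data
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aws
  name: aws
current-context: aws
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args: ["token", "-i", "$cluster"]
EOF
  )
}
```

Call it as `render_kubeconfig "$EKS_CLUSTER_ENDPOINT" "$EKS_CLUSTER_CA_DATA" "$EKS_CLUSTER_NAME" "$HOME/.kube/config"` once the variables from the managing-account step are set.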

Steps to Enable Kubernetes with Halyard

  • Execute the following commands to enable Kubernetes with Halyard
        hal config provider kubernetes enable
        hal config provider kubernetes account add <Kube Acc name> --provider-version v2 --context $(kubectl config current-context)
        hal config features edit --artifacts true
    

Steps to Launch and Configure EKS worker Nodes

  • Edit the amazon-eks-nodegroup.yaml file, search for “KeyName”, and add your key pair name as its default value to enable SSH access to the EC2 instances.
        KeyName:
            Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
            Type: AWS::EC2::KeyPair::KeyName
            Default: <KeyPair Name>
    
  • Execute the below commands to download the template and launch the worker nodes. To change the EKS image embedded in the template, refer to the list below of EKS-optimized AMIs available in each region.

        # Use the /raw/ URL with -L; the /blob/ URL returns GitHub's HTML page, not the template
        curl -LO https://github.com/OpsMx/general_downloadble/raw/master/amazon-eks-nodegroup.yaml
        aws cloudformation deploy --stack-name spinnaker-eks-nodes --template-file amazon-eks-nodegroup.yaml --parameter-overrides NodeInstanceProfile=$SPINNAKER_INSTANCE_PROFILE_ARN NodeInstanceType=t2.large ClusterName=$EKS_CLUSTER_NAME NodeGroupName=spinnaker-cluster-nodes ClusterControlPlaneSecurityGroup=$CONTROL_PLANE_SG Subnets=$SUBNETS VpcId=$VPC_ID --capabilities CAPABILITY_NAMED_IAM
    
  • The EKS-optimized AMIs for Kubernetes 1.11 are listed in the table below

    Kubernetes version 1.11

    Region                                      Amazon EKS-optimized AMI   with GPU support
    US West (Oregon) (us-west-2)                ami-081099ec932b99961      ami-095922d81242d0528
    US East (N. Virginia) (us-east-1)           ami-0c5b63ec54dd3fc38      ami-0a0cbb44e651c5e22
    US East (Ohio) (us-east-2)                  ami-0b10ebfc82e446296      ami-08697e581e49ffecf
    EU (Frankfurt) (eu-central-1)               ami-05e062a123092066a      ami-0444fdaca5263be70
    EU (Stockholm) (eu-north-1)                 ami-0da59d86953d1c266      ami-fe810880
    EU (Ireland) (eu-west-1)                    ami-0b469c0fef0445d29      ami-03b9f52d2b707ce0a
    EU (London) (eu-west-2)                     ami-0420d737e57af699c      ami-04ea4358308b693ef
    EU (Paris) (eu-west-3)                      ami-0f5a996749bdfa436      ami-03a8c02c95426b5f6
    Asia Pacific (Tokyo) (ap-northeast-1)       ami-04ef881404deec134      ami-02bacb819e2777536
    Asia Pacific (Seoul) (ap-northeast-2)       ami-0d87105164496b94b      ami-0e35cc17cf9675a1f
    Asia Pacific (Mumbai) (ap-south-1)          ami-033ea52f19ce48998      ami-0816e809501cbf4c9
    Asia Pacific (Singapore) (ap-southeast-1)   ami-030c789a75c8bfbca      ami-031361e2106e79386
    Asia Pacific (Sydney) (ap-southeast-2)      ami-0a9b90002a9a1c111      ami-0fde112efc845caec

Steps to join nodes with the EKS Cluster

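  • Download the provided aws-auth-cm.yaml, replace <spinnaker-role-arn> with the value of $AUTH_ARN, and save the file.
        # Use the /raw/ URL with -L; the /blob/ URL returns GitHub's HTML page, not the file
        curl -LO https://github.com/OpsMx/general_downloadble/raw/master/aws-auth-cm.yaml
    
    The file has the following contents: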
        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: aws-auth
          namespace: kube-system
        data:
          mapRoles: |
            - rolearn: <spinnaker-role-arn>
              username: system:node:{{EC2PrivateDNSName}}
              groups:
                - system:bootstrappers
                - system:nodes
    
  • Execute the below command to join the nodes with the cluster
        kubectl apply -f aws-auth-cm.yaml
    
  • Check the status of your nodes and wait for them to reach the Ready status:
        kubectl get nodes --watch
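
A pre-flight check for the edited aws-auth-cm.yaml, to run before `kubectl apply`; this is an added example, not part of the original page. Every `rolearn` in this file is mapped to `system:bootstrappers` and `system:nodes`, so the check rejects a leftover placeholder, an instance-profile ARN pasted by mistake, and a role ARN that includes a path (aws-auth expects the form `arn:aws:iam::<account>:role/<name>`). The function name `check_aws_auth` is an assumption, and only the standard `aws` partition is accepted.

```shell
# Added example; check_aws_auth is a hypothetical helper name.
check_aws_auth() {
  local file="$1" arn n=0

  # An unreplaced <...> placeholder means the edit step was skipped.
  if grep -q '<[^>]*>' "$file"; then
    echo "placeholder still present in $file" >&2; return 1
  fi

  # Every rolearn must be an IAM role ARN: 12-digit account, role/<name>, no path.
  while read -r arn; do
    [ -n "$arn" ] || continue
    n=$((n + 1))
    if ! printf '%s\n' "$arn" |
         grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_-]+$'; then
      echo "not a plain IAM role ARN: $arn" >&2; return 1
    fi
  done <<EOF
$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*rolearn:[[:space:]]*//p' "$file")
EOF

  # A ConfigMap without any rolearn would let no node join.
  [ "$n" -gt 0 ] || { echo "no rolearn entries in $file" >&2; return 1; }
}
```

Run it as `check_aws_auth aws-auth-cm.yaml && kubectl apply -f aws-auth-cm.yaml`.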
    

Deploy changes to Spinnaker

  • To finalize the changes on Spinnaker, execute the below command
        sudo hal deploy apply
    

Next Steps

To set up any other cloud provider, click here. Otherwise, we are ready to choose an environment to install Spinnaker.