...

Apply the following changes to the EKS cluster’s aws-auth ConfigMap so that the dynamic X-Compute EKS nodes can join the cluster:

  1. Edit the aws-auth ConfigMap in the kube-system namespace:

    Code Block
    languagebash
    kubectl edit configmap aws-auth -n kube-system
  2. Insert the following entries into the mapRoles section, replacing the placeholder ARNs with the role ARNs generated in the prerequisite step. Both entries grant system:masters (cluster-admin) to anything that can assume the role, so keep the trust policies of the Worker and Controller IAM roles restricted to the X-Compute worker and controller principals.

    Code Block
    languageyaml
        - groups:
          - system:masters
          rolearn: <Insert the Role ARN of your Worker IAM Role>
          username: admin
        - groups:
          - system:masters
          rolearn: <Insert the Role ARN of your Controller IAM Role>
          username: admin
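
The following script is an added example, not code from the Infrastructure Optimizer documentation: it validates the two role ARNs before they go into aws-auth, renders the entries above, and skips any role the ConfigMap already maps, so the edit can be re-run safely. The ARNs and the sample ConfigMap it works on are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the Infrastructure Optimizer documentation: validate the
# worker/controller IAM role ARNs, render the mapRoles entries from step 2, and skip any
# role the cluster's aws-auth ConfigMap already maps, so re-running the edit is safe.
# Every ARN and the sample ConfigMap below are constructed placeholders.
set -eu

# A role ARN looks like arn:<partition>:iam::<12-digit account>:role/<path/name>.
# aws-auth maps the string literally: a typo is not rejected by the API server, it
# just leaves the node unable to join, so reject malformed input before editing.
validate_role_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws(-[a-z]+)?:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Render one mapRoles entry exactly as step 2 shows it. system:masters is cluster-admin,
# so every principal allowed to assume this role gets full control of the cluster;
# keep the role's trust policy limited to the X-Compute worker/controller principals.
render_maproles_entry() {
  local arn="$1"
  validate_role_arn "$arn" || { echo "invalid IAM role ARN: $arn" >&2; return 1; }
  cat <<EOF
    - groups:
      - system:masters
      rolearn: ${arn}
      username: admin
EOF
}

# Read a ConfigMap (kubectl get configmap aws-auth -n kube-system -o yaml) on stdin and
# report whether a role is already mapped, so the same entry is never added twice.
maproles_has_role() {
  grep -Fq -- "rolearn: $1"
}

# Print only the entries still missing from mapRoles. $1 is the current ConfigMap text,
# the remaining arguments are the role ARNs that must be mapped.
missing_maproles_entries() {
  local configmap="$1" arn
  shift
  for arn in "$@"; do
    if printf '%s\n' "$configmap" | maproles_has_role "$arn"; then
      echo "already mapped, skipping: $arn" >&2
      continue
    fi
    render_maproles_entry "$arn"
  done
}

# Constructed sample: an aws-auth ConfigMap that already maps one managed node-group role.
SAMPLE_AWS_AUTH='apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::111122223333:role/eksctl-poccluster-nodegroup-ng-NodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}'

WORKER_ROLE_ARN='arn:aws:iam::111122223333:role/xcompute-worker-role'         # constructed
CONTROLLER_ROLE_ARN='arn:aws:iam::111122223333:role/xcompute-controller-role' # constructed

# Against a live cluster, replace SAMPLE_AWS_AUTH with the output of
#   kubectl get configmap aws-auth -n kube-system -o yaml
# and paste what is printed under data.mapRoles in: kubectl edit configmap aws-auth -n kube-system
missing_maproles_entries "$SAMPLE_AWS_AUTH" "$WORKER_ROLE_ARN" "$CONTROLLER_ROLE_ARN"
```

The role-ARN check is deliberately strict: aws-auth gives no feedback on a mistyped ARN, and the failure only shows up later as nodes that never register.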

...

Amazon VPC CNI

Infrastructure Optimizer supports the Amazon VPC CNI plugin v1.18.2-eksbuild.1 or newer.

Download and run the configure-aws-nodes.sh script to:

  • Configure the node affinity rules of the aws-node DaemonSet to not run on x-compute nodes

  • Install and configure the exo-aws-node DaemonSet to run on x-compute nodes

Info

This script restarts the Amazon VPC CNI (aws-node) DaemonSet.
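
The affinity change described above is easy to get wrong, so here is an added example of how such an exclusion is built and verified. It is not the configure-aws-nodes.sh script and it assumes a hypothetical label key (x-compute.example.com/node) for X-Compute nodes; substitute whatever label your installation applies.

```bash
#!/usr/bin/env bash
# Added example, not the configure-aws-nodes.sh script: build and apply the JSON patch that
# keeps the aws-node DaemonSet off X-Compute nodes. The label key marking those nodes is a
# hypothetical placeholder; substitute the one your installation applies.
set -eu

XCOMPUTE_LABEL_KEY="${XCOMPUTE_LABEL_KEY:-x-compute.example.com/node}"   # hypothetical

AFFINITY_PATH='/spec/template/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution/nodeSelectorTerms'

# nodeSelectorTerms are ORed, while the matchExpressions inside one term are ANDed.
# Appending a new term therefore excludes nothing; the DoesNotExist expression must be
# added to every existing term. $1: number of terms the DaemonSet currently has;
# $2: label key (defaults to XCOMPUTE_LABEL_KEY). Prints a JSON Patch (RFC 6902) array.
aws_node_exclude_patch() {
  local terms="${1:-1}" key="${2:-$XCOMPUTE_LABEL_KEY}" i=0 sep=''
  printf '['
  while [ "$i" -lt "$terms" ]; do
    printf '%s{"op":"add","path":"%s/%d/matchExpressions/-","value":{"key":"%s","operator":"DoesNotExist"}}' \
      "$sep" "$AFFINITY_PATH" "$i" "$key"
    sep=','
    i=$((i + 1))
  done
  printf ']\n'
}

# How many nodeSelectorTerms the live DaemonSet has (one character printed per term).
aws_node_term_count() {
  kubectl get daemonset aws-node -n kube-system \
    -o jsonpath="{range .spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[*]}x{end}" \
    | tr -d '\n' | wc -c | tr -d ' '
}

# Patch the live DaemonSet, wait for the rollout, then list where aws-node pods run;
# none should land on a node carrying the X-Compute label.
apply_aws_node_exclusion() {
  local terms
  terms="$(aws_node_term_count)"
  [ "$terms" -gt 0 ] || { echo "aws-node has no nodeSelectorTerms; add a whole term instead of appending" >&2; return 1; }
  kubectl patch daemonset aws-node -n kube-system --type=json -p "$(aws_node_exclude_patch "$terms")"
  kubectl rollout status daemonset/aws-node -n kube-system
  echo "X-Compute nodes:"; kubectl get nodes -l "$XCOMPUTE_LABEL_KEY" -o name
  echo "aws-node pods:";   kubectl get pods -n kube-system -l k8s-app=aws-node -o wide
}

# Offline demo: the patch for a DaemonSet whose affinity has a single nodeSelectorTerm.
aws_node_exclude_patch 1
```

A JSON patch is used rather than a strategic-merge patch because nodeSelectorTerms has no merge key: a strategic-merge patch would replace the whole list and drop whatever expressions the existing term already carries.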

...

Amazon VPC CNI Plugin With IRSA

Info

OPTIONAL - This section is required only if your cluster customized the IAM role used by the Amazon VPC CNI plugin’s service account (IRSA). For more information, see the EKS documentation on IAM roles for service accounts.

Determine whether an IAM OpenID Connect (OIDC) provider is already associated with your EKS cluster:

Code Block
languagebash
# Take the trailing ID of the cluster's OIDC issuer URL and look for a matching IAM OIDC provider
oidc_id=$(aws eks describe-cluster --name poccluster \
  --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) \
  && aws iam list-open-id-connect-providers | grep "$oidc_id" | cut -d "/" -f 4

If the final command returns non-empty output, your EKS cluster already has an IAM OIDC provider attached.

...

This user-defined policy prevents the Amazon VPC CNI from unassigning the IP addresses of workloads running in Infrastructure Optimizer sandboxes, by denying the actions that perform such unassignments.

...

Code Block
languagebash
aws iam create-policy --policy-name cni_iam_policy --policy-document file://cni_iam.json

Then look up the ARN of the new policy and use eksctl to update the existing Amazon VPC CNI IRSA binding:

Code Block
languagebash
new_policy_arn=$(aws iam list-policies --query 'Policies[?PolicyName==`cni_iam_policy`].[Arn]' --scope Local --no-cli-pager --output text)

...

Code Block
languagebash
eksctl update iamserviceaccount \
  --name aws-node \
  --namespace kube-system \
  --cluster poccluster \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
  --attach-policy-arn "${new_policy_arn}" \
  --approve
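
To confirm the binding took effect, the following added example (not part of this page, of eksctl, or of Infrastructure Optimizer) reads the role ARN from the aws-node service account annotation, checks that both AmazonEKS_CNI_Policy and the custom policy are attached, and restarts the DaemonSet only if the bound role ARN changed. The account ID and policy ARNs it uses are constructed placeholders; the function named verify_cni_irsa is the one to run after the eksctl command above.

```bash
#!/usr/bin/env bash
# Added example, not part of the Infrastructure Optimizer documentation or of eksctl:
# after `eksctl update iamserviceaccount`, confirm that the role bound to the aws-node
# service account carries both AmazonEKS_CNI_Policy and the custom deny policy, and
# restart the CNI pods only if the bound role ARN changed. ARNs below are placeholders.
set -eu

CNI_MANAGED_POLICY='arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'

# arn:aws:iam::123456789012:role/path/name  ->  name (what the IAM API wants)
role_name_from_arn() {
  case "$1" in
    arn:*:iam::*:role/*) printf '%s\n' "${1##*/}" ;;
    *) echo "not an IAM role ARN: $1" >&2; return 1 ;;
  esac
}

# $1: attached policy ARNs as printed by `aws iam list-attached-role-policies
# --query 'AttachedPolicies[].PolicyArn' --output text` (tab/newline separated).
# $2..: ARNs that must all be present. Returns 1 and names the first one missing.
policies_attached() {
  local attached want
  attached=" $(printf '%s' "$1" | tr '\n\t' '  ') "
  shift
  for want in "$@"; do
    case "$attached" in
      *" $want "*) ;;
      *) echo "missing policy: $want" >&2; return 1 ;;
    esac
  done
}

# Role ARN currently bound to aws-node via the IRSA annotation (empty if unset).
aws_node_irsa_role_arn() {
  kubectl get serviceaccount aws-node -n kube-system \
    -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}'
}

# Live check: $1 is the ARN of the custom policy (new_policy_arn on this page).
verify_cni_irsa() {
  local custom_policy_arn="$1" role_arn role attached
  role_arn="$(aws_node_irsa_role_arn)"
  [ -n "$role_arn" ] || { echo "aws-node has no eks.amazonaws.com/role-arn annotation" >&2; return 1; }
  role="$(role_name_from_arn "$role_arn")"
  attached="$(aws iam list-attached-role-policies --role-name "$role" \
                --query 'AttachedPolicies[].PolicyArn' --output text)"
  policies_attached "$attached" "$CNI_MANAGED_POLICY" "$custom_policy_arn"
  echo "ok: $role has AmazonEKS_CNI_Policy and $custom_policy_arn attached"
}

# The role ARN and web-identity token are injected when a pod starts, so a changed
# annotation only reaches running aws-node pods after a restart. $1: the ARN recorded
# with aws_node_irsa_role_arn before running eksctl.
restart_aws_node_if_role_changed() {
  local before="$1" after
  after="$(aws_node_irsa_role_arn)"
  if [ "$before" != "$after" ]; then
    kubectl rollout restart daemonset/aws-node -n kube-system
    kubectl rollout status daemonset/aws-node -n kube-system
  else
    echo "role ARN unchanged ($after); no restart needed"
  fi
}

# Constructed sample of list-attached-role-policies output for a correctly updated role.
SAMPLE_CUSTOM_POLICY='arn:aws:iam::111122223333:policy/cni_iam_policy'
SAMPLE_ATTACHED="$(printf '%s\t%s' "$CNI_MANAGED_POLICY" "$SAMPLE_CUSTOM_POLICY")"

# Offline demo of the pure checks; against a live cluster run:  verify_cni_irsa "$new_policy_arn"
policies_attached "$SAMPLE_ATTACHED" "$CNI_MANAGED_POLICY" "$SAMPLE_CUSTOM_POLICY"
echo "sample role name: $(role_name_from_arn 'arn:aws:iam::111122223333:role/eksctl-poccluster-addon-iamserviceaccount-Role1')"
```

Checking the attached policies by exact ARN (delimited by spaces) rather than by substring avoids a false pass when a similarly named policy, for example one with a version suffix, is attached instead of the intended one.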