Versions Compared


IO+EKS Controller Requirements


EKS Cluster Requirements

Number

Component

Item

Detail

Requirements

1

Cluster

Software

Kubernetes version

1.29+ (Recommended)

IAM

EKS cluster role

Required Policy:

[AWS managed]

  • AmazonEKSClusterPolicy → This allows the Kubernetes control plane to manage AWS resources on your behalf

Permission

Cluster administrator access

Allow:

  • EKS API and ConfigMap → This controls how the cluster administrator is authorized

Cluster Endpoint Access

Kubernetes API server endpoint access

Allow:

  • Public and private

Network

VPC

Virtual networking resources

IPv4 CIDR block:

  • Please specify a range other than 192.168.137.0/24 (Recommended)

Number of public subnets:

  • Please select two or more

Number of private subnets:

  • Please select two or more

NAT gateways:

  • Please create at least one

NAT Gateway

Network address translation service that connects the private subnets to the internet

  • Connectivity type: Public

Security Group

Virtual firewall to control inbound and outbound traffic

Created by CloudFormation Template.

Compute

Node Groups IAM

Allows EC2 instances to call AWS services on your behalf

Required Policies:

[AWS managed]

  • AmazonEC2ContainerRegistryReadOnly → This allows read-only access to Amazon EC2 Container Registry repositories

  • AmazonEKS_CNI_Policy → This provides the Amazon VPC CNI Add-on permissions it requires to modify the IP address configuration on your EKS worker nodes

  • AmazonEKSWorkerNodePolicy → This allows Amazon EKS worker nodes to connect to Amazon EKS Clusters

  • AmazonSSMManagedInstanceCore → This is to enable AWS Systems Manager service core functionality

Launch Templates

Add-ons

CoreDNS

Enables service discovery

v1.11.1-eksbuild.6+ (Latest Recommended)

Kube-proxy

Enables service networking

v1.29.1-eksbuild.2+ (Latest Recommended)

Amazon VPC CNI

Enables pod networking

v1.16.3-eksbuild.2+ (Latest Recommended)

Amazon EBS CSI Driver

Enables EBS within cluster

-

Exostellar Karpenter

Integrates with X-IO

v0.0.36+

Configure ECR Login (private registry; needed only when the chart is pulled from the private ECR repository):

aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 374070299695.dkr.ecr.us-west-2.amazonaws.com

Logout If Logged in (public registry; clears a stale public ECR token before an anonymous pull):

helm registry logout public.ecr.aws

Set Environment Variables:

export HEADNODE="http://192.168.78.xxx:5000"
export CLUSTER_NAME="integration-new"
export ENV_NAME="k8s"

Install Exostellar Helm Chart:

# Chart location. The two compared page versions pull from the public ECR repository
# or from the private one (the private one requires the ECR login above).
export CHART="oci://public.ecr.aws/x5d4i9x1/exostellar-karpenter/karpenter"
# export CHART="oci://374070299695.dkr.ecr.us-west-2.amazonaws.com/exostellar-karpenter/karpenter"

helm upgrade --install karpenter "${CHART}" \
   --version v0.0.26 \
   --namespace karpenter \
   --create-namespace \
   --set "settings.clusterName=${CLUSTER_NAME}" \
   --set controller.resources.requests.cpu=1 \
   --set controller.resources.requests.memory=1Gi \
   --set controller.resources.limits.cpu=1 \
   --set controller.resources.limits.memory=1Gi \
   --set "headnode=${HEADNODE}" \
   --set "environmentName=${ENV_NAME}" \
   --wait

Kubernetes

ConfigMap

ConfigMap.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  # The mapRoles/mapUsers layout is the EKS aws-auth ConfigMap, which lives in kube-system.
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: <Ignore this ARN>
      username: system:node:{{EC2PrivateDNSName}}
    # system:masters is bound to cluster-admin, so every instance launched with
    # this role has full cluster access.
    - groups:
      - system:masters
      rolearn: <Insert the Role ARN of your Worker IAM Role>
      username: admin
    - groups:
      - system:masters
      rolearn: <Insert the Role ARN of your Controller IAM Role>
      username: admin
  mapUsers: |
    []

IO+EKS Requirements

Number

Component

Item

Detail

Requirements

2

Controller

Instance Type

Instance type for the controller

m5d.xlarge (Recommended)

VPC

Virtual networking resources

Select the virtual networking resources created above

Security Group

Virtual firewall to control inbound and outbound traffic

Select the security group created above by the EKS cluster

IAM

Instance profile

Required Policies:

[Customer inline]

controller-iam-for-eks.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:CreateFleet",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:TerminateInstances",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:AttachNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:ListRoles",
                "iam:ListInstanceProfiles",
                "iam:PassRole",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstanceTypeOfferings",
                "iam:GetInstanceProfile",
                "iam:SimulatePrincipalPolicy",
                "sns:Publish",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:ModifyInstanceAttribute",
                "ec2:DetachVolume",
                "ec2:DeleteVolume"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateInstanceExportTask",
                "ec2:DescribeExportTasks",
                "ec2:RebootInstances",
                "ec2:CreateSnapshot",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}

3

Worker

IAM

Instance profile

Required Policies:

[AWS managed]

  • AmazonEC2ContainerRegistryReadOnly → This allows read-only access to Amazon EC2 Container Registry repositories

  • AmazonEKS_CNI_Policy → This provides the Amazon VPC CNI Add-on permissions it requires to modify the IP address configuration on your EKS worker nodes

  • AmazonEKSWorkerNodePolicy → This allows Amazon EKS worker nodes to connect to Amazon EKS Clusters

  • AmazonSSMManagedInstanceCore → This is to enable AWS Systems Manager service core functionality

[Customer inline]

worker-iam-for-eks.json (two inline policy documents):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:ModifyInstanceMetadataOptions",
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:UnassignPrivateIpAddresses",
            "Resource": "*"
        }
    ]
}
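As an added example (not part of this page or of Exostellar's tooling), a small Python check over the controller and worker inline policies above: it lists the sensitive actions the controller policy grants on Resource "*" and confirms that the worker's explicit Deny on ec2:UnassignPrivateIpAddresses wins over the Allow that the managed AmazonEKS_CNI_Policy grants. The managed policy is represented by a constructed one-statement stand-in, the controller policy by an excerpt, and the list of sensitive actions is the reviewer's own.

```python
import fnmatch

# Controller inline policy, excerpt (the iam statement only) copied from the page.
CONTROLLER_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateServiceLinkedRole", "iam:ListRoles",
                "iam:ListInstanceProfiles", "iam:PassRole", "iam:GetRole"]}]}

# Worker inline policies, as given on the page.
WORKER_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:ModifyInstanceMetadataOptions", "Resource": "*"}]}
WORKER_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:UnassignPrivateIpAddresses", "Resource": "*"}]}

# Constructed stand-in for the AWS managed AmazonEKS_CNI_Policy (the real one is
# larger): it grants ec2:UnassignPrivateIpAddresses, which the worker Deny removes.
CNI_STAND_IN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses"]}]}

# Reviewer's list: actions that should be scoped to specific ARNs rather than "*".
SENSITIVE = {"iam:PassRole", "iam:CreateServiceLinkedRole",
             "ec2:RunInstances", "ec2:CreateFleet"}

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def evaluate(policies, action):
    """Identity-policy evaluation: an explicit Deny wins over any Allow, and no
    matching statement at all is an implicit deny."""
    verdict = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            # IAM action patterns use * and ?, which fnmatch understands.
            if not any(fnmatch.fnmatch(action, p) for p in _as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def wildcard_sensitive_grants(policy):
    """Sensitive actions that an Allow statement grants on Resource "*"."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]):
            found.update(a for a in _as_list(stmt["Action"]) if a in SENSITIVE)
    return sorted(found)
```

Run `evaluate([CNI_STAND_IN, WORKER_ALLOW, WORKER_DENY], "ec2:UnassignPrivateIpAddresses")` to see the Deny take effect, and `wildcard_sensitive_grants(CONTROLLER_EXCERPT)` to see which grants are candidates for a narrower Resource.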