Infrastructure Optimizer supports Amazon EKS 1.28 or newer.
If you don’t have an existing EKS cluster, you can use the following command to provision one that uses the eksctl
default cluster parameters:
eksctl create cluster --name poccluster
The following tools are required to complete the integration setup:
EKS Nodegroup IAM
By default, the EKS node group's instance role should have the following AWS-managed IAM policies attached:
AmazonEC2ContainerRegistryReadOnly
→ Allows read-only access to Amazon Elastic Container Registry (ECR) repositories
AmazonEKS_CNI_Policy
→ Provides the Amazon VPC CNI add-on the permissions it requires to modify the IP address configuration on your EKS worker nodes
AmazonEKSWorkerNodePolicy
→ Allows Amazon EKS worker nodes to connect to Amazon EKS clusters
AmazonSSMManagedInstanceCore
→ Enables AWS Systems Manager core functionality on the nodes
AWS IAM Authenticator
Make sure the Controller and Worker IAM roles have been created by following the step here before proceeding.
Apply the following changes to the EKS cluster's aws-auth ConfigMap so that the dynamic X-Compute EKS nodes can join the cluster:
Edit the aws-auth ConfigMap in the kube-system namespace:
kubectl edit configmap aws-auth -n kube-system
Insert the following entries into the mapRoles section, replacing the role ARN values with the outputs generated at the prerequisite step:
- groups:
  - system:masters
  rolearn: <Insert the Role ARN of your Worker IAM Role>
  username: admin
- groups:
  - system:masters
  rolearn: <Insert the Role ARN of your Controller IAM Role>
  username: admin
Note that system:masters maps both roles to cluster-admin, so keep the trust policies of the Worker and Controller IAM roles tightly scoped to the principals that must assume them. aws-auth also does not support IAM paths in role ARNs: if a role was created with a path (for example role/team/MyRole), write the rolearn value without the path segment, otherwise the mapping silently fails to match and the nodes cannot join.
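The manual kubectl edit above is easy to get wrong on a shared cluster (a duplicated item, a role ARN with a path). The following script is an added example and is not part of the Infrastructure Optimizer documentation or its tooling: it reads the live aws-auth ConfigMap with kubectl, appends the two mappings only if their rolearn is not already present, rejects role ARNs that carry an IAM path, and applies the result as a merge patch. The ARN values in its usage line, the script name and the sample mapRoles content in the comments are assumptions for illustration.

```python
"""Added example (not part of the Infrastructure Optimizer docs): merge the Worker
and Controller role mappings into aws-auth idempotently, and refuse role ARNs
that aws-auth would silently fail to match."""
import json
import re
import subprocess
import sys

# aws-auth matches rolearn values literally and does not support IAM paths:
# arn:aws:iam::111122223333:role/team/Worker must be written as .../role/Worker.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@-]+$")


def validate_role_arn(arn: str) -> str:
    """Return arn unchanged, or raise if it carries a path or is malformed."""
    if not ROLE_ARN_RE.match(arn):
        raise ValueError(f"not a path-free IAM role ARN: {arn!r}")
    return arn


def render_entry(rolearn: str, username: str, groups) -> str:
    """Render one mapRoles list item in the layout aws-auth expects."""
    lines = ["- groups:"] + [f"  - {g}" for g in groups]
    lines += [f"  rolearn: {rolearn}", f"  username: {username}"]
    return "\n".join(lines) + "\n"


def merge_map_roles(existing: str, entries) -> str:
    """Append each entry unless its rolearn is already mapped (idempotent)."""
    out = existing if not existing or existing.endswith("\n") else existing + "\n"
    for entry in entries:
        arn = validate_role_arn(entry["rolearn"])
        if re.search(rf"^\s*-?\s*rolearn:\s*{re.escape(arn)}\s*$", out, re.M):
            continue  # already present; do not add a duplicate item
        out += render_entry(arn, entry["username"], entry["groups"])
    return out


def optimizer_entries(worker_arn: str, controller_arn: str):
    """The two mappings from the procedure above (system:masters == cluster-admin)."""
    return [
        {"groups": ["system:masters"], "rolearn": worker_arn, "username": "admin"},
        {"groups": ["system:masters"], "rolearn": controller_arn, "username": "admin"},
    ]


def patch_aws_auth(worker_arn: str, controller_arn: str) -> str:
    """Read the live ConfigMap, merge the entries, apply a JSON merge patch."""
    cm = json.loads(subprocess.check_output(
        ["kubectl", "get", "configmap", "aws-auth", "-n", "kube-system", "-o", "json"]))
    merged = merge_map_roles(cm.get("data", {}).get("mapRoles", ""),
                             optimizer_entries(worker_arn, controller_arn))
    patch = json.dumps({"data": {"mapRoles": merged}})
    subprocess.run(["kubectl", "patch", "configmap", "aws-auth", "-n", "kube-system",
                    "--type", "merge", "-p", patch], check=True)
    return merged


if __name__ == "__main__":
    # Assumed usage: patch_aws_auth.py <worker-role-arn> <controller-role-arn>
    if len(sys.argv) != 3:
        sys.exit("usage: patch_aws_auth.py <worker-role-arn> <controller-role-arn>")
    print(patch_aws_auth(sys.argv[1], sys.argv[2]))
```

Run it once per cluster with the two ARNs from the prerequisite step; re-running is safe because existing mappings are detected by rolearn and not duplicated. The patch replaces only data.mapRoles, so mapUsers and the nodegroup entries eksctl wrote are left untouched.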
Amazon VPC CNI
Infrastructure Optimizer supports the Amazon VPC CNI plugin v1.18.2-eksbuild.1 or newer.
Download and run this script to:
- Configure the node affinity rules of the aws-node DaemonSet so that it does not run on x-compute nodes
- Install and configure the exo-aws-node DaemonSet to run on x-compute nodes
If you are using a Mac, install gnu-sed and replace sed with gsed in the above script:
brew install gnu-sed
This script will restart the Amazon VPC CNI DaemonSet.
Amazon VPC CNI Plugin With IRSA
OPTIONAL - This section is required only if your cluster uses customized IAM roles for the Amazon VPC CNI plugin's service account (IRSA). For more information about EKS IRSA, see the documentation here.
Determine whether an IAM OpenID Connect (OIDC) provider is already associated with your EKS cluster:
oidc_id=$(aws eks describe-cluster --name poccluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) && aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4
If the final command returns non-empty output, your EKS cluster already has an IAM OIDC provider associated with it.
Otherwise, associate an IAM OIDC provider with the cluster using the next command:
eksctl utils associate-iam-oidc-provider --cluster poccluster --approve
Run this command to write the inline IAM policy to a JSON file named cni_iam.json:
cat > cni_iam.json <<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:UnassignPrivateIpAddresses",
      "Resource": "*"
    }
  ]
}
EOT
This user-defined policy ensures that the Amazon VPC CNI doesn't unassign the IP addresses of your workloads running on Infrastructure Optimizer sandboxes, by explicitly denying ec2:UnassignPrivateIpAddresses. An explicit Deny takes precedence over the Allow for the same action in AmazonEKS_CNI_Policy, so the managed policy can remain attached alongside it.
Use the following command to create the policy:
aws iam create-policy --policy-name cni_iam_policy --policy-document file://cni_iam.json
Then use eksctl to override the existing Amazon VPC CNI IRSA settings, attaching both the managed AmazonEKS_CNI_Policy and the new deny policy to the aws-node service account's role:
new_policy_arn=$(aws iam list-policies --query 'Policies[?PolicyName==`cni_iam_policy`].[Arn]' --scope Local --no-cli-pager --output text)
eksctl update iamserviceaccount \
  --name aws-node \
  --namespace kube-system \
  --cluster poccluster \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
  --attach-policy-arn "${new_policy_arn}" \
  --approve
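The point of attaching cni_iam.json next to AmazonEKS_CNI_Policy is that IAM's explicit Deny wins over the managed policy's Allow for that one action while every other CNI permission keeps working. The following script is an added example, not code from the Infrastructure Optimizer documentation: it writes the same cni_iam.json shown above and runs a deliberately small model of IAM identity-policy evaluation (explicit Deny beats Allow, anything unmatched is an implicit deny; conditions, NotAction and resource-based policies are not modelled) over the deny overlay plus a constructed stand-in for AmazonEKS_CNI_Policy. The stand-in lists only a few of the managed policy's actions and is labelled as such in the code.

```python
"""Added example (not part of the Infrastructure Optimizer docs): show that the
cni_iam.json Deny overlay blocks ec2:UnassignPrivateIpAddresses for the aws-node
role while the rest of AmazonEKS_CNI_Policy keeps working. The evaluator is a
small model of IAM identity-policy logic: explicit Deny beats Allow and anything
unmatched is an implicit deny. Conditions and NotAction are not modelled."""
import fnmatch
import json

# The policy written to cni_iam.json in the procedure above.
CNI_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:UnassignPrivateIpAddresses", "Resource": "*"}
    ],
}

# Constructed stand-in for the managed AmazonEKS_CNI_Policy. The real managed
# policy does allow ec2:UnassignPrivateIpAddresses (hence the overlay), but it
# lists more actions than the four used here.
MANAGED_CNI_POLICY_STAND_IN = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:DescribeInstances",
                "ec2:AttachNetworkInterface",
            ],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM action and resource matching is case-insensitive and supports * and ?.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policies, action: str, resource: str = "*") -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny anywhere ends evaluation
            decision = "Allow"
    return decision


def cni_role_decisions(policies=(MANAGED_CNI_POLICY_STAND_IN, CNI_DENY_POLICY)):
    """Decisions for the actions worth checking once both policies are attached."""
    actions = [
        "ec2:UnassignPrivateIpAddresses",  # must be ExplicitDeny: sandbox IPs are kept
        "ec2:AssignPrivateIpAddresses",    # must stay Allow: pods still get IPs
        "ec2:DescribeInstances",
        "ec2:TerminateInstances",          # never granted: ImplicitDeny
    ]
    return {a: evaluate(list(policies), a) for a in actions}


def write_policy_file(path: str = "cni_iam.json") -> str:
    """Write cni_iam.json in the form aws iam create-policy expects; return the body."""
    body = json.dumps(CNI_DENY_POLICY, indent=2)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body + "\n")
    return body


if __name__ == "__main__":
    write_policy_file()
    for action, decision in cni_role_decisions().items():
        print(f"{action:36} {decision}")
```

The order in which the two policies are attached does not matter; the decision is the same either way. To confirm the behaviour against the real role rather than the stand-in, query the role that eksctl bound to the aws-node service account with aws iam simulate-principal-policy --policy-source-arn <that role ARN> --action-names ec2:UnassignPrivateIpAddresses ec2:AssignPrivateIpAddresses and check for explicitDeny and allowed respectively.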