Version 25

EKS Cluster Requirements

1. Cluster

  Software
    Kubernetes version: 1.29+ (Recommended)

  IAM
    EKS cluster role. Required policy [AWS managed]:
      • AmazonEKSClusterPolicy -> allows the Kubernetes control plane to manage AWS resources on your behalf

  Permission
    Cluster administrator access. Allow:
      • EKS API and ConfigMap -> this is how the cluster administrator is authorized

  Network
    VPC (virtual networking resources):
      • IPv4 CIDR block: please specify a range other than 192.168.137.0/24 (Recommended)
      • Number of public subnets: please select two or more
      • Number of private subnets: please select two or more
      • NAT gateways: please create at least one
    NAT Gateway (network address translation service that connects private subnets to the internet):
      • Connectivity type: Public
    Security Group (virtual firewall to control inbound and outbound traffic):
      • Created by the CloudFormation template
    Cluster Endpoint Access (Kubernetes API server endpoint access). Allow:
      • Public and private

  Compute
    Node Groups IAM (allows EC2 instances to call AWS services on your behalf). Required policies [AWS managed]:
      • AmazonEC2ContainerRegistryReadOnly → allows read-only access to Amazon EC2 Container Registry repositories
      • AmazonEKS_CNI_Policy → provides the Amazon VPC CNI add-on the permissions it requires to modify the IP address configuration on your EKS worker nodes
      • AmazonEKSWorkerNodePolicy → allows Amazon EKS worker nodes to connect to Amazon EKS clusters
      • AmazonSSMManagedInstanceCore → enables AWS Systems Manager service core functionality

  Add-ons
    Kube-proxy (enables service networking): v1.29.1-eksbuild.2+ (Latest Recommended)
    Amazon VPC CNI (enables pod networking): v1.16.3-eksbuild.2+ (Latest Recommended)
    Amazon EBS CSI Driver (enables EBS within the cluster): -
    Exostellar Karpenter (integrates with X-IO): v0.0.6+

Installation steps for Exostellar Karpenter:

Log out of ECR if logged in:
helm registry logout public.ecr.aws

Set environment variables (the head node address below is a placeholder; use your own):
export HEADNODE="http://192.168.78.xxx:5000"
export CLUSTER_NAME="integration-new"
export ENV_NAME="k8s"

Install the Exostellar Helm chart:
helm upgrade --install karpenter oci://public.ecr.aws/x5d4i9x1/exostellar-karpenter/karpenter \
   --version v0.0.6 \
   --namespace karpenter \
   --create-namespace \
   --set "settings.clusterName=${CLUSTER_NAME}" \
   --set controller.resources.requests.cpu=1 \
   --set controller.resources.requests.memory=1Gi \
   --set controller.resources.limits.cpu=1 \
   --set controller.resources.limits.memory=1Gi \
   --set "headnode=${HEADNODE}" \
   --set "environmentName=${ENV_NAME}" \
   --wait

Kubernetes

ConfigMap

ConfigMap.yaml (the aws-auth ConfigMap in kube-system; the role ARNs in angle brackets are placeholders to fill in):
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Existing node-group entry; keep its ARN as it already is
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: <Ignore this ARN>
      username: system:node:{{EC2PrivateDNSName}}
    # Worker IAM role, mapped to system:masters (cluster-admin)
    - groups:
      - system:masters
      rolearn: <Insert the Role ARN of your Worker IAM Role>
      username: admin
    # Controller IAM role, mapped to system:masters (cluster-admin)
    - groups:
      - system:masters
      rolearn: <Insert the Role ARN of your Controller IAM Role>
      username: admin
  mapUsers: |
    []

IO+EKS Requirements

2. Controller

  Instance Type
    Instance type for the controller: m5d.xlarge (Recommended)

  VPC
    Virtual networking resources: select the virtual networking resources created above

  Security Group
    Virtual firewall to control inbound and outbound traffic: select the security group created above by the EKS cluster

  IAM
    Instance profile. Required policies [Customer inline]:

controller-iam-for-eks.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:CreateFleet",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:TerminateInstances",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:AttachNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:ListRoles",
                "iam:ListInstanceProfiles",
                "iam:PassRole",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstanceTypeOfferings",
                "iam:GetInstanceProfile",
                "iam:SimulatePrincipalPolicy",
                "sns:Publish",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:ModifyInstanceAttribute",
                "ec2:DetachVolume",
                "ec2:DeleteVolume"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateInstanceExportTask",
                "ec2:DescribeExportTasks",
                "ec2:RebootInstances",
                "ec2:CreateSnapshot",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}

3. Worker

  IAM
    Instance profile. Required policies:
    [AWS managed]
      • AmazonEC2ContainerRegistryReadOnly → allows read-only access to Amazon EC2 Container Registry repositories
      • AmazonEKS_CNI_Policy → provides the Amazon VPC CNI add-on the permissions it requires to modify the IP address configuration on your EKS worker nodes
      • AmazonEKSWorkerNodePolicy → allows Amazon EKS worker nodes to connect to Amazon EKS clusters
      • AmazonSSMManagedInstanceCore → enables AWS Systems Manager service core functionality
    [Customer inline]
worker-iam-for-eks.json (one policy document holding both statements):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:ModifyInstanceMetadataOptions",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:UnassignPrivateIpAddresses",
            "Resource": "*"
        }
    ]
}
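As an added example (not from the original page or from Exostellar), the following Python evaluates the worker role's effective permissions offline using IAM's explicit-deny-over-allow rule, to confirm that the inline Deny on ec2:UnassignPrivateIpAddresses takes precedence over the Allow that AmazonEKS_CNI_Policy grants for the same action. The CNI_MANAGED_EXCERPT dictionary is a constructed, abbreviated stand-in for that managed policy, not its full text.

```python
import fnmatch
import json

# Inline statements from this page's worker-iam-for-eks.json.
WORKER_INLINE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:ModifyInstanceMetadataOptions", "Resource": "*"},
    {"Effect": "Deny",  "Action": "ec2:UnassignPrivateIpAddresses", "Resource": "*"}
  ]
}""")

# Constructed, abbreviated stand-in for the AWS managed AmazonEKS_CNI_Policy that
# the page also attaches to the worker role; only the IP-management actions this
# check needs are listed, not the full managed document.
CNI_MANAGED_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:AssignPrivateIpAddresses",
                              "ec2:UnassignPrivateIpAddresses",
                              "ec2:Describe*"],
                   "Resource": "*"}],
}

def evaluate(action, *policies):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action across every
    policy attached to a principal: an explicit Deny wins over any Allow, and
    no matching statement at all is an implicit deny. Action matching is
    case-insensitive with '*' wildcards, as in IAM."""
    verdict = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt.get("Action", [])
            patterns = [p.lower() for p in ([actions] if isinstance(actions, str) else actions)]
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                if stmt["Effect"] == "Deny":
                    return "Deny"        # explicit deny: stop immediately
                verdict = "Allow"
    return verdict

def worker_role_report():
    """Verdicts for the actions the worker-node policies on this page touch."""
    attached = (WORKER_INLINE, CNI_MANAGED_EXCERPT)
    return {action: evaluate(action, *attached) for action in (
        "ec2:UnassignPrivateIpAddresses",     # Deny: inline Deny beats the CNI Allow
        "ec2:AssignPrivateIpAddresses",       # Allow: still granted by the CNI policy
        "ec2:ModifyInstanceMetadataOptions",  # Allow: granted by the inline policy
        "ec2:TerminateInstances",             # ImplicitDeny: granted nowhere
    )}
```

Run `print(json.dumps(worker_role_report(), indent=2))` to see the four verdicts; extending the attached tuple with the other managed policies' statements gives the same check for any action you care about.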
