To ensure your setup is optimal for Infrastructure Optimizer, make sure your Amazon Elastic Kubernetes Service (Amazon EKS) cluster and Karpenter configuration meet the following specifications.
EKS Prerequisites Overview
Cluster Details
Required Cluster Settings
| Component | Requirements |
|---|---|
| Cluster IAM | Type: AWS Managed |
| Cluster Permission | |
| Cluster Endpoint Access | |
Required Node Group Settings
| Component | Requirements |
|---|---|
| Node Group IAM | Type: AWS Managed, with the four managed policies below attached |

| Policy | Explanation |
|---|---|
| AmazonEC2ContainerRegistryReadOnly | Allows read-only access to Amazon EC2 Container Registry (Amazon ECR) repositories |
| AmazonEKS_CNI_Policy | Provides the Amazon VPC CNI add-on the permissions it requires to modify the IP address configuration on your EKS worker nodes |
| AmazonEKSWorkerNodePolicy | Allows Amazon EKS worker nodes to connect to Amazon EKS clusters |
| AmazonSSMManagedInstanceCore | Enables AWS Systems Manager service core functionality |
Required Daemonset Settings
Edit the DaemonSet Configuration: Begin by editing the aws-node DaemonSet in the kube-system namespace:

```shell
kubectl edit daemonset -n kube-system aws-node
```

Within the editor, navigate to spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms and add the following expression to the existing matchExpressions list (not as a separate nodeSelectorTerm: terms are ORed, expressions within one term are ANDed). This keeps the stock aws-node pods off the x-compute nodegroup, which the second DaemonSet created below will serve instead:

```yaml
- key: eks.amazonaws.com/nodegroup
  operator: NotIn
  values:
  - x-compute
```
Export Current DaemonSet Configuration: Save the current configuration of the aws-node DaemonSet to a YAML file:

```shell
kubectl get daemonset -n kube-system aws-node -o yaml > exo-aws-node-daemon-set.yaml
```
Modify the DaemonSet File: Open exo-aws-node-daemon-set.yaml and make the following changes:

- In nodeSelectorTerms, change the operator of the eks.amazonaws.com/nodegroup expression for x-compute from NotIn to In, so this copy schedules only onto the x-compute nodegroup.
- Change only name (2 places) and app.kubernetes.io/name (2 places) of the DaemonSet from aws-node to exo-aws-node. Leave spec.selector as it is.
- Remove the server-populated fields the export carries (metadata.resourceVersion, metadata.uid, metadata.creationTimestamp, metadata.generation, metadata.managedFields and the whole status block). kubectl apply creates a new object here, and the API server rejects a create with resourceVersion set.

Apply the Updated Configuration: Apply the updated configuration to the cluster:

```shell
kubectl apply -f exo-aws-node-daemon-set.yaml
```
Tune the following variables on the new DaemonSet:

```shell
kubectl set env daemonset -n kube-system exo-aws-node \
  AWS_VPC_K8S_CNI_EXTERNALSNAT=true
kubectl set env daemonset -n kube-system exo-aws-node \
  ENABLE_PREFIX_DELEGATION=true MAX_ENI=1 \
  WARM_PREFIX_TARGET=13 WARM_IP_TARGET=0 MINIMUM_IP_TARGET=0
kubectl set env daemonset -n kube-system exo-aws-node \
  DISABLE_NETWORK_RESOURCE_PROVISIONING=true
kubectl set env daemonset -n kube-system exo-aws-node \
  POD_SECURITY_GROUP_ENFORCING_MODE=standard
```

What these settings do, so you can check them against your network design:

- AWS_VPC_K8S_CNI_EXTERNALSNAT=true removes the node's SNAT iptables rule, so pod traffic leaving the VPC keeps the pod's own IP and must be routed through a NAT gateway or other external NAT.
- ENABLE_PREFIX_DELEGATION=true with MAX_ENI=1 and WARM_PREFIX_TARGET=13 assigns pod addresses from /28 prefixes on a single ENI; WARM_IP_TARGET=0 and MINIMUM_IP_TARGET=0 disable the per-IP warm pool.
- DISABLE_NETWORK_RESOURCE_PROVISIONING=true makes ipamd learn attached ENIs and addresses from the instance metadata service only, instead of calling the EC2 API. Together with the IAM Deny on ec2:UnassignPrivateIpAddresses under Add-ons below, this stops the CNI from releasing addresses on its own.
- POD_SECURITY_GROUP_ENFORCING_MODE=standard only matters when security groups for pods (ENABLE_POD_ENI) are in use; standard relaxes enforcement relative to the default strict mode, so review it if you rely on per-pod security groups on these nodes.
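The export, modify and apply steps above, as an added worked example that is not part of this page or of Infrastructure Optimizer's own tooling: a Python script that performs the edits on an exported aws-node manifest and also folds in the kubectl set env settings, so a single kubectl apply produces the finished exo-aws-node DaemonSet. It assumes the DaemonSet was exported as JSON (`-o json`; kubectl apply -f accepts JSON too) so that only the standard library is needed, assumes the two "name" occurrences the page refers to are metadata.name and the container named aws-node, and embeds a constructed, abbreviated stand-in for the real manifest so it runs offline.

```python
"""Build the exo-aws-node DaemonSet from an exported aws-node manifest.

Added example, not Exostellar's or AWS's code. Assumes a JSON export
(kubectl get daemonset -n kube-system aws-node -o json) and that the two
"name" fields to rename are metadata.name and the aws-node container.
"""
import copy
import json
import sys

NODEGROUP_KEY = "eks.amazonaws.com/nodegroup"
TARGET_NODEGROUP = "x-compute"          # nodegroup used on the page
OLD_NAME, NEW_NAME = "aws-node", "exo-aws-node"

# Server-populated metadata that must not be carried into a new object:
# creating an object with metadata.resourceVersion set is rejected.
SERVER_META = ("resourceVersion", "uid", "creationTimestamp", "generation",
               "managedFields", "selfLink")
SERVER_ANNOTATIONS = ("deprecated.daemonset.template.generation",
                      "kubectl.kubernetes.io/last-applied-configuration")

# Same values the page applies afterwards with `kubectl set env`.
EXO_ENV = {
    "AWS_VPC_K8S_CNI_EXTERNALSNAT": "true",
    "ENABLE_PREFIX_DELEGATION": "true",
    "MAX_ENI": "1",
    "WARM_PREFIX_TARGET": "13",
    "WARM_IP_TARGET": "0",
    "MINIMUM_IP_TARGET": "0",
    "DISABLE_NETWORK_RESOURCE_PROVISIONING": "true",
    "POD_SECURITY_GROUP_ENFORCING_MODE": "standard",
}


def strip_server_fields(ds):
    """Drop fields the API server owns so the copy can be created."""
    meta = ds.setdefault("metadata", {})
    for key in SERVER_META:
        meta.pop(key, None)
    ann = meta.get("annotations", {})
    for key in SERVER_ANNOTATIONS:
        ann.pop(key, None)
    ds.pop("status", None)
    return ds


def flip_nodegroup_term(ds, nodegroup):
    """Turn `NotIn [nodegroup]` into `In [nodegroup]`; return how many flipped."""
    terms = (ds["spec"]["template"]["spec"].get("affinity", {})
             .get("nodeAffinity", {})
             .get("requiredDuringSchedulingIgnoredDuringExecution", {})
             .get("nodeSelectorTerms", []))
    flipped = 0
    for term in terms:
        for expr in term.get("matchExpressions", []):
            if (expr.get("key") == NODEGROUP_KEY and expr.get("operator") == "NotIn"
                    and expr.get("values") == [nodegroup]):
                expr["operator"] = "In"
                flipped += 1
    return flipped


def rename(ds, old, new):
    """Rename metadata.name, both app.kubernetes.io/name labels and the container."""
    ds["metadata"]["name"] = new
    for meta in (ds["metadata"], ds["spec"]["template"]["metadata"]):
        labels = meta.get("labels", {})
        if labels.get("app.kubernetes.io/name") == old:
            labels["app.kubernetes.io/name"] = new
    for c in ds["spec"]["template"]["spec"].get("containers", []):
        if c.get("name") == old:
            c["name"] = new


def set_env(container, values):
    """Replace-or-append env entries by name, as `kubectl set env` does."""
    env = container.setdefault("env", [])
    by_name = {e["name"]: e for e in env if "name" in e}
    for k, v in values.items():
        if k in by_name:
            by_name[k].pop("valueFrom", None)
            by_name[k]["value"] = v
        else:
            env.append({"name": k, "value": v})


def make_exo_daemonset(aws_node, nodegroup=TARGET_NODEGROUP):
    """Return the exo-aws-node manifest; the input is left untouched."""
    ds = strip_server_fields(copy.deepcopy(aws_node))
    if flip_nodegroup_term(ds, nodegroup) != 1:
        raise ValueError(f"expected exactly one NotIn [{nodegroup}] expression; "
                         "edit aws-node first and re-export")
    rename(ds, OLD_NAME, NEW_NAME)
    targets = [c for c in ds["spec"]["template"]["spec"]["containers"]
               if c["name"] == NEW_NAME]
    if not targets:
        raise ValueError(f"no container named {OLD_NAME} found to configure")
    for c in targets:
        set_env(c, EXO_ENV)
    return ds


# Constructed, abbreviated stand-in for the real exported manifest.
SAMPLE_EXPORT = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {
        "name": "aws-node", "namespace": "kube-system",
        "labels": {"app.kubernetes.io/name": "aws-node", "k8s-app": "aws-node"},
        "annotations": {"deprecated.daemonset.template.generation": "3"},
        "resourceVersion": "123456", "uid": "00000000-0000-4000-8000-000000000000",
        "creationTimestamp": "2024-01-01T00:00:00Z",
    },
    "spec": {
        "selector": {"matchLabels": {"k8s-app": "aws-node"}},
        "template": {
            "metadata": {"labels": {"app.kubernetes.io/name": "aws-node",
                                    "k8s-app": "aws-node"}},
            "spec": {
                "affinity": {"nodeAffinity": {
                    "requiredDuringSchedulingIgnoredDuringExecution": {
                        "nodeSelectorTerms": [{"matchExpressions": [
                            {"key": "kubernetes.io/os", "operator": "In",
                             "values": ["linux"]},
                            {"key": NODEGROUP_KEY, "operator": "NotIn",
                             "values": [TARGET_NODEGROUP]},
                        ]}]}}},
                "containers": [{"name": "aws-node", "image": "amazon-k8s-cni",  # placeholder
                                "env": [{"name": "WARM_IP_TARGET", "value": "1"}]}],
            },
        },
    },
    "status": {"numberReady": 3},
}

if __name__ == "__main__":
    # Usage: python3 make_exo_ds.py aws-node.json > exo-aws-node.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            source = json.load(f)
    else:
        source = SAMPLE_EXPORT
    json.dump(make_exo_daemonset(source), sys.stdout, indent=2)
```

Run it against a real export with `kubectl get daemonset -n kube-system aws-node -o json > aws-node.json`, then `kubectl apply -f exo-aws-node.json` (file names are illustrative). The script refuses to continue unless exactly one NotIn expression for the nodegroup is present, which catches the case where step 1 (editing the original aws-node) was skipped, and it leaves spec.selector alone exactly as the page instructs.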
Required ConfigMap Settings
Edit the ConfigMap Configuration: Begin by editing the aws-auth ConfigMap in the kube-system namespace:

```shell
kubectl edit configmap aws-auth -n kube-system
```

Add the following entries to the mapRoles section:

```yaml
- groups:
  - system:masters
  rolearn: <Insert the Role ARN of your Worker IAM Role>
  username: admin
- groups:
  - system:masters
  rolearn: <Insert the Role ARN of your Controller IAM Role>
  username: admin
```

Both entries grant cluster-admin (system:masters) to anything that can obtain credentials for these roles. For the worker role that includes any pod on those nodes that can reach the instance metadata service, so require IMDSv2 with a metadata hop limit of 1 on the node launch template (or otherwise block pod access to IMDS), and do not attach this role to instances outside the cluster. Note also that the standard EKS worker mapping uses the system:bootstrappers and system:nodes groups rather than system:masters, and that giving both roles the username admin means the API server audit log cannot tell them apart; distinct usernames are permitted if you need that distinction.
Add-ons
Required Amazon VPC CNI Settings
Amazon VPC CNI IAM Role: cni-addon-iamserviceaccount

Type: AWS Managed

| Policy | Explanation |
|---|---|
| AmazonEKS_CNI_Policy | Provides the Amazon VPC CNI add-on the permissions it requires to modify the IP address configuration on your EKS worker nodes |

Type: Customer Inline

| Policy | Explanation |
|---|---|
| UnassignPrivateIpAddresses | Denies unassigning one or more secondary private IP addresses, or IPv4 Prefix Delegation prefixes, from a network interface |

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:UnassignPrivateIpAddresses",
      "Resource": "*"
    }
  ]
}
```

AmazonEKS_CNI_Policy allows ec2:UnassignPrivateIpAddresses; because an explicit Deny always wins over an Allow in IAM, this inline statement overrides it for the CNI role, so the CNI cannot release secondary addresses or delegated prefixes even if it is configured to. Confirm the result with the IAM policy simulator or by checking CloudTrail for AccessDenied on UnassignPrivateIpAddresses from this role after rollout.