Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 102 Next »

Welcome to Infrastructure Optimizer! 🎉 👏

We are excited to help you with maximizing your cloud resource efficiency and savings!

Before you begin, use this checklist to confirm that your environment satisfies the specifications required to operate Infrastructure Optimizer.

The pre-check commands will require the IAM principal to have at least the ec2:Describe* permissions

Network

By default, Infrastructure Optimizer schedules workload workers to run in private subnets to protect them from direct external accesses.

Use the following command to ensure that the AWS VPC where Infrastructure Optimizer will run has at least one private subnets with public NAT Gateways:

aws ec2 describe-subnets --filter Name=vpc-id,Values=<vpc_id> --query 'Subnets[?MapPublicIpOnLaunch==`false`].SubnetId'

aws ec2 describe-nat-gateways --filter Name=vpc-id,Values=<vpc_id> --output json | jq '.NatGateways[] | {NatGatewayId, SubnetId, ConnectivityType}'

These commands will provide a list of private subnets suitable for running the Infrastructure Optimizer workload workers.

If no private subnets exist, follow the AWS documentation to create a private subnet and a public NAT Gateway.

Security

A pre-provisioned, user-managed SSH key pair is required to access the Infrastructure Optimizer head node.

OPTIONAL: Follow the AWS EC2 documentation to generate a SSH key pair.

For environments with existing PKI setup, the x509 certificates, private key, and optionally, intermediate chain certificates and CA certificates will be also needed.

Compute

Infrastructure Optimizer runs on the following OSes:

  • Rocky Linux

  • CentOS

Permissions

Installations And Deployment

The AWS IAM principal used to install Infrastructure Optimizer must have the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceStatus",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroupRules",
                "ec2:CreateTags",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeRouteTables",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeAddresses",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::cf-template*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplateSummary",
                "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudformation:DeleteStack"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:ListRoles",
                "iam:TagRole",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:ListPolicies",
                "iam:PassRole",
                "iam:ListOpenIDConnectProviders",
                "iam:GetOpenIDConnectProvider",
                "iam:ListEntitiesForPolicy",
                "iam:CreateServiceLinkedRole",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:AttachRolePolicy" 
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:UpdateClusterConfig",
                "eks:UpdateClusterVersion",
                "eks:CreateNodegroup",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:UpdateNodegroupConfig",
                "eks:UpdateNodegroupVersion",
                "eks:DescribeAddon",
                "eks:DescribeAddonVersions",
                "eks:ListAddons",
                "eks:UpdateAddon",
                "eks:AccessKubernetesApi",
                "eks:ListAccessPolicies",
                "eks:AssociateAccessPolicy",
                "eks:ListIdentityProviderConfigs",
                "eks:DescribeAccessEntry",
                "eks:ListPodIdentityAssociations",
                "eks:ListAssociatedAccessPolicies",
                "eks:CreateAccessEntry"  
            ],
            "_comment": "Change the below Resource to specific cluster - arn:aws:eks:region:account-id:cluster/cluster-name",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:ListAssociations",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        }
    ]
}
 Expand this section to view a detailed explanation of the scope of each IAM permission

1. Amazon EC2 (Elastic Compute Cloud)

  • Instance Management

    • ec2:RunInstances

    • ec2:DescribeInstances

    • ec2:DescribeInstanceTypes

    • ec2:DescribeInstanceStatus

    • ec2:StopInstances

    • ec2:TerminateInstances

    • ec2:ModifyInstanceAttribute

  • Network and Security

    • ec2:DescribeSubnets

    • ec2:DescribeVpcs

    • ec2:DescribeVpcAttribute

    • ec2:DescribeSecurityGroups

    • ec2:AuthorizeSecurityGroupIngress

    • ec2:CreateSecurityGroup

    • ec2:RevokeSecurityGroupIngress

    • ec2:DeleteSecurityGroup

    • ec2:DescribeSecurityGroupRules

  • Resource Tagging and Metadata

    • ec2:CreateTags

  • Others

    • ec2:DescribeKeyPairs

    • ec2:DescribeImages

    • ec2:DescribeImageAttribute

    • ec2:DescribeAvailabilityZones

    • ec2:DescribeAccountAttributes

    • ec2:DescribeRouteTables

    • ec2:DescribeNetworkAcls

    • ec2:DescribeAddresses

    • ec2:DescribeDhcpOptions

    • ec2:DescribeSnapshots

2. Amazon S3 (Simple Storage Service)

  • Object Operations

    • s3:GetObject

    • s3:PutObject

3. Amazon CloudFormation

  • Stack Operations

    • cloudformation:CreateStack

    • cloudformation:UpdateStack

    • cloudformation:CreateUploadBucket

    • cloudformation:DescribeStackEvents

    • cloudformation:DescribeStacks

    • cloudformation:GetTemplateSummary

    • cloudformation:ListStacks

    • cloudformation:ListStackResources

    • cloudformation:DeleteStack

4. AWS IAM (Identity and Access Management)

  • Role Management

    • iam:CreateRole

    • iam:DeleteRole

    • iam:ListRoles

    • iam:TagRole

    • iam:PutRolePolicy

    • iam:DeleteRolePolicy

    • iam:GetRole

    • iam:ListAttachedRolePolicies

    • iam:AttachRolePolicy

  • Instance Profile Operations

    • iam:CreateInstanceProfile

    • iam:AddRoleToInstanceProfile

    • iam:RemoveRoleFromInstanceProfile

    • iam:DeleteInstanceProfile

  • Policy Management

    • iam:ListPolicies

    • iam:PassRole

  • Other

    • iam:ListOpenIDConnectProviders

    • iam:GetOpenIDConnectProvider

    • iam:ListEntitiesForPolicy

    • iam:CreateServiceLinkedRole

    • iam:ListInstanceProfiles

    • iam:ListInstanceProfilesForRole

5. Amazon EKS (Elastic Kubernetes Service)

  • Cluster Operations

    • eks:DescribeCluster

    • eks:ListClusters

    • eks:UpdateClusterConfig

    • eks:UpdateClusterVersion

  • Nodegroup Operations

    • eks:CreateNodegroup

    • eks:DescribeNodegroup

    • eks:ListNodegroups

    • eks:UpdateNodegroupConfig

    • eks:UpdateNodegroupVersion

  • Addon Operations

    • eks:DescribeAddon

    • eks:DescribeAddonVersions

    • eks:ListAddons

    • eks:UpdateAddon

  • API Access and Policy Management

    • eks:AccessKubernetesApi

    • eks:ListAccessPolicies

    • eks:AssociateAccessPolicy

    • eks:ListIdentityProviderConfigs

    • eks:DescribeAccessEntry

    • eks:ListPodIdentityAssociations

    • eks:ListAssociatedAccessPolicies

    • eks:CreateAccessEntry

6. AWS SSM (System Manager)

  • Association Operations

    • ssm:ListAssociations

    • AWSTemplateFormatVersion: '2010-09-09'
      Description: Create IAM roles and policies for Controllers and Workers
      
      Resources:
        ExostellarControllerRole:
          Type: 'AWS::IAM::Role'
          Properties:
            AssumeRolePolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Principal:
                    Service: ec2.amazonaws.com
                  Action: 'sts:AssumeRole'
            Policies:
              - PolicyName: ExostellarControllerPolicy
                PolicyDocument: |
                  {
                    "Version": "2012-10-17",
                    "Statement": [
                      {
                        "Effect": "Allow",
                        "Action": [
                          "ec2:RunInstances",
                          "ec2:StopInstances",
                          "ec2:DescribeSpotPriceHistory",
                          "ec2:DescribeInstances",
                          "ec2:DescribeInstanceTypes",
                          "ec2:DescribeTags",
                          "ec2:CreateTags",
                          "ec2:CreateFleet",
                          "ec2:CreateLaunchTemplate",
                          "ec2:DeleteLaunchTemplate",
                          "ec2:TerminateInstances",
                          "ec2:AssignPrivateIpAddresses",
                          "ec2:UnassignPrivateIpAddresses",
                          "ec2:AttachNetworkInterface",
                          "ec2:DetachNetworkInterface",
                          "ec2:CreateNetworkInterface",
                          "ec2:DeleteNetworkInterface",
                          "ec2:ModifyNetworkInterfaceAttribute",
                          "ec2:DescribeRegions",
                          "ec2:CreateVolume",
                          "ec2:DescribeVolumes",
                          "ec2:AttachVolume",
                          "ec2:ModifyInstanceAttribute",
                          "ec2:DetachVolume",
                          "ec2:DeleteVolume",
                          "ec2:CreateInstanceExportTask",
                          "ec2:DescribeExportTasks",
                          "ec2:RebootInstances",
                          "ec2:CreateSnapshot",
                          "ec2:DescribeSnapshots",
                          "iam:CreateServiceLinkedRole",
                          "iam:ListRoles",
                          "iam:ListInstanceProfiles",
                          "iam:PassRole",
                          "iam:GetRole",
                          "ec2:DescribeSubnets",
                          "ec2:DescribeSecurityGroups",
                          "ec2:DescribeImages",
                          "ec2:DescribeKeyPairs",
                          "ec2:DescribeInstanceTypeOfferings",
                          "iam:GetInstanceProfile",
                          "iam:SimulatePrincipalPolicy",
                          "sns:Publish",
                          "ssm:GetParameters",
                          "ssm:GetParametersByPath"
                        ],
                        "Resource": "*"
                      },
                      {
                        "Effect": "Allow",
                        "Action": [
                          "eks:DescribeCluster"
                        ],
                        "Resource": "*"
                      }
                    ]
                  }
            Tags:
              - Key: "Name"
                Value: !Sub "${AWS::StackName}-controller-role"
      
        ExostellarControllerProfile:
          Type: 'AWS::IAM::InstanceProfile'
          Properties:
            Roles:
              - !Ref ExostellarControllerRole
      
        ExostellarWorkerRole:
          Type: 'AWS::IAM::Role'
          Properties:
            AssumeRolePolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Principal:
                    Service: ec2.amazonaws.com
                  Action: 'sts:AssumeRole'
            Policies:
              - PolicyName: ExostellarWorkerPolicy
                PolicyDocument: |
                  {
                    "Version": "2012-10-17",
                    "Statement": [
                      {
                        "Effect": "Deny",
                        "Action": [
                          "ec2:UnassignPrivateIpAddresses"
                        ],
                        "Resource": "*"
                      },
                      {
                        "Effect": "Allow",
                        "Action": [
                          "ec2:ModifyInstanceMetadataOptions",
                          "eks:DescribeCluster"
                        ],
                        "Resource": "*"
                      }
                    ]
                  }
            Tags:
              - Key: "Name"
                Value: !Sub "${AWS::StackName}-worker-role"
            ManagedPolicyArns:
              - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
              - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
              - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
              - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
              - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
      
        ExostellarWorkerProfile:
          Type: 'AWS::IAM::InstanceProfile'
          Properties:
            Roles:
              - !Ref ExostellarWorkerRole
      
      Outputs:
        ExostellarControllerRoleARN:
          Description: ARN of the Controller IAM Role. This will be used in the ConfigMap.
          Value: !GetAtt ExostellarControllerRole.Arn
      
        ExostellarControllerRoleInstanceProfileARN:
          Description: Instance Profile ARN of the Controller IAM Role. This will be used in the Profile Configuration.
          Value: !GetAtt ExostellarControllerProfile.Arn
      
        ExostellarWorkerRoleARN:
          Description: ARN of the Exostellar Worker Role. This will be used in the ConfigMap.
          Value: !GetAtt ExostellarWorkerRole.Arn
      
        ExostellarWorkerRoleInstanceProfileARN:
          Description: Instance Profile ARN of the Worker IAM Role. This will be used in the Profile Configuration.
          Value: !GetAtt ExostellarWorkerProfile.Arn

      ssm:GetParametersByPath

EC2 Instance Profiles

The X-Spot controllers and workers require a set of IAM permissions to manage and scale your workloads efficiently. Use this CloudFormation template to create the EC2 instance profiles.

When completed, the roles and instance profile ARNs output by CloudFormation will be needed for subsequent installation steps

AWSTemplateFormatVersion: '2010-09-09'
Description: Create IAM roles and policies for Controllers and Workers

Resources:
  ExostellarControllerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarControllerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:DescribeSpotPriceHistory",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeTags",
                    "ec2:CreateTags",
                    "ec2:CreateFleet",
                    "ec2:CreateLaunchTemplate",
                    "ec2:DeleteLaunchTemplate",
                    "ec2:TerminateInstances",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:UnassignPrivateIpAddresses",
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DescribeRegions",
                    "ec2:CreateVolume",
                    "ec2:DescribeVolumes",
                    "ec2:AttachVolume",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:DetachVolume",
                    "ec2:DeleteVolume",
                    "ec2:CreateInstanceExportTask",
                    "ec2:DescribeExportTasks",
                    "ec2:RebootInstances",
                    "ec2:CreateSnapshot",
                    "ec2:DescribeSnapshots",
                    "iam:CreateServiceLinkedRole",
                    "iam:ListRoles",
                    "iam:ListInstanceProfiles",
                    "iam:PassRole",
                    "iam:GetRole",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeImages",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeInstanceTypeOfferings",
                    "iam:GetInstanceProfile",
                    "iam:SimulatePrincipalPolicy",
                    "sns:Publish",
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-controller-role"

  ExostellarControllerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarControllerRole

  ExostellarWorkerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarWorkerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Deny",
                  "Action": [
                    "ec2:UnassignPrivateIpAddresses"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:ModifyInstanceMetadataOptions",
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-worker-role"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
        - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
        - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
        - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
        - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"

  ExostellarWorkerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarWorkerRole

Outputs:
  ExostellarControllerRoleARN:
    Description: ARN of the Controller IAM Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarControllerRole.Arn

  ExostellarControllerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Controller IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarControllerProfile.Arn

  ExostellarWorkerRoleARN:
    Description: ARN of the Exostellar Worker Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarWorkerRole.Arn

  ExostellarWorkerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Worker IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarWorkerProfile.Arn
  • No labels