IO+EKS Prerequisites Summary

Eo_circle_deep-purple_number-1.svg.png EKS Cluster Requirements

Eo_circle_deep-purple_number-2.svg.png IO+EKS Controller Requirements

EKS Cluster Requirements

Number	Component	Item	Detail	Requirements

Component	Item	Detail	Requirements
Cluster	Software	Kubernetes version	1.29+ (Recommended)
	IAM	EKS cluster role	Required Policy: [AWS managed] `AmazonEKSClusterPolicy` -> This is to allow Kubernetes control plane to manage AWS resources on your behalf
	Permission	Cluster administrator access	Allow: `EKS API and ConfigMap` -> This is to allow how cluster administor is authorized
	Cluster Endpoint Access	Kubernetes API server endpoint access	Allow: Public and private
Network	VPC	Virtual networking resources	IPv4 CIDR block: Please specify a range other than `192.168.137.0/24` (Recommended) Number of public subnets: Please select two or more Number of private subnets: Please select two or more NAT gateways: Please create at least one
	NAT Gateway	Network address translation service to connect private subnets to other internet	Connectivity type: Public
	Security Group	Virtual firewall to control inbound and outbound traffic	Created by CloudFormation Template.
Compute	Node Groups IAM	Allows EC2 instances to call AWS services on your behalf	Required Policies: [AWS managed] `AmazonEC2ContainerRegistryReadOnly` → This allows read-only access to Amazon EC2 Container Registry repositories `AmazonEKS_CNI_Policy` → This provides the Amazon VPC CNI Add-on permissions it requires to modify the IP address configuration on your EKS worker nodes `AmazonEKSWorkerNodePolicy` → This allows Amazon EKS worker nodes to connect to Amazon EKS Clusters `AmazonSSMManagedInstanceCore` → This is to enable AWS Systems Manager service core functionality
Add-ons	Kube-proxy	Enables service networking	v.1.29.1-eksbuild.2+ (Latest Recommended)
	Amazon VPC CNI	Enables pod networking	v1.16.3-eksbuild.2+ (Latest Recommended)
	Amazon EBS CSI Driver	Enables EBS within cluster	-
	Exostellar Karpenter	Integrates with X-IO	v0.0.6+ `helm registry logout public.ecr.aws` `export HEADNODE="http://192.168.78.xxx:5000" export CLUSTER_NAME="integration-new" export ENV_NAME="k8s"` `helm upgrade --install karpenter oci://public.ecr.aws/x5d4i9x1/exostellar-karpenter/karpenter \ --version v0.0.6 \ --namespace karpenter \ --create-namespace \ --set "settings.clusterName=${CLUSTER_NAME}" \ --set controller.resources.requests.cpu=1 \ --set controller.resources.requests.memory=1Gi \ --set controller.resources.limits.cpu=1 \ --set controller.resources.limits.memory=1Gi \ --set headnode=$HEADNODE \ --set environmentName=$ENV_NAME \ --wait`
Kubernetes	ConfigMap		`apiVersion: v1 kind: ConfigMap data: mapRoles: \| - groups: - system:bootstrappers - system:nodes rolearn: <Ignore this ARN> username: system:node:{{EC2PrivateDNSName}} - groups: - system:masters rolearn: <Insert the Role ARN of your Worker IAM Role> username: admin - groups: - system:masters rolearn: <Insert the Role ARN of your Controller IAM Role> username: admin mapUsers: \| []`

IO+EKS Requirements

Number	Component	Item	Detail	Requirements

Component	Item	Detail	Requirements
Controller	Instance Type	Instance type for the controller	m5d.xlarger (Recommended)
	VPC	Virtual networking resources	Select the virtual networking resources created above
	Security Group	Virtual firewall to control inbound and outbound traffic	Select the security group created above by the EKS cluster
	IAM	Instance profile	Required Policies: [Customer inline] { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances", "ec2:StopInstances", "ec2:DescribeSpotPriceHistory", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeTags", "ec2:CreateTags", "ec2:CreateFleet", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:TerminateInstances", "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses", "ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeRegions" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole", "iam:ListRoles", "iam:ListInstanceProfiles", "iam:PassRole", "iam:GetRole" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeKeyPairs", "ec2:DescribeInstanceTypeOfferings", "iam:GetInstanceProfile", "iam:SimulatePrincipalPolicy", "sns:Publish", "ssm:GetParameters", "ssm:GetParametersByPath" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "ec2:CreateVolume", "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:ModifyInstanceAttribute", "ec2:DetachVolume", "ec2:DeleteVolume" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "ec2:CreateInstanceExportTask", "ec2:DescribeExportTasks", "ec2:RebootInstances", "ec2:CreateSnapshot", "ec2:DescribeSnapshots" ], "Resource": "*" } ] }
Worker	IAM	Instance profile	Required Policies: [AWS managed] `AmazonEC2ContainerRegistryReadOnly` → This allows read-only access to Amazon EC2 Container Registry repositories `AmazonEKS_CNI_Policy` → This provides the Amazon VPC CNI Add-on permissions it requires to modify the IP address configuration on your EKS worker nodes `AmazonEKSWorkerNodePolicy` → This allows Amazon EKS worker nodes to connect to Amazon EKS Clusters `AmazonSSMManagedInstanceCore` → This is to enable AWS Systems Manager service core functionality [Customer inline] `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:ModifyInstanceMetadataOptions", "Resource": "" } ] }` `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "ec2:UnassignPrivateIpAddresses", "Resource": "" } ] }`