The following tools are required to complete the integration setup:
If you don't have an existing EKS cluster, you can provision one that uses the eksctl default cluster parameters:

    eksctl create cluster --name poccluster
By default, the IAM role of the EKS node group should have the following AWS managed IAM policies attached (these are policies, attached to the node role, not roles themselves):

AmazonEC2ContainerRegistryReadOnly: read-only access to Amazon Elastic Container Registry (ECR) repositories, so the nodes can pull images.
AmazonEKS_CNI_Policy: the permissions the Amazon VPC CNI add-on needs to modify the IP address configuration of your EKS worker nodes.
AmazonEBSCSIDriverPolicy: allows the EBS CSI driver's service account to make calls to related services such as EC2 on your behalf.
AmazonEKSWorkerNodePolicy: allows Amazon EKS worker nodes to connect to Amazon EKS clusters.
AmazonSSMManagedInstanceCore: enables AWS Systems Manager core functionality on the nodes.

Anything attached to the node role is reachable from every pod on that node through the instance metadata service unless IMDS access is restricted, so keep this list to what the nodes themselves need.
Apply the following changes to the EKS cluster's aws-auth ConfigMap so that the dynamic X-Compute EKS nodes can join the cluster.

Edit the aws-auth ConfigMap in the kube-system namespace:

    kubectl edit configmap aws-auth -n kube-system

Insert the following entries into the mapRoles section, replacing the role ARN placeholders with the Worker and Controller role ARNs output by the prerequisite step:

    - groups:
        - system:masters
      rolearn: <Insert the Role ARN of your Worker IAM Role>
      username: admin
    - groups:
        - system:masters
      rolearn: <Insert the Role ARN of your Controller IAM Role>
      username: admin

system:masters is the cluster-admin group, so these two entries grant full cluster access to any principal that can assume either role. Keep them scoped to exactly the two role ARNs from the prerequisite step, and confirm what ended up in the ConfigMap with kubectl get configmap aws-auth -n kube-system -o yaml.
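The same mapping can be applied without an interactive edit, with the ARNs validated first. The script below is an added example, not code from the Infrastructure Optimizer documentation; it assumes eksctl and kubectl are on PATH and authenticated, that the cluster is named poccluster as elsewhere on this page, and that eksctl get iamidentitymapping exits non-zero when no mapping exists for the ARN.

```shell
#!/bin/sh
# Added example (not from the Infrastructure Optimizer docs): map the Worker and
# Controller IAM roles into aws-auth with eksctl instead of hand-editing the ConfigMap.
# Assumptions: eksctl/kubectl on PATH and authenticated; cluster name "poccluster".
set -eu

CLUSTER="${CLUSTER:-poccluster}"

# Reject anything that is not a well-formed IAM role ARN before it lands in aws-auth.
# A malformed or unexpected ARN in mapRoles is a quiet way to hand cluster-admin to
# the wrong principal, so fail closed here.
validate_role_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws(-[a-z]+)?:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Render the two mapRoles entries the page asks for, as YAML, for review or for
# comparison against the live ConfigMap. system:masters is cluster-admin.
render_map_roles() {
  cat <<EOF
- groups:
    - system:masters
  rolearn: $1
  username: admin
- groups:
    - system:masters
  rolearn: $2
  username: admin
EOF
}

# Idempotently add one mapping: skip it if eksctl already reports one for that ARN
# (assumes eksctl get iamidentitymapping exits non-zero when nothing matches).
ensure_mapping() {
  arn="$1"
  if eksctl get iamidentitymapping --cluster "$CLUSTER" --arn "$arn" >/dev/null 2>&1; then
    echo "mapping already present for $arn"
  else
    eksctl create iamidentitymapping --cluster "$CLUSTER" --arn "$arn" \
      --group system:masters --username admin
  fi
}

main() {
  worker="$1"; controller="$2"
  for arn in "$worker" "$controller"; do
    validate_role_arn "$arn" || { echo "refusing malformed role ARN: $arn" >&2; exit 2; }
  done
  echo "Entries that will be mapped with system:masters:"
  render_map_roles "$worker" "$controller"
  ensure_mapping "$worker"
  ensure_mapping "$controller"
  # Print the result so the cluster-admin grants can be audited.
  kubectl -n kube-system get configmap aws-auth -o yaml
}

# Run only when called with the two role ARNs; sourcing the file just defines the functions.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Usage: sh map-roles.sh "$WORKER_ROLE_ARN" "$CONTROLLER_ROLE_ARN". The validation deliberately rejects user ARNs and the unreplaced placeholders from the snippet above, since either would otherwise be written into mapRoles verbatim.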
The AWS Node Termination Handler is a DaemonSet that watches for EC2 Spot interruption notices (and Spot rebalance recommendations). By default, when a spot interruption occurs, the handler cordons and drains the affected node and the pods are rescheduled on other machines. On X-Compute nodes this means every pod on the node is evicted and the node is eventually terminated, even though the workload could have been migrated elsewhere.

To prevent this behavior, you can either:

Uninstall the AWS Node Termination Handler, or
Modify its configuration to disable node draining on spot interruptions, as follows.
Identify the DaemonSet name.

Run the following command to find the DaemonSet associated with the AWS Node Termination Handler:

    kubectl -n kube-system get daemonset | grep aws-node-termination-handler

Example output:

    aws-node-termination-handler-exodemo   4   4   4   4   4   kubernetes.io/os=linux   11d

Edit the DaemonSet.

Use the following command to edit the DaemonSet, substituting the name from the previous output:

    kubectl -n kube-system edit daemonset aws-node-termination-handler-exodemo

Update the configuration.

In the editor, find the environment variables ENABLE_SPOT_INTERRUPTION_DRAINING and ENABLE_REBALANCE_DRAINING and set both to false:

    - name: ENABLE_SPOT_INTERRUPTION_DRAINING
      value: "false"
    - name: ENABLE_REBALANCE_DRAINING
      value: "false"

Saving the edit triggers a rolling restart of the DaemonSet; confirm it completed with kubectl -n kube-system rollout status daemonset/aws-node-termination-handler-exodemo.
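The same change can be made non-interactively and then verified against the live DaemonSet, which matters because an edit that was saved with a typo in the variable name leaves draining enabled. The script below is an added example and not part of the Infrastructure Optimizer or Node Termination Handler projects; it assumes kubectl is on PATH and pointed at the cluster, and matches the DaemonSet by name as the page does.

```shell
#!/bin/sh
# Added example (not from the Infrastructure Optimizer docs): disable spot-interruption
# and rebalance draining on the AWS Node Termination Handler without `kubectl edit`,
# then verify the rollout actually carries the change.
# Assumption: kubectl on PATH, pointed at the cluster; NTH lives in kube-system.
set -eu

NAMESPACE="${NAMESPACE:-kube-system}"

# Find the NTH DaemonSet name. Fails unless there is exactly one match, because
# patching the wrong DaemonSet (or none at all) must not pass silently.
find_nth_daemonset() {
  names=$(kubectl -n "$NAMESPACE" get daemonset -o name | grep 'aws-node-termination-handler' || true)
  count=$(printf '%s\n' "$names" | grep -c . || true)
  [ "$count" -eq 1 ] || { echo "expected one NTH DaemonSet, found $count" >&2; return 1; }
  printf '%s\n' "${names#daemonset.apps/}"
}

# Pure check used for verification: given NAME=value lines (a container's env list),
# succeed only when both draining switches are explicitly "false". A missing variable
# means the handler's default (draining on) is in effect, so that counts as failure.
draining_disabled() {
  env_lines="$1"
  spot=$(printf '%s\n' "$env_lines" | sed -n 's/^ENABLE_SPOT_INTERRUPTION_DRAINING=//p' | tail -n 1)
  rebalance=$(printf '%s\n' "$env_lines" | sed -n 's/^ENABLE_REBALANCE_DRAINING=//p' | tail -n 1)
  [ "$spot" = "false" ] && [ "$rebalance" = "false" ]
}

# Dump the env of every container in the DaemonSet's pod template as NAME=value lines.
container_env() {
  kubectl -n "$NAMESPACE" get daemonset "$1" \
    -o jsonpath='{range .spec.template.spec.containers[*].env[*]}{.name}={.value}{"\n"}{end}'
}

main() {
  ds=$(find_nth_daemonset)
  echo "patching DaemonSet $ds"
  kubectl -n "$NAMESPACE" set env daemonset/"$ds" \
    ENABLE_SPOT_INTERRUPTION_DRAINING=false ENABLE_REBALANCE_DRAINING=false
  kubectl -n "$NAMESPACE" rollout status daemonset/"$ds" --timeout=120s
  if draining_disabled "$(container_env "$ds")"; then
    echo "draining on spot interruption and rebalance is disabled on $ds"
  else
    echo "patch did not take effect on $ds" >&2
    exit 1
  fi
}

# Only touch the cluster when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then main; fi
```

Usage: sh nth-disable-drain.sh apply. The verification reads the pod template rather than trusting the exit status of kubectl set env, so a DaemonSet that sets these variables through a ConfigMap or valueFrom (where .value is empty) is reported as still draining and can be handled by hand.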
Infrastructure Optimizer supports the Amazon VPC CNI plugin v1.18.2-eksbuild.1 or newer. If the CNI is installed as an EKS add-on, check the version with aws eks describe-addon --cluster-name poccluster --addon-name vpc-cni --query addon.addonVersion --output text; otherwise read the image tag of the aws-node DaemonSet with kubectl -n kube-system get daemonset aws-node -o jsonpath='{.spec.template.spec.containers[0].image}'.
Download and run this script to:

Configure the node affinity rules of the aws-node DaemonSet so that it does not run on x-compute nodes.
Install and configure the exo-aws-node DaemonSet to run on x-compute nodes.

If you are using a Mac, please install

This script will restart the Amazon VPC CNI DaemonSet.
OPTIONAL - This section is required only if your cluster customized the IAM role used by the Amazon VPC CNI plugin's service account (IAM roles for service accounts, IRSA). For more information, see the EKS IRSA documentation.
Determine whether an IAM OpenID Connect (OIDC) provider is already associated with your EKS cluster:

    oidc_id=$(aws eks describe-cluster --name poccluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
    aws iam list-open-id-connect-providers | grep "$oidc_id" | cut -d "/" -f4

If the second command prints the provider ID, your EKS cluster already has an IAM OIDC provider associated. Otherwise, associate one with the next command:

    eksctl utils associate-iam-oidc-provider --cluster poccluster --approve
Run this command to write the IAM policy document to a JSON file named cni_iam.json:

    cat > cni_iam.json <<EOT
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "ec2:UnassignPrivateIpAddresses",
          "Resource": "*"
        }
      ]
    }
    EOT

This customer managed policy prevents the Amazon VPC CNI from unassigning the IP addresses of workloads running in Infrastructure Optimizer sandboxes by explicitly denying ec2:UnassignPrivateIpAddresses. An explicit Deny takes precedence over the Allow for the same action in AmazonEKS_CNI_Policy, and it applies to every node the aws-node DaemonSet runs on, not only x-compute nodes.
Use the following command to create the policy:

    aws iam create-policy --policy-name cni_iam_policy --policy-document file://cni_iam.json

Then use eksctl to override the existing Amazon VPC CNI IRSA settings:

    new_policy_arn=$(aws iam list-policies --query 'Policies[?PolicyName==`cni_iam_policy`].[Arn]' --scope Local --no-cli-pager --output text)

    eksctl update iamserviceaccount \
      --name aws-node \
      --namespace kube-system \
      --cluster poccluster \
      --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
      --attach-policy-arn "${new_policy_arn}" \
      --approve

Keep both --attach-policy-arn flags: the update replaces the role's policy set with what you pass, so omitting AmazonEKS_CNI_Policy would leave the CNI without its normal permissions. To confirm, read the role from the service account annotation (kubectl -n kube-system get serviceaccount aws-node -o yaml) and list its attached policies with aws iam list-attached-role-policies --role-name <role-name>.
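The OIDC check, policy creation and IRSA update above can be run as one idempotent script that finishes by verifying the role the aws-node service account really uses. This is an added example, not code from the Infrastructure Optimizer documentation; it assumes the AWS CLI, eksctl and kubectl are on PATH and authenticated, and reuses the cluster name poccluster and policy name cni_iam_policy from this page.

```shell
#!/bin/sh
# Added example (not from the Infrastructure Optimizer docs): run the IRSA steps for the
# VPC CNI end to end and verify the result. Assumes aws, eksctl and kubectl on PATH
# and authenticated; cluster and policy names default to the page's values.
set -eu

CLUSTER="${CLUSTER:-poccluster}"
POLICY_NAME="${POLICY_NAME:-cni_iam_policy}"
CNI_MANAGED_POLICY="arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"

# Pure helper: the OIDC provider id is the last path segment of the issuer URL,
# e.g. https://oidc.eks.us-west-1.amazonaws.com/id/<ID> -> <ID>.
oidc_id_from_issuer() {
  printf '%s\n' "${1##*/}"
}

# Pure helper: is the needle ARN present, as a whole word, in the remaining args?
# Exact comparison rather than a grep substring, so "cni_iam_policy" is not
# satisfied by "cni_iam_policy_old".
arn_in_list() {
  needle="$1"; shift
  for arn in "$@"; do [ "$arn" = "$needle" ] && return 0; done
  return 1
}

# The deny-only document from the page: an explicit Deny wins over the Allow that
# AmazonEKS_CNI_Policy grants for the same action.
deny_policy_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Deny", "Action": "ec2:UnassignPrivateIpAddresses", "Resource": "*" }
  ]
}
EOF
}

ensure_oidc_provider() {
  issuer=$(aws eks describe-cluster --name "$CLUSTER" --query 'cluster.identity.oidc.issuer' --output text)
  id=$(oidc_id_from_issuer "$issuer")
  if aws iam list-open-id-connect-providers --output text | grep -q "$id"; then
    echo "OIDC provider already associated ($id)"
  else
    eksctl utils associate-iam-oidc-provider --cluster "$CLUSTER" --approve
  fi
}

# Create the deny policy once; print its ARN either way.
ensure_deny_policy() {
  arn=$(aws iam list-policies --scope Local --query "Policies[?PolicyName=='$POLICY_NAME'].Arn" --output text)
  if [ -z "$arn" ] || [ "$arn" = "None" ]; then
    deny_policy_document > cni_iam.json
    arn=$(aws iam create-policy --policy-name "$POLICY_NAME" --policy-document file://cni_iam.json \
      --query 'Policy.Arn' --output text)
  fi
  printf '%s\n' "$arn"
}

main() {
  ensure_oidc_provider
  deny_arn=$(ensure_deny_policy)
  # Both ARNs are passed because the update replaces the role's policy set.
  eksctl update iamserviceaccount --cluster "$CLUSTER" --namespace kube-system --name aws-node \
    --attach-policy-arn "$CNI_MANAGED_POLICY" --attach-policy-arn "$deny_arn" --approve
  # Verify via the service account annotation, which is the role the CNI pods assume,
  # rather than assuming a role name.
  role_arn=$(kubectl -n kube-system get serviceaccount aws-node \
    -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}')
  [ -n "$role_arn" ] || { echo "aws-node has no IRSA role annotation" >&2; exit 1; }
  role_name="${role_arn##*/}"
  attached=$(aws iam list-attached-role-policies --role-name "$role_name" \
    --query 'AttachedPolicies[].PolicyArn' --output text)
  for needed in "$CNI_MANAGED_POLICY" "$deny_arn"; do
    arn_in_list "$needed" $attached || { echo "missing $needed on $role_name" >&2; exit 1; }
  done
  echo "aws-node role $role_name carries AmazonEKS_CNI_Policy plus $deny_arn"
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Usage: sh cni-irsa.sh apply. The final loop is the check worth keeping even if you run the page's commands by hand: if either ARN is missing from the role named in the annotation, the deny never reaches the CNI pods.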
Download and run this script to:

Configure the node affinity rules of the ebs-csi-node DaemonSet so that it does not run on x-compute nodes.
Install and configure the exo-ebs-csi-node DaemonSet to run on x-compute nodes.

If you are using a Mac, please install

This script will restart the EBS CSI node DaemonSet (ebs-csi-node).
OPTIONAL - This section is required only if you are using a custom KMS key for encrypting your Amazon EBS volumes.
Run the following command to create a JSON file named csi_kms_iam.json with the IAM policy, replacing custom-key-arn with the ARN of your KMS key (the key ARN, arn:aws:kms:<region>:<account>:key/<key-id>, not an alias ARN):

    cat > csi_kms_iam.json <<EOT
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:RevokeGrant"
          ],
          "Resource": [
            "custom-key-arn"
          ],
          "Condition": {
            "Bool": {
              "kms:GrantIsForAWSResource": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": [
            "custom-key-arn"
          ]
        }
      ]
    }
    EOT

The kms:GrantIsForAWSResource condition restricts grant creation to grants made on behalf of an AWS service (EBS attaching the volume), which is the only kind the CSI driver needs.

Use the following command to create the IAM policy:

    aws iam create-policy \
      --policy-name KMS_Key_For_Encryption_On_EBS_Policy \
      --policy-document file://csi_kms_iam.json

Attach the IAM policy to the EBS CSI driver's role using the following command:

    aws iam attach-role-policy \
      --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/KMS_Key_For_Encryption_On_EBS_Policy \
      --role-name AmazonEKS_EBS_CSI_DriverRole

AmazonEKS_EBS_CSI_DriverRole is the conventional name from the AWS documentation; if your cluster uses a different role, take the name from the controller service account's annotation (kubectl -n kube-system get serviceaccount ebs-csi-controller-sa -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}'). The IAM policy only takes effect if the key's key policy also allows IAM policies in the account to grant access to the key.
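The steps above, run as one script that validates the key ARN, substitutes it into the policy, and attaches the result to whichever role the EBS CSI controller's service account is actually annotated with. This is an added example and not code from the Infrastructure Optimizer or EBS CSI driver projects; it assumes the AWS CLI and kubectl are on PATH and authenticated, and that the EBS CSI driver is installed with IRSA under the service account name ebs-csi-controller-sa.

```shell
#!/bin/sh
# Added example (not from the Infrastructure Optimizer docs): create the KMS policy above
# for a given customer managed key, attach it to the role the EBS CSI controller's
# service account uses, and verify. Assumes aws and kubectl on PATH and authenticated,
# and that the driver's controller service account is ebs-csi-controller-sa.
set -eu

POLICY_NAME="${POLICY_NAME:-KMS_Key_For_Encryption_On_EBS_Policy}"

# Only a key ARN is accepted: the KMS actions below must be granted on the key itself,
# and an alias ARN, a bare key id or the page's "custom-key-arn" placeholder would not
# match anything in the Resource element.
validate_kms_key_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws(-[a-z]+)?:kms:[a-z0-9-]+:[0-9]{12}:key/[0-9a-f-]{36}$'
}

# Render the page's policy with the placeholder replaced by the real key ARN.
# kms:GrantIsForAWSResource limits grant creation to grants made on behalf of an AWS
# service (EBS), which is the only kind the CSI driver needs.
render_kms_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
      "Resource": ["$1"],
      "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } }
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
      "Resource": ["$1"]
    }
  ]
}
EOF
}

# The role to attach to is whatever the controller's service account is annotated with;
# it is not named AmazonEKS_EBS_CSI_DriverRole on every cluster.
csi_controller_role_name() {
  role_arn=$(kubectl -n kube-system get serviceaccount ebs-csi-controller-sa \
    -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}')
  [ -n "$role_arn" ] || { echo "ebs-csi-controller-sa has no IRSA role annotation" >&2; return 1; }
  printf '%s\n' "${role_arn##*/}"
}

main() {
  key_arn="$1"
  validate_kms_key_arn "$key_arn" || { echo "not a KMS key ARN: $key_arn" >&2; exit 2; }
  render_kms_policy "$key_arn" > csi_kms_iam.json
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document file://csi_kms_iam.json --query 'Policy.Arn' --output text)
  role=$(csi_controller_role_name)
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn"
  # Read back the attachment instead of trusting the previous exit status.
  aws iam list-attached-role-policies --role-name "$role" \
    --query 'AttachedPolicies[].PolicyArn' --output text | grep -F "$policy_arn" >/dev/null \
    || { echo "policy not attached to $role" >&2; exit 1; }
  echo "attached $policy_arn to $role"
}

# Run only when given the key ARN; otherwise just define the functions.
if [ "$#" -eq 1 ]; then main "$1"; fi
```

Usage: sh ebs-kms-policy.sh arn:aws:kms:us-west-1:123456789012:key/<key-id>. Attaching the policy is still only half of the access decision; the key policy on that key has to permit IAM policies in the account (the usual root-principal statement), or the CSI driver's grants will be refused regardless of what is attached here.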