You are viewing an old version (version 82) of this page.
Infrastructure Optimizer supports Amazon EKS 1.28 or newer.

If you don’t have an existing EKS cluster, you can use the following command to provision one that uses the eksctl default cluster parameters:

eksctl create cluster --name <cluster_name>

The following tools are required to complete the integration setup:

EKS Nodegroup IAM

By default, the EKS node group's node IAM role should have the following AWS-managed IAM policies attached:

  • AmazonEC2ContainerRegistryReadOnly → read-only access to Amazon Elastic Container Registry (ECR) repositories, so the nodes can pull images

  • AmazonEKS_CNI_Policy → the permissions the Amazon VPC CNI add-on needs to modify the IP address configuration on your EKS worker nodes

  • AmazonEKSWorkerNodePolicy → allows Amazon EKS worker nodes to connect to Amazon EKS clusters

  • AmazonSSMManagedInstanceCore → enables the AWS Systems Manager core functionality on the nodes

AWS IAM Authenticator

Apply the following changes to the EKS cluster's aws-auth ConfigMap so that the dynamically created X-Compute EKS nodes can join the cluster's Kubernetes API. Note that the entries below map both roles to system:masters, which is cluster-admin; keep the ability to assume these role ARNs tightly controlled.

  1. Edit the aws-auth ConfigMap in the kube-system namespace:

    kubectl edit configmap aws-auth -n kube-system
  2. Insert the following entries into the mapRoles section:

        - groups:
          - system:masters
          rolearn: <Insert the Role ARN of your Worker IAM Role>
          username: admin
        - groups:
          - system:masters
          rolearn: <Insert the Role ARN of your Controller IAM Role>
          username: admin
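A scripted, idempotent way to do the same mapping, added here as an example and not taken from the Infrastructure Optimizer documentation: it uses eksctl's iamidentitymapping commands instead of hand-editing aws-auth, and checks the existing mappings before adding one so it is safe to re-run. CLUSTER, WORKER_ROLE_ARN and CONTROLLER_ROLE_ARN are assumed names for your own values, and the identity-mapping dump used to check for an existing entry is whatever `eksctl get iamidentitymapping -o json` prints for your cluster.

```shell
#!/bin/sh
# Added example, not Exostellar's code. Maps the X-Compute worker and
# controller IAM roles in aws-auth via eksctl. Assumed inputs (env vars):
#   CLUSTER, WORKER_ROLE_ARN, CONTROLLER_ROLE_ARN
# The node role ARN of a managed node group can be read with:
#   aws eks describe-nodegroup --cluster-name "$CLUSTER" --nodegroup-name <ng> \
#       --query nodegroup.nodeRole --output text
set -eu

# Return 0 if the quoted ARN appears in an identity-mapping dump
# (output of `eksctl get iamidentitymapping --cluster X -o json`).
# Matching the ARN together with its surrounding quotes avoids a prefix
# match, e.g. ".../x-compute-worker" matching ".../x-compute-worker-old".
mapping_present() {
  dump=$1
  arn=$2
  printf '%s\n' "$dump" | grep -qF "\"$arn\""
}

# Print, one per line, the ARNs from the argument list that the dump does
# not contain yet; prints nothing when everything is already mapped.
missing_mappings() {
  dump=$1
  shift
  for arn in "$@"; do
    mapping_present "$dump" "$arn" || printf '%s\n' "$arn"
  done
}

# Add one mapping unless it already exists. The group defaults to what the
# page prescribes (system:masters, i.e. cluster-admin); pass a narrower
# group as the third argument if your setup allows it.
ensure_mapping() {
  cluster=$1
  arn=$2
  group=${3:-system:masters}
  dump=$(eksctl get iamidentitymapping --cluster "$cluster" -o json 2>/dev/null || true)
  if mapping_present "$dump" "$arn"; then
    echo "already mapped: $arn"
    return 0
  fi
  eksctl create iamidentitymapping --cluster "$cluster" \
    --arn "$arn" --username admin --group "$group"
}

# Entry point: CLUSTER=... WORKER_ROLE_ARN=... CONTROLLER_ROLE_ARN=... sh map-xcompute-roles.sh apply
if [ "${1:-}" = "apply" ]; then
  ensure_mapping "$CLUSTER" "$WORKER_ROLE_ARN"
  ensure_mapping "$CLUSTER" "$CONTROLLER_ROLE_ARN"
  # Show the resulting mappings for review
  eksctl get iamidentitymapping --cluster "$CLUSTER"
fi
```

The script only adds entries; it never rewrites existing ones, so a role that was previously mapped with a different username or group is left as it was and reported as "already mapped".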

AWS CNI

Infrastructure Optimizer supports the AWS VPC CNI plugin v1.18.2-eksbuild.1 or newer.

Download and run the configure-aws-nodes.sh script to:

  • Configure the node affinity rules of the aws-node DaemonSet so that it does not run on x-compute nodes

  • Install and configure the exo-aws-node DaemonSet to run on x-compute nodes

This script restarts the AWS CNI (aws-node) DaemonSet.

AWS CNI Plugin With IRSA

OPTIONAL - This section is required only if your cluster has customized the IAM role used by the AWS CNI plugin's service account (IAM Roles for Service Accounts, IRSA). For more information, see the EKS IRSA documentation.

Determine whether an IAM OIDC provider is already associated with your EKS cluster (set cluster_name to your cluster name first):

cluster_name=<cluster_name>

oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)

aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4

If the final command returns a non-empty output, your EKS cluster already has an IAM OIDC provider associated.

Otherwise, associate an IAM OIDC provider with the cluster using the next command:

eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve

Save this inline IAM policy to a JSON file:

cat > cni_iam.json <<EOT 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:UnassignPrivateIpAddresses",
      "Resource": "*"
    }
  ]
}
EOT

This customer-managed policy denies unassigning secondary private IP addresses, or IPv4 Prefix Delegation prefixes, from a network interface. Because an explicit Deny overrides any Allow, attaching it alongside AmazonEKS_CNI_Policy (which allows this action) removes exactly that permission from the CNI's role.

Use the following command to create the policy:

aws iam create-policy --policy-name cni_iam_policy --policy-document file://cni_iam.json

Install the Amazon VPC CNI add-on with IRSA to enable pod networking, attaching both the new policy and AmazonEKS_CNI_Policy to the add-on's service-account role. If the vpc-cni add-on is already installed on the cluster, run eksctl update addon with the same --cluster, --version and --attach-policy-arn flags instead of eksctl create addon:

new_policy_arn=$(aws iam list-policies --query 'Policies[?PolicyName==`cni_iam_policy`].[Arn]' --scope Local --no-cli-pager --output text)

eksctl create addon --name vpc-cni \
    --cluster <cluster_name> \
    --version latest \
    --attach-policy-arn ${new_policy_arn} \
    --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
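The IRSA procedure above as one re-runnable script, added here as an example rather than taken from the Infrastructure Optimizer documentation. The pure helpers (issuer-URL parsing, provider lookup) are separated from the AWS calls so they can be checked on constructed input, and the script ends with a verification the page does not include: it reads the add-on's IRSA role back and uses IAM's policy simulator to confirm ec2:UnassignPrivateIpAddresses is explicitly denied. Assumed: a CLUSTER environment variable, the standard `aws` partition (ARNs starting with arn:aws:), and AWS CLI v2 plus eksctl on PATH; the sample issuer URL and provider ARNs in the test are constructed.

```shell
#!/bin/sh
# Added example, not Exostellar's code: OIDC provider check, Deny policy
# creation and vpc-cni add-on install with IRSA, as one idempotent script.
# Assumed: CLUSTER env var, `aws` partition, AWS CLI v2 and eksctl on PATH.
set -eu

CNI_POLICY_NAME=cni_iam_policy
# Same statement as the page's cni_iam.json: an explicit Deny on unassigning
# secondary IPs/prefixes, which overrides the Allow in AmazonEKS_CNI_Policy.
CNI_POLICY_DOC='{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:UnassignPrivateIpAddresses","Resource":"*"}]}'

# The provider ID is the last path segment of the issuer URL
# (https://oidc.eks.<region>.amazonaws.com/id/<ID>); a trailing slash is tolerated.
oidc_id_from_issuer() {
  issuer=${1%/}
  printf '%s\n' "${issuer##*/}"
}

# Print the provider ARN ending in /id/<ID> from a list of ARNs separated by
# tabs or newlines (`--query 'OpenIDConnectProviderList[].Arn' --output text`
# prints them tab-separated); return 1 when there is none. Anchoring on the
# end of the line stops an ID that is merely a prefix of another from matching.
oidc_provider_arn() {
  arns=$1
  id=$2
  match=$(printf '%s\n' "$arns" | tr '\t' '\n' | grep -E "/id/${id}\$" | head -n 1)
  if [ -n "$match" ]; then
    printf '%s\n' "$match"
    return 0
  fi
  return 1
}

ensure_oidc_provider() {
  cluster=$1
  issuer=$(aws eks describe-cluster --name "$cluster" \
             --query cluster.identity.oidc.issuer --output text)
  id=$(oidc_id_from_issuer "$issuer")
  arns=$(aws iam list-open-id-connect-providers \
           --query 'OpenIDConnectProviderList[].Arn' --output text)
  if oidc_provider_arn "$arns" "$id" >/dev/null; then
    echo "OIDC provider already associated: $id"
  else
    eksctl utils associate-iam-oidc-provider --cluster "$cluster" --approve
  fi
}

# Create the policy and take its ARN straight from the create call; on a
# re-run (EntityAlreadyExists) fall back to looking it up by name.
ensure_cni_policy() {
  arn=$(aws iam create-policy --policy-name "$CNI_POLICY_NAME" \
          --policy-document "$CNI_POLICY_DOC" \
          --query Policy.Arn --output text 2>/dev/null) \
  || arn=$(aws iam list-policies --scope Local \
             --query "Policies[?PolicyName=='$CNI_POLICY_NAME'].Arn" --output text)
  printf '%s\n' "$arn"
}

install_cni_addon() {
  cluster=$1
  policy_arn=$2
  eksctl create addon --name vpc-cni --cluster "$cluster" --version latest \
    --attach-policy-arn "$policy_arn" \
    --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
  # Check: the add-on must carry an IRSA role, and that role must be
  # explicitly denied ec2:UnassignPrivateIpAddresses.
  role=$(aws eks describe-addon --cluster-name "$cluster" --addon-name vpc-cni \
           --query addon.serviceAccountRoleArn --output text)
  decision=$(aws iam simulate-principal-policy --policy-source-arn "$role" \
               --action-names ec2:UnassignPrivateIpAddresses \
               --query 'EvaluationResults[0].EvalDecision' --output text)
  [ "$decision" = explicitDeny ] || { echo "unexpected decision: $decision" >&2; return 1; }
}

# Entry point: CLUSTER=<cluster_name> sh cni-irsa.sh apply
if [ "${1:-}" = "apply" ]; then
  ensure_oidc_provider "$CLUSTER"
  install_cni_addon "$CLUSTER" "$(ensure_cni_policy)"
fi
```

If the vpc-cni add-on already exists on the cluster, swap `eksctl create addon` for `eksctl update addon` with the same flags; the simulator check at the end is what tells you the Deny actually reached the role the aws-node service account assumes.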