Amazon Elastic Kubernetes Service (EKS) is a managed Kubernetes as a Service on AWS === Google Kubernetes Engine (GKE) on Google Cloud.<\/p>\n
ref: You need to install some command-line tools. Moreover, it would be better that you use the same Kubernetes version between client and server. Otherwise, you will get something like: ref: The following tools are\u00a0also recommended which provide fancy terminal UIs to interact with your Kubernetes clusters.<\/p>\n ref: Use If a nodegroup includes ref: You could re-use ClusterConfig to create more managed nodegroups after cluster creation. However, you can only create: most fields under Also, if you're not familiar with instance types on AWS, try Instance Selector<\/strong> where you only need to specify how much CPU, memory, and GPU you want.<\/p>\n ref: When a cluster is created, EKS automatically installs If not specified explicitly, addons will be created with a role that has all recommended policies attached.<\/p>\n It's worth noting that EKS Pod Identity Associations<\/strong> is AWS's newer, simpler way for Kubernetes pods to assume IAM roles, replacing the older IRSA (IAM Roles for Service Accounts) method.<\/p>\n ref: Pods running on regular nodes will behave as ref: Instead of using the old ref: Connect ref: After upgrading your EKS cluster on AWS Management Console, you might find If you got ref: You might need to manually delete\/detach the following resources in order to delete the cluster:<\/p>\n Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes as a Service on AWS. IMAO, Google Cloud's GKE is still the best choice for managed Kubernetes service if you're not stuck in AWS.<\/p>\n","protected":false},"author":1,"featured_media":832,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[38,116],"tags":[16,136,123],"class_list":["post-831","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-about-devops","category-about-web-development","tag-amazon-web-services","tag-aws-eks","tag-kubernetes"],"_links":{"self":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/posts\/831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/comments?post=831"}],"version-history":[{"count":0,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/posts\/831\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/media\/832"}],"wp:attachment":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/media?parent=831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/categories?post=831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/tags?post=831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nhttps:\/\/docs.aws.amazon.com\/eks\/latest\/userguide\/getting-started.html<\/a>
\nhttps:\/\/vinta.ws\/code\/the-complete-guide-to-google-kubernetes-engine-gke.html<\/a><\/p>\nInstall CLI Tools<\/h2>\n
WARNING: version difference between client (1.31) and server (1.33) exceeds the supported minor version skew of +\/-1<\/code>.<\/p>\n# kubectl\ncurl -LO \"https:\/\/dl.k8s.io\/release\/$(curl -L -s https:\/\/dl.k8s.io\/release\/stable.txt)\/bin\/darwin\/$(arch)\/kubectl\"\ncurl -LO \"https:\/\/dl.k8s.io\/release\/v1.32.7\/bin\/darwin\/arm64\/kubectl\"\nsudo install -m 0755 kubectl \/usr\/local\/bin\n\n# eksctl\ncurl -LO \"https:\/\/github.com\/weaveworks\/eksctl\/releases\/latest\/download\/eksctl_$(uname -s)_$(arch).tar.gz\"\ntar -xzf \"eksctl_$(uname -s)_$(arch).tar.gz\"\nsudo install -m 0755 eksctl \/usr\/local\/bin\n\n# awscli\ncurl \"https:\/\/awscli.amazonaws.com\/AWSCLIV2.pkg\" -o \"AWSCLIV2.pkg\"\nsudo installer -pkg AWSCLIV2.pkg -target \/<\/code><\/pre>\n
\nhttps:\/\/kubernetes.io\/docs\/tasks\/tools\/install-kubectl-macos\/<\/a>
\nhttps:\/\/github.com\/eksctl-io\/eksctl<\/a>
\nhttps:\/\/docs.aws.amazon.com\/cli\/latest\/userguide\/getting-started-install.html<\/a><\/p>\n# k9s\nbrew install derailed\/k9s\/k9s\n\n# fubectl\ncurl -LO https:\/\/rawgit.com\/kubermatic\/fubectl\/master\/fubectl.source\nsource <path-to>\/fubectl.source<\/code><\/pre>\n
\nhttps:\/\/github.com\/derailed\/k9s<\/a>
\nhttps:\/\/github.com\/kubermatic\/fubectl<\/a><\/p>\nCreate EKS Cluster<\/h2>\n
ClusterConfig<\/code> to define the cluster.<\/p>\n# https:\/\/eksctl.io\/usage\/schema\/\napiVersion: eksctl.io\/v1alpha5\nkind: ClusterConfig\nmetadata:\n name: your-cluster\n region: ap-northeast-1\n version: \"1.33\"\n\n# https:\/\/eksctl.io\/usage\/fargate-support\/\nfargateProfiles:\n - name: fp-default\n selectors:\n # all workloads in \"fargate\" Kubernetes namespace will be scheduled onto Fargate\n - namespace: fargate\n\n# https:\/\/eksctl.io\/usage\/nodegroup-managed\/\nmanagedNodeGroups:\n - name: mng-m5-xlarge\n instanceType: m5.xlarge\n spot: true\n minSize: 1\n maxSize: 10\n desiredCapacity: 2\n volumeSize: 100\n nodeRepairConfig:\n enabled: true\n iam:\n withAddonPolicies:\n autoScaler: true\n awsLoadBalancerController: true\n cloudWatch: true\n ebs: true\n attachPolicyARNs:\n # default node policies (required when explicitly setting attachPolicyARNs)\n - arn:aws:iam::aws:policy\/AmazonEKSWorkerNodePolicy\n - arn:aws:iam::aws:policy\/AmazonEKS_CNI_Policy\n - arn:aws:iam::aws:policy\/AmazonEC2ContainerRegistryPullOnly\n # custom policies\n - arn:aws:iam::xxx:policy\/your-custom-policy\n labels:\n service-node: \"true\"\n\n# https:\/\/eksctl.io\/usage\/cloudwatch-cluster-logging\/\ncloudWatch:\n clusterLogging:\n enableTypes: [\"api\", \"audit\", \"authenticator\"]\n logRetentionInDays: 30\n\n# https:\/\/eksctl.io\/usage\/addons\/\naddons:\n # networking addons are enabled by default\n # - name: kube-proxy\n # - name: coredns\n # - name: vpc-cni\n - name: amazon-cloudwatch-observability\n - name: aws-ebs-csi-driver\n - name: eks-pod-identity-agent\n - name: metrics-server\naddonsConfig:\n autoApplyPodIdentityAssociations: true\n\n# https:\/\/eksctl.io\/usage\/iamserviceaccounts\/\niam:\n # not all addons support Pod Identity Association, so you probably still need OIDC\n withOIDC: true\n\n# https:\/\/eksctl.io\/usage\/kms-encryption\/\nsecretsEncryption:\n keyARN: arn:aws:kms:YOUR_ARN<\/code><\/pre>\n# preview\nAWS_PROFILE=perp eksctl create cluster -f cluster-config.yaml --dry-run\n\n# create\neksctl create cluster -f cluster-config.yaml --profile=perp<\/code><\/pre>\nattachPolicyARNs<\/code>, it must<\/strong> also include the default node policies, like AmazonEKSWorkerNodePolicy<\/code>, AmazonEKS_CNI_Policy<\/code> and AmazonEC2ContainerRegistryPullOnly<\/code>.<\/p>\n
\nhttps:\/\/eksctl.io\/usage\/schema\/<\/a>
\nhttps:\/\/eksctl.io\/usage\/iam-policies\/<\/a>
\nhttps:\/\/github.com\/weaveworks\/eksctl\/tree\/main\/examples<\/a><\/p>\nManaged Nodegroups<\/h3>\n
managedNodeGroups<\/code> section cannot be changed once created. If you need to tweak something, just add a new one.<\/p>\nmanagedNodeGroups:\n - name: mng-spot-2c4g\n instanceSelector:\n vCPUs: 2\n memory: 4GiB\n gpus: 0\n spot: true\n minSize: 1\n maxSize: 5\n desiredCapacity: 2\n volumeSize: 100\n nodeRepairConfig:\n enabled: true<\/code><\/pre>\neksctl create nodegroup -f cluster-config.yaml --profile=perp<\/code><\/pre>\n
\nhttps:\/\/eksctl.io\/usage\/nodegroup-managed\/<\/a>
\nhttps:\/\/eksctl.io\/usage\/instance-selector\/<\/a><\/p>\nAddons<\/h3>\n
vpc-cni<\/code>, coredns<\/code> and kube-proxy<\/code> as self-managed addons. Here are other common addons you probably want to install as well:<\/p>\n\n
eks-pod-identity-agent<\/code>: Manages IAM permissions for pods using Pod Identity Associations instead of OIDC<\/li>\namazon-cloudwatch-observability<\/code>: Collects and sends container metrics, logs, and traces to CloudWatch Container Insights (Logs Insights)<\/li>\naws-ebs-csi-driver<\/code>: Enables pods to use EBS volumes for persistent storage through Kubernetes PersistentVolumes<\/li>\nmetrics-server<\/code>: Provides resource metrics (CPU\/memory) for HPA, VPA and kubectl top<\/code> commands<\/li>\n<\/ul>\n
\nhttps:\/\/eksctl.io\/usage\/addons\/<\/a>
\nhttps:\/\/eksctl.io\/usage\/pod-identity-associations\/<\/a>
\nhttps:\/\/eksctl.io\/usage\/iamserviceaccounts\/<\/a><\/p>\nIAM Permissions<\/h3>\n
NodeInstanceRole<\/code>; pods running on Fargate nodes will use FargatePodExecutionRole<\/code>. If you would like to adjust IAM permissions for a nodegroup, use the following command to find out which IAM role it's using:<\/p>\naws eks describe-nodegroup \n --region ap-northeast-1 \n --cluster-name your-cluster \n --nodegroup-name mng-m5-xlarge \n --query 'nodegroup.nodeRole' \n --output text \n --profile=perp<\/code><\/pre>\n
\nhttps:\/\/docs.aws.amazon.com\/eks\/latest\/userguide\/create-node-role.html<\/a><\/p>\nAccess EKS Cluster<\/h2>\n
aws-auth<\/code> ConfigMap, you could use Access Entries<\/strong> to manage users\/roles between AWS IAM and Kubernetes. Though, the user who ran eksctl create cluster<\/code> should remove himself\/herself from the access entries, EKS will add the user automatically.<\/p>\napiVersion: eksctl.io\/v1alpha5\nkind: ClusterConfig\nmetadata:\n name: your-cluster\n region: ap-northeast-1\n\naccessConfig:\n authenticationMode: API\n accessEntries:\n # - principalARN: arn:aws:iam::xxx:user\/user1\n # accessPolicies:\n # - policyARN: arn:aws:eks::aws:cluster-access-policy\/AmazonEKSClusterAdminPolicy\n # accessScope:\n # type: cluster\n - principalARN: arn:aws:iam::xxx:user\/user2\n accessPolicies:\n - policyARN: arn:aws:eks::aws:cluster-access-policy\/AmazonEKSAdminPolicy\n accessScope:\n type: cluster\n - principalARN: arn:aws:iam::xxx:user\/user3\n accessPolicies:\n - policyARN: arn:aws:eks::aws:cluster-access-policy\/AmazonEKSViewPolicy\n accessScope:\n type: cluster\n - principalARN: arn:aws:iam::xxx:user\/production-eks-deploy\n type: STANDARD<\/code><\/pre>\n# list\neksctl get accessentry --region ap-northeast-1 --cluster your-cluster --profile perp\n\n# create\neksctl create accessentry -f access-entries.yaml --profile perp<\/code><\/pre>\n
\nhttps:\/\/eksctl.io\/usage\/access-entries\/<\/a>
\nhttps:\/\/docs.aws.amazon.com\/eks\/latest\/userguide\/access-policies.html<\/a><\/p>\nkubectl<\/code> to your EKS cluster by creating a kubeconfig<\/code> file.<\/p>\n# setup context for a cluster\naws eks update-kubeconfig --region ap-northeast-1 --name your-cluster --alias your-cluster --profile=perp\n\n# switch cluster context\nkubectl config use-context your-cluster\n\nkubectl get nodes\n\ncat ~\/.kube\/config<\/code><\/pre>\n
\nhttps:\/\/docs.aws.amazon.com\/eks\/latest\/userguide\/create-kubeconfig.html<\/a><\/p>\nUpgrade EKS Cluster<\/h2>\n
kube-proxy<\/code> is still using the old image from the previous Kubernetes version - just upgrade them manually. Or if you are going to create an ARM-based nodegroup, you might also need to upgrade core addons first:<\/p>\neksctl utils update-aws-node --region ap-northeast-1 --cluster your-cluster --approve --profile=perp\neksctl utils update-coredns --region ap-northeast-1 --cluster your-cluster --approve --profile=perp\neksctl utils update-kube-proxy --region ap-northeast-1 --cluster your-cluster --approve --profile=perp\n\nkubectl get pods -n kube-system<\/code><\/pre>\nError: ImagePullBackOff<\/code>, try the following commands and replace the version (and region) with the version listed in Latest available kube-proxy container image version for each Amazon EKS cluster version<\/a>:<\/p>\nkubectl describe daemonset kube-proxy -n kube-system | grep Image\nkubectl set image daemonset.apps\/kube-proxy -n kube-system \nkube-proxy=602401143452.dkr.ecr.ap-northeast-1.amazonaws.com\/eks\/kube-proxy:v1.25.16-minimal-eksbuild.8<\/code><\/pre>\n
\nhttps:\/\/eksctl.io\/usage\/cluster-upgrade\/<\/a>
\nhttps:\/\/github.com\/weaveworks\/eksctl\/issues\/1088<\/a><\/p>\nDelete EKS Cluster<\/h2>\n
\n
NodeInstanceRole<\/code> and FargatePodExecutionRole<\/code> <\/li>\neksctl delete cluster --region ap-northeast-1 --name your-cluster --disable-nodegroup-eviction --profile=perp<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"