aws Getting Started with Amazon EKS

Note

This is just a note for myself and it’s not meant to be a guide for EKS. We have an authentic guide – Getting Started with Amazon EKS

Amazon EKS Prerequisites

Before you can create an Amazon EKS cluster, you must create an IAM role that Kubernetes can assume to create AWS resources. For example, when a load balancer is created, Kubernetes assumes the role to create an Elastic Load Balancing load balancer in your account. This only needs to be done one time and can be used for multiple EKS clusters.

You must also create a VPC and a security group for your cluster to use. Although the VPC and security groups can be used for multiple EKS clusters, we recommend that you use a separate VPC for each EKS cluster to provide better network isolation.

This section also helps you to install the kubectl binary and configure it to work with Amazon EKS.

Create your Amazon EKS Service Role

To create your Amazon EKS service role in the IAM console

1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Choose Roles, then Create role.
3. Choose EKS from the list of services, then Allows Amazon EKS to manage your clusters on your behalf for your use case, then Next: Permissions.
4. Choose Next: Tags.
5. (Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM Entities in the IAM User Guide.
6. Choose Next: Review.
7. For Role name, enter a unique name for your role, such as eksServiceRole, then choose Create role.

Create your Amazon EKS Cluster VPC

To create your cluster VPC

1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
2. From the navigation bar, select a Region that supports Amazon EKS.NoteAmazon EKS is available in the following Regions at this time:
   • US West (Oregon) (us-west-2)
   • US East (N. Virginia) (us-east-1)
   • US East (Ohio) (us-east-2)
   • EU (Frankfurt) (eu-central-1)
   • EU (Stockholm) (eu-north-1)
   • EU (Ireland) (eu-west-1)
   • EU (London) (eu-west-2)
   • EU (Paris) (eu-west-3)
   • Asia Pacific (Tokyo) (ap-northeast-1)
   • Asia Pacific (Seoul) (ap-northeast-2)
   • Asia Pacific (Mumbai) (ap-south-1)
   • Asia Pacific (Singapore) (ap-southeast-1)
   • Asia Pacific (Sydney) (ap-southeast-2)
3. Choose Create stack.
4. For Choose a template, select Specify an Amazon S3 template URL.
5. Paste the following URL into the text area and choose Next:https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2019-02-11/amazon-eks-vpc-sample.yaml
6. On the Specify Details page, fill out the parameters accordingly, and then choose Next.
   • Stack name: Choose a stack name for your AWS CloudFormation stack. For example, you can call it eks-vpc.
   • VpcBlock: Choose a CIDR range for your VPC. You may leave the default value.
   • Subnet01Block: Choose a CIDR range for subnet 1. You may leave the default value.
   • Subnet02Block: Choose a CIDR range for subnet 2. You may leave the default value.
   • Subnet03Block: Choose a CIDR range for subnet 3. You may leave the default value.
7. (Optional) On the Options page, tag your stack resources. Choose Next.
8. On the Review page, choose Create.
9. When your stack is created, select it in the console and choose Outputs.
10. Record the SecurityGroups value for the security group that was created. You need this when you create your EKS cluster; this security group is applied to the cross-account elastic network interfaces that are created in your subnets that allow the Amazon EKS control plane to communicate with your worker nodes.
11. Record the VpcId for the VPC that was created. You need this when you launch your worker node group template.
12. Record the SubnetIds for the subnets that were created. You need this when you create your EKS cluster; these are the subnets that your worker nodes are launched into.

Install and Configure kubectl for Amazon EKS

Kubernetes uses a command-line utility called kubectl for communicating with the cluster API server. Amazon EKS clusters also require the AWS IAM Authenticator for Kubernetes to allow IAM authentication for your Kubernetes cluster. Beginning with Kubernetes version 1.10, you can configure the kubectl client to work with Amazon EKS by installing the AWS IAM Authenticator for Kubernetes and modifying your kubectl configuration file to use it for authentication.

Amazon EKS vends aws-iam-authenticator binaries that you can use that are identical to the upstream aws-iam-authenticator binaries with the same version. Alternatively, you can use go get to fetch the binary from the AWS IAM Authenticator for Kubernetes project on GitHub.

To install kubectl for Amazon EKS

• You have multiple options to download and install kubectl for your operating system.
  • The kubectl binary is available in many operating system package managers, and this option is often much easier than a manual download and install process. You can follow the instructions for your specific operating system or package manager in the Kubernetes documentation to install.
  • Amazon EKS also vends kubectl binaries that you can use that are identical to the upstream kubectl binaries with the same version. To install the Amazon EKS-vended binary for your operating system, see Installing kubectl.

To install aws-iam-authenticator for Amazon EKS

1. Download the Amazon EKS-vended aws-iam-authenticator binary from Amazon S3:
   • Linux: https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/linux/amd64/aws-iam-authenticator
   • MacOS: https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/darwin/amd64/aws-iam-authenticator
   • Windows: https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/windows/amd64/aws-iam-authenticator.exeUse the command below to download the binary, substituting the correct URL for your platform. The example below is for macOS clients.

Step 1: Create Your Amazon EKS Cluster

Now you can create your Amazon EKS cluster.

Important

When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as the administrator (with system:master permissions. Initially, only that IAM user can make calls to the Kubernetes API server using kubectl. For more information, see Managing Users or IAM Roles for your Cluster. Also, the AWS IAM Authenticator for Kubernetes uses the AWS SDK for Go to authenticate against your Amazon EKS cluster. If you use the console to create the cluster, you must ensure that the same IAM user credentials are in the AWS SDK credential chain when you are running kubectl commands on your cluster.

If you install and configure the AWS CLI, you can configure the IAM credentials for your user. These also work for the AWS IAM Authenticator for Kubernetes. If the AWS CLI is configured properly for your user, then the AWS IAM Authenticator for Kubernetes can find those credentials as well. For more information, see Configuring the AWS CLI in the AWS Command Line Interface User Guide.

To create your cluster with the console

1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
2. Choose Create cluster.NoteIf your IAM user does not have administrative privileges, you must explicitly add permissions for that user to call the Amazon EKS API operations. For more information, see Creating Amazon EKS IAM Policies.
3. On the Create cluster page, fill in the following fields and then choose Create:
   • Cluster name: A unique name for your cluster.
   • Kubernetes version: The version of Kubernetes to use for your cluster. By default, the latest available version is selected.
   • Role ARN: Select the IAM role that you created with Create your Amazon EKS Service Role.
   • VPC: The VPC you created with Create your Amazon EKS Cluster VPC. You can find the name of your VPC in the drop-down list.
   • Subnets: The SubnetIds values (comma-separated) from the AWS CloudFormation output that you generated with Create your Amazon EKS Cluster VPC. By default, the available subnets in the above VPC are preselected.
   • Security Groups: The SecurityGroups value from the AWS CloudFormation output that you generated with Create your Amazon EKS Cluster VPC. This security group hasControlPlaneSecurityGroup in the drop-down name.ImportantThe worker node AWS CloudFormation template modifies the security group that you specify here, so Amazon EKS strongly recommends that you use a dedicated security group for each cluster control plane (one per cluster). If this security group is shared with other resources, you may block or disrupt connections to those resources.
   NoteYou may receive an error that one of the Availability Zones in your request does not have sufficient capacity to create an Amazon EKS cluster. If this happens, the error output contains the Availability Zones that can support a new cluster. Retry creating your cluster with at least two subnets that are located in the supported Availability Zones for your account. For more information, see Insufficient Capacity.
4. On the Clusters page, choose the name of your newly created cluster to view the cluster information.
5. The Status field shows CREATING until the cluster provisioning process completes. Cluster provisioning usually takes between 10 and 15 minutes.

To create your cluster with the AWS CLI

1. Create your cluster with the following command. Substitute your cluster name, the Amazon Resource Name (ARN) of your Amazon EKS service role that you created in Create your Amazon EKS Service Role, and the subnet and security group IDs for the VPC that you created in Create your Amazon EKS Cluster VPC.