EKS: Deployment Prerequisites
EKS Deployment requires a few things to be in-place before you deploy the cluster through Nirmata:
-
VPC: Create IP Address block for your EC2 instances.
-
Network Group: Any AWS setup requires you to setup a network group with subnet policy which will be used to provide connectivity across your EC2 instances.
-
Security Group: Security group defines that security policy for access into and between your EC2 instances. Security policy is core construct needed to setup your AWS services. For an EKS cluster, two security groups are recommended - control-plane security group for cluster operations and worker node security group for application traffic. For control plane security group, for inbound traffic, ports 443 from all nodes in worker security group are recommended. For outbound traffic, ports 1025-65535 are recommended to be open. Port 10250 is minimum requirement. For worker security group, port 443 and port-range 1025-65535 is recommended to be open. For outbound traffic, all ports can be open. Click here for more information.
-
AWS IAM Role: An AWS IAM role is configured through nirmata role used in cloud-crredentials for AWS that can provision EC2 instances and EKS control-plane. You can create an AWS IAM Role for Nirmata or use an existing one used with cloud-credentials with right permissions.
-
EKS Role: AWS requires an additional role to create and manage the EKS cluster resources. Create a role with AmazonEKSClusterPolicy and AmazonEKSServicePolicy and use that in the Cluster Role ARN. Click here for a step-by-step introduction on creating an IAM role for EKS.
-
Node IAM Role: A node instance IAM role is required to allow kubelet running on nodes to make calls to AWS APIs. Ensure that the AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, and AmazonEC2ContainerRegistryReadOnly managed policies are attached to the role. You can refer to EKS documentation for more details.
-
Cloud Credentials: In Nirmata UI, configure the Cloud Credentials. You can use the ‘Assume Role’ option, which is the most secure option for third party access to your AWS account or use the Access Key option.
To access the Add Cloud Credentials options, select Cloud Credentials from the sidebar menu. Then click on the Add Cloud Credentials icon.
EKS Cluster Type Configuration Steps
To create an EKS cluster type, select Policies from the sidebar menu and then click +Cluster Types and Add Cluster Type button. Choose EKS from the Add Cluster Type panel.
-
Cloud Credentials- Select the Cloud Credentials you would like to use for this cluster type.
-
Kubernetes Version - Select the Kubernetes version.
-
Region - Select the region where your cluster will be deployed.
-
VPC - Select virtual private cloud (VPC) in which your cluster will be deployed.
-
Networks - Select at least two networks for your cluster. Elastic Network Interfaces (ENI) on the cluster nodes will be able to communicate on these networks.
-
Security Groups - Select the security groups to apply to the EKS-managed Elastic Network Interfaces (ENI) that are created in your worker node subnets.
-
Private Endpoint Access - Select this option if you want the API server endpoint for your cluster to be private.
-
Cluster Role ARN - This is the EKS cluster role you created in Step-5 for Nirmata to deploy EKS. Again, with cloud provider integration, you should see it in the drop down menu.
-
Enable Envelop Encryption - Select this option to provide an additional layer of encryption for your Kubernetes cluster.
Then select the configuration for your node pools:
-
Instance Type: Select the EC2 instance type you would like to use for EKS cluster.
-
Image ID: Provide an EKS compliant image for the intance type. (Optional)
-
SSH Key- Select the SSH key ID to be configured on the nodes.
-
Disk Size- Enter the disk size for the nodes.
-
Node Instance IAM Role - Select the IAM Role that will be used by the nodes. You can create a new role, in the AWS IAM console. See instructions in Step 6 for EKS: Deployment Prerequisites
-
Security Group - Select the security groups to apply to the EKS-managed Elastic Network Interfaces (ENI) that are created in your worker node subnets.
-
AMI Type - Select the EKS-optimized Amazon Machine Image for nodes.
-
Node Labels - Specify the labels for your nodes.
Next, you can enable logging for your EKS cluster control plane and select Add-ons to be deployed in your cluster.
After completing the configuration steps, click Create. Your EKS cluster type will be created. Now, you can use this cluster type to create an EKS
Creating an EKS Cluster
To create an EKS cluster, select Clusters from side menu and clicking on the Add Cluster button.
-
Select EKS in the Add Cluster screen
-
Select the cluster type that you previously created
-
Provide the node cloud and alternately enable autoscaling for your node pool.
Once you click on Create cluster button, the cluster will be created in 10-15 minutes.
NOTE: If you are creating a cluster in private address space and do not have a routed connection back to Nirmata you will be able to create the cluster but the Nirmata controller will not connect to Nirmata. Your cluster will display “Pending controller connect” state and subsequently fail.