What is Amazon EKS
EKS is a managed service that requires almost no administration and offers high availability and fault tolerance.
Version
- Kubernetes 1.29
VPC
Build the VPC by following this guide:
https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/creating-a-vpc.html
Note: the relevant excerpt is given below.
2. Choose a supported region
> Tokyo
4. Under Prerequisites - Prepare template, choose an existing template. For Specify template, choose Amazon S3 URL and enter the URL below.
https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-sample.yaml
Note: it ended up being named dev-eks-vpc-VPC, so I changed it to dev-eks-vpc.
Environment
- Communication between pods and between nodes inside the cluster is not restricted
- Nodes are allowed to access the outside (internet)
Create the role
[cloudshell-user@ip-10-134-21-242 ~]$ cat >eks-create.json <<EOF
> {
> "Version": "2012-10-17",
> "Statement": [
> {
> "Effect": "Allow",
> "Principal": {
> "Service": "eks.amazonaws.com"
> },
> "Action": "sts:AssumeRole"
> }
> ]
> }
> EOF
$ aws iam create-role --role-name myDevEKSCreateRole --assume-role-policy-document file://"eks-create.json"
{
"Role": {
"Path": "/",
"RoleName": "myDevEKSCreateRole",
"RoleId": "<role ID>",
"Arn": "arn:aws:iam::<12-digit account ID>:role/myDevEKSCreateRole",
"CreateDate": "2024-04-28T15:51:18+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
}
}
[cloudshell-user@ip-10-134-21-242 ~]$ aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy --role-name myDevEKSCreateRole
Get the VPC information
$ aws ec2 describe-vpcs \
> --query 'Vpcs[0].VpcId' \
> --output text
vpc-xxxxxxxx
$ aws ec2 create-security-group \
> --group-name eks-dev-security-group \
> --description "My security group for Amazon EKS" \
> --vpc-id vpc-XXX
{
"GroupId": "sg-xxxx"
}
Create and verify the security group
$ export SECURITY_GROUP_ID=$(aws ec2 describe-security-groups --filters Name=group-name,Values=eks-dev-security-group --query "SecurityGroups[0].GroupId" --output text)
echo $SECURITY_GROUP_ID
sg-xxxx
aws ec2 authorize-security-group-ingress \
--group-id $SECURITY_GROUP_ID \
--protocol tcp \
--port 443 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
--group-id $SECURITY_GROUP_ID \
--protocol tcp \
--port 30000-32767 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
--group-id $SECURITY_GROUP_ID \
--protocol tcp \
--port 10250 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
--group-id $SECURITY_GROUP_ID \
--protocol tcp \
--port 10255 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
--group-id $SECURITY_GROUP_ID \
--protocol tcp \
--port 2379 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
--group-id $SECURITY_GROUP_ID \
--protocol tcp \
--port 2380 \
--cidr 0.0.0.0/0
aws ec2 update-security-group-rule-descriptions-egress \
--group-id $SECURITY_GROUP_ID \
--ip-permissions '[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Allow all outbound traffic"}]}]'
# Verify that the rules were applied
[cloudshell-user@ip-10-132-88-162 ~]$ aws ec2 describe-security-groups \
> --group-ids $SECURITY_GROUP_ID \
> --query 'SecurityGroups[0].IpPermissions'
[
{
"FromPort": 30000,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 32767,
"UserIdGroupPairs": []
},
{
"FromPort": 10255,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 10255,
"UserIdGroupPairs": []
},
{
"FromPort": 2379,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 2379,
"UserIdGroupPairs": []
},
{
"FromPort": 10250,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 10250,
"UserIdGroupPairs": []
},
{
"FromPort": 2380,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 2380,
"UserIdGroupPairs": []
},
{
"FromPort": 443,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 443,
"UserIdGroupPairs": []
}
]
aws ec2 describe-security-groups \
> --group-ids $SECURITY_GROUP_ID \
> --query 'SecurityGroups[0].IpPermissionsEgress'
[
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow all outbound traffic"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
]
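The ingress rules above open the kubelet (10250/10255), etcd (2379/2380) and NodePort ranges to 0.0.0.0/0. The following is an added example, not code from the original post: it parses the JSON that `describe-security-groups --query 'SecurityGroups[0].IpPermissions'` prints and flags every rule that exposes one of those ports to the world, so the check can be run on any group before nodes are attached. The sample input is constructed to mirror the output above (one etcd rule has been narrowed to the VPC CIDR to show a rule that passes).

```python
import json

# Ports on EKS worker nodes that must never be reachable from 0.0.0.0/0.
# etcd itself runs in the AWS-managed control plane, so 2379/2380 should
# not be open on worker nodes at all.
SENSITIVE_PORTS = {
    10250: "kubelet API",
    10255: "kubelet read-only API",
    2379: "etcd client",
    2380: "etcd peer",
}
NODEPORT_RANGE = (30000, 32767)
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def audit_ingress(permissions):
    """Return one finding per ingress rule exposing a sensitive port to the world.

    `permissions` is the list printed by describe-security-groups (IpPermissions).
    """
    findings = []
    for rule in permissions:
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if not cidrs & WORLD_CIDRS:
            continue  # reachable only from specific CIDRs; passes this check
        if rule.get("IpProtocol") == "-1":
            findings.append("all protocols and ports open to the world")
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"tcp/{port} ({name}) open to the world")
        if lo <= NODEPORT_RANGE[1] and hi >= NODEPORT_RANGE[0]:
            findings.append(f"NodePort range {lo}-{hi} open to the world")
    return findings


# Constructed sample mirroring the post's output: two world-open rules that
# should be flagged, one etcd rule restricted to the VPC, and 443 for the API.
SAMPLE = json.loads("""[
 {"FromPort": 30000, "ToPort": 32767, "IpProtocol": "tcp",
  "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
 {"FromPort": 10250, "ToPort": 10250, "IpProtocol": "tcp",
  "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
 {"FromPort": 2379, "ToPort": 2379, "IpProtocol": "tcp",
  "IpRanges": [{"CidrIp": "172.31.0.0/16"}], "Ipv6Ranges": []},
 {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp",
  "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
]""")

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE):
        print("FINDING:", finding)
```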
Gather the information needed to create the cluster
# Get the VPC and subnet IDs
VPC_ID=$(aws ec2 describe-vpcs \
--query 'Vpcs[0].VpcId' \
--output text)
SUBNET_IDS=$(aws ec2 describe-subnets \
--filters Name=vpc-id,Values=$VPC_ID \
--query 'Subnets[*].SubnetId' \
--output text)
read -ra SUBNET_ID_ARRAY <<< "$SUBNET_IDS"
SUBNET_ID_1="${SUBNET_ID_ARRAY[0]}"
SUBNET_ID_2="${SUBNET_ID_ARRAY[1]}"
echo "VPC ID: $VPC_ID"
echo "Subnet ID 1: $SUBNET_ID_1"
echo "Subnet ID 2: $SUBNET_ID_2"
Get the IAM role ARN
ROLE_NAME=myDevEKSCreateRole
ROLE_ARN=$(aws iam get-role --role-name $ROLE_NAME --query 'Role.Arn' --output text)
Get the security group ID
export SECURITY_GROUP_ID=$(aws ec2 describe-security-groups --filters Name=group-name,Values=eks-dev-security-group --query "SecurityGroups[0].GroupId" --output text)
Create the cluster
aws eks create-cluster \
--region ap-northeast-1 \
--name dev-eks \
--kubernetes-version 1.29 \
--role-arn $ROLE_ARN \
--resources-vpc-config subnetIds=$SUBNET_ID_1,$SUBNET_ID_2,securityGroupIds=$SECURITY_GROUP_ID
# Verify that the cluster was created
aws eks describe-cluster --name dev-eks --region ap-northeast-1
{
"cluster": {
"name": "dev-eks",
"arn": "arn:aws:eks:ap-northeast-1:XXX:cluster/dev-eks",
"createdAt": "2024-04-29T13:00:12.045000+00:00",
"version": "1.29",
"endpoint": "https://XXX.gr7.ap-northeast-1.eks.amazonaws.com",
"roleArn": "arn:aws:iam::XXX:role/myDevEKSCreateRole",
"resourcesVpcConfig": {
"subnetIds": [
"subnet-ID",
"subnet-ID"
],
"securityGroupIds": [
"sg-ID"
],
"clusterSecurityGroupId": "ID",
"vpcId": "vpc-ID",
"endpointPublicAccess": true,
"endpointPrivateAccess": false,
"publicAccessCidrs": [
"0.0.0.0/0"
]
},
"kubernetesNetworkConfig": {
"serviceIpv4Cidr": "10.100.0.0/16",
"ipFamily": "ipv4"
},
"logging": {
"clusterLogging": [
{
"types": [
"api",
"audit",
"authenticator",
"controllerManager",
"scheduler"
],
"enabled": false
}
]
},
"identity": {
"oidc": {
"issuer": "https://oidc.eks.ap-northeast-1.amazonaws.com/id/XXX"
}
},
"status": "ACTIVE",
"certificateAuthority": {
"data": "XXX"
},
"platformVersion": "eks.6",
"tags": {},
"health": {
"issues": []
},
"accessConfig": {
"authenticationMode": "CONFIG_MAP"
}
}
}
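The describe-cluster output above shows a public-only API endpoint accepting connections from 0.0.0.0/0 and every control-plane log type disabled. As an added example (not from the original post), the function below reads a describe-cluster result and reports those hardening gaps; the sample input is a constructed copy of the output above with IDs removed.

```python
import json

# Control-plane log types EKS can send to CloudWatch Logs.
CONTROL_PLANE_LOGS = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def audit_cluster(desc):
    """Return (setting, problem) pairs for an `aws eks describe-cluster` result."""
    cluster = desc["cluster"]
    vpc = cluster.get("resourcesVpcConfig", {})
    findings = []
    if vpc.get("endpointPublicAccess") and "0.0.0.0/0" in vpc.get("publicAccessCidrs", []):
        findings.append(("publicAccessCidrs",
                         "API server endpoint accepts connections from any IPv4 address"))
    if not vpc.get("endpointPrivateAccess"):
        findings.append(("endpointPrivateAccess",
                         "worker nodes reach the API server via the public endpoint"))
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled |= set(entry.get("types", []))
    missing = CONTROL_PLANE_LOGS - enabled
    if missing:
        findings.append(("clusterLogging",
                         "not sent to CloudWatch: " + ", ".join(sorted(missing))))
    return findings


# Constructed sample mirroring the post's describe-cluster output (IDs removed).
SAMPLE = json.loads("""{"cluster": {
  "name": "dev-eks",
  "resourcesVpcConfig": {
    "endpointPublicAccess": true,
    "endpointPrivateAccess": false,
    "publicAccessCidrs": ["0.0.0.0/0"]
  },
  "logging": {"clusterLogging": [{
    "types": ["api", "audit", "authenticator", "controllerManager", "scheduler"],
    "enabled": false
  }]}
}}""")

if __name__ == "__main__":
    for setting, problem in audit_cluster(SAMPLE):
        print(f"{setting}: {problem}")
```

The first two findings are fixed with `aws eks update-cluster-config --resources-vpc-config` (restrict `publicAccessCidrs`, enable `endpointPrivateAccess`); logging is enabled with `--logging` in a separate `update-cluster-config` call.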
Create the node group
aws iam update-assume-role-policy --role-name myDevEKSCreateRole --policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}'
ROLE_NAME=myDevEKSCreateRole
ROLE_ARN=$(aws iam get-role --role-name $ROLE_NAME --query 'Role.Arn' --output text)
aws eks create-nodegroup \
--cluster-name dev-eks \
--nodegroup-name dev-nodegroup \
--subnets $SUBNET_ID_1 $SUBNET_ID_2 \
--instance-types t3.medium \
--node-role $ROLE_ARN \
--region ap-northeast-1
aws eks describe-nodegroup --cluster-name dev-eks --nodegroup-name dev-nodegroup --region ap-northeast-1
{
"nodegroup": {
"nodegroupName": "dev-nodegroup",
"nodegroupArn": "arn:aws:eks:ap-northeast-1:XXX:nodegroup/dev-eks/dev-nodegroup/XXX",
"clusterName": "dev-eks",
"version": "1.29",
"releaseVersion": "1.29.0-20240415",
"createdAt": "2024-04-29T14:02:06.944000+00:00",
"modifiedAt": "2024-04-29T14:02:06.944000+00:00",
"status": "CREATING",
"capacityType": "ON_DEMAND",
"scalingConfig": {
"minSize": 1,
"maxSize": 2,
"desiredSize": 2
},
"instanceTypes": [
"t3.medium"
],
"subnets": [
"subnet-XXX",
"subnet-XXX"
],
"amiType": "AL2_x86_64",
"nodeRole": "arn:aws:iam::XXX:role/myDevEKSCreateRole",
"diskSize": 20,
"health": {
"issues": []
},
"updateConfig": {
"maxUnavailable": 1
},
"tags": {}
}
}
aws iam attach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
aws iam attach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
aws iam attach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
aws iam attach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonEKSVPCResourceController
aws iam attach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
aws eks create-nodegroup \
--cluster-name dev-eks \
--nodegroup-name dev-nodegroups \
--subnets $SUBNET_ID_1 $SUBNET_ID_2 \
--instance-types t3.medium \
--node-role $ROLE_ARN \
--region ap-northeast-1
while true; do
STATUS=$(aws eks describe-nodegroup --cluster-name dev-eks --nodegroup-name dev-nodegroups --region ap-northeast-1 --query "nodegroup.status" --output text)
echo "Nodegroup status: $STATUS"
# Stop polling once the node group reaches a terminal state
case "$STATUS" in ACTIVE|CREATE_FAILED|DEGRADED) break ;; esac
sleep 5
done
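In the steps above the cluster role myDevEKSCreateRole is reused as the node role, given a trust policy for both eks.amazonaws.com and ec2.amazonaws.com, and granted AmazonEC2FullAccess. The following is an added example, not code from the original post: it takes a trust policy document and the list of attached managed-policy ARNs and reports a role shared across services and policies outside the node-role baseline the EKS user guide lists (AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly). The inputs are constructed copies of the policy and ARNs used above.

```python
import json

# Managed policies the EKS user guide lists for a managed node group's node role.
NODE_ROLE_BASELINE = {
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
}

def trusted_services(trust_policy):
    """Return the AWS service principals the trust policy lets assume the role."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        svc = stmt.get("Principal", {}).get("Service", [])
        services |= {svc} if isinstance(svc, str) else set(svc)
    return services

def audit_node_role(trust_policy, attached_arns):
    """Flag a node role shared with other services or carrying non-baseline policies."""
    findings = []
    services = trusted_services(trust_policy)
    if len(services) > 1:
        findings.append("role assumable by several services: " + ", ".join(sorted(services)))
    for arn in sorted(set(attached_arns) - NODE_ROLE_BASELINE):
        name = arn.rsplit("/", 1)[-1]
        kind = "broad managed policy" if name.endswith("FullAccess") else "outside node-role baseline"
        findings.append(f"{kind}: {name}")
    return findings

# Constructed inputs mirroring the post: the trust policy passed to
# update-assume-role-policy and every policy attached to myDevEKSCreateRole.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
 {"Effect": "Allow", "Principal": {"Service": "eks.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""")
ATTACHED = [
    "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
]

if __name__ == "__main__":
    for finding in audit_node_role(TRUST_POLICY, ATTACHED):
        print("FINDING:", finding)
```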
Get the nodes
kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-172-31-1-127.ap-northeast-1.compute.internal Ready <none> 5m43s v1.29.0-eks-5e0fdde
ip-172-31-22-77.ap-northeast-1.compute.internal Ready <none> 5m45s v1.29.0-eks-5e0fdde
Cleanup
aws eks list-nodegroups --cluster-name dev-eks --region ap-northeast-1
aws eks delete-nodegroup --cluster-name dev-eks --nodegroup-name dev-nodegroups --region ap-northeast-1
aws eks delete-cluster --name dev-eks --region ap-northeast-1
To do
- Command explanations, the required roles, etc. will be added later
- Next time I want to do this with Terraform or similar
- Also the settings for connecting from a terminal, etc.