
AWS EKS initial setup procedure


Introduction

Reference: https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/getting-started-console.html

Create a VPC (the CloudFormation template below creates the VPC and private subnets for the cluster)

aws cloudformation create-stack \
  --region us-west-2 \
  --stack-name my-eks-vpc-stack \
  --template-url https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml

Create the cluster role

Create cluster-role-trust-policy.json

/cluster-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
aws iam create-role \
  --role-name myAmazonEKSClusterRole \
  --assume-role-policy-document file://"/Users/xxxxx/cluster-role-trust-policy.json"

// Output
ROLE    arn:aws:iam::xxxxxxxxx:role/myAmazonEKSClusterRole   2021-10-28T13:31:41+00:00       /       AROAAAAAAAAAAAAAAAAFC   myAmazonEKSClusterRole
ASSUMEROLEPOLICYDOCUMENT        2012-10-17
STATEMENT       sts:AssumeRole  Allow
PRINCIPAL       eks.amazonaws.com
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \
  --role-name myAmazonEKSClusterRole

Create the cluster

Create it from the EKS console as shown below.

(Screenshot: 2021-10-28 22.41.03.png)

Verify that your PC can communicate with the EKS cluster

aws eks update-kubeconfig \
  --region ap-northeast-1 \
  --name my-cluster

// Output
Added new context arn:aws:eks:ap-northeast-1:0000000000:cluster/my-cluster to /Users/xxxxx/.kube/config

Create an IAM OpenID Connect (OIDC) provider

Reference: https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/getting-started-console.html
Following the guide above is enough.

Create nodes

/cni-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/XXXXXXXXXX45D83924220DC4815XXXXX"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-2.amazonaws.com/id/XXXXXXXXXX45D83924220DC4815XXXXX:sub": "system:serviceaccount:kube-system:aws-node"
        }
      }
    }
  ]
}
aws iam create-role \
  --role-name myAmazonEKSCNIRole \
  --assume-role-policy-document file://"/Users/xxxxxxxxx/cni-role-trust-policy.json"

// Output
ROLE    arn:aws:iam::0000000000:role/myAmazonEKSCNIRole       2021-10-28T14:26:32+00:00       /       XXXXXXXXXXXXXXXXXXX   myAmazonEKSCNIRole
ASSUMEROLEPOLICYDOCUMENT        2012-10-17
STATEMENT       sts:AssumeRoleWithWebIdentity   Allow
STRINGEQUALS    system:serviceaccount:kube-system:aws-node
PRINCIPAL       arn:aws:iam::000000000000000:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
  --role-name myAmazonEKSCNIRole
aws eks update-addon \
  --region us-west-2 \
  --cluster-name my-cluster \
  --addon-name vpc-cni \
  --service-account-role-arn arn:aws:iam::111122223333:role/myAmazonEKSCNIRole

Trust policy for the node IAM role, which lets the EC2 instances in the node group assume it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
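The following is an added example, not code from the original post or from AWS. It builds the two kinds of trust policy used in the "Create the cluster role" and "Create nodes" sections (the service-principal form for the cluster and node roles, and the IRSA form for the CNI role) from the cluster's OIDC issuer URL, and then checks the IRSA policy for the mistakes that silently widen or break the trust: a condition key whose host does not match the Federated provider (which is what a leftover `<region-code>` placeholder produces), a missing `:sub` condition, or a `sub` value that is not one fully qualified service account. The account ID and issuer ID are constructed sample values; the function names are my own.

```python
"""Build and sanity-check the IAM trust policies used in this EKS setup (added example)."""
import json
from typing import List

POLICY_VERSION = "2012-10-17"


def service_trust_policy(service: str) -> dict:
    """Trust policy that lets one AWS service principal (eks.amazonaws.com for
    the cluster role, ec2.amazonaws.com for the node role) assume the role."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": service},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def irsa_trust_policy(account_id: str, issuer_url: str, namespace: str, service_account: str) -> dict:
    """Trust policy for IAM roles for service accounts (IRSA), the shape used by
    cni-role-trust-policy.json. issuer_url is the cluster's OIDC issuer, i.e. the
    value of `aws eks describe-cluster --query cluster.identity.oidc.issuer`."""
    # The IAM OIDC provider is named by the issuer URL without its scheme.
    provider = issuer_url.removeprefix("https://").rstrip("/")
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        # Same host as the provider, so only this cluster's tokens match.
                        f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                    }
                },
            }
        ],
    }


def check_irsa_trust_policy(policy: dict) -> List[str]:
    """Return the problems found in an IRSA trust policy (empty list = consistent)."""
    problems: List[str] = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or "Federated" not in principal:
            continue  # service-principal statements are not IRSA; nothing to check here
        provider = principal["Federated"].split(":oidc-provider/", 1)[-1]
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            problems.append(f"federated statement uses action {stmt.get('Action')!r}")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        sub_keys = [k for k in conditions if k.endswith(":sub")]
        if not sub_keys:
            problems.append("no :sub condition: any service account in the cluster could assume the role")
        for key in sub_keys:
            host = key[: -len(":sub")]
            if host != provider:
                problems.append(f"condition key host {host!r} does not match provider {provider!r}")
            parts = conditions[key].split(":")
            if parts[:2] != ["system", "serviceaccount"] or len(parts) != 4 or not all(parts[2:]):
                problems.append(f"sub {conditions[key]!r} is not system:serviceaccount:<namespace>:<name>")
    return problems


# Constructed sample inputs (not real account or cluster identifiers).
SAMPLE_ACCOUNT = "111122223333"
SAMPLE_ISSUER = "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"

# A policy whose condition key was left with a <region-code> placeholder, so it no
# longer matches the Federated provider host: the checker must flag this.
MISMATCHED_POLICY = irsa_trust_policy(SAMPLE_ACCOUNT, SAMPLE_ISSUER, "kube-system", "aws-node")
MISMATCHED_POLICY["Statement"][0]["Condition"]["StringEquals"] = {
    "oidc.eks.<region-code>.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub":
        "system:serviceaccount:kube-system:aws-node"
}

if __name__ == "__main__":
    cni_policy = irsa_trust_policy(SAMPLE_ACCOUNT, SAMPLE_ISSUER, "kube-system", "aws-node")
    print(json.dumps(cni_policy, indent=2))
    print("cni policy problems:", check_irsa_trust_policy(cni_policy))
    print("mismatched policy problems:", check_irsa_trust_policy(MISMATCHED_POLICY))
    print(json.dumps(service_trust_policy("ec2.amazonaws.com"), indent=2))
```

Run it as a script to print the generated JSON; redirect the output to a file and pass that to `aws iam create-role --assume-role-policy-document file://...` exactly as in the commands above. The `:sub` check matters because without it any pod in the cluster that can obtain a projected service-account token could assume the CNI role.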
