Guide
July 5, 2018
Kubernetes is an open-source container orchestration platform that supports automated deployments and scaling for containerized workloads and services. Kubernetes uses a combination of Pod, Deployment, Service, and Replication objects to create a suitable runtime environment for containerized applications.
The Amazon Elastic Container Service for Kubernetes (EKS) is a managed Kubernetes service offered by Amazon Web Services (AWS). Kubernetes clusters are made of two distinct parts, namely the control plane and the worker nodes.
The current implementation of EKS only supports version 1.10.0 of Kubernetes. The service implements a highly available control plane by creating the appropriate resources in three availability zones, while the worker nodes, the Elastic Compute Cloud (EC2) instances that host the containerized applications, are managed by the user.
The EKS service automatically updates, patches, and heals the control plane with minimal interruption of traffic to end-user applications. The service is tightly integrated with other AWS services, such as Identity and Access Management (IAM) for roles and permissions, Elastic Load Balancer (ELB), EC2 for worker nodes, Virtual Private Cloud (VPC) for network security, the AWS Command Line Interface (CLI), and CloudWatch and CloudTrail for monitoring and logging.
The heptio-authenticator-aws tool developed by Heptio is used as a bridge between Kubernetes Role Based Access Control (RBAC) and AWS IAM credentials. This enables EKS to validate every Kubernetes cluster action performed by a user against that user's IAM identity. Running in webhook mode, it lets users manage the EKS cluster with the kubectl CLI.
Container applications developed to run on native Kubernetes runtimes can, in most cases, be migrated to EKS without any major updates to the application.
The EKS service is currently available in the US West (Oregon) (us-west-2) and US East (N. Virginia) (us-east-1) regions.
The Amazon EKS service implements high availability by running the Kubernetes control plane in three availability zones. The user-provisioned worker nodes are standard EC2 instances managed by an Auto Scaling group. The control plane and the provisioned worker nodes are in the same Virtual Private Cloud (VPC). Ingress and egress traffic is controlled by creating the appropriate security groups and route table rules.
The diagram below illustrates the high-level EKS architecture:
There are three major steps to provision an EKS cluster:
The following sections provide a step-by-step guide to provision a working instance of EKS.
__Note:__ You can create specific/custom IAM policies and attach those IAM policies to users. The user must have administrative privileges to use the Amazon EKS APIs.
__Note:__ If you encounter an error when creating the resources in the us-east-1a availability zone, select a different availability zone and repeat the steps.
| Control plane security group | Protocol | Port Range | Source | Destination |
| --- | --- | --- | --- | --- |
| Minimum inbound traffic | TCP | 443 | Worker node security group | - |
| Recommended inbound traffic | TCP | 443 | Worker node security group | - |
| Minimum outbound traffic | TCP | 10250 | - | Worker node security group |
| Recommended outbound traffic | TCP | 1025-65535 | - | Worker node security group |

| Worker node security group | Protocol | Port Range | Source | Destination |
| --- | --- | --- | --- | --- |
| Minimum inbound traffic (from other worker nodes) | Any protocol you expect your worker nodes to use for inter-worker communication | Any ports you expect your worker nodes to use for inter-worker communication | Worker node security group | - |
| Minimum inbound traffic (from control plane) | TCP | 10250 | Control plane security group | - |
| Recommended inbound traffic | All, TCP | All, 1025-65535 | Worker node security group, Control plane security group | - |
| Minimum outbound traffic | TCP | 443 | - | Control plane security group |
| Recommended outbound traffic | All | All | - | 0.0.0.0/0 |
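The two tables list the minimum and recommended rules for each security group. Checking an exported rule set against them before the cluster is created catches both missing rules (which show up later as worker nodes that never join) and rules that are wider than needed. The Python script below is an example added to this guide, not code from the original page or from AWS: the `Rule` class, `covers`, `check_control_plane` and `check_workers` are written for this example, the rule shape is a simplified form of the `IpPermissions` entries returned by `aws ec2 describe-security-groups`, and the security group IDs and rules are constructed sample data. It also flags inbound rules from 0.0.0.0/0, which neither table recommends.

```python
"""Check the inbound/outbound rules of the control plane and worker node
security groups against the minimum rules listed in the two tables.

Example added to this guide, not code from the original page or from AWS.
Rules are a simplified form of the IpPermissions entries returned by
`aws ec2 describe-security-groups`; the group IDs and rules below are
constructed sample data, not real resources."""

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (ingress) or "out" (egress)
    protocol: str    # "tcp", "udp", or "-1" for all protocols (AWS convention)
    from_port: int   # -1 together with to_port == -1 means all ports
    to_port: int
    peer: str        # source (ingress) or destination (egress): a group ID or a CIDR


def covers(rule: Rule, direction: str, protocol: str, port: int, peer: str) -> bool:
    """True if `rule` permits `protocol`/`port` with `peer` in `direction`.
    A 0.0.0.0/0 rule is treated as covering any peer."""
    if rule.direction != direction:
        return False
    if rule.peer not in (peer, "0.0.0.0/0"):
        return False
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol == "-1" or rule.from_port == -1:
        return True
    return rule.from_port <= port <= rule.to_port


def public_ingress(rules: List[Rule]) -> List[str]:
    """Inbound rules open to the whole internet appear in neither table."""
    return [
        f"inbound {r.protocol} {r.from_port}-{r.to_port} from 0.0.0.0/0 is not in "
        "the recommended rule set; review it"
        for r in rules
        if r.direction == "in" and r.peer == "0.0.0.0/0"
    ]


def check_control_plane(rules: List[Rule], worker_sg: str) -> List[str]:
    """Findings for the control plane group (minimum rows of the first table)."""
    findings = []
    if not any(covers(r, "in", "tcp", 443, worker_sg) for r in rules):
        findings.append("missing inbound TCP 443 from worker node security group")
    if not any(covers(r, "out", "tcp", 10250, worker_sg) for r in rules):
        findings.append("missing outbound TCP 10250 to worker node security group")
    return findings + public_ingress(rules)


def check_workers(rules: List[Rule], worker_sg: str, control_plane_sg: str) -> List[str]:
    """Findings for the worker node group (minimum rows of the second table)."""
    findings = []
    if not any(r.direction == "in" and r.peer == worker_sg for r in rules):
        findings.append("missing inbound inter-worker rule from worker node security group")
    if not any(covers(r, "in", "tcp", 10250, control_plane_sg) for r in rules):
        findings.append("missing inbound TCP 10250 from control plane security group")
    if not any(covers(r, "out", "tcp", 443, control_plane_sg) for r in rules):
        findings.append("missing outbound TCP 443 to control plane security group")
    return findings + public_ingress(rules)


# Constructed sample groups and rules (not real AWS resources).
CONTROL_PLANE_SG = "sg-0cp0example"
WORKER_SG = "sg-0wk0example"

CONTROL_PLANE_RULES = [
    Rule("in", "tcp", 443, 443, WORKER_SG),             # minimum inbound
    Rule("out", "tcp", 1025, 65535, WORKER_SG),         # recommended outbound, covers 10250
]

WORKER_RULES = [
    Rule("in", "-1", -1, -1, WORKER_SG),                # inter-worker traffic
    Rule("in", "tcp", 10250, 10250, CONTROL_PLANE_SG),  # kubelet port from the control plane
    Rule("in", "tcp", 22, 22, "0.0.0.0/0"),             # SSH from anywhere: gets flagged
    Rule("out", "-1", -1, -1, "0.0.0.0/0"),             # recommended outbound
]

if __name__ == "__main__":
    for name, findings in (
        ("control plane", check_control_plane(CONTROL_PLANE_RULES, WORKER_SG)),
        ("worker nodes", check_workers(WORKER_RULES, WORKER_SG, CONTROL_PLANE_SG)),
    ):
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

With the sample data the control plane group passes, because the recommended outbound range 1025-65535 covers port 10250, and the worker group reports only the SSH rule open to 0.0.0.0/0. To run it against a real cluster, map each `IpPermissions` entry from `describe-security-groups` (IpProtocol, FromPort, ToPort, and either UserIdGroupPairs or IpRanges) onto a `Rule`.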
__Note:__ It may take between 10 and 15 minutes to create the cluster.
Download the kubectl binary for your platform (run only the line for your operating system), make it executable, and put it on your PATH:

```bash
# Mac OS
curl -o kubectl https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/bin/darwin/amd64/kubectl
# Linux
curl -o kubectl https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/bin/linux/amd64/kubectl
# Windows
curl -o kubectl.exe https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/bin/windows/amd64/kubectl.exe

chmod +x ./kubectl
# The PATH entries below assume the binary lives in $HOME/bin
mkdir -p $HOME/bin && mv ./kubectl $HOME/bin/kubectl
echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile
echo 'export PATH=$HOME/bin:$PATH' >> ~/.bashrc
kubectl version --short --client
```

__Output__:

```text
Client Version: v1.10.3
```
Add the access key pair of the IAM user to the AWS shared credentials file (`~/.aws/credentials` on Mac OS and Linux, `%USERPROFILE%\.aws\credentials` on Windows):

```ini
[default]
aws_access_key_id = <AWS_ACCESS_KEY_ID>
aws_secret_access_key = <AWS_SECRET_ACCESS_KEY>
```

__Note:__ Download the Access Key ID and Secret Access Key when they are created, as they can be viewed only once.
The following values are necessary to create / update the kube configuration file for the EKS cluster:

- `<endpoint-url>`
- `<base64-encoded-ca-cert>`
- `<cluster-name>`
- `<role-arn>` (optional value for an IAM role to use with your user)

To get the values for the EKS cluster, navigate to the Services tab, click on EKS under Compute, and click on the EKS cluster that was created in the previous steps:
Create / Update the config file in the ~/.kube directory (Mac OS and Linux) or the %USERPROFILE%/.kube directory (Windows) with the following content:
```yaml
apiVersion: v1
clusters:
- cluster:
    server: <endpoint-url>
    certificate-authority-data: <base64-encoded-ca-cert>
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: heptio-authenticator-aws
      args:
        - "token"
        - "-i"
        - "<cluster-name>"
        # - "-r"
        # - "<role-arn>"
```
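A kubeconfig with a mistyped endpoint or a truncated certificate-authority value fails in ways that are easy to misread as an authentication problem, so it pays to validate the four values before writing the file. The Python script below is an example added to this guide, not code from the original page or from AWS or Heptio: `validate_inputs`, `exec_args` and `build_kubeconfig` are written for this example, the endpoint, cluster name, role ARN and certificate are constructed sample values (the certificate body is a placeholder, not a real certificate), and the `-r <role-arn>` arguments are added only when a role is supplied, matching the commented-out lines in the file above.

```python
"""Validate the four values taken from the EKS console and build the kubeconfig
shown above from them.

Example added to this guide, not code from the original page or from AWS or
Heptio. The sample values below are constructed; the certificate body is a
placeholder, not a real certificate."""

import base64
import json
import re

# IAM role ARN shape arn:aws:iam::<12-digit account>:role/<name>
# (assumption: standard "aws" partition only).
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def validate_inputs(endpoint_url, ca_b64, cluster_name, role_arn=None):
    """Return a list of problems with the values; an empty list means they look usable."""
    problems = []
    if not endpoint_url.startswith("https://"):
        problems.append("endpoint-url must be an https URL")
    try:
        pem = base64.b64decode(ca_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        pem = b""
        problems.append("base64-encoded-ca-cert is not valid base64")
    if pem and not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        problems.append("base64-encoded-ca-cert does not decode to a PEM certificate")
    if not cluster_name:
        problems.append("cluster-name is empty")
    if role_arn is not None and not ROLE_ARN_RE.match(role_arn):
        problems.append("role-arn is not an IAM role ARN")
    return problems


def exec_args(cluster_name, role_arn=None):
    """Arguments for the heptio-authenticator-aws exec plugin. The -r flag is
    only added when an IAM role is to be assumed (the commented-out lines above)."""
    args = ["token", "-i", cluster_name]
    if role_arn:
        args += ["-r", role_arn]
    return args


def build_kubeconfig(endpoint_url, ca_b64, cluster_name, role_arn=None):
    """The same structure as the YAML above, as a dict. Raises on bad input."""
    problems = validate_inputs(endpoint_url, ca_b64, cluster_name, role_arn)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": "kubernetes", "cluster": {
            "server": endpoint_url,
            "certificate-authority-data": ca_b64}}],
        "contexts": [{"name": "aws", "context": {"cluster": "kubernetes", "user": "aws"}}],
        "current-context": "aws",
        "users": [{"name": "aws", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1alpha1",
            "command": "heptio-authenticator-aws",
            "args": exec_args(cluster_name, role_arn)}}}],
    }


# Constructed sample values (not a real cluster, account or certificate).
SAMPLE_ENDPOINT = "https://EXAMPLE0123456789.yl4.us-west-2.eks.amazonaws.com"
SAMPLE_CA_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode()
SAMPLE_CLUSTER = "demo-cluster"
SAMPLE_ROLE = "arn:aws:iam::123456789012:role/eks-admin"

if __name__ == "__main__":
    # kubectl reads JSON kubeconfig files as well (YAML is a superset of JSON),
    # so this output can be written straight to ~/.kube/config.
    config = build_kubeconfig(SAMPLE_ENDPOINT, SAMPLE_CA_B64, SAMPLE_CLUSTER, SAMPLE_ROLE)
    print(json.dumps(config, indent=2))
```

The output is emitted as JSON rather than YAML so that no third-party YAML library is needed; kubectl loads it unchanged. The base64 check decodes with `validate=True` so that stray whitespace or a copy-paste truncation of the certificate value is reported before the first `kubectl` call.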
Verify that kubectl can reach the cluster (the heptio-authenticator-aws binary installed in the next step must be on your PATH for the exec plugin to run):

```bash
kubectl get namespaces
```

__Output__:

```text
NAME          STATUS    AGE
default       Active    5d
kube-public   Active    5d
kube-system   Active    5d
```
Download the heptio-authenticator-aws binary for your platform (run only the line for your operating system), make it executable, and put it on your PATH:

```bash
# Mac OS
curl -o heptio-authenticator-aws https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/bin/darwin/amd64/heptio-authenticator-aws
# Linux
curl -o heptio-authenticator-aws https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/bin/linux/amd64/heptio-authenticator-aws
# Windows
curl -o heptio-authenticator-aws.exe https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/bin/windows/amd64/heptio-authenticator-aws.exe

chmod +x ./heptio-authenticator-aws
# The PATH entries below assume the binary lives in $HOME/bin
mkdir -p $HOME/bin && mv ./heptio-authenticator-aws $HOME/bin/heptio-authenticator-aws
echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile
echo 'export PATH=$HOME/bin:$PATH' >> ~/.bashrc
heptio-authenticator-aws help
```

__Output__:

```text
A tool to authenticate to Kubernetes using AWS IAM credentials

Usage:
  heptio-authenticator-aws [command]

Available Commands:
  help        Help about any command
  init        Pre-generate certificate, private key, and kubeconfig files for the server.
  server      Run a webhook validation server suitable that validates tokens using AWS IAM
  token       Authenticate using AWS IAM and get token for Kubernetes
  verify      Verify a token for debugging purpose

Flags:
  -i, --cluster-id ID    Specify the cluster ID, a unique-per-cluster identifier for your heptio-authenticator-aws installation.
  -c, --config filename  Load configuration from filename
  -h, --help             help for heptio-authenticator-aws

Use "heptio-authenticator-aws [command] --help" for more information about a command.
```
The EKS Worker nodes are standard EC2 instances. They connect to the EKS cluster’s control plane through the cluster’s API endpoint. AWS provides a standard CloudFormation template to provision Worker nodes.
https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml
Once the Worker nodes are provisioned, execute the following command on your laptop to download the AWS authenticator’s configuration map file:
```bash
curl -O https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/aws-auth-cm.yaml
```
Before applying the aws-auth-cm.yaml file, replace `<ARN of instance role (not instance profile)>` with the actual value from the outputs of the CloudFormation template:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
```

__Note:__ Only replace the rolearn value; do not modify the rest of the file.
```bash
kubectl apply -f aws-auth-cm.yaml
kubectl get nodes
```
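The aws-auth ConfigMap is what lets the worker nodes authenticate to the control plane, and the usual mistake when editing it is to paste the instance profile ARN instead of the instance role ARN, after which `kubectl get nodes` stays empty. The Python script below is an example added to this guide, not code from the original page or from AWS: `check_role_arn`, `role_arn_from_stack_outputs` and `render_aws_auth` are written for this example, the `describe-stacks` result is constructed sample data, and the stack output key `NodeInstanceRole` is an assumption about the nodegroup template's output name. It rejects instance profile ARNs and anything that is not an IAM role ARN, and replaces only the placeholder, leaving the rest of the file as downloaded.

```python
"""Render the aws-auth ConfigMap above with the worker node instance role ARN
from the CloudFormation stack outputs, refusing ARNs that are not IAM role ARNs.

Example added to this guide, not code from the original page or from AWS. The
stack output below is constructed sample data; the output key NodeInstanceRole
is assumed to match the nodegroup template's output name."""

import re

# IAM role ARN shape arn:aws:iam::<12-digit account>:role/<name>
# (assumption: standard "aws" partition only).
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

PLACEHOLDER = "<ARN of instance role (not instance profile)>"

# The downloaded file as shown above; only PLACEHOLDER is replaced.
AWS_AUTH_TEMPLATE = """apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
"""


def check_role_arn(arn: str) -> str:
    """Return `arn` if it is an IAM role ARN, otherwise raise with the reason."""
    if ":instance-profile/" in arn:
        raise ValueError(f"{arn} is an instance profile ARN; the ConfigMap needs the role ARN")
    if not ROLE_ARN_RE.match(arn):
        raise ValueError(f"{arn} is not an IAM role ARN")
    return arn


def role_arn_from_stack_outputs(describe_stacks: dict, key: str = "NodeInstanceRole") -> str:
    """Pick the instance role ARN out of an `aws cloudformation describe-stacks` result."""
    for stack in describe_stacks["Stacks"]:
        for output in stack.get("Outputs", []):
            if output["OutputKey"] == key:
                return output["OutputValue"]
    raise KeyError(f"stack output {key} not found")


def render_aws_auth(role_arn: str) -> str:
    """Replace only the rolearn placeholder, leaving the rest of the file untouched."""
    return AWS_AUTH_TEMPLATE.replace(PLACEHOLDER, check_role_arn(role_arn))


# Constructed sample in the shape of `aws cloudformation describe-stacks` output
# (not a real stack or account).
SAMPLE_STACK = {"Stacks": [{"StackName": "eks-demo-workers", "Outputs": [
    {"OutputKey": "NodeSecurityGroup", "OutputValue": "sg-0wk0example"},
    {"OutputKey": "NodeInstanceRole",
     "OutputValue": "arn:aws:iam::123456789012:role/eks-demo-workers-NodeInstanceRole-EXAMPLE"},
]}]}

if __name__ == "__main__":
    print(render_aws_auth(role_arn_from_stack_outputs(SAMPLE_STACK)), end="")
```

To use it with a real stack, feed the result of `aws cloudformation describe-stacks --stack-name <your worker stack> --output json` to `role_arn_from_stack_outputs` and write the rendered text to aws-auth-cm.yaml before running `kubectl apply`.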
You now have a fully functional AWS EKS cluster with three worker nodes.
Levvel helps clients transform their business with strategic consulting and technical execution services. We work with your IT organization, product groups, and innovation teams to design and deliver on your technical priorities.
We help our clients assess, design, implement, and refine their DevOps delivery processes and platforms. Our client engagements significantly reduce the time it takes to provision and deploy new products and consistently improve quality. We focus on quantifiable results while ensuring our clients can sustain these practices over the long-term.
For more information, contact us at hello@levvel.io.
Authored By
CJ Coimbatore
CloudOps Capability Lead
Surya Lolla
DevOps Consultant
Daniel Foley
DevOps Manager
Meet our Experts
CloudOps Capability Lead
Srinivas "CJ" Coimbatore has over two decades of experience in diverse disciplines such as sales, marketing, software development, architecture and delivery, and has worked with teams in all of the major geographies. He is an effective change agent and is very interested in collaborating with teams that are involved in transforming their process through DevOps. In his spare time, he follows Formula 1 racing teams, rides his motorcycle, and—along with his friends—helps raise money for children with health challenges and for the Pediatric Brain Tumor Foundation, Make-a-Wish Foundation, and Angels Among Us. He hopes to eventually spend more time teaching math and science to children.
DevOps Consultant
As an accredited OpenShift delivery specialist, Surya has worked with many clients who are either getting started on a private, public, or hybrid container strategy with CI/CD, or further along but have hit a bump or two along the way and are looking for experienced professionals to evaluate and address their concerns. Surya is interested in meeting people within the DevOps community and learning from their experiences.
DevOps Manager
Daniel Foley is a DevOps Manager at Levvel who is well-versed in many different applications including Apache, MySQL, Puppet, Ansible, Zerto Replication, Centrify, McAfee EPO, Bromium Security, EMC Avamar, OpenShift, Elasticsearch, Prometheus, Docker, Kubernetes, among others. Daniel enjoys scripting to make his life as a Systems Engineer easier and to aid teams and clients. He is extremely familiar with Bash scripting, Python programming, and some Perl and Ruby.