Key points of AWS eks deployment and differences between console and eksctl creation

AWS EKS Deployment points and console and eksctl Create differences

The last article described how to use eksctl establish AWS EKS

This article , It mainly describes the creation of AWS EKS Key points to pay attention to , And the console and eksctl The difference of

One 、EKS Deployment points

1.1 IAM role （ Console mode ,eksctl The role is created automatically ）

Create... On the console AWS EKS Two roles and permissions are required , One for Cluster, One for Node.

among Node There are two kinds , One is EC2 Mode , One is Fargate Pattern

stay IAM Console select Create role , choice EKS Case study , Create separate Cluster Cases and Nodegroup Case study

1.2 The Internet

The selected subnet of the node group created in the console , There are three options

The first is the public subnet , The second is with NAT Gateway Private subnet for routing

The third kind of , It's a purely private subnet , Only intranet routing .

The cluster of the third seed network is a private cluster , But a purely private subnet must have the following VPC Endpoint（ Reference documents [1]）

* Interface endpoints for ECR (both ecr.api and ecr.dkr) to pull container images (AWS CNI plugin etc)
* A gateway endpoint for S3 to pull the actual image layers
* An interface endpoint for EC2 required by the aws-cloud-provider integration
* An interface endpoint for STS to support Fargate and IAM Roles for Services Accounts (IRSA)
* An interface endpoint for CloudWatch logging (logs) if CloudWatch logging is enabled

1.3 node AMI

Use AWS EKS, The node must be Amazon EKS Optimization of the AMI（ Reference resources [2]）

If you need to customize the image , You need to perform Amazon EKS Optimize AMI Generation script [3]

1.4 Cluster identity

establish Amazon EKS When the cluster , Clusters that will be at the control level RBAC Automatically create a cluster for in the configuration IAM Entity user or role （ for example , Federated users ） grant system:masters jurisdiction .

Cluster default masters Permission for Creator , Initially created cluster , In addition to the Creator IAM The entity cannot operate the cluster .

So make sure you keep track of where the cluster was originally created IAM Entity .

To grant other AWS The ability of a user or role to interact with your cluster , Must edit Kubernetes Internal aws-auth ConfigMap.

1.5 Nodes automatically expand (AutoScaling)

stay AWS EKS Managed node group in , Although used AutoScaling Group to create nodes , But the initial AutoScaling There are no expansion and contraction rules .

stay AWS EKS Nodes in the cluster need to be automatically expanded and shrunk, and they need to be installed and configured in the cluster cluster-autoscaler.

Two 、 Console and eksctl The difference of

2.1 Node groups

stay AWS EKS All node groups created by the console are managed node groups , Be able to display and view on the console .

and eksctl The created nodes include managed node groups and self managed node groups , The self managed node group is not present AWS EKS Interface display .

The self-confidence management node group can also be managed through Cloudformation establish ,eksctl The essence is to create a Cloudformation The stack realizes the management of the cluster .

2.2 plug-in unit

stay AWS EKS In the cluster created by the console Amazon VPC CNI、CoreDNS、kube-proxy All plug-ins are managed plug-ins , from AWS Manage updates .

While using eksctl The three plug-ins in the created cluster are unmanaged plug-ins , Although it is AWS Open source plug-ins , But not by AWS Manage updates , It needs to be managed by users themselves .

2.3 Options

stay AWS EKS The optional cluster attributes of the cluster created by the console are simple , and eksctl There are many optional attributes of the cluster created by .

However, many attributes will make it more difficult to control the cluster , And AWS The compatibility of other integration services is complex .

So in use eksctl When creating a cluster , Usually choose the minimum principle , That is, only the corresponding node groups and general cluster attributes are configured .

IAM and OIDC And other properties are not configured , Cluster creation and subsequent addition .

2.4 Node group storage

stay AWS EKS The node group created by the console can configure the data volume by starting the template , But it won't mount automatically , You need to write bash Script files

While using eksctl Create a new node group , Only the root volume size can be modified , Unable to create data volume .

Reference resources

[1] eksctl：https://eksctl.io/usage/eks-private-cluster/#configuring-private-access-to-additional-aws-services

[2] Amazon EKS Optimize AMI：https://docs.aws.amazon.com/zh_cn/eks/latest/userguide/eks-optimized-amis.html

[3] Optimize AMI Script ：https://github.com/awslabs/amazon-eks-ami