Before starting to deploy the EKS cluster, ensure the following:
- You are logged in to, or can assume a role in, an AWS account with sufficient privileges to create and manage the cluster (do not use the account root user for this).
- The IAM user or role you will create the cluster with has an AWS CLI access key (access key ID and secret access key) configured on your Linux machine. Note that the IAM identity that creates the cluster is the only one initially granted Kubernetes admin (system:masters) access, so create it with the identity you intend to administer the cluster from, not a throwaway user.
- You have access to a Linux machine from which you will complete the setup. This guide does not cover Mac or Windows; the setup is possible on those but the additional steps are not covered here.
Creating an IAM Role for the EKS Cluster:
- Open the IAM console at https://console.aws.amazon.com/iam/.
- Choose Roles, then Create role.
- Choose EKS from the list of services, then Allows Amazon EKS to manage your clusters on your behalf for your use case, then Next: Permissions. This use case attaches the AWS managed policies AmazonEKSClusterPolicy and AmazonEKSServicePolicy; do not add anything else to this role, it is used only by the EKS control plane.
- Choose Next: Tags.
- (Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM Entities in the IAM User Guide.
- Choose Next: Review.
- For Role name, enter a unique name for your role, such as eks_[environment], then choose Create role.
Creating VPC (Virtual Private Cloud) Network:
- Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
- From the navigation bar, select a Region that supports Amazon EKS.
- Choose Create stack.
- For Choose a template, select Specify an Amazon S3 template URL.
- Paste the following URL into the text area and choose Next:
- On the Specify Details page, fill out the parameters accordingly, and then choose Next.
- Stack name: Choose a stack name for your AWS CloudFormation stack. For example, you can call it [environment].
- VpcBlock: Choose a /16 CIDR range for your VPC (Eg 10.90.0.0/16). You can keep the default value, but for ease of management the range should be unique within your organisation: it must not overlap any network you will later need to peer or VPN into the cluster from, because the API endpoint will only be reachable privately.
- Subnet01Block: Choose a CIDR range for subnet 1. This /24 subnet should be within the VpcBlock CIDR (Eg 10.90.1.0/24).
- Subnet02Block: Choose a CIDR range for subnet 2. This /24 subnet should be within the VpcBlock CIDR (Eg 10.90.2.0/24).
- Subnet03Block: Choose a CIDR range for subnet 3. This /24 subnet should be within the VpcBlock CIDR (Eg 10.90.3.0/24).
- (Optional) On the Options page, tag your stack resources. Choose Next.
- On the Review page, choose Create.
- When your stack is created, select it in the console and choose Outputs.
- Record the SecurityGroups value for the security group that was created. You need this when you create your EKS cluster; this security group is applied to the cross-account elastic network interfaces.
- Record the VpcId for the VPC that was created. You need this when you launch your worker node group template.
- Record the SubnetIds for the subnets that were created. You need this when you create your EKS cluster; these are the subnets that your worker nodes are launched into.
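The CIDR rules above (a /16 VPC, three /24 subnets inside it, no overlaps, and no clash with networks you already route) are easy to get wrong in the console and painful to fix after the stack exists. The following is an added example, not part of the original guide or of AWS's template, that checks a proposed set of stack parameters before you submit them. The parameter names and the example networks are taken from the guide; the existing_networks list is an assumption you fill in from your own address plan.

```python
"""Added check for the VpcBlock / SubnetNNBlock stack parameters.

Rules encoded (from the guide): VpcBlock is a /16, each SubnetNNBlock is a
/24 inside it, subnets must not overlap each other, and the VPC block should
not overlap any network you already route (corporate LAN, other VPCs), or
you will not be able to peer or VPN into the private API endpoint later.
"""
import ipaddress


def validate_vpc_parameters(vpc_block, subnet_blocks, existing_networks=()):
    """Return a list of problems with the proposed layout; [] means it is OK.

    vpc_block         -- the VpcBlock parameter, e.g. "10.90.0.0/16"
    subnet_blocks     -- {"Subnet01Block": "10.90.1.0/24", ...}
    existing_networks -- CIDRs already in use elsewhere (assumed: you supply these)
    """
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_block, strict=True)
    except ValueError as exc:
        return ["VpcBlock %s is not a valid network: %s" % (vpc_block, exc)]
    if vpc.prefixlen != 16:
        problems.append("VpcBlock %s is not a /16" % vpc)
    for cidr in existing_networks:
        other = ipaddress.ip_network(cidr, strict=False)
        if vpc.overlaps(other):
            problems.append("VpcBlock %s overlaps existing network %s" % (vpc, other))

    seen = []
    for name, cidr in subnet_blocks.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        except ValueError as exc:
            problems.append("%s %s is not a valid network: %s" % (name, cidr, exc))
            continue
        if net.prefixlen != 24:
            problems.append("%s %s is not a /24" % (name, net))
        if not net.subnet_of(vpc):
            problems.append("%s %s is not inside VpcBlock %s" % (name, net, vpc))
        for seen_name, seen_net in seen:
            if net.overlaps(seen_net):
                problems.append("%s %s overlaps %s %s" % (name, net, seen_name, seen_net))
        seen.append((name, net))
    return problems


# Constructed inputs: the guide's own example layout, and a deliberately bad one.
GOOD_LAYOUT = ("10.90.0.0/16", {
    "Subnet01Block": "10.90.1.0/24",
    "Subnet02Block": "10.90.2.0/24",
    "Subnet03Block": "10.90.3.0/24",
})
BAD_LAYOUT = ("10.90.0.0/16", {
    "Subnet01Block": "10.90.1.0/24",
    "Subnet02Block": "10.91.2.0/24",   # outside the VPC block
    "Subnet03Block": "10.90.1.0/24",   # duplicates Subnet01Block
})

if __name__ == "__main__":
    for vpc, subnets in (GOOD_LAYOUT, BAD_LAYOUT):
        print(vpc, validate_vpc_parameters(vpc, subnets, existing_networks=["192.168.0.0/16"]) or "OK")
```

Run it with your real values before filling in the CloudFormation form; an empty list means the layout satisfies every rule the guide states.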
Creating your EKS Cluster:
- Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
- Choose Create cluster.
- If your IAM user does not have administrative privileges, you must explicitly add permissions for that user to call the Amazon EKS API operations. For more information, see Creating Amazon EKS IAM Policies.
- On the Create cluster page, fill in the following fields and then choose Create:
- Cluster name: A unique name for your cluster.
- Kubernetes version: The version of Kubernetes to use for your cluster. By default, the latest stable version is selected.
- Role ARN: Select the IAM role that you created in the first step.
- VPC: Select the VPC whose VpcId you recorded from your stack earlier.
- Subnets: Leave all 3 subnets you created earlier selected.
- Security Groups: Enter the ID of the security group you recorded earlier and select it (tick box on the left hand side).
- Endpoint private access: Choose whether to enable or disable private access for your cluster’s Kubernetes API server endpoint. If you enable private access, Kubernetes API requests that originate from within your cluster’s VPC will use the private VPC endpoint. For more information, see Amazon EKS Cluster Endpoint Access Control.
- This should be set to Enabled
- Endpoint public access: Choose whether to enable or disable public access for your cluster’s Kubernetes API server endpoint. If you disable public access, your cluster’s Kubernetes API server can only receive requests from within the cluster VPC. For more information, see Amazon EKS Cluster Endpoint Access Control.
- This should be set to Disabled. Consequence: kubectl, including the access step at the end of this guide, must be run from a host inside the VPC or from a network connected to it by VPN or VPC peering, and the cluster security group must allow inbound TCP 443 from that source. The API server is not reachable from the internet at all.
- Logging – For each individual log type, choose whether the log type should be Enabled or Disabled. By default, each log type is Disabled. For more information, see Amazon EKS Control Plane Logging
- All five log types (api, audit, authenticator, controllerManager, scheduler) should be set to Enabled
- Create Your Cluster!
The Status field shows CREATING until the cluster provisioning process completes. Cluster provisioning usually takes between 10 and 15 minutes.
Wait until the Status field shows ACTIVE before continuing with this guide.
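Once the cluster is ACTIVE it is worth confirming that the endpoint and logging settings actually took, rather than trusting the form. The following is an added example, not part of the original guide, that checks the JSON returned by aws eks describe-cluster --name <cluster name> against the three settings this section asks for. The two sample documents are constructed here in the shape of that command's output with placeholder IDs; they are not real clusters.

```python
"""Added check that a created cluster matches the settings chosen above:
status ACTIVE, private endpoint enabled, public endpoint disabled, and all
five control-plane log types enabled.

Feed it the JSON from:  aws eks describe-cluster --name <cluster name>
"""
import json

# The five control-plane log types EKS offers; the guide enables all of them.
ALL_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def enabled_log_types(cluster):
    """Union of log types from every clusterLogging entry marked enabled."""
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def check_cluster(describe_output):
    """Return findings as a list of strings; [] means the cluster matches the guide."""
    cluster = json.loads(describe_output)["cluster"]
    vpc_cfg = cluster.get("resourcesVpcConfig", {})
    findings = []
    if cluster.get("status") != "ACTIVE":
        findings.append("status is %s, not ACTIVE" % cluster.get("status"))
    if not vpc_cfg.get("endpointPrivateAccess", False):
        findings.append("endpointPrivateAccess is disabled (should be Enabled)")
    if vpc_cfg.get("endpointPublicAccess", True):
        findings.append("endpointPublicAccess is enabled (should be Disabled: API server reachable from the internet)")
    missing = sorted(ALL_LOG_TYPES - enabled_log_types(cluster))
    if missing:
        findings.append("control-plane logging disabled for: " + ", ".join(missing))
    return findings


# Constructed sample output in the shape of `aws eks describe-cluster`
# (IDs are placeholders, not real resources). The first follows the guide;
# the second has a public endpoint and only partial logging.
GOOD_CLUSTER = json.dumps({"cluster": {
    "name": "prod", "status": "ACTIVE", "version": "1.12",
    "resourcesVpcConfig": {"vpcId": "vpc-00000000", "subnetIds": ["subnet-00000001"],
                           "securityGroupIds": ["sg-00000000"],
                           "endpointPublicAccess": False, "endpointPrivateAccess": True},
    "logging": {"clusterLogging": [{"types": sorted(ALL_LOG_TYPES), "enabled": True}]},
}})
BAD_CLUSTER = json.dumps({"cluster": {
    "name": "dev", "status": "ACTIVE", "version": "1.12",
    "resourcesVpcConfig": {"vpcId": "vpc-00000000", "subnetIds": ["subnet-00000001"],
                           "securityGroupIds": ["sg-00000000"],
                           "endpointPublicAccess": True, "endpointPrivateAccess": True},
    "logging": {"clusterLogging": [{"types": ["api", "audit"], "enabled": True},
                                   {"types": ["authenticator", "controllerManager", "scheduler"],
                                    "enabled": False}]},
}})

if __name__ == "__main__":
    import sys
    # Usage: aws eks describe-cluster --name <cluster> > cluster.json; python check_cluster.py cluster.json
    samples = [open(sys.argv[1]).read()] if len(sys.argv) > 1 else [GOOD_CLUSTER, BAD_CLUSTER]
    for data in samples:
        print(check_cluster(data) or ["OK: cluster matches the guide"])
```

If the public endpoint shows as enabled here, fix it before handing out any credentials; a public API endpoint combined with the system:masters binding of the creating identity is the setting most often found wrong in review.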
Launching Worker Nodes:
- Open up CloudFormation: https://console.aws.amazon.com/cloudformation/
- Select “Create stack” at the top right hand corner
- Enter the S3 URL: https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2019-02-11/amazon-eks-nodegroup.yaml and proceed
- On the next page, use the following settings:
- Stack Name: [your-vpc-name]-worker-nodes
- ClusterName: The name of your cluster (The name created earlier). NOTE: If this is not correct, the worker nodes will be unable to join the cluster.
- ClusterControlPlaneSecurityGroup: The security group created by the VPC stack (the SecurityGroups output you recorded). The template uses it to open the rules between the control plane and the nodes; if the wrong group is given, the nodes cannot reach the API server and will not join.
- NodeGroupName: The name to be assigned to your nodes (This should be unique). You can use [environment]
- Group Size options can be left as default unless you wish to change these.
- NodeInstanceType: Select an appropriately sized instance for your requirement. Typically you will start at t3.medium and increase as required.
- NodeImageId: See this link for the latest AWS EKS AMI (Unless you have a custom image generated). – https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
- KeyName: Select an SSH key pair that you have access to for SSH into the instances. Anyone holding this key has root-equivalent access to the nodes, so use a key pair controlled by the team that operates the cluster.
- VPCID: Select the VPC you created earlier
- Subnets: Select your newly created subnets (select from the dropdown by searching for the first two octets of your VPC block, Eg 10.90.).
- Select Next
- You can leave all settings on the next page as default.
- Review the settings on the final page, tick I acknowledge that AWS CloudFormation might create IAM resources (the template creates the NodeInstanceRole), then create your stack.
Wait until the Stack Status reports “CREATE_COMPLETE” before proceeding
Accessing your EKS Cluster:
Follow this guide to connect to the EKS Cluster. (Note – You will need to complete the below step after connecting so don’t close this page!)
Configuring the aws-auth ConfigMap:
The final step is to create the aws-auth ConfigMap in the cluster. This maps the worker nodes’ IAM role to the system:bootstrappers and system:nodes Kubernetes groups; without it the nodes cannot authenticate to the API server and never appear in kubectl get nodes. (Your own kubectl access already works at this point: the IAM identity that created the cluster holds system:masters.)
- From your worker node stack, select “Outputs” at the top of the screen
- Copy the value next to “NodeInstanceRole”
- Download aws-auth-cm.yaml as below
- Update the yaml with the value from NodeInstanceRole noted in step 2 (this is a role ARN of the form arn:aws:iam::<account>:role/..., not the instance profile ARN)
- Deploy the yaml to your cluster and confirm the nodes join:
curl -O https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2018-08-30/aws-auth-cm.yaml
# Edit aws-auth-cm.yaml: replace the rolearn placeholder with your NodeInstanceRole ARN
kubectl apply -f aws-auth-cm.yaml
kubectl get nodes --watch
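Hand-editing the downloaded file is where this step usually goes wrong: the instance profile ARN gets pasted instead of the role ARN, or the value carries a stray character, and the nodes silently never join. The following is an added helper, not part of the original guide or of the AWS template, that renders the same ConfigMap from a NodeInstanceRole ARN and refuses those two mistakes. The ARN and account number used in the usage are placeholders.

```python
"""Added helper for the aws-auth step: renders the aws-auth ConfigMap for a
NodeInstanceRole ARN and refuses the two common mistakes (pasting the
instance-profile ARN instead of the role ARN, or a value that is not an IAM
role ARN at all). The rendered document has the same fields as the
aws-auth-cm.yaml template downloaded above.
"""
import re

# arn:<partition>:iam::<12-digit account>:role/<path/name>
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")

# Same mapping as aws-auth-cm.yaml: nodes authenticate as system:node:<hostname>
# and land in the groups the kubelet needs for bootstrapping and node RBAC.
AWS_AUTH_TEMPLATE = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: {role_arn}
      username: system:node:{{{{EC2PrivateDNSName}}}}
      groups:
        - system:bootstrappers
        - system:nodes
"""


def render_aws_auth(node_instance_role_arn):
    """Return the aws-auth ConfigMap YAML for the given NodeInstanceRole ARN."""
    arn = node_instance_role_arn.strip()
    if ":instance-profile/" in arn:
        raise ValueError("use the role ARN (stack output NodeInstanceRole), not the instance profile ARN")
    if not ROLE_ARN_RE.match(arn):
        raise ValueError("not an IAM role ARN: %r" % arn)
    return AWS_AUTH_TEMPLATE.format(role_arn=arn)


def mapped_role_arns(configmap_yaml):
    """Role ARNs present in a rendered (or kubectl-fetched) aws-auth ConfigMap."""
    return re.findall(r"rolearn:\s*(\S+)", configmap_yaml)


if __name__ == "__main__":
    import sys
    # Usage (placeholder ARN):
    #   python render_aws_auth.py arn:aws:iam::123456789012:role/<NodeInstanceRole name> > aws-auth-cm.yaml
    sys.stdout.write(render_aws_auth(sys.argv[1]))
```

After kubectl apply, mapped_role_arns can be run over kubectl get configmap aws-auth -n kube-system -o yaml to confirm exactly which roles are mapped; any role listed there can register nodes, so the list should contain only your node groups' roles.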