AWS EKS Cluster Provisioner

The AWS EKS Cluster Provisioner deploys a production-ready Kubernetes cluster on Amazon Web Services (AWS), utilizing assume role and aws sts to generate temporary keys, eliminating the need for hardcoded AWS credentials.

AWS EKS Specification

The eks struct configures the EKS provisioner.

  • accountId: Required AWS account ID.
  • vpcId: Optional field for VPC.
  • vpcCIDR: Optional field for CIDR block.
  • subnets: Optional field for subnet specifications.
  • tags: Optional field for tags.
  • credentials: Required field for cloud provider credentials.

Bring your own VPC (BYOVPC)

For BYOVPC, vpcId, vpcCIDR, and subnets are required fields.

Prerequisites

To create an EKS cluster on AWS, ensure the following CLI tools are installed on your local machine:

  • AWS CLI for EKS cluster communication
  • kubectl (optional) for EKS cluster interaction
  • astroctl for cluster management

To set up the assume role on the astro platform and your account, run the following command in your target account. Omitting this step will result in an error during cluster creation.

$ astroctl utils provision-assume-role -cluster-name <cluster-name> --target-account-id <target-account-id> --target-region <target-region>

Provision Assume Role Example

Example command for setting up the assume role for cluster my-cluster in us-west-2 with target account id 123456789012.

$ astroctl utils provision-assume-role -cluster-name my-cluster --target-account-id 123456789012 --target-region us-west-2

Make sure to replace <cluster-name>, <target-account-id>, and <target-region> with the appropriate values. These values matter: the cluster must later be created with exactly the same cluster name, account ID, and region, otherwise the assume role will not match.

Region and Zone Identification

Identify the region and zones using the AWS console or the following commands:

$ astroctl providers regions list -p aws
$ astroctl providers regions zones list -r <region-name> -p aws

API Specification

The eks struct configures the EKS provisioner.

Field         Description                                                            Required
accountId     AWS account ID                                                         Yes
vpcId         ID of the Virtual Private Cloud (VPC)                                  No
vpcCIDR       CIDR block for the VPC                                                 No
subnets       Subnet specifications                                                  No
tags          Key-value pairs for resource tagging                                   No
credentials   Cloud provider credentials (only dynamic credentials are supported)    Yes

Bring Your Own Account (BYOA)

The astro platform allows you to bring your own account for EKS cluster creation. The following example illustrates the EKS specification when the platform manages the VPC, subnets, and other networking configuration. You only need to provide the account ID and ensure the account has sufficient quota for these resources. astroctl verifies quota and permissions before cluster creation.

region: us-west-2
provisioner:
  type: eks
  eks:
    accountId: "xxxxxx" # your account id
    tags:
      "environment": "dev"
      "owner": "foo@bar.com"
    credentials:
      type: dynamic # uses assume role and aws sts to generate temporary keys

Bring Your Own VPC (BYOVPC)

To facilitate BYOVPC, astroctl generates a CloudFormation stack that creates a new VPC, subnets, and other networking configuration. The stack is deployed in the target account and region and outputs the VPC ID, CIDR block, and subnet IDs to the console. To generate the stack, use the following command:

$ astroctl utils vpc-cf-eks -r <target-region> --vpc-cidr 192.168.0.0/16 --cluster-name <cluster-name> --output-file <output-file>

After executing the command, you will receive a CloudFormation stack file. Deploy this stack in your AWS account to create the VPC, subnets, and other networking configuration. You can customize the stack to manage your own VPC; as generated, it contains all the configuration needed to create an EKS cluster with BYOVPC via the astro platform.

In this example, the customer brings their own VPC for the EKS cluster.

region: us-west-2
provisioner:
  type: eks
  eks:
    accountId: "xxxxxx" # your account id
    vpcId: "vpc-12345678" # your vpc id
    vpcCIDR: "10.0.0.0/16" # your cidr block
    subnets:
      us-west-2a:
        - type: public
          id: subnet-0b9e119bdba3f8add
        - type: private
          id: subnet-09ad1a17f7ee64ded
      us-west-2b:
        - type: public
          id: subnet-019c01369039cfb22
        - type: private
          id: subnet-0a40e1b1bb879d47c
      us-west-2c:
        - type: public
          id: subnet-0be1c43d23931e8b7
        - type: private
          id: subnet-072d6cdf209a85b7f
    tags:
      "environment": "dev"
      "owner": "foo@bar.com"
    credentials:
      type: dynamic # uses assume role and aws sts to generate temporary keys

For BYOVPC, astroctl validates quota, permissions, and configuration before cluster creation and fails if any check is not met. Ensure the subnets are in the same region as the provisioner and follow the 3 availability zone, 3 public subnet, 3 private subnet pattern shown above.
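The checks described in the previous paragraph, as an added pre-flight validator (not part of astroctl or the astro platform): it takes the spec as a Python dict mirroring the BYOVPC YAML above and reports every problem instead of stopping at the first. It assumes AWS subnet IDs are `subnet-` followed by 8 or 17 hex digits, and reads the 3 AZ / 3 public / 3 private pattern as one public and one private subnet per zone, exactly as the example lays it out; the sample IDs are constructed.

```python
import ipaddress
import re

# Constructed sample mirroring the BYOVPC spec above; the IDs are hypothetical, not real resources.
SPEC = {
    "region": "us-west-2",
    "provisioner": {"type": "eks", "eks": {
        "accountId": "123456789012",
        "vpcId": "vpc-12345678",
        "vpcCIDR": "10.0.0.0/16",
        "subnets": {
            "us-west-2a": [{"type": "public", "id": "subnet-0b9e119bdba3f8add"}, {"type": "private", "id": "subnet-09ad1a17f7ee64ded"}],
            "us-west-2b": [{"type": "public", "id": "subnet-019c01369039cfb22"}, {"type": "private", "id": "subnet-0a40e1b1bb879d47c"}],
            "us-west-2c": [{"type": "public", "id": "subnet-0be1c43d23931e8b7"}, {"type": "private", "id": "subnet-072d6cdf209a85b7f"}],
        },
        "credentials": {"type": "dynamic"},
    }},
}

SUBNET_ID = re.compile(r"subnet-[0-9a-f]{8}(?:[0-9a-f]{9})?")  # assumed: 8- or 17-hex-digit AWS subnet IDs


def validate_byovpc(spec):
    """Return a list of problems; an empty list means the spec passes every check."""
    problems = []
    region = str(spec.get("region", ""))
    eks = spec.get("provisioner", {}).get("eks", {})
    if not re.fullmatch(r"[0-9]{12}", str(eks.get("accountId", ""))):
        problems.append("accountId must be a 12-digit AWS account ID")
    if eks.get("credentials", {}).get("type") != "dynamic":
        problems.append("credentials.type must be 'dynamic'; only dynamic credentials are supported")
    missing = [k for k in ("vpcId", "vpcCIDR", "subnets") if not eks.get(k)]
    if missing:  # BYOVPC makes these mandatory; without them nothing below can be checked
        return problems + [f"{k} is required for BYOVPC" for k in missing]
    try:
        ipaddress.ip_network(eks["vpcCIDR"], strict=True)  # strict: host bits must be zero
    except ValueError:
        problems.append(f"vpcCIDR {eks['vpcCIDR']!r} is not a valid CIDR block")
    subnets = eks["subnets"]
    if len(subnets) != 3:
        problems.append(f"expected subnets in exactly 3 availability zones, got {len(subnets)}")
    for zone, entries in subnets.items():
        if not re.fullmatch(re.escape(region) + r"[a-z]", zone):  # zone must belong to the spec's region
            problems.append(f"zone {zone} is not in region {region}")
        if sorted(e.get("type", "") for e in entries) != ["private", "public"]:
            problems.append(f"zone {zone} needs exactly one public and one private subnet")
        for e in entries:
            if not SUBNET_ID.fullmatch(str(e.get("id", ""))):
                problems.append(f"zone {zone}: subnet id {e.get('id')!r} is malformed")
    return problems
```

Run it against your own spec before `astroctl` does; a mismatched region on the zone keys is the easiest mistake to make and the one this catches first.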

KubeConfig

With the following command you can set the kubectl context to the cluster and gain access to it. Make sure kubectl is installed, as listed in the prerequisites.

$ astroctl clusters set-context <cluster-name>

Clusters managed by the astro platform authenticate kubectl with an AWS token, so the AWS CLI must also be installed.

Added Capabilities

The EKS provisioner automatically enables the following capabilities for EKS clusters:

  • Karpenter: A flexible and efficient node provisioning service. You can tailor the provisioner to your needs by referring to the NodeClasses and NodePool documentation for more information.
    • You can find the existing node classes and node pool by running kubectl -n karpenter get nodeclasses and kubectl -n karpenter get nodepools.
  • Required Roles: The necessary roles for Karpenter, External-DNS, Cert-Manager, and AWS-Load-Balancer-Controller are provisioned to ensure seamless integration.
  • AWS VPC CNI Plugin: This plugin is enabled to manage pod networking in your EKS cluster.
  • CoreDNS: A DNS service that provides name resolution for your cluster.

Additional Capabilities

You can install additional add-ons yourself from the EKS marketplace.