An EKS (Elastic Kubernetes Service) cluster is built from several fundamental components described as follows:
EKS Control Plane: AWS offers the EKS Control Plane as a fully managed service, incorporating key Kubernetes master elements such as etcd, kube-apiserver, and kube-controller.
- Every EKS cluster operates with its own isolated control plane, maintaining separation across different clusters and AWS accounts.
- A minimum of two API server nodes and three etcd nodes power the control plane, distributed among three Availability Zones in a given region.
- AWS provides automatic monitoring and replacement of failing control plane instances, restarting them across the region's Availability Zones.
Worker Nodes and Node Groups: Application workloads execute on worker nodes, which are EC2 instances known in Kubernetes terminology as worker machines.
- These EKS worker nodes exist within your AWS account and establish connections to the cluster's control plane through the cluster API server endpoint.
- Groups of nodes contain one or multiple EC2 instances that operate within an EC2 Autoscaling group.
- Each instance in a node group must share identical characteristics: the same instance type, identical Amazon Machine Image (AMI), and common EKS worker node IAM role.
Fargate Profiles (Serverless): EKS supports running application workloads on Serverless Fargate profiles as an alternative to EC2 instances.
- AWS Fargate provides compute capacity for containers that scales on-demand with appropriate sizing.
- Using Fargate eliminates the requirement to provision, configure, or manage virtual machine groups for container operations.
- Fargate ensures each pod operates within its own isolated environment, preventing it from sharing underlying kernel, CPU, memory, or elastic network interface resources with neighboring pods.
- AWS developed dedicated Fargate controllers that identify and assign pods to Fargate profiles.
VPC: The AWS VPC (Virtual Private Cloud) establishes secure networking protocols essential for operating production-grade workloads on EKS.
- Network policies within AWS VPC are utilized by EKS to control traffic flow among control plane components in individual clusters.
- EKS cluster control plane components maintain isolation and prevent cross-communication with separate clusters or AWS accounts, unless specifically permitted via Kubernetes RBAC (Role-Based Access Control) policies.
- These security measures combined with high availability features position EKS as a trusted and advisable platform for production environments.
Now, we will walk through the deployment of an EKS cluster leveraging eksctl, a dedicated command-line utility offered by AWS for building and administering EKS clusters. Once the cluster has been successfully deployed, the following AWS resources will be created and made available:
- EKS Cluster: Serves as the central control plane responsible for overseeing and orchestrating the Kubernetes cluster.
- VPC: A Virtual Private Cloud that establishes network boundaries and provides isolation for the cluster environment.
- Subnets: Network segments spread across multiple Availability Zones to ensure continuous availability and fault tolerance.
- Security Groups: A collection of rules that govern and regulate both incoming and outgoing traffic directed at the cluster.
- Node Groups: Logical groupings that house and organize the underlying worker nodes.
- Worker Nodes: EC2 server instances that form the EKS data plane and handle actual workload execution.
Begin by creating a dedicated IAM user for every individual requiring access to the EKS cluster. This can be accomplished either through the IAM console or via the CLI. Each user must be assigned a specific set of permissions and policies to ensure they have the necessary level of access.
To establish the required privileges, start by creating the following custom policies:
EKS-Demo-Admin-policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:*"
],
"Resource": "*"
}
]
}
CloudFormation-Demo-Admin-policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:*"
],
"Resource": "*"
}
]
}
Once the custom policies are in place, attach the following permissions to the IAM user designated for this exercise:
- AmazonEC2FullAccess
- IAMFullAccess
- AmazonVPCFullAccess
- CloudFormation-Demo-Admin-policy
- EKS-Demo-Admin-policy
To successfully build and manage your Amazon EKS cluster, a few essential command-line interfaces need to be installed and properly configured. These tools allow you to communicate with the EKS service, handle cluster deployments, and carry out a wide range of operational tasks. Below is a step-by-step walkthrough for setting up each of the necessary CLIs.
AWS CLI:
- Begin by installing the AWS CLI by referring to the setup instructions available in the official AWS CLI User Guide.
- Once installed, configure it by executing the aws configure command and entering your AWS Access Key ID, Secret Access Key, preferred default region, and desired output format.
eksctl:
- Proceed with installing eksctl by consulting the setup documentation found in the official eksctl GitHub repository.
- After installation, confirm it is working correctly by running the eksctl version command.
kubectl:
- Install kubectl by following the setup guidelines outlined in the official Kubernetes documentation.
- Once the installation is complete, validate it by executing the kubectl version command.