Creating an Amazon EKS service with the AWS CLI


    Amazon EKS documentation

    Preface:
    Creating the ClusterRole requires the following managed policy:
    AmazonEKSClusterPolicy

    Creating the NodeRole requires the following managed policies:
    AmazonEC2ContainerRegistryReadOnly
    AmazonEKSWorkerNodePolicy
    AmazonEKS_CNI_Policy

    1. Create the Amazon EKS cluster IAM role
    1) Create the JSON files

    [root@ip-172-93-1-18 ~]# cat example-policy.json 
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:Describe*",
            "iam:ListRoles",
            "sts:AssumeRole"
          ],
          "Resource": "*"
        }
      ]
    }
    [root@ip-172-93-1-18 ~]# cat >eks-cluster-role-trust-policy.json <<EOF
    > {
    >   "Version": "2012-10-17",
    >   "Statement": [
    >     {
    >       "Effect": "Allow",
    >       "Principal": {
    >         "Service": "eks.amazonaws.com"
    >       },
    >       "Action": "sts:AssumeRole"
    >     }
    >   ]
    > }
    > EOF
    

    2) Create the Amazon EKS cluster IAM role

    [root@ip-172-93-1-18 ~]# aws iam create-role --role-name GamefiAmazonEKSClusterRole --assume-role-policy-document file://"eks-cluster-role-trust-policy.json"
    {
        "Role": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17", 
                "Statement": [
                    {
                        "Action": "sts:AssumeRole", 
                        "Effect": "Allow", 
                        "Principal": {
                            "Service": "eks.amazonaws.com"
                        }
                    }
                ]
            }, 
            "RoleId": "AROA3BR37RVO4B2BN3IEW", 
            "CreateDate": "2022-10-21T07:49:13Z", 
            "RoleName": "GamefiAmazonEKSClusterRole", 
            "Path": "/", 
            "Arn": "arn:aws:iam::0123456789:role/GamefiAmazonEKSClusterRole"
        }
    }
    

    3) Attach the Amazon EKS managed IAM policy AmazonEKSClusterPolicy to the GamefiAmazonEKSClusterRole role

    [root@ip-172-93-1-18 ~]# aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy --role-name GamefiAmazonEKSClusterRole
    
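    The preface lists which managed policies each role must carry, and step 3 attaches one of them by hand. The following script is an added example, not code from the original post: it compares the policies actually attached to a role with the list from the preface and reports anything missing or surplus. The check functions take plain text and run offline; the `--live` branch, which reads the attached list with `aws iam list-attached-role-policies`, assumes configured AWS CLI credentials and the role name used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an EKS role carries exactly the
# managed policies the preface requires. The functions take whitespace-separated policy
# names, as `--query 'AttachedPolicies[].PolicyName' --output text` prints them.
set -eu

# Managed policies the preface requires for each role type
CLUSTER_ROLE_REQUIRED="AmazonEKSClusterPolicy"
NODE_ROLE_REQUIRED="AmazonEKSWorkerNodePolicy AmazonEKS_CNI_Policy AmazonEC2ContainerRegistryReadOnly"

# missing_policies "<attached names>" "<required names>"
# Prints the required names that are not attached (empty output = all present).
missing_policies() {
    attached=$(printf ' %s ' "$1" | tr '\t\n' '  ')
    missing=""
    for name in $2; do
        case "$attached" in
            *" $name "*) ;;
            *) missing="${missing:+$missing }$name" ;;
        esac
    done
    printf '%s' "$missing"
}

# extra_policies "<attached names>" "<required names>"
# Prints attached names outside the required set; the role should hold only what EKS needs.
extra_policies() {
    required=$(printf ' %s ' "$2")
    extra=""
    for name in $1; do
        case "$required" in
            *" $name "*) ;;
            *) extra="${extra:+$extra }$name" ;;
        esac
    done
    printf '%s' "$extra"
}

# check_role ROLE_NAME "<required names>" "<attached names>"
# Returns 0 when nothing required is missing; surplus policies are reported as a warning.
check_role() {
    miss=$(missing_policies "$3" "$2")
    more=$(extra_policies "$3" "$2")
    if [ -n "$more" ]; then
        echo "$1: extra policies attached, review them: $more" >&2
    fi
    if [ -n "$miss" ]; then
        echo "$1: missing required policies: $miss" >&2
        return 1
    fi
    echo "$1: required policies present"
}

# Live usage (assumes configured AWS CLI credentials; role name as created in this post)
if [ "${1:-}" = "--live" ]; then
    attached=$(aws iam list-attached-role-policies --role-name GamefiAmazonEKSClusterRole \
        --query 'AttachedPolicies[].PolicyName' --output text)
    check_role GamefiAmazonEKSClusterRole "$CLUSTER_ROLE_REQUIRED" "$attached"
fi
```

    Run it with `--live` after step 3 for the cluster role, and with `NODE_ROLE_REQUIRED` for the node role once a node group exists; a non-zero exit means a required policy is absent.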

    2. Create the Amazon EKS cluster

    [root@ip-172-93-1-18 ~]# eksctl create cluster --name gamefi-cluster --region ap-east-1 --version 1.23 --vpc-public-subnets subnet-0670a45dccf9fad59,subnet-0996714ab4116d6e6,subnet-07d5b48efd70ae503 --without-nodegroup
    2022-10-21 07:55:26 []  eksctl version 0.115.0
    2022-10-21 07:55:26 []  using region ap-east-1
    Error: could not import subnet subnet-07d5b48efd70ae503: subnet ID "subnet-0996714ab4116d6e6" is not the same as "subnet-07d5b48efd70ae503"
    [root@ip-172-93-1-18 ~]# eksctl create cluster --name gamefi-cluster --region ap-east-1 --version 1.23 --vpc-public-subnets subnet-0670a45dccf9fad59,subnet-0996714ab4116d6e6 --without-nodegroup
    2022-10-21 07:57:16 []  eksctl version 0.115.0
    2022-10-21 07:57:16 []  using region ap-east-1
    2022-10-21 07:57:16 []  using existing VPC (vpc-09197fd1833f76a27) and subnets (private:map[] public:map[ap-east-1a:{subnet-0996714ab4116d6e6 ap-east-1a 172.93.5.0/24 0 } ap-east-1b:{subnet-0670a45dccf9fad59 ap-east-1b 172.93.6.0/24 0 }])
    2022-10-21 07:57:16 [!]  custom VPC/subnets will be used; if resulting cluster doesn't function as expected, make sure to review the configuration of VPC/subnets
    2022-10-21 07:57:16 []  using Kubernetes version 1.23
    2022-10-21 07:57:16 []  creating EKS cluster "gamefi-cluster" in "ap-east-1" region with 
    2022-10-21 07:57:16 []  if you encounter any issues, check CloudFormation console or try 'eksctl utils describe-stacks --region=ap-east-1 --cluster=gamefi-cluster'
    2022-10-21 07:57:16 []  Kubernetes API endpoint access will use default of {publicAccess=true, privateAccess=false} for cluster "gamefi-cluster" in "ap-east-1"
    2022-10-21 07:57:16 []  CloudWatch logging will not be enabled for cluster "gamefi-cluster" in "ap-east-1"
    2022-10-21 07:57:16 []  you can enable it with 'eksctl utils update-cluster-logging --enable-types={SPECIFY-YOUR-LOG-TYPES-HERE (e.g. all)} --region=ap-east-1 --cluster=gamefi-cluster'
    2022-10-21 07:57:16 []  
    2 sequential tasks: { create cluster control plane "gamefi-cluster", wait for control plane to become ready 
    }
    2022-10-21 07:57:16 []  building cluster stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 07:57:16 []  deploying stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 07:57:46 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 07:58:16 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 07:59:17 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 08:00:17 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 08:01:17 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 08:02:17 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 08:03:17 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 08:04:17 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 08:05:17 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 08:06:17 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 08:07:17 []  waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
    2022-10-21 08:09:17 []  waiting for the control plane to become ready
    2022-10-21 08:09:17 [!]  failed to determine authenticator version, leaving API version as default v1alpha1: failed to parse versions: unable to parse first version "": strconv.ParseUint: parsing "": invalid syntax
    2022-10-21 08:09:18 []  saved kubeconfig as "/root/.kube/config"
    2022-10-21 08:09:18 []  no tasks
    2022-10-21 08:09:18 []  all EKS cluster resources for "gamefi-cluster" have been created
    2022-10-21 08:09:18 []  kubectl command should work with "/root/.kube/config", try 'kubectl get nodes'
    2022-10-21 08:09:18 []  EKS cluster "gamefi-cluster" in "ap-east-1" region is ready
    

    Cluster provisioning takes several minutes. While the cluster is being created, several lines of output are shown; the last line looks like the following example.

    []  EKS cluster "my-cluster" in "region-code" region is ready
    
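    The eksctl output above reports the defaults it applied: public endpoint access on, private access off, and no CloudWatch logging. The script below is an added example, not part of the original post or of eksctl: it turns those four settings into a list of findings so the cluster can be reviewed right after creation. The function takes plain values and runs offline; the `--live` branch reads them with `aws eks describe-cluster` using JMESPath queries that are my assumption of the relevant fields, not something shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): review the control-plane settings that eksctl
# reported for the new cluster. Values come from `aws eks describe-cluster`; AWS CLI text
# output prints booleans as True/False, so both spellings are accepted.
set -eu

is_true() { case "$1" in [Tt]rue|TRUE) return 0 ;; *) return 1 ;; esac; }

# eks_posture_findings PUBLIC PRIVATE "PUBLIC_CIDRS" "ENABLED_LOG_TYPES"
#   PUBLIC / PRIVATE  : cluster.resourcesVpcConfig.endpointPublicAccess / endpointPrivateAccess
#   PUBLIC_CIDRS      : comma-separated cluster.resourcesVpcConfig.publicAccessCidrs
#   ENABLED_LOG_TYPES : comma-separated log types whose enabled flag is true
# Prints one finding per line; the return value is the number of findings (0 = none).
eks_posture_findings() {
    public="$1"; private="$2"; cidrs="$3"; logtypes="$4"
    n=0
    if is_true "$public"; then
        case "$cidrs" in
            *0.0.0.0/0*)
                echo "public API endpoint accepts any IPv4 source; restrict publicAccessCidrs to admin ranges"
                n=$((n + 1)) ;;
        esac
    fi
    if ! is_true "$private"; then
        echo "private endpoint access is off; node and kubectl traffic reaches the API server via the public endpoint"
        n=$((n + 1))
    fi
    for t in api audit authenticator; do
        case ",$logtypes," in
            *",$t,"*) ;;
            *) echo "control-plane log type '$t' is not sent to CloudWatch"; n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# Live usage for the cluster created in this post (assumes configured AWS CLI; the JMESPath
# expressions are my assumption of the describe-cluster field names)
if [ "${1:-}" = "--live" ]; then
    q='cluster.resourcesVpcConfig.[endpointPublicAccess,endpointPrivateAccess,join(`,`,publicAccessCidrs)]'
    set -- $(aws eks describe-cluster --name gamefi-cluster --region ap-east-1 --query "$q" --output text)
    logs=$(aws eks describe-cluster --name gamefi-cluster --region ap-east-1 \
        --query 'join(`,`,cluster.logging.clusterLogging[?enabled].types[])' --output text)
    eks_posture_findings "$1" "$2" "$3" "$logs" || echo "$? finding(s)"
fi
```

    With the defaults eksctl printed above (public on, private off, no logging) the function reports five findings; the post's own hint, `eksctl utils update-cluster-logging`, clears the three logging ones.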

    View the EKS cluster in the console.

    3. Establish communication with EKS

    [root@ip-172-93-1-18 ~]# aws eks update-kubeconfig --region ap-east-1 --name gamefi-cluster
    Added new context arn:aws:eks:ap-east-1:0123456789:cluster/gamefi-cluster to /root/.kube/config
    

    Run the following command to confirm communication with the cluster.

    [root@ip-172-93-1-18 ~]# kubectl get svc
    NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
    kubernetes   ClusterIP   10.100.0.1   <none>        443/TCP   8m52s
    
    

    4. Create the vpc-cni role
    Create the IAM role. You can create it with eksctl, or with kubectl together with the AWS CLI.

    [root@ip-172-93-1-18 ~]# aws eks describe-cluster --name gamefi-cluster --query "cluster.identity.oidc.issuer" --output text
    https://oidc.eks.ap-east-1.amazonaws.com/id/876ADBC8677BE9381336CAE6FAE83F1E
    
    

    Create the file

    [root@ip-172-93-1-18 ~]# vim vpc-cni-trust-policy.json
    [root@ip-172-93-1-18 ~]# cat vpc-cni-trust-policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::0123456789:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com",
                        "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:aws-node"
                    }
                }
            }
        ]
    }
    

    Create the GameFiAmazonEKSVPCCNIRole role

    [root@ip-172-93-1-18 ~]# aws iam create-role --role-name GameFiAmazonEKSVPCCNIRole   --assume-role-policy-document file://"vpc-cni-trust-policy.json"
    {
        "Role": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17", 
                "Statement": [
                    {
                        "Action": "sts:AssumeRoleWithWebIdentity", 
                        "Effect": "Allow", 
                        "Condition": {
                            "StringEquals": {
                                "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:aws-node", 
                                "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
                            }
                        }, 
                        "Principal": {
                            "Federated": "arn:aws:iam::0123456789:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
                        }
                    }
                ]
            }, 
            "RoleId": "AROA3BR37RVOUO3DSXZOW", 
            "CreateDate": "2022-10-21T08:35:11Z", 
            "RoleName": "GameFiAmazonEKSVPCCNIRole", 
            "Path": "/", 
            "Arn": "arn:aws:iam::0123456789:role/GameFiAmazonEKSVPCCNIRole"
        }
    }
    
    

    Attach the required IAM policy to the role. Run the command that matches your cluster's IP family.

    [root@ip-172-93-1-18 ~]# aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy --role-name GameFiAmazonEKSVPCCNIRole
    

    Run the following command to annotate the aws-node service account with the ARN of the IAM role you created earlier.

    [root@ip-172-93-1-18 ~]# kubectl annotate serviceaccount -n kube-system aws-node eks.amazonaws.com/role-arn=arn:aws:iam::0123456789:role/GameFiAmazonEKSVPCCNIRole
    serviceaccount/aws-node annotated
    
    
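    The vpc-cni-trust-policy.json shown in step 4 still contains the documentation placeholders `region-code` and `EXAMPLED539D4633E53DE1B71EXAMPLE`; for the role to be assumable by the aws-node pod they must be replaced with the account id and the issuer URL that `aws eks describe-cluster` printed at the start of step 4, and the `sub` condition must name exactly the `kube-system:aws-node` service account. The script below is an added example, not code from the original post: it generates the trust policy from the real issuer and checks a policy file for leftover placeholders and for the `aud` and `sub` conditions before `aws iam create-role`. The generator and checker run offline; the `--live` branch assumes configured AWS CLI credentials and the cluster and role names used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): build and check the IRSA trust policy for
# the aws-node service account from the cluster's real OIDC issuer.
set -eu

# irsa_trust_policy ACCOUNT_ID ISSUER_URL NAMESPACE SERVICE_ACCOUNT
# ISSUER_URL is the value of `aws eks describe-cluster --query cluster.identity.oidc.issuer`.
# IAM names the OIDC provider by the issuer without its scheme, so "https://" is stripped.
irsa_trust_policy() {
    account="$1"; issuer="$2"; namespace="$3"; sa="$4"
    host="${issuer#https://}"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account}:oidc-provider/${host}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${host}:aud": "sts.amazonaws.com",
          "${host}:sub": "system:serviceaccount:${namespace}:${sa}"
        }
      }
    }
  ]
}
EOF
}

# irsa_trust_policy_check FILE NAMESPACE SERVICE_ACCOUNT  -> 0 if FILE is usable
# Rejects leftover placeholders and requires the aud and sub conditions that bind the role
# to one service account; without the sub condition any service account in the cluster
# holding a projected token could assume the role.
irsa_trust_policy_check() {
    file="$1"; namespace="$2"; sa="$3"
    if grep -Eq 'region-code|EXAMPLE' "$file"; then
        echo "$file: documentation placeholders still present" >&2; return 1
    fi
    if ! grep -q '"sts.amazonaws.com"' "$file"; then
        echo "$file: aud condition missing" >&2; return 1
    fi
    if ! grep -q "\"system:serviceaccount:${namespace}:${sa}\"" "$file"; then
        echo "$file: sub condition does not name ${namespace}:${sa}" >&2; return 1
    fi
    return 0
}

# Live usage with the cluster and role names from this post (account id shown as in the post)
if [ "${1:-}" = "--live" ]; then
    issuer=$(aws eks describe-cluster --name gamefi-cluster --region ap-east-1 \
        --query "cluster.identity.oidc.issuer" --output text)
    irsa_trust_policy 0123456789 "$issuer" kube-system aws-node > vpc-cni-trust-policy.json
    irsa_trust_policy_check vpc-cni-trust-policy.json kube-system aws-node
fi
```

    The cluster's issuer must also be registered as an IAM OIDC identity provider in the account before the Federated principal resolves; eksctl does that with `eksctl utils associate-iam-oidc-provider`, a step the post does not show.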

    5. Create a node group

    [root@ip-172-93-1-18 ~]# eksctl create nodegroup --cluster gamefi-cluster --region ap-east-1 --name gamefi-groups --node-type t3.medium --nodes 2 --nodes-min 2 --nodes-max 3 --ssh-access --ssh-public-key aitd-prod.pem
    2022-10-21 10:16:35 [?]  will use version 1.23 for new nodegroup(s) based on control plane version
    2022-10-21 10:16:36 [?]  nodegroup "gamefi-groups" will use "" [AmazonLinux2/1.23]
    2022-10-21 10:16:36 [?]  using EC2 key pair %!q(*string=<nil>)
    2022-10-21 10:16:36 [?]  1 existing nodegroup(s) (gamefi-group) will be excluded
    2022-10-21 10:16:36 [?]  1 nodegroup (gamefi-groups) was included (based on the include/exclude rules)
    2022-10-21 10:16:36 [?]  will create a CloudFormation stack for each of 1 managed nodegroups in cluster "gamefi-cluster"
    2022-10-21 10:16:37 [?]  
    2 sequential tasks: { fix cluster compatibility, 1 task: { 1 task: { create managed nodegroup "gamefi-groups" } } 
    }
    2022-10-21 10:16:37 [?]  checking cluster stack for missing resources
    2022-10-21 10:16:37 [?]  cluster stack has all required resources
    2022-10-21 10:16:37 [?]  building managed nodegroup stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:16:37 [?]  deploying stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:16:37 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:17:07 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:17:44 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:18:29 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:20:04 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:20:37 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:21:45 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:23:15 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:24:24 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:24:59 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:25:57 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:27:41 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:28:50 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:30:33 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:31:16 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:32:52 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:33:51 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:34:43 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:36:43 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:37:22 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:39:18 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:40:55 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:41:07 [?]  waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
    2022-10-21 10:41:07 [?]  1 error(s) occurred and nodegroups haven't been created properly, you may wish to check CloudFormation console
    2022-10-21 10:41:07 [?]  to cleanup resources, run 'eksctl delete nodegroup --region=ap-east-1 --cluster=gamefi-cluster --name=' for each of the failed nodegroup
    2022-10-21 10:41:07 [?]  exceeded max wait time for StackCreateComplete waiter
    Error: failed to create nodegroups for cluster "gamefi-cluster"
    
    
    

    Switch to CloudFormation to watch the stack being created:
    https://console.aws.amazon.com/cloudformation/home

    6. First check that the AWS CLI configuration is working

    [root@ip-172-93-1-18 ~]# aws sts get-caller-identity
    {
        "Account": "123456789", 
        "UserId": "SDA3SFERFAFDOY6WO", 
        "Arn": "arn:aws:iam::123456789:user/test"
    }


    Then update the kubeconfig file

    [root@ip-172-93-1-18 ~]# aws eks --region ap-east-1 update-kubeconfig --name gamefi-cluster
    Added new context arn:aws:eks:ap-east-1:123456789:cluster/gamefi-cluster to /root/.kube/config
    

    7. Run the following commands to connect to AWS EKS

    [root@ip-172-93-1-18 ~]# kubectl get nodes
    NAME                                         STATUS   ROLES    AGE     VERSION
    ip-172-93-5-25.ap-east-1.compute.internal    Ready    <none>   3m51s   v1.23.9-eks-ba74326
    ip-172-93-6-207.ap-east-1.compute.internal   Ready    <none>   3m53s   v1.23.9-eks-ba74326
    [root@ip-172-93-1-18 ~]# kubectl get pods -n kube-system
    NAME                       READY   STATUS    RESTARTS   AGE
    aws-node-6ns6x             1/1     Running   0          4m8s
    aws-node-6q8ww             1/1     Running   0          4m7s
    coredns-6c684977f7-sv29g   1/1     Running   0          7m40s
    coredns-6c684977f7-wr54r   1/1     Running   0          7m40s
    kube-proxy-cl9zl           1/1     Running   0          4m8s
    kube-proxy-sw6cf           1/1     Running   0          4m7s
    [root@ip-172-93-1-18 ~]# kubectl get svc
    NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
    kubernetes   ClusterIP   10.100.0.1   <none>        443/TCP   18m
    
    Original post: https://blog.csdn.net/baidu_38432732/article/details/127448024