Preface:
Creating the cluster role requires selecting the following managed policy:
AmazonEKSClusterPolicy
Creating the node role requires selecting the following managed policies:
AmazonEC2ContainerRegistryReadOnly
AmazonEKSWorkerNodePolicy
AmazonEKS_CNI_Policy
1. Create the Amazon EKS cluster IAM role
1) Create the JSON files
[root@ip-172-93-1-18 ~]# cat example-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "iam:ListRoles",
                "sts:AssumeRole"
            ],
            "Resource": "*"
        }
    ]
}
[root@ip-172-93-1-18 ~]# cat >eks-cluster-role-trust-policy.json <<EOF
> {
>     "Version": "2012-10-17",
>     "Statement": [
>         {
>             "Effect": "Allow",
>             "Principal": {
>                 "Service": "eks.amazonaws.com"
>             },
>             "Action": "sts:AssumeRole"
>         }
>     ]
> }
> EOF
2) Create the Amazon EKS cluster IAM role
[root@ip-172-93-1-18 ~]# aws iam create-role --role-name GamefiAmazonEKSClusterRole --assume-role-policy-document file://"eks-cluster-role-trust-policy.json"
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "eks.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROA3BR37RVO4B2BN3IEW",
        "CreateDate": "2022-10-21T07:49:13Z",
        "RoleName": "GamefiAmazonEKSClusterRole",
        "Path": "/",
        "Arn": "arn:aws:iam::0123456789:role/GamefiAmazonEKSClusterRole"
    }
}
3) Attach the AWS-managed IAM policy AmazonEKSClusterPolicy to the GamefiAmazonEKSClusterRole role
[root@ip-172-93-1-18 ~]# aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy --role-name GamefiAmazonEKSClusterRole
2. Create the Amazon EKS cluster
[root@ip-172-93-1-18 ~]# eksctl create cluster --name gamefi-cluster --region ap-east-1 --version 1.23 --vpc-public-subnets subnet-0670a45dccf9fad59,subnet-0996714ab4116d6e6,subnet-07d5b48efd70ae503 --without-nodegroup
2022-10-21 07:55:26 [ℹ] eksctl version 0.115.0
2022-10-21 07:55:26 [ℹ] using region ap-east-1
Error: could not import subnet subnet-07d5b48efd70ae503: subnet ID "subnet-0996714ab4116d6e6" is not the same as "subnet-07d5b48efd70ae503"
[root@ip-172-93-1-18 ~]# eksctl create cluster --name gamefi-cluster --region ap-east-1 --version 1.23 --vpc-public-subnets subnet-0670a45dccf9fad59,subnet-0996714ab4116d6e6 --without-nodegroup
2022-10-21 07:57:16 [ℹ] eksctl version 0.115.0
2022-10-21 07:57:16 [ℹ] using region ap-east-1
2022-10-21 07:57:16 [✔] using existing VPC (vpc-09197fd1833f76a27) and subnets (private:map[] public:map[ap-east-1a:{subnet-0996714ab4116d6e6 ap-east-1a 172.93.5.0/24 0 } ap-east-1b:{subnet-0670a45dccf9fad59 ap-east-1b 172.93.6.0/24 0 }])
2022-10-21 07:57:16 [!] custom VPC/subnets will be used; if resulting cluster doesn't function as expected, make sure to review the configuration of VPC/subnets
2022-10-21 07:57:16 [ℹ] using Kubernetes version 1.23
2022-10-21 07:57:16 [ℹ] creating EKS cluster "gamefi-cluster" in "ap-east-1" region with
2022-10-21 07:57:16 [ℹ] if you encounter any issues, check CloudFormation console or try 'eksctl utils describe-stacks --region=ap-east-1 --cluster=gamefi-cluster'
2022-10-21 07:57:16 [ℹ] Kubernetes API endpoint access will use default of {publicAccess=true, privateAccess=false} for cluster "gamefi-cluster" in "ap-east-1"
2022-10-21 07:57:16 [ℹ] CloudWatch logging will not be enabled for cluster "gamefi-cluster" in "ap-east-1"
2022-10-21 07:57:16 [ℹ] you can enable it with 'eksctl utils update-cluster-logging --enable-types={SPECIFY-YOUR-LOG-TYPES-HERE (e.g. all)} --region=ap-east-1 --cluster=gamefi-cluster'
2022-10-21 07:57:16 [ℹ]
2 sequential tasks: { create cluster control plane "gamefi-cluster", wait for control plane to become ready
}
2022-10-21 07:57:16 [ℹ] building cluster stack "eksctl-gamefi-cluster-cluster"
2022-10-21 07:57:16 [ℹ] deploying stack "eksctl-gamefi-cluster-cluster"
2022-10-21 07:57:46 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 07:58:16 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 07:59:17 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 08:00:17 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 08:01:17 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 08:02:17 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 08:03:17 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 08:04:17 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 08:05:17 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 08:06:17 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 08:07:17 [ℹ] waiting for CloudFormation stack "eksctl-gamefi-cluster-cluster"
2022-10-21 08:09:17 [ℹ] waiting for the control plane to become ready
2022-10-21 08:09:17 [!] failed to determine authenticator version, leaving API version as default v1alpha1: failed to parse versions: unable to parse first version "": strconv.ParseUint: parsing "": invalid syntax
2022-10-21 08:09:18 [✔] saved kubeconfig as "/root/.kube/config"
2022-10-21 08:09:18 [ℹ] no tasks
2022-10-21 08:09:18 [✔] all EKS cluster resources for "gamefi-cluster" have been created
2022-10-21 08:09:18 [ℹ] kubectl command should work with "/root/.kube/config", try 'kubectl get nodes'
2022-10-21 08:09:18 [✔] EKS cluster "gamefi-cluster" in "ap-east-1" region is ready
Cluster provisioning takes several minutes. While the cluster is being created, several lines of output are displayed. The last line of output is similar to the following example line.
[✓] EKS cluster "my-cluster" in "region-code" region is ready
View the EKS cluster in the console
3. Establish communication with EKS
[root@ip-172-93-1-18 ~]# aws eks update-kubeconfig --region ap-east-1 --name gamefi-cluster
Added new context arn:aws:eks:ap-east-1:0123456789:cluster/gamefi-cluster to /root/.kube/config
Confirm communication with the cluster by running the following command.
[root@ip-172-93-1-18 ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 8m52s
4. Create the vpc-cni role
Create the IAM role. You can create the IAM role with eksctl, or with kubectl and the AWS CLI.
[root@ip-172-93-1-18 ~]# aws eks describe-cluster --name gamefi-cluster --query "cluster.identity.oidc.issuer" --output text
https://oidc.eks.ap-east-1.amazonaws.com/id/876ADBC8677BE9381336CAE6FAE83F1E
Create the file
[root@ip-172-93-1-18 ~]# vim vpc-cni-trust-policy.json
[root@ip-172-93-1-18 ~]# cat vpc-cni-trust-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::0123456789:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com",
                    "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:aws-node"
                }
            }
        }
    ]
}
Create the GameFiAmazonEKSVPCCNIRole role
[root@ip-172-93-1-18 ~]# aws iam create-role --role-name GameFiAmazonEKSVPCCNIRole --assume-role-policy-document file://"vpc-cni-trust-policy.json"
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRoleWithWebIdentity",
                    "Effect": "Allow",
                    "Condition": {
                        "StringEquals": {
                            "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:aws-node",
                            "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
                        }
                    },
                    "Principal": {
                        "Federated": "arn:aws:iam::0123456789:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
                    }
                }
            ]
        },
        "RoleId": "AROA3BR37RVOUO3DSXZOW",
        "CreateDate": "2022-10-21T08:35:11Z",
        "RoleName": "GameFiAmazonEKSVPCCNIRole",
        "Path": "/",
        "Arn": "arn:aws:iam::0123456789:role/GameFiAmazonEKSVPCCNIRole"
    }
}
Attach the required IAM policy to the role. Run the command that matches your cluster's IP family.
[root@ip-172-93-1-18 ~]# aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy --role-name GameFiAmazonEKSVPCCNIRole
Run the following command to annotate the aws-node service account with the ARN of the IAM role you created earlier.
[root@ip-172-93-1-18 ~]# kubectl annotate serviceaccount -n kube-system aws-node eks.amazonaws.com/role-arn=arn:aws:iam::0123456789:role/GameFiAmazonEKSVPCCNIRole
serviceaccount/aws-node annotated
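Note that vpc-cni-trust-policy.json above still contains the documentation placeholders (region-code and EXAMPLED539D4633E53DE1B71EXAMPLE) rather than the issuer returned by describe-cluster, so the Federated principal and the aud/sub conditions refer to a provider that is not this cluster's, and tokens issued by gamefi-cluster will not satisfy them. The helper below is added here and is not part of the original post: it builds the IRSA trust policy from the real issuer URL and checks an existing policy for the two properties that matter, a principal that matches the cluster's OIDC provider and aud/sub conditions that pin the role to exactly one service account. ACCOUNT_ID and ISSUER_URL are copied from the output above; the function names are my own.

```python
from urllib.parse import urlparse

# Constructed inputs copied from the walkthrough: the account ID in the role ARNs and the
# issuer URL returned by `aws eks describe-cluster --query cluster.identity.oidc.issuer`.
ACCOUNT_ID = "0123456789"
ISSUER_URL = "https://oidc.eks.ap-east-1.amazonaws.com/id/876ADBC8677BE9381336CAE6FAE83F1E"
# Placeholder issuer as it appears in the page's vpc-cni-trust-policy.json.
PLACEHOLDER_ISSUER = "https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"

def oidc_provider_path(issuer_url):
    """'https://oidc.eks.<region>.amazonaws.com/id/<ID>' -> 'oidc.eks.<region>.amazonaws.com/id/<ID>'"""
    parsed = urlparse(issuer_url)
    return parsed.netloc + parsed.path

def build_irsa_trust_policy(account_id, issuer_url, namespace, service_account):
    """Trust policy for IRSA: Federated principal and both condition keys use the same
    provider path, and the sub condition pins exactly one service account."""
    provider = oidc_provider_path(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{provider}:aud": "sts.amazonaws.com",
                f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }

def check_irsa_trust_policy(policy, account_id, issuer_url, namespace, service_account):
    """Return the problems found; empty means the policy is pinned to this cluster's
    OIDC provider and to exactly the expected service account."""
    provider = oidc_provider_path(issuer_url)
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{provider}"
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt.get("Principal", {}).get("Federated") != expected_principal:
            problems.append("Federated principal is not this cluster's OIDC provider")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get(f"{provider}:aud") != "sts.amazonaws.com":
            problems.append("aud condition for this provider is missing or wrong")
        if cond.get(f"{provider}:sub") != expected_sub:
            problems.append("sub condition does not pin the expected service account")
    return problems
```

Serialise the result of build_irsa_trust_policy with json.dumps to produce the file handed to `aws iam create-role`, and run check_irsa_trust_policy against the AssumeRolePolicyDocument that create-role echoes back before attaching AmazonEKS_CNI_Policy.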
5. Create the node group
[root@ip-172-93-1-18 ~]# eksctl create nodegroup --cluster gamefi-cluster --region ap-east-1 --name gamefi-groups --node-type t3.medium --nodes 2 --nodes-min 2 --nodes-max 3 --ssh-access --ssh-public-key aitd-prod.pem
2022-10-21 10:16:35 [?] will use version 1.23 for new nodegroup(s) based on control plane version
2022-10-21 10:16:36 [?] nodegroup "gamefi-groups" will use "" [AmazonLinux2/1.23]
2022-10-21 10:16:36 [?] using EC2 key pair %!q(*string=<nil>)
2022-10-21 10:16:36 [?] 1 existing nodegroup(s) (gamefi-group) will be excluded
2022-10-21 10:16:36 [?] 1 nodegroup (gamefi-groups) was included (based on the include/exclude rules)
2022-10-21 10:16:36 [?] will create a CloudFormation stack for each of 1 managed nodegroups in cluster "gamefi-cluster"
2022-10-21 10:16:37 [?]
2 sequential tasks: { fix cluster compatibility, 1 task: { 1 task: { create managed nodegroup "gamefi-groups" } }
}
2022-10-21 10:16:37 [?] checking cluster stack for missing resources
2022-10-21 10:16:37 [?] cluster stack has all required resources
2022-10-21 10:16:37 [?] building managed nodegroup stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:16:37 [?] deploying stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:16:37 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:17:07 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:17:44 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:18:29 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:20:04 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:20:37 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:21:45 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:23:15 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:24:24 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:24:59 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:25:57 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:27:41 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:28:50 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:30:33 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:31:16 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:32:52 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:33:51 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:34:43 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:36:43 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:37:22 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:39:18 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:40:55 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:41:07 [?] waiting for CloudFormation stack "eksctl-gamefi-cluster-nodegroup-gamefi-groups"
2022-10-21 10:41:07 [?] 1 error(s) occurred and nodegroups haven't been created properly, you may wish to check CloudFormation console
2022-10-21 10:41:07 [?] to cleanup resources, run 'eksctl delete nodegroup --region=ap-east-1 --cluster=gamefi-cluster --name=' for each of the failed nodegroup
2022-10-21 10:41:07 [?] exceeded max wait time for StackCreateComplete waiter
Error: failed to create nodegroups for cluster "gamefi-cluster"
Switch to CloudFormation to watch the creation
https://console.aws.amazon.com/cloudformation/home
6. First test that the AWS CLI configuration works
[root@ip-172-93-1-18 ~]# aws sts get-caller-identity
{
    "Account": "123456789",
    "UserId": "SDA3SFERFAFDOY6WO",
    "Arn": "arn:aws:iam::123456789:user/test"
}
Then update the kubeconfig file
[root@ip-172-93-1-18 ~]# aws eks --region ap-east-1 update-kubeconfig --name gamefi-cluster
Added new context arn:aws:eks:ap-east-1:123456789:cluster/gamefi-cluster to /root/.kube/config
7. Run the following commands to connect to AWS EKS
[root@ip-172-93-1-18 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-172-93-5-25.ap-east-1.compute.internal Ready <none> 3m51s v1.23.9-eks-ba74326
ip-172-93-6-207.ap-east-1.compute.internal Ready <none> 3m53s v1.23.9-eks-ba74326
[root@ip-172-93-1-18 ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
aws-node-6ns6x 1/1 Running 0 4m8s
aws-node-6q8ww 1/1 Running 0 4m7s
coredns-6c684977f7-sv29g 1/1 Running 0 7m40s
coredns-6c684977f7-wr54r 1/1 Running 0 7m40s
kube-proxy-cl9zl 1/1 Running 0 4m8s
kube-proxy-sw6cf 1/1 Running 0 4m7s
[root@ip-172-93-1-18 ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 18m