Original article: Using EKS on AWS - 慢慢的回味
Hosting Kubernetes on AWS with EKS is fairly involved; the steps below produce an EKS cluster that suits most environments.
Contents:
- 1 Create an IAM user (as the root user)
- 2 Create policies and roles (as the root user)
  - 2.1 Create the EKS cluster role
  - 2.2 Create the cluster node group role
  - 2.3 Grant permissions to the IAM user
- 3 Create the EKS cluster (as the IAM user)
  - 3.1 Create the EKS cluster control plane
  - 3.2 Add worker nodes to the cluster
- 4 Set up the AWS CLI and kubectl (as the IAM user)
  - 4.1 Configure the AWS CLI
  - 4.2 Configure kubectl
1 Create an IAM user (as the root user)
Create an IAM user in AWS with just enough permissions for the job.
In the AWS Management Console, click "Add users":
Leave the other pages at their defaults. Finally, keep the downloaded CSV file: it contains the Access Key and Secret Access Key that the AWS CLI will use later.
2 Create policies and roles (as the root user)
2.1 Create the EKS cluster role
Create a role for the EKS cluster named "testEKSClusterRole" with one policy attached: AmazonEKSClusterPolicy.
2.2 Create the cluster node group role
Create the role "testEKSNodeRole" with the following policies attached:
AmazonEKSWorkerNodePolicy
AmazonEC2ContainerRegistryReadOnly
AmazonEKS_CNI_Policy
2.3 Grant permissions to the IAM user
The user needs the following four permissions. You can also create a user group, grant the permissions to the group, and then add the user to it.
Attach the managed policies "AmazonEC2FullAccess", "AmazonVPCReadOnlyAccess", "AmazonEC2FullAccess".
Add a custom policy named "TestEKSPolicy" with the following content
(replace the account ID 675892200046 with your own):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eks:*",
      "Resource": "*"
    },
    {
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": [
        "arn:aws:ssm:*:675892200046:parameter/aws/*",
        "arn:aws:ssm:*::parameter/aws/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:PutRetentionPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Add a custom policy named "IamLimitedAccess" with the following content:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "eks.amazonaws.com",
            "eks-nodegroup.amazonaws.com",
            "eks-fargate.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:TagRole",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeletePolicy",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:DeleteOpenIDConnectProvider",
        "iam:DeleteInstanceProfile",
        "iam:GetRole",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:DeleteRole",
        "iam:ListInstanceProfiles",
        "iam:CreateOpenIDConnectProvider",
        "iam:CreatePolicy",
        "iam:ListPolicyVersions",
        "iam:GetOpenIDConnectProvider",
        "iam:TagOpenIDConnectProvider",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::675892200046:role/testEKSNodeRole",
        "arn:aws:iam::675892200046:role/testEKSClusterRole",
        "arn:aws:iam::675892200046:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
        "arn:aws:iam::675892200046:instance-profile/*",
        "arn:aws:iam::675892200046:policy/*",
        "arn:aws:iam::675892200046:oidc-provider/*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "iam:GetRole",
      "Resource": "arn:aws:iam::675892200046:role/*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "*"
    }
  ]
}
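Before attaching custom policies like TestEKSPolicy and IamLimitedAccess above, it is worth running them through a small least-privilege review: a service-wide wildcard such as "eks:*" on Resource "*" grants every EKS API call on every cluster in the account, and iam:PassRole scoped only by role ARN still lets the caller hand that role to any AWS service unless an iam:PassedToService condition pins it down. The script below is an added example written for this article, not code from the original post or from AWS; it embeds trimmed copies of the two policies from this section (the IamLimitedAccess action list is shortened, and 675892200046 is the page's placeholder account ID) and reports the statements a reviewer would want to tighten. Policy files can also be passed on the command line.

```python
"""Least-privilege review of IAM policy documents (added example, not from the original article)."""
import json
import re
import sys

# Constructed inputs: the two custom policies from section 2.3, with the
# IamLimitedAccess action list trimmed to the entries that matter here.
# 675892200046 is the placeholder account id used throughout the page.
TEST_EKS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "eks:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"],
         "Resource": ["arn:aws:ssm:*:675892200046:parameter/aws/*",
                      "arn:aws:ssm:*::parameter/aws/*"]},
        {"Effect": "Allow", "Action": ["kms:CreateGrant", "kms:DescribeKey"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:PutRetentionPolicy"], "Resource": "*"},
    ],
}

IAM_LIMITED_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
         "Resource": "*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": [
             "eks.amazonaws.com", "eks-nodegroup.amazonaws.com", "eks-fargate.amazonaws.com"]}}},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole", "iam:DeleteRole"],
         "Resource": ["arn:aws:iam::675892200046:role/testEKSNodeRole",
                      "arn:aws:iam::675892200046:role/testEKSClusterRole"]},
        {"Sid": "VisualEditor2", "Effect": "Allow", "Action": "iam:GetRole",
         "Resource": "arn:aws:iam::675892200046:role/*"},
        {"Sid": "VisualEditor3", "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"},
    ],
}

# Matches a whole-service wildcard such as "eks:*" (actions are compared lower-cased).
SERVICE_WILDCARD = re.compile(r"^[a-z0-9-]+:\*$")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def condition_keys(statement):
    """Lower-cased condition keys of a statement, e.g. {'iam:awsservicename'}."""
    return {key.lower()
            for operator in (statement.get("Condition") or {}).values()
            for key in operator}


def analyze_policy(policy, name="policy"):
    """Return a list of (sid, severity, message) findings for one policy document."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid") or f"{name}[{index}]"
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        keys = condition_keys(stmt)

        # A whole-service wildcard on every resource with no condition to narrow it.
        if "*" in resources and not keys:
            for action in actions:
                if action == "*" or SERVICE_WILDCARD.match(action):
                    findings.append((sid, "HIGH",
                                     f"{action} allowed on every resource with no Condition"))

        # PassRole limited to role ARNs still lets the caller pass that role to any
        # service; an iam:PassedToService condition restricts it to the intended one.
        if "iam:passrole" in actions and "iam:passedtoservice" not in keys:
            findings.append((sid, "MEDIUM",
                             "iam:PassRole without an iam:PassedToService condition"))
    return findings


def report(policies):
    """Human-readable summary across several named policy documents."""
    lines = []
    for name, policy in policies.items():
        for sid, severity, message in analyze_policy(policy, name):
            lines.append(f"{severity:6} {name}/{sid}: {message}")
    return lines


if __name__ == "__main__":
    # Usage: python policy_review.py [policy.json ...]; with no arguments the embedded samples are reviewed.
    if len(sys.argv) > 1:
        docs = {path: json.load(open(path)) for path in sys.argv[1:]}
    else:
        docs = {"TestEKSPolicy": TEST_EKS_POLICY, "IamLimitedAccess": IAM_LIMITED_ACCESS}
    for line in report(docs):
        print(line)
```

Run against the two samples it flags "eks:*" on "*" in TestEKSPolicy as HIGH and the iam:PassRole statement in IamLimitedAccess as MEDIUM; the service-linked-role statement passes because its iam:AWSServiceName condition already restricts it to the three EKS service principals. The checks are deliberately conservative (a finding is a prompt to review, not proof of a problem): for a user whose only job is to run this tutorial, scoping "eks:*" to the cluster ARN and adding iam:PassedToService for eks.amazonaws.com and ec2.amazonaws.com are the two most valuable changes.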
3 Create the EKS cluster (as the IAM user)
3.1 Create the EKS cluster control plane
On the EKS product page, click "Create cluster".
If no role appears in the "Cluster service role" drop-down list, go back and check step 2.
Under "Subnets", three subnets are enough.
For "Cluster endpoint access", "Public" is fine here; for a production environment, choose "Private".
For "Networking add-ons", keep the defaults.
3.2 Add worker nodes to the cluster
Once the cluster status is "Active", click "Add node group" on the Compute tab to create the worker nodes.
You can configure "SSH login" to get into the worker nodes.
4 Set up the AWS CLI and kubectl (as the IAM user)
4.1 Configure the AWS CLI
After installing the AWS CLI, run "aws configure" to set up the IAM account created in step 1:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws configure
[awscli@bogon ~]$ aws sts get-caller-identity
{
"UserId": "AIDAZ2XSQQJXKNKFI4YDF",
"Account": "675892200046",
"Arn": "arn:aws:iam::675892200046:user/TestEKSUser"
}
4.2 Configure kubectl
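The "aws sts get-caller-identity" output above is the place to catch a configuration mistake before it reaches kubeconfig: steps 3 and 4 are meant to run as the IAM user from step 1, not as the account root, and the wrong profile or an assumed role will otherwise surface only as a confusing EKS authentication failure. The script below is an added example written for this article (not part of the original post or of the AWS CLI); it parses a caller-identity document, classifies the principal from its ARN, and only builds the update-kubeconfig command from section 4.2 when the caller is the expected IAM user in the expected account. The embedded sample reuses the page's example account ID and user name.

```python
"""Pre-flight identity check before configuring kubectl (added example, not from the original article)."""
import json
import sys

# Constructed sample shaped like the `aws sts get-caller-identity` output shown
# above; the account id and user name are the page's example values.
SAMPLE_IDENTITY = json.loads("""
{
    "UserId": "AIDAZ2XSQQJXKNKFI4YDF",
    "Account": "675892200046",
    "Arn": "arn:aws:iam::675892200046:user/TestEKSUser"
}
""")


def classify_principal(arn):
    """Map an STS caller ARN to (kind, name): root, user, assumed-role or unknown."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] not in ("iam", "sts"):
        return ("unknown", arn)
    resource = parts[5]
    if resource == "root":
        return ("root", "")
    if resource.startswith("user/"):
        # arn:aws:iam::ACCOUNT:user/[path/]UserName
        return ("user", resource.split("/")[-1])
    if resource.startswith("assumed-role/"):
        # arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName
        return ("assumed-role", resource.split("/")[1])
    return ("unknown", resource)


def check_identity(identity, expected_account, expected_user):
    """Return (ok, reason); ok is True only for the expected IAM user in the expected account."""
    account = identity.get("Account")
    if account != expected_account:
        return (False, f"credentials belong to account {account}, expected {expected_account}")
    kind, name = classify_principal(identity.get("Arn", ""))
    if kind == "root":
        return (False, "root credentials are configured; use the IAM user from step 1")
    if kind == "user" and name == expected_user:
        return (True, f"IAM user {name} in account {account}")
    if kind == "user":
        return (False, f"IAM user {name} is not the expected user {expected_user}")
    if kind == "assumed-role":
        return (False, f"assumed role {name}, not IAM user {expected_user}")
    return (False, f"unrecognised principal {identity.get('Arn')}")


def kubeconfig_command(identity, expected_account, expected_user, region, cluster):
    """Build the update-kubeconfig argv from section 4.2, but only once the caller checks out."""
    ok, reason = check_identity(identity, expected_account, expected_user)
    if not ok:
        raise PermissionError(reason)
    return ["aws", "eks", "--region", region, "update-kubeconfig", "--name", cluster]


if __name__ == "__main__":
    # Usage: aws sts get-caller-identity | python preflight.py 675892200046 TestEKSUser
    identity = json.load(sys.stdin)
    ok, reason = check_identity(identity, sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "STOP: ") + reason)
    sys.exit(0 if ok else 1)
```

Wire it into the shell session as "aws sts get-caller-identity | python preflight.py 675892200046 TestEKSUser && aws eks --region us-east-1 update-kubeconfig --name TestEKSCluster", so the kubeconfig is only written when the check passes. The root case matters most: root credentials should never reach a workstation, and the AWS CLI will happily use them if they are what "aws configure" was given.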
[awscli@bogon ~]$ aws eks --region us-east-1 update-kubeconfig --name TestEKSCluster
Updated context arn:aws:eks:us-east-1:675892200046:cluster/TestEKSCluster in /home/awscli/.kube/config