Initial setup steps for AWS EKS
Introduction
Reference: https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/getting-started-console.html
Create the VPC
aws cloudformation create-stack \
--region us-west-2 \
--stack-name my-eks-vpc-stack \
--template-url https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml
Create the cluster role
Create cluster-role-trust-policy.json
/cluster-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
aws iam create-role \
--role-name myAmazonEKSClusterRole \
--assume-role-policy-document file://"/Users/xxxxx/cluster-role-trust-policy.json"
// Output
ROLE arn:aws:iam::xxxxxxxxx:role/myAmazonEKSClusterRole 2021-10-28T13:31:41+00:00 / AROAAAAAAAAAAAAAAAAFC myAmazonEKSClusterRole
ASSUMEROLEPOLICYDOCUMENT 2012-10-17
STATEMENT sts:AssumeRole Allow
PRINCIPAL eks.amazonaws.com
aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \
--role-name myAmazonEKSClusterRole
Create the cluster
Do this in the EKS console, as follows.
Confirm that your PC can communicate with EKS
aws eks update-kubeconfig \
--region ap-northeast-1 \
--name my-cluster
// Output
Added new context arn:aws:eks:ap-northeast-1:0000000000:cluster/my-cluster to /Users/xxxxx/.kube/config
Create the IAM OpenID Connect (OIDC) provider
Reference: https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/getting-started-console.html
Follow the reference above and it will work.
Create the nodes
/cni-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/XXXXXXXXXX45D83924220DC4815XXXXX"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.<region-code>.amazonaws.com/id/XXXXXXXXXX45D83924220DC4815XXXXX:sub": "system:serviceaccount:kube-system:aws-node"
        }
      }
    }
  ]
}
Replace <region-code> in the condition key with the region of your OIDC provider (us-west-2 in the Federated principal above); the condition key must spell the same provider host and ID as the principal, and the :sub condition is what limits the role to the aws-node service account in kube-system rather than to every pod in the cluster.
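The cni-role-trust-policy.json above is an IRSA (web-identity) trust policy, and its safety depends entirely on the Condition block. The following Python is an added example, not code from the original article or from AWS: it builds such a policy from an OIDC provider ARN and a service account, and it checks an existing policy for the mistakes that matter (a :sub condition key that does not match the provider in the principal, a missing or wildcard :sub, a missing :aud). The provider ID used in the demo is a constructed placeholder; ARTICLE_POLICY is the article's own JSON.

```python
# Added example (not from the original article): build and sanity-check an IRSA
# trust policy like cni-role-trust-policy.json. The provider ID used in the demo
# below is a constructed placeholder.
import json
import re

# An EKS OIDC provider ARN: account ID, then the issuer host/path, which is also
# the prefix of the condition keys (":sub", ":aud").
OIDC_ARN_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):oidc-provider/"
    r"(oidc\.eks\.[a-z0-9-]+\.amazonaws\.com/id/[A-Z0-9]+)$"
)

# Verbatim copy of the article's cni-role-trust-policy.json (with its <region-code>
# placeholder left in the condition key), used as a test input.
ARTICLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/XXXXXXXXXX45D83924220DC4815XXXXX"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "oidc.eks.<region-code>.amazonaws.com/id/XXXXXXXXXX45D83924220DC4815XXXXX:sub": "system:serviceaccount:kube-system:aws-node"
        }},
    }],
}


def build_irsa_trust_policy(oidc_provider_arn, namespace, service_account):
    """Return a trust policy that lets exactly one service account assume the role."""
    m = OIDC_ARN_RE.match(oidc_provider_arn)
    if not m:
        raise ValueError("not an EKS OIDC provider ARN: " + oidc_provider_arn)
    issuer = m.group(2)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                issuer + ":sub": "system:serviceaccount:%s:%s" % (namespace, service_account),
                issuer + ":aud": "sts.amazonaws.com",
            }},
        }],
    }


def check_irsa_trust_policy(policy):
    """Return a list of findings; an empty list means the policy is scoped as expected."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if not federated:
            findings.append("statement %d: no Federated principal" % i)
            continue
        m = OIDC_ARN_RE.match(federated)
        if not m:
            findings.append("statement %d: Federated principal is not an EKS OIDC provider ARN" % i)
            continue
        issuer = m.group(2)
        # Merge StringEquals and StringLike so a wildcard StringLike :sub is seen too.
        keys = {}
        for op in ("StringEquals", "StringLike"):
            keys.update(stmt.get("Condition", {}).get(op, {}))
        sub_key, aud_key = issuer + ":sub", issuer + ":aud"
        if sub_key not in keys:
            other = [k for k in keys if k.endswith(":sub")]
            if other:
                # Key spelled for a different region/provider ID: it never matches the
                # token, so the role is unusable (or gets "fixed" by dropping the condition).
                findings.append("statement %d: :sub condition key %r does not match the provider in the principal (%s)" % (i, other[0], issuer))
            else:
                findings.append("statement %d: no :sub condition, any service account in the cluster could assume the role" % i)
        else:
            subs = keys[sub_key] if isinstance(keys[sub_key], list) else [keys[sub_key]]
            for v in subs:
                if not isinstance(v, str) or "*" in v or "?" in v or not v.startswith("system:serviceaccount:"):
                    findings.append("statement %d: :sub value %r is not a single service account" % (i, v))
        if aud_key not in keys:
            findings.append("statement %d: no :aud condition (expected sts.amazonaws.com)" % i)
    return findings


if __name__ == "__main__":
    print(check_irsa_trust_policy(ARTICLE_POLICY))
    fixed = build_irsa_trust_policy(
        "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/EXAMPLEPROVIDERID0000000000000000",
        "kube-system", "aws-node")
    print(json.dumps(fixed, indent=2), check_irsa_trust_policy(fixed))
```

Run against the article's JSON as written, the checker reports the <region-code> mismatch and the missing :aud condition; against the policy built by build_irsa_trust_policy it reports nothing.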
aws iam create-role \
--role-name myAmazonEKSCNIRole \
--assume-role-policy-document file://"/Users/xxxxxxxxx/cni-role-trust-policy.json"
// Output
ROLE arn:aws:iam::0000000000:role/myAmazonEKSCNIRole 2021-10-28T14:26:32+00:00 / XXXXXXXXXXXXXXXXXXX myAmazonEKSCNIRole
ASSUMEROLEPOLICYDOCUMENT 2012-10-17
STATEMENT sts:AssumeRoleWithWebIdentity Allow
STRINGEQUALS system:serviceaccount:kube-system:aws-node
PRINCIPAL arn:aws:iam::000000000000000:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
--role-name myAmazonEKSCNIRole
aws eks update-addon \
--region us-west-2 \
--cluster-name my-cluster \
--addon-name vpc-cni \
--service-account-role-arn arn:aws:iam::111122223333:role/myAmazonEKSCNIRole
Trust policy for the node IAM role, which lets EC2 instances (the worker nodes) assume it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
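Both cluster-role-trust-policy.json (eks.amazonaws.com) and the node role trust policy above (ec2.amazonaws.com) are service-principal trust policies, and the usual mistake when copying them around is a principal that is wider than one service. The following Python is an added example, not code from the original article or from AWS: it checks such a policy before it is passed to aws iam create-role, flagging a '*' or account-wide AWS principal, a service other than the one expected, or an action broader than sts:AssumeRole. CLUSTER_ROLE_TRUST and NODE_ROLE_TRUST are the article's own two JSON documents.

```python
# Added example (not from the original article): check a service-principal trust
# policy such as cluster-role-trust-policy.json or the node role policy before
# running `aws iam create-role`.
import json

# Verbatim copies of the article's two trust policies, used as test inputs.
CLUSTER_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "eks.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
NODE_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(v):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return v if isinstance(v, list) else [v]


def check_service_trust_policy(policy, expected_service):
    """Return findings; an empty list means only `expected_service` may assume the role."""
    findings = []
    statements = policy.get("Statement", [])
    if not statements:
        return ["no Statement"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # "Principal": "*" or {"AWS": "*"} means any AWS account may assume the role.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append("statement %d: Principal '*' lets any AWS account assume the role" % i)
            continue
        if not isinstance(principal, dict):
            findings.append("statement %d: unexpected Principal %r" % (i, principal))
            continue
        for key in principal:
            if key != "Service":
                findings.append("statement %d: unexpected principal type %r (only Service expected)" % (i, key))
        for s in _as_list(principal.get("Service", [])):
            if s != expected_service:
                findings.append("statement %d: service %r is not the expected %r" % (i, s, expected_service))
        for a in _as_list(stmt.get("Action", [])):
            if a != "sts:AssumeRole":
                findings.append("statement %d: action %r is broader than sts:AssumeRole" % (i, a))
    return findings


def check_trust_policy_file(path, expected_service):
    """Load a trust policy file (as passed to --assume-role-policy-document) and check it."""
    with open(path) as fh:
        return check_service_trust_policy(json.load(fh), expected_service)


if __name__ == "__main__":
    print("cluster role:", check_service_trust_policy(CLUSTER_ROLE_TRUST, "eks.amazonaws.com"))
    print("node role:", check_service_trust_policy(NODE_ROLE_TRUST, "ec2.amazonaws.com"))
    print("node policy used for cluster role:", check_service_trust_policy(NODE_ROLE_TRUST, "eks.amazonaws.com"))
```

Pass the same file path you give to --assume-role-policy-document to check_trust_policy_file together with the service you expect, and create the role only when the list comes back empty. The checker does not require the optional aws:SourceAccount / aws:SourceArn condition that AWS documents for the EKS cluster role against confused-deputy use; adding it narrows the policy further and still passes this check.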
Source: original article by rui0930 on Qiita, https://qiita.com/rui0930/items/0d7306cdb13c34a47ce6 (copyright belongs to the original author).