Initial setup steps for AWS EKS


Introduction

Reference: https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/getting-started-console.html

Create a VPC

aws cloudformation create-stack \
  --region us-west-2 \
  --stack-name my-eks-vpc-stack \
  --template-url https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml

Create a role

Create cluster-role-trust-policy.json

/cluster-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
aws iam create-role \
  --role-name myAmazonEKSClusterRole \
  --assume-role-policy-document file://"/Users/xxxxx/cluster-role-trust-policy.json"

// Output
ROLE    arn:aws:iam::xxxxxxxxx:role/myAmazonEKSClusterRole   2021-10-28T13:31:41+00:00       /       AROAAAAAAAAAAAAAAAAFC   myAmazonEKSClusterRole
ASSUMEROLEPOLICYDOCUMENT        2012-10-17
STATEMENT       sts:AssumeRole  Allow
PRINCIPAL       eks.amazonaws.com
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \
  --role-name myAmazonEKSClusterRole

Create the cluster

Do this in the EKS console as follows.

Confirm that your PC can communicate with EKS

aws eks update-kubeconfig \
  --region ap-northeast-1 \
  --name my-cluster

// Output
Added new context arn:aws:eks:ap-northeast-1:0000000000:cluster/my-cluster to /Users/xxxxx/.kube/config

Create an IAM OpenID Connect (OIDC) provider

Reference: https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/getting-started-console.html
Follow the steps in the guide above.

Create nodes

/cni-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/XXXXXXXXXX45D83924220DC4815XXXXX"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-2.amazonaws.com/id/XXXXXXXXXX45D83924220DC4815XXXXX:sub": "system:serviceaccount:kube-system:aws-node"
        }
      }
    }
  ]
}
aws iam create-role \
  --role-name myAmazonEKSCNIRole \
  --assume-role-policy-document file://"/Users/xxxxxxxxx/cni-role-trust-policy.json"

// Output
ROLE    arn:aws:iam::0000000000:role/myAmazonEKSCNIRole       2021-10-28T14:26:32+00:00       /       XXXXXXXXXXXXXXXXXXX   myAmazonEKSCNIRole
ASSUMEROLEPOLICYDOCUMENT        2012-10-17
STATEMENT       sts:AssumeRoleWithWebIdentity   Allow
STRINGEQUALS    system:serviceaccount:kube-system:aws-node
PRINCIPAL       arn:aws:iam::000000000000000:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
  --role-name myAmazonEKSCNIRole
aws eks update-addon \
  --region us-west-2 \
  --cluster-name my-cluster \
  --addon-name vpc-cni \
  --service-account-role-arn arn:aws:iam::111122223333:role/myAmazonEKSCNIRole

Trust policy for the node IAM role (EC2 service principal; the original does not give the file name):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}