AWS EKS Starter

EKS Setup Process

EKS will setup and manage our Kubernetes clusters:

  • This will create K8s master in high availability
  • Etcd in high availability
  • IAM plugin setup
  • CA setup (for TLS)
  • Auto scaling done
  • Load Balancers done (NLB and ELB)

In short, you will get an EKS control plane and you'll just need to setup the worker nodes in the availability zones.

The from the laptop, you can use kubectl to talk to AWS.

There is also deep integration with AWS:

  • API calls can be audited in CloudTrail
  • Authetication through IAM while authorization through RBAC.
  • CloudFormation to manage clusteres
  • Customize AMI
  • Load Balancers, EBS Volumes, EFS, etc...
  • Container registies on ECR
  • Networking is handled with a per-pod IP address with attached ENI

EKS Use cases

  • Can create a cluster easily
  • Microservices in containers
  • Paas/Website
  • Migrate from on-prem to cloud
  • ML cluster (support for GPU instances)

The Course

  • Deploy EKS cluster using CF
  • Scale Kubernetes cluster
  • Setup kubectl properly
  • Learn how EKS works under the hood
  • Setup admin using Kubernetes dashboard
  • Deploy stateless app on EKS and expose it with public ELB
  • Deploy stateful app on EKS and bind it with EBS volumes
  • Deploy stateful app (like WordPress) with EFS
  • Manage Kubernetes cluster using AWS CLI and eksctl CLI

EKS Architecture

  • 3 AZs
  • Master node in each
  • Etcd in each
  • K8s worker nodes
EKS Architecture

EKS Architecture

EKS itself will manage all the load and master nodes and etcd as needed.

Basic EKS Setup

Basic setup

Basic setup

Setup for the EKS cluster

IAM User roles

IAM user and permissions

To be able to run through this course your IAM user needs to have certain privileges to e.g. create all the required resources and objects. According AWS Best Practices you should never use your root account for working with AWS services. E.g. to demonstrate the Hands-On lectures, the user eks-course has been used.

There are 2 attempts to follow:

  1. Provide admin access login with an admin of your AWS account go to "IAM" => "users" => click on your user => "Permissions" => "Add permission" => then search for AdministratorAccess and attach this policy Basically your user just requires one policy being attached
  • AdministratorAccess
  1. Provide a dedicated list of privileges/policies to cover all the required privileges, first you have to create additional policies EKS-Admin-policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["eks:*"], "Resource": "*" } ] }


{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["cloudformation:*"], "Resource": "*" } ] }

Finally, assign the following policies to your IAM user you are going to use throughout the course:

  • AmazonEC2FullAccess
  • IAMFullAccess
  • AmazonVPCFullAccess
  • CloudFormation-Admin-policy
  • EKS-Admin-policy where the last 2 policies are the ones you created above

Create IAM role

  • open https://console.aws.amazon.com/iam/ and choose Roles => create role
  • choose EKS service followed by Allows Amazon EKS to manage your clusters on your behalf
  • choose Next: Permissions
  • click Next: Review
  • enter a unique Role name, EKS-course-role and click Create Role

Create keypair

  • open EC2 dashboard https://console.aws.amazon.com/ec2
  • click KeyPairs in left navigation bar under section "Network&Security"
  • click Create Key Pair
  • provide name for keypair, eks-course and click Create
  • !! the keypair will be downloaded immediately => file eks-course.pem !!

Create API Access key/-secret

  • create key+secret via AWS console

AWS-console => IAM => Users => <your user> => tab _Security credentials_ => button _Create access key_

Create base AWS infrastructure

Create VPC, subnets and security group for your K8s cluster

AWS EKS Cluster setup

AWS EKS Cluster setup

To create a VPC there is a prepared CloudFormation template to use. It creates a VPC including 3 Subnets At the moment EKS is only available in the following 2 regions:

  • US West (Oregon), us-west-2
  • US East (N.Virginia), us-east-1

Working on the console

  • open https://console.aws.amazon.com/cloudformation/ and select one of the above mentioned regions
  • click Create Stack
  • select Upload a template to Amazon S3 , click Upload file and select eks-course-vpc.yaml
  • click Next
  • provide data in the Specify Details overview:

# eks-course-vpc.yaml --- AWSTemplateFormatVersion: '2010-09-09' Description: 'AWS EKS course' Parameters: VpcBlock: Type: String Default: Description: CIDR range for VPC Subnet01Block: Type: String Default: Description: CIDR for first subnet within VPC Subnet02Block: Type: String Default: Description: CIDR for second subnet within VPC Subnet03Block: Type: String Default: Description: CIDR for third subnet within VPC Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VpcBlock EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Sub '${AWS::StackName}-VPC' InternetGateway: Type: 'AWS::EC2::InternetGateway' VPCGatewayAttachment: Type: 'AWS::EC2::VPCGatewayAttachment' Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref VPC RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: Public Subnets - Key: Network Value: Public Route: DependsOn: VPCGatewayAttachment Type: AWS::EC2::Route Properties: RouteTableId: !Ref RouteTable DestinationCidrBlock: GatewayId: !Ref InternetGateway Subnet01: Type: AWS::EC2::Subnet Properties: AvailabilityZone: Fn::Select: - '0' - Fn::GetAZs: Ref: AWS::Region CidrBlock: Ref: Subnet01Block VpcId: Ref: VPC Tags: - Key: Name Value: !Sub '${AWS::StackName}-Subnet1' Subnet02: Type: AWS::EC2::Subnet Properties: AvailabilityZone: Fn::Select: - '1' - Fn::GetAZs: Ref: AWS::Region CidrBlock: Ref: Subnet02Block VpcId: Ref: VPC Tags: - Key: Name Value: !Sub '${AWS::StackName}-Subnet2' Subnet03: Type: AWS::EC2::Subnet Properties: AvailabilityZone: Fn::Select: - '2' - Fn::GetAZs: Ref: AWS::Region CidrBlock: Ref: Subnet03Block VpcId: Ref: VPC Tags: - Key: Name Value: !Sub '${AWS::StackName}-Subnet3' Subnet01RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref Subnet01 RouteTableId: !Ref RouteTable Subnet02RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref Subnet02 RouteTableId: !Ref RouteTable Subnet03RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref Subnet03 RouteTableId: !Ref RouteTable ControlPlaneSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Cluster communication with worker nodes VpcId: !Ref VPC Outputs: SubnetIds: Description: Your subnets Value: !Join [',', [!Ref Subnet01, !Ref Subnet02, !Ref Subnet03]] SecurityGroups: Description: SecGroup for communication betw controlplane and workernodes Value: !Join [',', [!Ref ControlPlaneSecurityGroup]] VpcId: Description: The VPC Id Value: !Ref VPC

Setting stack name

  • Stack name : set stack name EKS-course-stack
  • VPC Block : set CIDR range for your VPC, or leave the default from the CloudFormation template
  • Subnet01Block : set CIDR range for this subnet, or leave the default from the CloudFormation template
  • Subnet02Block : set CIDR range for this subnet, or leave the default from the CloudFormation template
  • Subnet03Block : set CIDR range for this subnet, or leave the default from the CloudFormation template

Continuing on

  • Click Next
  • Click Create
  • Observe the progress of the stack creation. After the stack is created, open tab Outputs and record the VPC-ID, SecurityGroup and the Subnet_IDs for all 3 subnets. You'll need those at worker launch time.

Creating the EKS control plane


aws eks create-cluster --name prod --role-arn arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-J7ONKE3BQ4PI --resources-vpc-config subnetIds=subnet-6782e71e,subnet-e7e761ac,securityGroupIds=sg-6979fe18


EKS Control Plane

EKS Control Plane

Kubernetes API server is a AWS service, hence it doesn't need dedicated EC2 instances to run.

  • Open the EKS overview page in AWS Management console, https://console.aws.amazon.com/eks/home#/clusters and click Create Cluster.

Populate the following fields:

  • Cluster name : enter a unique name, EKS-course-cluster
  • Kubernetes version : by default the latest available version is preselected
  • Role ARN : select the IAM Role you created in the first Hands-On lesson Part I: cover prerequisites
  • VPC : select the VPC-ID from the dropdown box which was created in the first Hands-On lesson Part II: create base AWS infrastructure
  • Subnets : provide the comma separated Subnet-IDs you recorded in the previous step
  • SecurityGroup : select the security group (it has name ControlPlaneSecurityGroup ) which has been created in Hands-On Part II: create base AWS infrastructure

Then for creation:

  • click Create
  • on the Clusters overview page, observe field Status until cluster creation is finished.

Click on your clustername, and record the API server endpoint and Certificate authority values to configure kubectl in the next Hands-On Part IV: install & configure kubectl.

Setting up local kubectl for EKS

Recap on the kubectl setup

  • kubectl relies on the kubectl config file
  • That relies on the EKS endpoint and User authentication
  • Use auth depends on aws-iam-authenticator executable
  • This generates an auth token based on the aws credentials file

Install kubectl & aws-iam_authenticator

  • kubectl

    • on RH based Linux: sudo dnf install kubernetes-client
      • check: kubectl version --short --client
    • on Windows, open a terminal emulator, preferrably MobaXterm:

    curl -k -# -o kubectl.exe https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/windows/amd64/kubectl.exe chmod +x kubectl.exe mkdir $HOME/bin mv kubectl.exe $HOME/bin echo 'export PATH=$HOME/bin:$PATH' >> ~/.bashrc source .bashrc

    • check: kubectl.exe version --short --client
  • aws-iam-authenticator

    • on Linux:

    curl -o aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/aws-iam-authenticator chmod +x ./aws-iam-authenticator cp ./aws-iam-authenticator /usr/local/bin/

    • Test: aws-iam-authenticator help

    • on Windows, open a terminal emulator, preferrably MobaXterm:

    curl -k -# -o aws-iam-authenticator.exe https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/windows/amd64/aws-iam-authenticator.exe chmod +x aws-iam-authenticator.exe mv aws-iam-authenticator.exe $HOME/bin

    • Test: aws-iam-authenticator.exe help
  • aws credentials (ACCESS KEY+SECRET) now we have to provide the Access key+secret from the first lesson Part I : covering prerequisites and put them into the credentials template.

    * populate aws credentials file copy the provided file named _credentials_ to * WINDOWS cygwin: ```mkdir $HOMEPATH/.aws && vi $HOMEPATH/.aws/credentials``` * Linux: ```~/.aws/credentials``` and set the properties _aws_access_key_id_ and _aws_secret_access_key_

Configure kubectl

in this step we are creating a configuration file for the binary kubectl, which is the main tool to interact with Kubernetes later on.

Use template file kube-config-eks and copy it to:

  • Linux: ~/.kube/kube-config-eks
  • Windows (cygwin): mkdir $HOMEPATH/.kube && vi $HOMEPATH/.kube/kube-config-eks

apiVersion: v1 clusters: - cluster: server: <endpoint-url> certificate-authority-data: <base64-encoded-ca-cert> name: kubernetes contexts: - context: cluster: kubernetes user: aws name: aws current-context: aws kind: Config preferences: {} users: - name: aws user: exec: apiVersion: client.authentication.k8s.io/v1alpha1 command: aws-iam-authenticator args: - 'token' - '-i' - 'EKS-course-cluster'

  • edit file kube-config-eks and replace endpoint-url, base64-encoded-ca-cert by the values you recorded in the Hands-On lesson 3 Part III: create the K8s control plane.

  • Linux : export KUBECONFIG=~/.kube/kube-config-eks Windows : export KUBECONFIG=$HOMEPATH/.kube/kube-config-eks

  • Test connectivity and access:

    #>kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP xxxxxxxxx <none> 443/TCP 4m

    command to check the config for kubectl: kubectl config view

Now you successfully talked to the K8s control plane on AWS