jamiemo/k8s-eks-cloudformation
k8s-eks-cloudformation

This project creates:

  • Two public subnets containing
    • Internet Gateway
    • NAT Gateway
  • Two private subnets containing
    • EKS nodes
  • EKS cluster

There did not seem to be a complete example of deploying all required components of EKS with CloudFormation. This example includes:

  • OIDC Provider
  • EBS CSI Add-on and associated IAM Roles for Service Accounts (IRSA) and policy
  • EFS CSI Add-on and associated IAM Roles for Service Accounts (IRSA) and policy
  • Core DNS Add-on
  • IMDSv2 is required
  • KMS Encrypted Secrets
  • Kube Proxy Add-on
  • VPC CNI Add-on and associated IAM Roles for Service Accounts (IRSA) and policy
  • VPC CNI prefix assignment mode for increased pods per node

The JSON and YAML templates describe the same deployment; both are provided so that each format has a worked example.

References

One of the trickier elements was writing the IAM role's trust policy while stripping the leading https:// from the AWS::EKS::Cluster OpenIdConnectIssuerUrl attribute.

Writing the AssumeRolePolicyDocument as a Fn::Sub was part of this solution.

The trick is to know that the AssumeRolePolicyDocument value in a template is specified as JSON. As such, we can perform a !Sub on any value we pass to it, as long as the result is a valid JSON string.

The ThumbprintList for the OIDCProvider is hardcoded, as the certificate is valid until 06/29/2034. We could fetch the complete AWS::EKS::Cluster CertificateAuthorityData, but would then need to calculate the thumbprint with OpenSSL in an external process.
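The following CloudFormation fragment is an added example, not the repository's own template, of the two resources discussed above: the OIDC provider and an IRSA role whose trust policy is written as a !Sub string with the https:// prefix stripped from OpenIdConnectIssuerUrl via Fn::Split/Fn::Select. The resource names (EksCluster, OidcProvider, EbsCsiDriverRole), the kube-system/ebs-csi-controller-sa service account and the thumbprint placeholder are assumptions for illustration.

```yaml
# Added example (not the repository's template). Assumes a cluster resource
# named EksCluster elsewhere in the same template.
Resources:
  OidcProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: !GetAtt EksCluster.OpenIdConnectIssuerUrl
      ClientIdList:
        - sts.amazonaws.com
      ThumbprintList:
        - <OIDC-ROOT-CA-THUMBPRINT>   # placeholder; the repository hardcodes the real value

  EbsCsiDriverRole:
    Type: AWS::IAM::Role
    Properties:
      # AssumeRolePolicyDocument accepts a JSON string, so the whole trust
      # policy can be produced by !Sub. "${OidcIssuer}" must be the issuer
      # host/path WITHOUT "https://", otherwise the condition keys never match.
      AssumeRolePolicyDocument: !Sub
        - |
          {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": { "Federated": "${OidcProviderArn}" },
              "Action": "sts:AssumeRoleWithWebIdentity",
              "Condition": {
                "StringEquals": {
                  "${OidcIssuer}:aud": "sts.amazonaws.com",
                  "${OidcIssuer}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
                }
              }
            }]
          }
        - OidcProviderArn: !Ref OidcProvider   # Ref on AWS::IAM::OIDCProvider returns its ARN
          # Split on "https://" yields ["", "oidc.eks.<region>.amazonaws.com/id/<id>"];
          # element 1 is the stripped issuer.
          OidcIssuer: !Select [1, !Split ["https://", !GetAtt EksCluster.OpenIdConnectIssuerUrl]]
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
```

The `:sub` condition is the least-privilege part of this pattern: it binds the role to exactly one namespace and service account, so a token minted for any other pod in the cluster cannot assume it. Omitting it (or using a wildcard) lets every service account that can obtain a projected token assume the role.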

To achieve higher pod density, the VPC CNI plugin leverages a new VPC capability that enables IP address prefixes to be associated with elastic network interfaces (ENIs) attached to EC2 instances. Customers can now supply their configuration directly through the Amazon EKS add-ons API, to install and configure their operational software during cluster creation in a single step.

NOTE: The max pods value will be set on any newly created managed node groups, or node groups updated to a newer AMI version.
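As an added example (not the repository's template) of supplying the VPC CNI configuration through the EKS add-ons API at creation time, this fragment enables prefix assignment mode on the vpc-cni add-on. The resource names EksCluster and VpcCniRole are assumptions; the env keys are the add-on's own settings.

```yaml
# Added example (not the repository's template). Assumes EksCluster and an
# IRSA role VpcCniRole are defined elsewhere in the same template.
Resources:
  VpcCniAddon:
    Type: AWS::EKS::Addon
    Properties:
      ClusterName: !Ref EksCluster
      AddonName: vpc-cni
      ServiceAccountRoleArn: !GetAtt VpcCniRole.Arn
      ResolveConflicts: OVERWRITE
      # ConfigurationValues is a JSON (or YAML) string passed to the add-on.
      # ENABLE_PREFIX_DELEGATION assigns /28 prefixes to ENIs instead of single IPs;
      # WARM_PREFIX_TARGET keeps one spare prefix allocated per node.
      ConfigurationValues: '{"env":{"ENABLE_PREFIX_DELEGATION":"true","WARM_PREFIX_TARGET":"1"}}'
```

Because the higher max-pods value is only applied to node groups created or updated after the add-on is configured, define the add-on before the managed node group (a DependsOn on the add-on is a simple way to enforce the ordering) so that the first nodes already boot with the increased limit.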

EFS Dynamic Provisioning

To create a dynamically provisioned EFS persistent volume claim:

  • Update the fs-xxxxxxx in efs-dynamic-pvc.yaml with the deployed EFS
  • Run the following commands:

    aws eks --region <region> update-kubeconfig --name <cluster name>
    kubectl apply -f efs-dynamic-pvc.yaml
    kubectl get pvc
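The manifest below is an added example of what efs-dynamic-pvc.yaml typically contains; it is not the repository's file. It pairs a StorageClass using the EFS CSI driver's access-point provisioning mode with a claim against it. The names efs-sc and efs-claim, the basePath and the 5Gi request are assumptions; fs-xxxxxxx is the placeholder the README tells you to replace.

```yaml
# Added example (not the repository's manifest).
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
parameters:
  provisioningMode: efs-ap      # dynamic provisioning creates one EFS access point per PVC
  fileSystemId: fs-xxxxxxx      # replace with the EFS file system id from the stack outputs
  directoryPerms: "700"         # permissions of the per-claim root directory
  basePath: "/dynamic"          # access points are created under this path on the file system
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs-claim
spec:
  accessModes:
    - ReadWriteMany             # EFS volumes can be mounted by many pods at once
  storageClassName: efs-sc
  resources:
    requests:
      storage: 5Gi              # required by the API but not enforced by EFS
```

After `kubectl apply`, `kubectl get pvc` should report the claim as Bound once the EFS CSI controller (running with the IRSA role created by the stack) has created the access point. A claim stuck in Pending usually means the controller's service account cannot assume its role, which is where the trust policy's stripped issuer URL and `:sub` condition are the first things to check.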

About

A complete example of deploying all required components of EKS with CloudFormation.
