cristov
committed
Sep 3, 2018
1 parent
24a80a8
commit 9cf6558
Showing
7 changed files
with
369 additions
and
13 deletions.
@@ -0,0 +1,299 @@ | ||
--- | ||
AWSTemplateFormatVersion: '2010-09-09' | ||
Description: 'Amazon EKS - Node Group - Released 2018-08-30' | ||
|
||
Parameters: | ||
|
||
KeyName: | ||
Description: The EC2 Key Pair to allow SSH access to the instances | ||
Type: AWS::EC2::KeyPair::KeyName | ||
|
||
NodeImageId: | ||
Type: AWS::EC2::Image::Id | ||
Description: AMI id for the node instances. | ||
|
||
NodeInstanceType: | ||
Description: EC2 instance type for the node instances | ||
Type: String | ||
Default: t2.medium | ||
AllowedValues: | ||
- t2.small | ||
- t2.medium | ||
- t2.large | ||
- t2.xlarge | ||
- t2.2xlarge | ||
- m3.medium | ||
- m3.large | ||
- m3.xlarge | ||
- m3.2xlarge | ||
- m4.large | ||
- m4.xlarge | ||
- m4.2xlarge | ||
- m4.4xlarge | ||
- m4.10xlarge | ||
- m5.large | ||
- m5.xlarge | ||
- m5.2xlarge | ||
- m5.4xlarge | ||
- m5.12xlarge | ||
- m5.24xlarge | ||
- c4.large | ||
- c4.xlarge | ||
- c4.2xlarge | ||
- c4.4xlarge | ||
- c4.8xlarge | ||
- c5.large | ||
- c5.xlarge | ||
- c5.2xlarge | ||
- c5.4xlarge | ||
- c5.9xlarge | ||
- c5.18xlarge | ||
- i3.large | ||
- i3.xlarge | ||
- i3.2xlarge | ||
- i3.4xlarge | ||
- i3.8xlarge | ||
- i3.16xlarge | ||
- r3.xlarge | ||
- r3.2xlarge | ||
- r3.4xlarge | ||
- r3.8xlarge | ||
- r4.large | ||
- r4.xlarge | ||
- r4.2xlarge | ||
- r4.4xlarge | ||
- r4.8xlarge | ||
- r4.16xlarge | ||
- x1.16xlarge | ||
- x1.32xlarge | ||
- p2.xlarge | ||
- p2.8xlarge | ||
- p2.16xlarge | ||
- p3.2xlarge | ||
- p3.8xlarge | ||
- p3.16xlarge | ||
ConstraintDescription: Must be a valid EC2 instance type | ||
|
||
NodeAutoScalingGroupMinSize: | ||
Type: Number | ||
Description: Minimum size of Node Group ASG. | ||
Default: 1 | ||
|
||
NodeAutoScalingGroupMaxSize: | ||
Type: Number | ||
Description: Maximum size of Node Group ASG. | ||
Default: 3 | ||
|
||
NodeVolumeSize: | ||
Type: Number | ||
Description: Node volume size | ||
Default: 20 | ||
|
||
ClusterName: | ||
Description: The cluster name provided when the cluster was created. If it is incorrect, nodes will not be able to join the cluster. | ||
Type: String | ||
|
||
BootstrapArguments: | ||
Description: Arguments to pass to the bootstrap script. See files/bootstrap.sh in https://github.com/awslabs/amazon-eks-ami | ||
Default: "" | ||
Type: String | ||
|
||
NodeGroupName: | ||
Description: Unique identifier for the Node Group. | ||
Type: String | ||
|
||
ClusterControlPlaneSecurityGroup: | ||
Description: The security group of the cluster control plane. | ||
Type: AWS::EC2::SecurityGroup::Id | ||
|
||
VpcId: | ||
Description: The VPC of the worker instances | ||
Type: AWS::EC2::VPC::Id | ||
|
||
Subnets: | ||
Description: The subnets where workers can be created. | ||
Type: List<AWS::EC2::Subnet::Id> | ||
|
||
Metadata: | ||
AWS::CloudFormation::Interface: | ||
ParameterGroups: | ||
- | ||
Label: | ||
default: "EKS Cluster" | ||
Parameters: | ||
- ClusterName | ||
- ClusterControlPlaneSecurityGroup | ||
- | ||
Label: | ||
default: "Worker Node Configuration" | ||
Parameters: | ||
- NodeGroupName | ||
- NodeAutoScalingGroupMinSize | ||
- NodeAutoScalingGroupMaxSize | ||
- NodeInstanceType | ||
- NodeImageId | ||
- NodeVolumeSize | ||
- KeyName | ||
- BootstrapArguments | ||
- | ||
Label: | ||
default: "Worker Network Configuration" | ||
Parameters: | ||
- VpcId | ||
- Subnets | ||
|
||
Resources: | ||
|
||
NodeInstanceProfile: | ||
Type: AWS::IAM::InstanceProfile | ||
Properties: | ||
Path: "/" | ||
Roles: | ||
- !Ref NodeInstanceRole | ||
|
||
NodeInstanceRole: | ||
Type: AWS::IAM::Role | ||
Properties: | ||
AssumeRolePolicyDocument: | ||
Version: '2012-10-17' | ||
Statement: | ||
- Effect: Allow | ||
Principal: | ||
Service: | ||
- ec2.amazonaws.com | ||
Action: | ||
- sts:AssumeRole | ||
Path: "/" | ||
ManagedPolicyArns: | ||
- arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy | ||
- arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy | ||
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly | ||
|
||
NodeSecurityGroup: | ||
Type: AWS::EC2::SecurityGroup | ||
Properties: | ||
GroupDescription: Security group for all nodes in the cluster | ||
VpcId: | ||
!Ref VpcId | ||
Tags: | ||
- Key: !Sub "kubernetes.io/cluster/${ClusterName}" | ||
Value: 'owned' | ||
|
||
NodeSecurityGroupIngress: | ||
Type: AWS::EC2::SecurityGroupIngress | ||
DependsOn: NodeSecurityGroup | ||
Properties: | ||
Description: Allow node to communicate with each other | ||
GroupId: !Ref NodeSecurityGroup | ||
SourceSecurityGroupId: !Ref NodeSecurityGroup | ||
IpProtocol: '-1' | ||
FromPort: 0 | ||
ToPort: 65535 | ||
|
||
NodeSecurityGroupFromControlPlaneIngress: | ||
Type: AWS::EC2::SecurityGroupIngress | ||
DependsOn: NodeSecurityGroup | ||
Properties: | ||
Description: Allow worker Kubelets and pods to receive communication from the cluster control plane | ||
GroupId: !Ref NodeSecurityGroup | ||
SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup | ||
IpProtocol: tcp | ||
FromPort: 1025 | ||
ToPort: 65535 | ||
|
||
ControlPlaneEgressToNodeSecurityGroup: | ||
Type: AWS::EC2::SecurityGroupEgress | ||
DependsOn: NodeSecurityGroup | ||
Properties: | ||
Description: Allow the cluster control plane to communicate with worker Kubelet and pods | ||
GroupId: !Ref ClusterControlPlaneSecurityGroup | ||
DestinationSecurityGroupId: !Ref NodeSecurityGroup | ||
IpProtocol: tcp | ||
FromPort: 1025 | ||
ToPort: 65535 | ||
|
||
NodeSecurityGroupFromControlPlaneOn443Ingress: | ||
Type: AWS::EC2::SecurityGroupIngress | ||
DependsOn: NodeSecurityGroup | ||
Properties: | ||
Description: Allow pods running extension API servers on port 443 to receive communication from cluster control plane | ||
GroupId: !Ref NodeSecurityGroup | ||
SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup | ||
IpProtocol: tcp | ||
FromPort: 443 | ||
ToPort: 443 | ||
|
||
ControlPlaneEgressToNodeSecurityGroupOn443: | ||
Type: AWS::EC2::SecurityGroupEgress | ||
DependsOn: NodeSecurityGroup | ||
Properties: | ||
Description: Allow the cluster control plane to communicate with pods running extension API servers on port 443 | ||
GroupId: !Ref ClusterControlPlaneSecurityGroup | ||
DestinationSecurityGroupId: !Ref NodeSecurityGroup | ||
IpProtocol: tcp | ||
FromPort: 443 | ||
ToPort: 443 | ||
|
||
ClusterControlPlaneSecurityGroupIngress: | ||
Type: AWS::EC2::SecurityGroupIngress | ||
DependsOn: NodeSecurityGroup | ||
Properties: | ||
Description: Allow pods to communicate with the cluster API Server | ||
GroupId: !Ref ClusterControlPlaneSecurityGroup | ||
SourceSecurityGroupId: !Ref NodeSecurityGroup | ||
IpProtocol: tcp | ||
ToPort: 443 | ||
FromPort: 443 | ||
|
||
NodeGroup: | ||
Type: AWS::AutoScaling::AutoScalingGroup | ||
Properties: | ||
DesiredCapacity: !Ref NodeAutoScalingGroupMaxSize | ||
LaunchConfigurationName: !Ref NodeLaunchConfig | ||
MinSize: !Ref NodeAutoScalingGroupMinSize | ||
MaxSize: !Ref NodeAutoScalingGroupMaxSize | ||
VPCZoneIdentifier: | ||
!Ref Subnets | ||
Tags: | ||
- Key: Name | ||
Value: !Sub "${ClusterName}-${NodeGroupName}-Node" | ||
PropagateAtLaunch: 'true' | ||
- Key: !Sub 'kubernetes.io/cluster/${ClusterName}' | ||
Value: 'owned' | ||
PropagateAtLaunch: 'true' | ||
UpdatePolicy: | ||
AutoScalingRollingUpdate: | ||
MinInstancesInService: '1' | ||
MaxBatchSize: '1' | ||
|
||
NodeLaunchConfig: | ||
Type: AWS::AutoScaling::LaunchConfiguration | ||
Properties: | ||
AssociatePublicIpAddress: 'true' | ||
IamInstanceProfile: !Ref NodeInstanceProfile | ||
ImageId: !Ref NodeImageId | ||
InstanceType: !Ref NodeInstanceType | ||
KeyName: !Ref KeyName | ||
SecurityGroups: | ||
- !Ref NodeSecurityGroup | ||
BlockDeviceMappings: | ||
- DeviceName: /dev/xvda | ||
Ebs: | ||
VolumeSize: !Ref NodeVolumeSize | ||
VolumeType: gp2 | ||
DeleteOnTermination: true | ||
UserData: | ||
Fn::Base64: | ||
!Sub | | ||
#!/bin/bash | ||
set -o xtrace | ||
/etc/eks/bootstrap.sh ${ClusterName} ${BootstrapArguments} | ||
/opt/aws/bin/cfn-signal --exit-code $? \ | ||
--stack ${AWS::StackName} \ | ||
--resource NodeGroup \ | ||
--region ${AWS::Region} | ||
|
||
Outputs: | ||
NodeInstanceRole: | ||
Description: The node instance role | ||
Value: !GetAtt NodeInstanceRole.Arn |
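Review bot: The KeyName parameter's description (`The EC2 Key Pair to allow SSH access to the instances`) promises SSH access, but no ingress rule for port 22 exists on NodeSecurityGroup, while NodeLaunchConfig hard-codes `AssociatePublicIpAddress: 'true'`, so every worker is given a public address that none of the traffic this template permits actually requires. Keeping the security group closed is the right default; make the description say so, e.g. `Description: The EC2 Key Pair for the node instances. SSH is not opened by this template; add an ingress rule from a bastion or admin range if it is needed.`, and consider making the public-IP choice a parameter (keep 'true' as its default so current behavior is unchanged) so workers placed in private subnets are not assigned public addresses. Separately, `DesiredCapacity: !Ref NodeAutoScalingGroupMaxSize` launches the maximum number of nodes at stack creation rather than the minimum; if that is deliberate for the lab, a one-line comment on the NodeGroup resource would save the next reader the question.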
@@ -0,0 +1,46 @@ | ||
#!/bin/bash | ||
# Configure AWS CLI | ||
#availability_zone=$(curl http://169.254.169.254/latest/meta-data/placement/availability-zone) | ||
#export AWS_DEFAULT_REGION=${availability_zone%?} | ||
|
||
# Lab-specific configuration | ||
export AWS_AVAILABILITY_ZONES="$(aws ec2 describe-availability-zones --query 'AvailabilityZones[].ZoneName' --output text | awk -v OFS="," '$1=$1')" | ||
export AWS_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) | ||
aws ec2 describe-instances --instance-ids $AWS_INSTANCE_ID > /tmp/instance.json | ||
export AWS_STACK_NAME=$(jq -r '.Reservations[0].Instances[0]|(.Tags[]|select(.Key=="aws:cloudformation:stack-name")|.Value)' /tmp/instance.json) | ||
export AWS_ENVIRONMENT=$(jq -r '.Reservations[0].Instances[0]|(.Tags[]|select(.Key=="aws:cloud9:environment")|.Value)' /tmp/instance.json) | ||
export AWS_MASTER_STACK=${AWS_STACK_NAME%$AWS_ENVIRONMENT} | ||
export AWS_MASTER_STACK=${AWS_MASTER_STACK%?} | ||
export AWS_MASTER_STACK=${AWS_MASTER_STACK#aws-cloud9-} | ||
export KOPS_STATE_STORE=s3://$(aws cloudformation describe-stack-resource --stack-name $AWS_MASTER_STACK --logical-resource-id "KopsStateStore" | jq -r '.StackResourceDetail.PhysicalResourceId') | ||
|
||
# EKS-specific variables from CloudFormation | ||
export EKS_VPC_ID=$(aws cloudformation describe-stacks --stack-name $AWS_MASTER_STACK | jq -r '.Stacks[0].Outputs[]|select(.OutputKey=="EksVpcId")|.OutputValue') | ||
export EKS_SUBNET_IDS=$(aws cloudformation describe-stacks --stack-name $AWS_MASTER_STACK | jq -r '.Stacks[0].Outputs[]|select(.OutputKey=="EksVpcSubnetIds")|.OutputValue') | ||
export EKS_SECURITY_GROUPS=$(aws cloudformation describe-stacks --stack-name $AWS_MASTER_STACK | jq -r '.Stacks[0].Outputs[]|select(.OutputKey=="EksVpcSecurityGroups")|.OutputValue') | ||
export EKS_SERVICE_ROLE=$(aws cloudformation describe-stacks --stack-name $AWS_MASTER_STACK | jq -r '.Stacks[0].Outputs[]|select(.OutputKey=="EksServiceRoleArn")|.OutputValue') | ||
|
||
# Persist lab variables | ||
echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION" >> ~/.bashrc | ||
echo "AWS_AVAILABILITY_ZONES=$AWS_AVAILABILITY_ZONES" >> ~/.bashrc | ||
echo "AWS_STACK_NAME=$AWS_STACK_NAME" >> ~/.bashrc | ||
echo "AWS_MASTER_STACK=$AWS_MASTER_STACK" >> ~/.bashrc | ||
echo "KOPS_STATE_STORE=$KOPS_STATE_STORE" >> ~/.bashrc | ||
|
||
# Persist EKS variables | ||
echo "EKS_VPC_ID=$EKS_VPC_ID" >> ~/.bashrc | ||
echo "EKS_SUBNET_IDS=$EKS_SUBNET_IDS" >> ~/.bashrc | ||
echo "EKS_SECURITY_GROUPS=$EKS_SECURITY_GROUPS" >> ~/.bashrc | ||
echo "EKS_SERVICE_ROLE=$EKS_SERVICE_ROLE" >> ~/.bashrc | ||
|
||
# EKS-Optimized AMI | ||
if [ "$AWS_DEFAULT_REGION" == "us-east-1" ]; then | ||
export EKS_WORKER_AMI=ami-08cab282f9979fc7a | ||
elif [ "$AWS_DEFAULT_REGION" == "us-west-2" ]; then | ||
export EKS_WORKER_AMI=ami-0b2ae3c6bda8b5c06 | ||
fi | ||
echo "EKS_WORKER_AMI=$EKS_WORKER_AMI" >> ~/.bashrc | ||
|
||
# Create EC2 Keypair | ||
aws ec2 create-key-pair --key-name ${AWS_STACK_NAME} --query 'KeyMaterial' --output text > $HOME/.ssh/k8s-workshop.pem | ||
chmod 0400 $HOME/.ssh/k8s-workshop.pem |
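Review bot: The private key material is written to `$HOME/.ssh/k8s-workshop.pem` on the second-to-last line with whatever umask the process has and only tightened by `chmod 0400` afterwards, so its initial mode depends on the environment's umask and on `~/.ssh` already existing with 0700 permissions, neither of which the script checks, and if `create-key-pair` fails (for example because the key name already exists on a re-run) an empty file is still created and locked down. Create the file with restrictive permissions from the start and abort on failure: `(umask 077; aws ec2 create-key-pair --key-name "${AWS_STACK_NAME}" --query 'KeyMaterial' --output text > "$HOME/.ssh/k8s-workshop.pem") || exit 1`. The `echo "VAR=$VAR" >> ~/.bashrc` lines persist plain shell variables rather than exported ones, so programs started from a later login (the `aws` CLI included) will not see `AWS_DEFAULT_REGION` or the EKS values; `printf 'export %s=%q\n' AWS_STACK_NAME "$AWS_STACK_NAME" >> ~/.bashrc` exports them and shell-quotes values that originate from stack tags and outputs before they are re-evaluated at login. `AWS_DEFAULT_REGION` is persisted and used to select `EKS_WORKER_AMI` even though the lines that derive it are commented out, so unless it is already set in the environment both values are written empty; the `/tmp/instance.json` scratch file would also be safer as a `mktemp` path, and `$AWS_INSTANCE_ID` and `$AWS_MASTER_STACK` should be quoted.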