AWS + Kubernetes = AWS Elastic Kubernetes Service (EKS)

Last updated: Sept. 8



Amazon Web Services (AWS) offers a service to deploy a fully managed Kubernetes cluster, called Amazon Elastic Kubernetes Service (EKS). Amazon EKS gives you the flexibility to start, run, and scale Kubernetes applications in the AWS cloud or on-premises. It helps you provide highly available and secure clusters and automates key tasks such as patching, node provisioning, and updates. Amazon EKS is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes. AWS provides a complete and autonomous Control Plane that we cannot access, as its nodes run behind the scenes; that is the principle of a managed cluster.


In this tutorial, we will demonstrate how to provision a functional EKS managed cluster on the Amazon cloud. To be as efficient as possible and respect DevOps best practices, we will use Infrastructure as Code (IaC) with AWS CloudFormation.


AWS CloudFormation is a very efficient tool to provision numerous resources with a declarative language, stored in a manifest file in YAML or JSON format.



1 - Prerequisites


AWS Account


For this tutorial, we will need an AWS account (if you don't have an AWS account you can create one here) with both administrator and programmatic access to use the AWS CLI (you can follow this tutorial to create programmatic access and get credentials).


Tools installation


  • AWS Command Line Interface (CLI)

This tutorial is done on Linux, and you will need to install the AWS CLI version 2 package to interact with the AWS API. To install this package on Linux you can follow this tutorial. To perform operations and interact with AWS, you need to configure basic settings for the AWS CLI such as security credentials, the AWS Region and the default output format. You can quickly set up the AWS CLI with the official documentation.


  • GIT Source Code Management (SCM)

You will need the git SCM client to retrieve the source code from GitHub. For git installation you can check this tutorial, which covers several installation types.


  • Kubectl

To interact with the EKS Cluster, you need to install the Kubernetes command-line tool, kubectl. To install this utility you can refer to the official Kubernetes documentation. For this article you will need kubectl version 1.18.



2 - Project


This tutorial demonstrates how to create a managed Kubernetes cluster (EKS) with AWS CloudFormation. This will be done in 3 main steps in the CloudFormation manifest:


Networking Setup

In this section, to follow AWS recommendations and best practices for a production cluster, we will set up the network environment by creating resources such as a Virtual Private Cloud (VPC), an Internet Gateway (IGW), a Route Table, Routes, Subnets and Security Groups (SG).


AWS EKS Cluster


Then, in this section, we will create the IAM Cluster (Control Plane) Role, provision the EKS Control Plane, create the IAM Node Group Role and provision the Node Group (Node Group is the name AWS gives to a group of worker nodes).


Cluster Testing


Finally, we will deploy a simple web application in the EKS Cluster to verify that it is working as expected.




EKS Architecture for Control Plane and Worker Node communication



EKS Project Architecture



3 - Infrastructure Deployment


A CloudFormation template is composed of 3 main sections:

  • Parameters: This optional section lets you customize your template (e.g. the name of the VPC, the CIDR block range of the VPC, the name of the EKS Cluster) and input custom values each time you create or update the stack,

  • Resources: This required section is the core of the CloudFormation stack: there, we declare all the AWS resources that we want to include in the stack (e.g. Virtual Private Cloud, Internet Gateway, Subnet, EKS Cluster),

  • Outputs: This optional section declares output values that you can reuse in other stacks, return in a response, or view in the AWS CloudFormation console (e.g. the ID of the VPC, the names of resources).

Throughout this section, we will describe and explain each resource declared in the Resources section of the CloudFormation manifest in order to create the EKS Cluster.


3.1. Networking Setup


VPC Creation


To deploy the EKS Cluster, AWS recommends creating your own dedicated and isolated Virtual Private Cloud (VPC). Create a VPC called eks-VPC with the following declaration:

Resources:
  eksVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: eks-VPC
        - Key: Project
          Value: aws-eks

  • Type defines the desired resource, in our case AWS::EC2::VPC to create a VPC resource.

  • Properties defines the various characteristics of the declared resource. Each resource has its own set of properties. For the VPC resource you can define the CIDR block, the allocation of public DNS hostnames for EC2 resources, or tags.


Internet Gateway


In AWS, an Internet Gateway (IGW) is a resource that allows communication between your VPC and the internet. It will provide internet access for the worker nodes. For more information, you can read the official documentation.


Create an Internet Gateway eks-InternetGateway with the following declaration:

...
  eksInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: eks-InternetGateway
        - Key: Project
          Value: aws-eks

To associate the eks-InternetGateway created above with the eks-VPC, we need to attach the two resources. Let's attach the Internet Gateway to the VPC with the following declaration:

...
  eksVPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref eksInternetGateway
      VpcId: !Ref eksVPC

The AWS intrinsic function !Ref returns the value of the specified parameter or resource. Here, we use it to retrieve dynamically the IDs of the eks-InternetGateway and eks-VPC created above. Note that !Ref takes the logical ID of the resource (the key declared under Resources), so the name referenced must match that key exactly.
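A mismatch between a logical ID and the name used in a !Ref is only reported once the stack is submitted. The following added example (not part of the original tutorial) walks a template given in JSON form, where YAML's `!Ref x` is written `{"Ref": "x"}`, and lists every !Ref target that is neither a declared resource, a Parameter, nor a CloudFormation pseudo parameter; the sample template is constructed for the example and deliberately declares the gateway under one logical ID while referencing another.

```python
# Added example, not from the original tutorial: find !Ref targets that do not
# exist in a CloudFormation template, given in JSON form ({"Ref": "x"} == `!Ref x`).
from typing import Any, Dict, Iterator, List

# Pseudo parameters CloudFormation resolves itself, so they are always valid targets.
PSEUDO_PARAMETERS = {
    "AWS::AccountId", "AWS::NotificationARNs", "AWS::NoValue", "AWS::Partition",
    "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix",
}

def iter_refs(node: Any) -> Iterator[str]:
    """Yield every {"Ref": name} target found anywhere in the template tree."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        else:
            for child in node.values():
                yield from iter_refs(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_refs(child)

def dangling_refs(template: Dict[str, Any]) -> List[str]:
    """Return, sorted, the !Ref targets that are neither a logical resource ID,
    a Parameter name nor a pseudo parameter; CloudFormation rejects such templates."""
    declared = set(template.get("Resources", {})) | set(template.get("Parameters", {}))
    declared |= PSEUDO_PARAMETERS
    return sorted({ref for ref in iter_refs(template) if ref not in declared})

# Constructed sample: the VPC, Internet Gateway and attachment of this tutorial,
# with the gateway declared under one logical ID and referenced under another.
SAMPLE_TEMPLATE = {"Resources": {
    "eksVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
    "eksVPCGatewayAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
        "InternetGatewayId": {"Ref": "eksInternetGateway"}, "VpcId": {"Ref": "eksVPC"}}},
}}

if __name__ == "__main__":
    for missing in dangling_refs(SAMPLE_TEMPLATE):
        print(f"dangling !Ref target: {missing}")   # eksInternetGateway
```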


Route Table


A public route table is necessary to declare all routes that will be used by the VPC. When the eks-VPC is created, a main Route Table is created with it, but AWS does not recommend using the main Route Table of the VPC: the main route table can have explicit and implicit subnet associations, whereas custom route tables have only explicit associations, which ensures that you explicitly control how each subnet routes traffic. So we will create a custom eks-RouteTable for the eks-VPC with the following declaration:

...
  eksPublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref eksVPC
      Tags:
        - Key: Name
          Value: eks-RouteTable
        - Key: Project
          Value: aws-eks

Then we need to declare the public route in the eks-RouteTable to enable internet access from the eks-VPC. Create the public route with the following declaration:

...
  eksPublicRoute:
    DependsOn: eksVPCGatewayAttachment
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref eksPublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref eksInternetGateway

This route is added to the eks-RouteTable (RouteTableId) and sends all traffic to the internet (DestinationCidrBlock 0.0.0.0/0) through the eks-InternetGateway (GatewayId).


The eksPublicRoute resource requires that the Internet Gateway be attached to the VPC before the route is created. The DependsOn directive ensures that eksVPCGatewayAttachment has been successfully created before this resource is created.



Subnets creation


AWS provides Availability Zones (AZ) to increase high availability, fault tolerance and reliability. To deploy an EKS Cluster it is mandatory to create at least two subnets in two different AZs. The worker nodes will be deployed across both AZs.


To meet requirements, to be closer to your European customers or to comply with legal requirements, we will work in the AWS Region Europe (Paris). This region has the code name eu-west-3 and is made up of 3 Availability Zones:

  • eu-west-3a

  • eu-west-3b

  • eu-west-3c

In this tutorial, we will use eu-west-3a and eu-west-3b Availability Zones.


The first subnet, eks-PublicSubnet01, will be created in the Availability Zone eu-west-3a. Let's create eks-PublicSubnet01 with the following declaration:

...
  eksPublicSubnet01:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-3a
      MapPublicIpOnLaunch: true
      CidrBlock: 10.0.0.0/24
      VpcId: !Ref eksVPC
      Tags:
        - Key: Name
          Value: eks-PublicSubnet01
        - Key: Project
          Value: aws-eks

The eks-PublicSubnet01 subnet is created in the eu-west-3a Availability Zone with automatic public IP address allocation (MapPublicIpOnLaunch). Its CIDR block is 10.0.0.0/24 and it is attached to the eks-VPC.


The second subnet, eks-PublicSubnet02, will be created in the Availability Zone eu-west-3b. Let's create eks-PublicSubnet02 with the following declaration:

...
  eksPublicSubnet02:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-3b
      MapPublicIpOnLaunch: true
      CidrBlock: 10.0.1.0/24
      VpcId: !Ref eksVPC
      Tags:
        - Key: Name
          Value: eks-PublicSubnet02
        - Key: Project
          Value: aws-eks

The eks-PublicSubnet02 subnet is created in the eu-west-3b Availability Zone with automatic public IP address allocation (MapPublicIpOnLaunch). Its CIDR block is 10.0.1.0/24 and it is attached to the eks-VPC.


To allow internet access for the worker nodes in each subnet, each public subnet must be associated with the eks-RouteTable. Associate the eksPublicSubnet01 and eksPublicSubnet02 subnets with the eks-RouteTable with the following declaration:

...
  eksPublicSubnet01RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref eksPublicSubnet01
      RouteTableId: !Ref eksPublicRouteTable

  eksPublicSubnet02RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref eksPublicSubnet02
      RouteTableId: !Ref eksPublicRouteTable
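
The subnet layout above has a few properties worth checking before the stack is created: each CidrBlock must be a literal CIDR (not wrapped in a Ref), must sit inside the VPC's 10.0.0.0/16, must not overlap another subnet, and the subnets must span at least two Availability Zones. The following added example (not part of the original tutorial) performs those checks on a template given in JSON form with the standard-library ipaddress module; it assumes the VPC's CidrBlock is a literal, as it is here, and the sample template is constructed for the example.

```python
# Added example, not from the original tutorial: validate the subnet layout of an
# EKS CloudFormation template given in JSON form (YAML `!Ref x` == {"Ref": "x"}).
import ipaddress
from typing import Any, Dict, List

def check_subnets(template: Dict[str, Any], min_azs: int = 2) -> List[str]:
    """Return findings about the AWS::EC2::Subnet resources (empty list = OK).
    Checks: CidrBlock is a literal CIDR string (a Ref wrapping a CIDR is rejected
    by CloudFormation), the subnet lies inside the VPC its VpcId points at, no two
    subnets overlap, and they span at least min_azs AZs (EKS requires two)."""
    resources = template.get("Resources", {})
    vpcs = {name: ipaddress.ip_network(res["Properties"]["CidrBlock"])
            for name, res in resources.items() if res.get("Type") == "AWS::EC2::VPC"}
    findings: List[str] = []
    checked: List[tuple] = []   # (logical ID, network) of subnets already seen
    azs = set()
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Subnet":
            continue
        props = res.get("Properties", {})
        cidr = props.get("CidrBlock")
        try:
            net = ipaddress.ip_network(cidr)   # fails unless cidr is a valid CIDR string
        except (TypeError, ValueError):
            findings.append(f"{name}: CidrBlock must be a valid literal CIDR, got {cidr!r}")
            continue
        vpc_ref = props.get("VpcId")
        vpc_name = vpc_ref.get("Ref") if isinstance(vpc_ref, dict) else None
        if vpc_name not in vpcs:
            findings.append(f"{name}: VpcId does not reference a VPC in this template")
        elif net.version != vpcs[vpc_name].version or not net.subnet_of(vpcs[vpc_name]):
            findings.append(f"{name}: {net} lies outside VPC {vpc_name} ({vpcs[vpc_name]})")
        for other_name, other in checked:
            if net.version == other.version and net.overlaps(other):
                findings.append(f"{name}: {net} overlaps {other_name} ({other})")
        checked.append((name, net))
        azs.add(props.get("AvailabilityZone"))
    if len(azs) < min_azs:
        findings.append(f"subnets span {len(azs)} AZ(s); EKS needs at least {min_azs}")
    return findings

# Constructed sample mirroring this tutorial: one VPC and two public subnets in two
# Availability Zones of eu-west-3, with the CIDR blocks written as literals.
SAMPLE = {"Resources": {
    "eksVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "eksPublicSubnet01": {"Type": "AWS::EC2::Subnet", "Properties": {
        "AvailabilityZone": "eu-west-3a", "CidrBlock": "10.0.0.0/24", "VpcId": {"Ref": "eksVPC"}}},
    "eksPublicSubnet02": {"Type": "AWS::EC2::Subnet", "Properties": {
        "AvailabilityZone": "eu-west-3b", "CidrBlock": "10.0.1.0/24", "VpcId": {"Ref": "eksVPC"}}},
}}
```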


Security Groups


A Security Group (SG) is a set of fine-grained rules to allow, restrict or deny communication towards a resource. A cluster security group is designed to let all traffic between the control plane and the managed node groups flow freely. Finally, create a Security Group to allow communication between the EKS Control Plane and the worker nodes with the following declaration:

...
  eksSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cluster communication with worker nodes
      VpcId: !Ref eksVPC
      Tags:
        - Key: Name
          Value: eks-SecurityGroup
        - Key: Project
          Value: aws-eks

The network implementation is done. This section is important because it lets you create your own isolated and secure network for the EKS Cluster. It also shows how to establish communication between the VPC and its subnets.


You can view the network architecture with the declaration of all network resources: