Connecting to EKS with the AWS CLI


Download the CLI (AWS also publishes a PGP signature for the archive, awscliv2.zip.sig, so the download can be verified before installing):

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

Unzip:

unzip awscliv2.zip

Install:

./aws/install

Configure the access key ID and secret access key:

]# aws configure

Configuration files written by aws configure (the credentials file holds long-lived keys in plain text, so keep it readable only by its owner and give the IAM user only the permissions this task needs):

]# cd .aws/
]# cat config
[default]
region = us-west-1
]# cat credentials 
[default]
aws_access_key_id = xxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxx

Update the kubeconfig (the generated user entry runs aws eks get-token, so kubectl authenticates as the same IAM identity the CLI uses; add --region if the cluster is not in the configured default region):

aws eks update-kubeconfig --name <cluster-name>

List resources to confirm access works:

]# kubectl get pods -A
NAMESPACE     NAME                      READY   STATUS    RESTARTS   AGE
kube-system   aws-node-j8gpf            1/1     Running   0          7h23m
kube-system   aws-node-pm9dd            1/1     Running   0          7h23m
kube-system   coredns-db9fb9979-7jmhl   1/1     Running   0          7h21m
kube-system   coredns-db9fb9979-xq6zn   1/1     Running   0          7h21m
kube-system   kube-proxy-2rnhl          1/1     Running   0          7h23m
kube-system   kube-proxy-xzpbm          1/1     Running   0          7h23m



Installing the AWS-native ingress controller (AWS Load Balancer Controller) on EKS


Install eksctl (the weaveworks/eksctl path now redirects to eksctl-io/eksctl; each release also publishes eksctl_checksums.txt, so verify the tarball against it before extracting):

curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
eksctl version

Set up the IAM OIDC provider (IRSA needs it; the second command checks whether a provider already exists for the cluster's issuer before the third one creates it):

oidc_id=$(aws eks describe-cluster --name mexico --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4
eksctl utils associate-iam-oidc-provider --cluster mexico --approve
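The three commands above are really one decision: read the issuer, check whether a provider for it exists, associate only if it does not. The script below is an added example (not code from the original post) that wraps them into an idempotent step; the cluster name is a parameter, and the only change in logic is that the existence check is anchored on "/id/<oidc_id>" at end of line, so an id that happens to be a prefix of another provider's id cannot produce a false "exists" the way a bare grep on $oidc_id could.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: idempotently associate the IAM
# OIDC provider that IRSA needs. Nothing here is specific to the "mexico" cluster.
set -eu

# Extract the provider id from an issuer URL, i.e. the last path element of
# https://oidc.eks.<region>.amazonaws.com/id/<oidc_id>  (the "cut -d '/' -f 5" above).
oidc_id_from_issuer() {
  local issuer="$1"
  issuer="${issuer%/}"            # tolerate a trailing slash
  printf '%s\n' "${issuer##*/}"
}

# Return 0 if the account already has an IAM OIDC provider for this id.
# The pattern is anchored on "/id/<oidc_id>" at end of line, so an id that is
# merely a prefix of another provider's id cannot match by accident.
oidc_provider_exists() {
  local oidc_id="$1"
  aws iam list-open-id-connect-providers --output text | grep -q "/id/${oidc_id}\$"
}

# Associate the provider only when it is missing; prints "exists:<id>" or "created:<id>".
ensure_oidc_provider() {
  local cluster="$1" issuer oidc_id
  issuer=$(aws eks describe-cluster --name "$cluster" \
             --query "cluster.identity.oidc.issuer" --output text)
  oidc_id=$(oidc_id_from_issuer "$issuer")
  if oidc_provider_exists "$oidc_id"; then
    echo "exists:${oidc_id}"
  else
    eksctl utils associate-iam-oidc-provider --cluster "$cluster" --approve >/dev/null
    echo "created:${oidc_id}"
  fi
}

# Usage: ./ensure-oidc.sh mexico
if [ -n "${1:-}" ]; then ensure_oidc_provider "$1"; fi
```

Running it twice is safe: the second run reports exists:<id> and does not touch IAM.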

IAM policy (iam_policy.json is the policy document shipped in the controller's docs/install directory for the version being installed; download it first):

]# aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://iam_policy.json
{
    "Policy": {
        "PolicyName": "AWSLoadBalancerControllerIAMPolicy",
        "PolicyId": "ANPAQWDHG3XXXXXXXXXXXXXX",
        "Arn": "arn:aws:iam::011111111111:policy/AWSLoadBalancerControllerIAMPolicy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2023-03-13T07:22:07+00:00",
        "UpdateDate": "2023-03-13T07:22:07+00:00"
    }
}

Create the service account with its IAM role (IRSA):

]# eksctl create iamserviceaccount \
> --cluster=mexico \
> --namespace=kube-system \
> --name=aws-load-balancer-controller \
> --role-name AmazonEKSLoadBalancerControllerRole \
> --attach-policy-arn=arn:aws:iam::011111111111:policy/AWSLoadBalancerControllerIAMPolicy \
> --approve
2023-03-13 15:28:47 [ℹ]  1 iamserviceaccount (kube-system/aws-load-balancer-controller) was included (based on the include/exclude rules)
2023-03-13 15:28:47 [!]  serviceaccounts that exist in Kubernetes will be excluded, use --override-existing-serviceaccounts to override
2023-03-13 15:28:47 [ℹ]  1 task: { 
    2 sequential sub-tasks: { 
        create IAM role for serviceaccount "kube-system/aws-load-balancer-controller",
        create serviceaccount "kube-system/aws-load-balancer-controller",
    } }
2023-03-13 15:28:47 [ℹ]  building iamserviceaccount stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:28:47 [ℹ]  deploying stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:28:48 [ℹ]  waiting for CloudFormation stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:29:19 [ℹ]  waiting for CloudFormation stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:29:20 [ℹ]  created serviceaccount "kube-system/aws-load-balancer-controller"

Add the Helm chart repository:

helm repo add eks https://aws.github.io/eks-charts
helm repo update

Install the controller (it reuses the service account created above, so the chart must not create its own):

]# helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
>   -n kube-system \
>   --set clusterName=mexico \
>   --set serviceAccount.create=false \
>   --set serviceAccount.name=aws-load-balancer-controller
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
NAME: aws-load-balancer-controller
LAST DEPLOYED: Mon Mar 13 15:41:36 2023
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
AWS Load Balancer controller installed!
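Helm's two WARNING lines above are worth acting on: /root/.kube/config carries the token-issuing exec entry for the cluster, and ~/.aws/credentials (from the aws configure step earlier) carries the long-lived keys behind it; both should be readable by their owner only. The script below is an added example, not part of the original post or of Helm, that audits those files and tightens them to 0600 when FIX=1. The file list at the bottom is an assumption for this setup; pass whatever paths apply.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): audit the files that hold
# long-lived secrets in this workflow and tighten them to owner-only, which is
# what the Helm warning is asking for.
set -eu

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if group and other have no bits at all (0600, 0700, ...).
is_owner_only() {
  local mode
  mode=$(file_mode "$1")
  mode=${mode#${mode%???}}       # keep the last three digits (drop setuid/sticky prefix)
  [ "${mode#?}" = "00" ]
}

# Audit a list of secret files; fix them when FIX=1. Returns the number of
# files that are still too open, so callers can branch on the result.
audit_secret_files() {
  local bad=0 f
  for f in "$@"; do
    [ -e "$f" ] || continue
    if is_owner_only "$f"; then
      echo "ok    $(file_mode "$f") $f"
    elif [ "${FIX:-0}" = 1 ]; then
      chmod 600 "$f"
      echo "fixed 600 $f"
    else
      echo "OPEN  $(file_mode "$f") $f"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Usage: ./audit.sh to report, FIX=1 ./audit.sh to repair.
# The paths below are an assumption for this setup (root user, default locations).
if [ "${AUDIT_RUN:-0}" = 1 ]; then
  audit_secret_files "$HOME/.aws/credentials" "$HOME/.aws/config" "$HOME/.kube/config"
fi
```

The exit status is the count of files still open, so `audit_secret_files ... || echo "secrets exposed"` works as a one-line check in a provisioning script.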

]# kubectl get ingressclass
NAME    CONTROLLER             PARAMETERS   AGE
alb     ingress.k8s.aws/alb    <none>       49s

Check the controller pods:

]# kubectl get pods -n kube-system -l app.kubernetes.io/instance=aws-load-balancer-controller
NAME                                            READY   STATUS    RESTARTS   AGE
aws-load-balancer-controller-797bbbd7fc-jgwtq   1/1     Running   0          2m9s
aws-load-balancer-controller-797bbbd7fc-njvpk   1/1     Running   0          2m9s

Ingress manifest for an ALB:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-1:011111111:certificate/xxxxxxx-c1ae-xxxxxxxx-xxxxxxxx
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    # Either list the subnets here or tag them in the VPC (kubernetes.io/role/elb=1 for public,
    # kubernetes.io/role/internal-elb=1 for private subnets); otherwise no ALB is created.
    # An internet-facing scheme needs public subnets. See docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
    alb.ingress.kubernetes.io/subnets: subnet-05008fbb31930c7c0, subnet-071e07e83dd5146f5
    alb.ingress.kubernetes.io/target-type: ip
  name: admin-api
  namespace: prd
spec:
  ingressClassName: alb
  rules:
  - host: api.scriptjc.com
    http:
      paths:
      - backend:
          service:
            name: api
            port:
              number: 80
        path: /
        pathType: Prefix

References:

docs.aws.amazon.com/zh_cn/eks/latest/userguide/aws-load-balancer-controller.html 
docs.aws.amazon.com/zh_cn/eks/latest/userguide/eksctl.html

# Ingress annotation reference
kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/#annotations

Installing Prometheus monitoring on AWS (covers creating the IAM role, the gp2 CSI driver, and so on):

dev.to/aws-builders/monitoring-eks-cluster-with-prometheus-and-grafana-1kpb