使用aws cli连接eks
来源:原创
时间:2023-03-11
作者:脚本小站
分类:云原生
使用aws cli连接eks
下载命令行:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
解压:
unzip awscliv2.zip
安装:
./aws/install
配置access_key和access_secret:
]# aws configure
配置文件:
]# cd .aws/ ]# cat config [default] region = us-west-1 ]# cat credentials [default] aws_access_key_id = xxxxxxxxx aws_secret_access_key = xxxxxxxxxxxxxxxxx
更新kubeconfig配置:
aws eks update-kubeconfig --name <cluster-name>
查看资源:
]# kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system aws-node-j8gpf 1/1 Running 0 7h23m kube-system aws-node-pm9dd 1/1 Running 0 7h23m kube-system coredns-db9fb9979-7jmhl 1/1 Running 0 7h21m kube-system coredns-db9fb9979-xq6zn 1/1 Running 0 7h21m kube-system kube-proxy-2rnhl 1/1 Running 0 7h23m kube-system kube-proxy-xzpbm 1/1 Running 0 7h23m
eks上安装aws原生的ingressController
安装eksctl:
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp sudo mv /tmp/eksctl /usr/local/bin eksctl version
搞OIDC:
oidc_id=$(aws eks describe-cluster --name mexico --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 eksctl utils associate-iam-oidc-provider --cluster mexico --approve
策略:
]# aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://iam_policy.json
{
"Policy": {
"PolicyName": "AWSLoadBalancerControllerIAMPolicy",
"PolicyId": "ANPAQWDHG3XXXXXXXXXXXXXX",
"Arn": "arn:aws:iam::011111111111:policy/AWSLoadBalancerControllerIAMPolicy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2023-03-13T07:22:07+00:00",
"UpdateDate": "2023-03-13T07:22:07+00:00"
}
}创建serviceaccount:
]# eksctl create iamserviceaccount \
> --cluster=mexico \
> --namespace=kube-system \
> --name=aws-load-balancer-controller \
> --role-name AmazonEKSLoadBalancerControllerRole \
> --attach-policy-arn=arn:aws:iam::01111111111:policy/AWSLoadBalancerControllerIAMPolicy \
> --approve
2023-03-13 15:28:47 [ℹ] 1 iamserviceaccount (kube-system/aws-load-balancer-controller) was included (based on the include/exclude rules)
2023-03-13 15:28:47 [!] serviceaccounts that exist in Kubernetes will be excluded, use --override-existing-serviceaccounts to override
2023-03-13 15:28:47 [ℹ] 1 task: {
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system/aws-load-balancer-controller",
create serviceaccount "kube-system/aws-load-balancer-controller",
} }2023-03-13 15:28:47 [ℹ] building iamserviceaccount stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:28:47 [ℹ] deploying stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:28:48 [ℹ] waiting for CloudFormation stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:29:19 [ℹ] waiting for CloudFormation stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:29:20 [ℹ] created serviceaccount "kube-system/aws-load-balancer-controller"用helm安装:
helm repo add eks https://aws.github.io/eks-charts helm repo update
安装ingressController
]# helm install aws-load-balancer-controller eks/aws-load-balancer-controller \ > -n kube-system \ > --set clusterName=mexico \ > --set serviceAccount.create=false \ > --set serviceAccount.name=aws-load-balancer-controller WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config NAME: aws-load-balancer-controller LAST DEPLOYED: Mon Mar 13 15:41:36 2023 NAMESPACE: kube-system STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: AWS Load Balancer controller installed!
]# kubectl get ingressclass
NAME CONTROLLER PARAMETERS AGE alb ingress.k8s.aws/alb <none> 49s
查看资源:
]# kubectl get pods -n kube-system -l app.kubernetes.io/instance=aws-load-balancer-controller NAME READY STATUS RESTARTS AGE aws-load-balancer-controller-797bbbd7fc-jgwtq 1/1 Running 0 2m9s aws-load-balancer-controller-797bbbd7fc-njvpk 1/1 Running 0 2m9s
aws ingress配置:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-1:011111111:certificate/xxxxxxx-c1ae-xxxxxxxx-xxxxxxxx
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/ssl-redirect: "443"
# 需要配置子网subnet或在子网中加上标签,否者不会自动创建alb,详见 docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
alb.ingress.kubernetes.io/subnets: subnet-05008fbb31930c7c0, subnet-071e07e83dd5146f5
alb.ingress.kubernetes.io/target-type: ip
name: admin-api
namespace: prd
spec:
ingressClassName: alb
rules:
- host: api.scriptjc.com
http:
paths:
- backend:
service:
name: api
port:
number: 80
path: /
pathType: Prefix参考文档:
docs.aws.amazon.com/zh_cn/eks/latest/userguide/aws-load-balancer-controller.html docs.aws.amazon.com/zh_cn/eks/latest/userguide/eksctl.html # ingress annotations 的配置 kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/#annotations
aws上安装prometheus监控:包括创建iam角色,gp2的csi插件等。
dev.to/aws-builders/monitoring-eks-cluster-with-prometheus-and-grafana-1kpb