Connecting to EKS with the AWS CLI
Source: original
Date: 2023-03-11
Author: 脚本小站
Category: cloud native
Download the CLI:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
Unzip it:
unzip awscliv2.zip
Install it:
./aws/install
Configure the access key ID and secret access key:
]# aws configure
The resulting config files:
]# cd .aws/
]# cat config
[default]
region = us-west-1
]# cat credentials
[default]
aws_access_key_id = xxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxx
Update the kubeconfig for the cluster:
aws eks update-kubeconfig --name <cluster-name>
Check that the cluster is reachable:
]# kubectl get pods -A
NAMESPACE     NAME                      READY   STATUS    RESTARTS   AGE
kube-system   aws-node-j8gpf            1/1     Running   0          7h23m
kube-system   aws-node-pm9dd            1/1     Running   0          7h23m
kube-system   coredns-db9fb9979-7jmhl   1/1     Running   0          7h21m
kube-system   coredns-db9fb9979-xq6zn   1/1     Running   0          7h21m
kube-system   kube-proxy-2rnhl          1/1     Running   0          7h23m
kube-system   kube-proxy-xzpbm          1/1     Running   0          7h23m
Installing the AWS-native ingress controller on EKS
Install eksctl:
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
eksctl version
Set up the IAM OIDC provider (the grep checks whether a provider for this cluster's issuer already exists; the eksctl command creates and associates it):
oidc_id=$(aws eks describe-cluster --name mexico --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4
eksctl utils associate-iam-oidc-provider --cluster mexico --approve
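The same existence check as the one-liners above, factored into shell functions that take the AWS CLI output as text so it can be exercised offline (an added example, not part of the original post; the issuer URL and provider ARN below are constructed placeholders):

```shell
#!/bin/sh
# Added example: the OIDC provider check from the procedure above, as functions.

# Extract the OIDC provider ID from the cluster issuer URL: it is the fifth
# '/'-separated field, e.g. https://oidc.eks.us-west-1.amazonaws.com/id/<ID> -> <ID>
oidc_id_from_issuer() {
    printf '%s\n' "$1" | cut -d '/' -f 5
}

# Return 0 if an IAM OIDC provider whose ARN ends in the given ID appears in the
# `aws iam list-open-id-connect-providers` JSON passed as $2, 1 otherwise.
oidc_provider_registered() {
    id="$1"
    providers="$2"
    printf '%s\n' "$providers" | grep -q "/$id\""
}

# Constructed sample data in the shape the AWS CLI returns (placeholder IDs).
SAMPLE_ISSUER='https://oidc.eks.us-west-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF'
SAMPLE_PROVIDERS='{
    "OpenIDConnectProviderList": [
        { "Arn": "arn:aws:iam::011111111111:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF" }
    ]
}'

# Live usage against a real cluster (commented out so the script runs offline):
#   issuer=$(aws eks describe-cluster --name mexico --query "cluster.identity.oidc.issuer" --output text)
#   providers=$(aws iam list-open-id-connect-providers)
#   oidc_id=$(oidc_id_from_issuer "$issuer")
#   oidc_provider_registered "$oidc_id" "$providers" \
#       || eksctl utils associate-iam-oidc-provider --cluster mexico --approve
```

Running associate-iam-oidc-provider only when the check fails keeps the step idempotent, which matters once the commands are put into a script.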
Create the IAM policy (iam_policy.json is the controller's policy document from the AWS guide listed under references):
]# aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://iam_policy.json
{
    "Policy": {
        "PolicyName": "AWSLoadBalancerControllerIAMPolicy",
        "PolicyId": "ANPAQWDHG3XXXXXXXXXXXXXX",
        "Arn": "arn:aws:iam::011111111111:policy/AWSLoadBalancerControllerIAMPolicy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2023-03-13T07:22:07+00:00",
        "UpdateDate": "2023-03-13T07:22:07+00:00"
    }
}
Create the service account with an IAM role attached (IRSA):
]# eksctl create iamserviceaccount \
>   --cluster=mexico \
>   --namespace=kube-system \
>   --name=aws-load-balancer-controller \
>   --role-name AmazonEKSLoadBalancerControllerRole \
>   --attach-policy-arn=arn:aws:iam::01111111111:policy/AWSLoadBalancerControllerIAMPolicy \
>   --approve
2023-03-13 15:28:47 [ℹ] 1 iamserviceaccount (kube-system/aws-load-balancer-controller) was included (based on the include/exclude rules)
2023-03-13 15:28:47 [!] serviceaccounts that exist in Kubernetes will be excluded, use --override-existing-serviceaccounts to override
2023-03-13 15:28:47 [ℹ] 1 task: {
    2 sequential sub-tasks: {
        create IAM role for serviceaccount "kube-system/aws-load-balancer-controller",
        create serviceaccount "kube-system/aws-load-balancer-controller",
    } }2023-03-13 15:28:47 [ℹ] building iamserviceaccount stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:28:47 [ℹ] deploying stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:28:48 [ℹ] waiting for CloudFormation stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:29:19 [ℹ] waiting for CloudFormation stack "eksctl-mexico-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2023-03-13 15:29:20 [ℹ] created serviceaccount "kube-system/aws-load-balancer-controller"
Add the Helm repository:
helm repo add eks https://aws.github.io/eks-charts
helm repo update
Install the ingress controller, reusing the service account created above (note the two warnings about the kubeconfig file permissions):
]# helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
>   -n kube-system \
>   --set clusterName=mexico \
>   --set serviceAccount.create=false \
>   --set serviceAccount.name=aws-load-balancer-controller
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
NAME: aws-load-balancer-controller
LAST DEPLOYED: Mon Mar 13 15:41:36 2023
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
AWS Load Balancer controller installed!
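Helm's warning above applies equally to the AWS credentials written by aws configure: both files carry long-lived secrets and should be readable by their owner only. The check below is an added example, not part of the original post; it takes file paths as arguments, so the paths in the usage comment are the ones this procedure creates.

```shell
#!/bin/sh
# Added example: flag (and optionally fix) secret files that other users can read,
# the condition Helm warned about for /root/.kube/config.

# Return 0 if the file is readable/writable only by its owner, 1 otherwise.
# Uses `ls -ld` rather than `stat`, whose flags differ between Linux and BSD/macOS.
owner_only() {
    mode=$(ls -ld "$1" | cut -c 5-10)   # group and other permission bits
    [ "$mode" = "------" ]
}

# check_secret_files [--fix] FILE...
# Print each file that is too open and return 1 if any was found.
# With --fix, chmod 600 is applied to each offender instead of reporting it.
check_secret_files() {
    fix=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    status=0
    for f in "$@"; do
        [ -e "$f" ] || continue          # skip paths that do not exist
        if ! owner_only "$f"; then
            if [ "$fix" = "1" ]; then
                chmod 600 "$f" && echo "fixed: $f"
            else
                echo "too open: $f ($(ls -ld "$f" | cut -c 1-10))"
                status=1
            fi
        fi
    done
    return $status
}

# Usage on a workstation that followed the steps above:
#   check_secret_files ~/.kube/config ~/.aws/credentials ~/.aws/config
#   check_secret_files --fix ~/.kube/config ~/.aws/credentials
```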
]# kubectl get ingressclass
NAME   CONTROLLER            PARAMETERS   AGE
alb    ingress.k8s.aws/alb   <none>       49s
Check the controller pods:
]# kubectl get pods -n kube-system -l app.kubernetes.io/instance=aws-load-balancer-controller
NAME                                            READY   STATUS    RESTARTS   AGE
aws-load-balancer-controller-797bbbd7fc-jgwtq   1/1     Running   0          2m9s
aws-load-balancer-controller-797bbbd7fc-njvpk   1/1     Running   0          2m9s
AWS ingress configuration (an internet-facing ALB that terminates TLS with an ACM certificate and redirects HTTP to HTTPS):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-1:011111111:certificate/xxxxxxx-c1ae-xxxxxxxx-xxxxxxxx
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    # The subnets must be given here or tagged in the VPC, otherwise no ALB is created automatically; see docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
    alb.ingress.kubernetes.io/subnets: subnet-05008fbb31930c7c0, subnet-071e07e83dd5146f5
    alb.ingress.kubernetes.io/target-type: ip
  name: admin-api
  namespace: prd
spec:
  ingressClassName: alb
  rules:
    - host: api.scriptjc.com
      http:
        paths:
          - backend:
              service:
                name: api
                port:
                  number: 80
            path: /
            pathType: Prefix
References:
docs.aws.amazon.com/zh_cn/eks/latest/userguide/aws-load-balancer-controller.html
docs.aws.amazon.com/zh_cn/eks/latest/userguide/eksctl.html
# ingress annotation reference
kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/#annotations
Installing Prometheus monitoring on AWS, including creating the IAM role and the gp2 CSI add-on:
dev.to/aws-builders/monitoring-eks-cluster-with-prometheus-and-grafana-1kpb