To set up an Amazon EKS (Elastic Kubernetes Service) cluster with eksctl, including a node group and IAM OIDC (OpenID Connect) provider, follow these detailed steps. This guide will cover everything from installing eksctl to configuring IAM roles and deploying a node group.
1) Install AWSCLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
sudo apt install unzip
unzip awscliv2.zip
sudo ./aws/install
aws configure
2) Install KUBECTL
curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.19.6/2021-01-05/bin/linux/amd64/kubectl
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin
kubectl version --short --client
3) Install EKSCTL
Macos:
brew tap weaveworks/tap
brew install weaveworks/tap/eksctl
Linux:
curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.143.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
Windows
Download the latest eksctl binary from the releases page and add it to your PATH.
4) Create an EKS Cluster
Use eksctl to create a new EKS cluster. The cluster is first created without a node group, the IAM OIDC provider is then associated with it, and a managed node group is added as a separate step.
eksctl create cluster --name=my-eks22 \
--region=ap-south-1 \
--zones=ap-south-1a,ap-south-1b \
--version=1.30 \
--without-nodegroup
eksctl utils associate-iam-oidc-provider \
--region ap-south-1 \
--cluster my-eks22 \
--approve
eksctl create nodegroup --cluster=my-eks22 \
--region=ap-south-1 \
--name=node2 \
--node-type=t3.medium \
--nodes=3 \
--nodes-min=2 \
--nodes-max=4 \
--node-volume-size=20 \
--ssh-access \
--ssh-public-key=Key \
--managed \
--asg-access \
--external-dns-access \
--full-ecr-access \
--appmesh-access \
--alb-ingress-access
--name: Name of your EKS cluster (with eksctl create cluster; with eksctl create nodegroup, --name is the node group name and --cluster names the cluster).
--region: AWS region where the cluster will be created.
--nodegroup-name: Name of the node group.
--node-type: EC2 instance type for nodes.
--nodes: Initial number of nodes in the node group.
--nodes-min: Minimum number of nodes.
--nodes-max: Maximum number of nodes.
--managed: Indicates that the node group is managed by EKS.
--with-oidc: Enables the OIDC provider for IAM roles (the commands above achieve the same with eksctl utils associate-iam-oidc-provider).
Open inbound traffic in the additional security group.
Create Service Account / Role / RoleBinding / Token.
5) Update kubeconfig
After creating the cluster, configure your kubeconfig file to manage the cluster with kubectl.
aws eks --region us-west-2 update-kubeconfig --name my-cluster
Alternatively, eksctl can automatically update your kubeconfig:
eksctl utils write-kubeconfig --cluster my-cluster --region us-west-2
6) Verify Cluster
Check that the cluster is running and that kubectl is properly configured.
kubectl get nodes
7) Create IAM Roles for Service Accounts (Optional)
If your applications require AWS IAM permissions, create IAM roles and associate them with Kubernetes service accounts using OIDC.
Create an IAM Policy: Define a policy that grants permissions (e.g., access to S3).
Example policy for S3 access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
Create IAM Role and Associate with EKS Service Account:
eksctl create iamserviceaccount \
--region us-west-2 \
--name my-service-account \
--namespace default \
--cluster my-cluster \
--attach-policy-arn arn:aws:iam::123456789012:policy/MyPolicy \
--approve
--name: Name of the service account.
--namespace: Kubernetes namespace for the service account.
--cluster: Name of your EKS cluster.
--attach-policy-arn: ARN of the IAM policy to attach.
--approve: Automatically approve the creation.
8) Create a Service Account and a Role, bind that Role to the Service Account, then create a secret for the Service Account and generate a Token
Creating Service Account:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: webapps
Creating Role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-role
  namespace: webapps
rules:
- apiGroups:
  - ""
  - apps
  - autoscaling
  - batch
  - extensions
  - policy
  - rbac.authorization.k8s.io
  resources:
  - pods
  - secrets
  - componentstatuses
  - configmaps
  - daemonsets
  - deployments
  - events
  - endpoints
  - horizontalpodautoscalers
  - ingresses   # RBAC resource names are plural; "ingress" matches nothing
  - jobs
  - limitranges
  - namespaces
  - nodes
  - persistentvolumes
  - persistentvolumeclaims
  - resourcequotas
  - replicasets
  - replicationcontrollers
  - serviceaccounts
  - services
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Bind the Role to ServiceAccount:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-rolebinding
  namespace: webapps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-role
subjects:
- namespace: webapps
  kind: ServiceAccount
  name: jenkins
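An added audit script (not part of the original guide, and not a kubectl feature) that reads a Role manifest in the layout of app-role above and reports two things before you apply it: cluster-scoped resources that a namespaced Role cannot grant, and write verbs on resources that let the bound subject read or mint credentials or extend its own rights. In app-role, componentstatuses, namespaces, nodes and persistentvolumes fall in the first class, and delete on secrets and serviceaccounts in the second. The sample manifest it checks is constructed inline as a cut-down copy of app-role.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-apply audit for a namespaced
# Role in the layout used above ("- name" resource entries, inline verbs list).
# Cluster-scoped resources: a namespaced Role cannot grant them, so they are dead weight.
CLUSTER_SCOPED="componentstatuses namespaces nodes persistentvolumes"
# Resources where write verbs amount to namespace admin: the subject can read or
# mint secrets and SA tokens, or (via roles/rolebindings) extend its own rights.
SENSITIVE="secrets serviceaccounts roles rolebindings"
# role_resources FILE: the resource names between "resources:" and "verbs:".
role_resources() {
  sed -n '/^ *resources:/,/^ *verbs:/p' "$1" |
    sed -n 's/^ *- *\([a-z]*\).*/\1/p' | sort -u
}

# misplaced_cluster_scoped FILE: cluster-scoped resources found in the Role.
misplaced_cluster_scoped() {
  for r in $(role_resources "$1"); do
    case " $CLUSTER_SCOPED " in *" $r "*) echo "$r" ;; esac
  done
}

# sensitive_writes FILE: sensitive resources, if the rule carries a write verb.
sensitive_writes() {
  if grep -Eq 'verbs:.*"(create|update|patch|delete)"' "$1"; then
    for r in $(role_resources "$1"); do
      case " $SENSITIVE " in *" $r "*) echo "$r" ;; esac
    done
  fi
}

# write_sample_role FILE: constructed, cut-down copy of app-role for a dry run.
write_sample_role() {
  cat >"$1" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-role
  namespace: webapps
rules:
- apiGroups: [""]
  resources:
  - pods
  - secrets
  - nodes
  - namespaces
  - serviceaccounts
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
}
```

On a live cluster the complementary check is kubectl auth can-i --list --as=system:serviceaccount:webapps:jenkins -n webapps, which shows what the binding actually grants rather than what the manifest lists.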
9) Install Helm (Optional)
Helm is a package manager for Kubernetes, useful for deploying and managing applications.
Macos:
brew install helm
Linux:
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
Windows:
Download the latest Helm binary from the Helm releases page and add it to your PATH.
10) Deploy Applications with Helm (Optional)
Use Helm to deploy applications to your EKS cluster. For example, to install the NGINX ingress controller:
Add Helm Repository:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
Update Helm Repository:
helm repo update
Install Nginx Ingress Controller:
helm install my-ingress ingress-nginx/ingress-nginx
11) Delete the Cluster (If Needed)
If you need to delete the cluster, you can do so with eksctl:
eksctl delete cluster --name my-cluster --region us-west-2
Summary
These steps should cover the complete process of setting up an EKS cluster with eksctl, including node group management and IAM OIDC integration.