Amazon EKS User Guide

Post on 25-Jan-2021


Amazon EKS: Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
What is Amazon EKS?

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes. Amazon EKS:

• Runs and scales the Kubernetes control plane across multiple AWS Availability Zones to ensure high availability.
• Automatically scales control plane instances based on load, detects and replaces unhealthy control plane instances, and provides automated version updates and patching for them.
• Is integrated with many AWS services to provide scalability and security for your applications, including:
  • Amazon ECR for container images
  • Elastic Load Balancing for load distribution
  • IAM for authentication
  • Amazon VPC for isolation
• Runs up-to-date versions of the open-source Kubernetes software, so you can use all of the existing plugins and tooling from the Kubernetes community. Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment, whether in on-premises data centers or public clouds, so you can migrate any standard Kubernetes application to Amazon EKS without code modification.

Amazon EKS control plane architecture

Amazon EKS runs a single-tenant Kubernetes control plane for each cluster; the control plane infrastructure is not shared across clusters or AWS accounts. The control plane consists of Kubernetes API server instances and etcd instances that run across multiple Availability Zones within an AWS Region. Amazon EKS:

• Actively monitors the load on control plane instances and automatically scales them to ensure high performance.
• Automatically detects and replaces unhealthy control plane instances, restarting them across the Availability Zones within the Region as needed.
• Leverages the architecture of AWS Regions to maintain high availability, which is why Amazon EKS can offer an SLA for API server endpoint availability.

Amazon EKS uses Amazon VPC network policies to restrict traffic between control plane components to within a single cluster. Control plane components for a cluster can't view or receive communication from other clusters or other AWS accounts, except as authorized with Kubernetes RBAC policies. This secure and highly available configuration makes Amazon EKS reliable and recommended for production workloads.
How does Amazon EKS work?

Getting started with Amazon EKS is easy:

1. Create an Amazon EKS cluster in the AWS Management Console, with the AWS CLI, or with one of the AWS SDKs.
2. Launch managed or self-managed Amazon EC2 nodes, or deploy your workloads to AWS Fargate.
3. When your cluster is ready, configure your Kubernetes tools, such as kubectl, to communicate with it.
4. Deploy and manage workloads on your Amazon EKS cluster the same way that you would in any other Kubernetes environment.

You can also view information about your workloads using the AWS Management Console.

To get started, see Getting started with Amazon EKS (p. 3).

Pricing

An Amazon EKS cluster consists of a control plane and the Amazon EC2 or AWS Fargate compute that you run pods on. You pay for the control plane (see Amazon EKS pricing) and for the Amazon EC2 or Fargate compute that you use. Both Amazon EC2 and Fargate offer:

• On-Demand – Pay for the compute that you use, with no long-term commitments or upfront payments. For more information, see Amazon EC2 On-Demand Pricing and AWS Fargate Pricing.
• Savings Plans – Reduce your costs by committing to a consistent amount of usage over a term. For more information, see Pricing with Savings Plans.
Kubernetes Amazon EKS
Amazon EKS Amazon EKS Kubernetes Amazon EKS Amazon EKSetcdCoreDNS CNI CSI Kubernetes EKS EKS Kubernetes
Note
Amazon EKS GitHub EKS website Amazon EKS GitHub
Getting started with Amazon EKS

There are two getting started guides available for creating a new Kubernetes cluster with nodes in Amazon EKS:

• Getting started with Amazon EKS – eksctl (p. 3) – This guide helps you to install all of the required resources to get started with Amazon EKS using eksctl, a simple command line utility for creating and managing Kubernetes clusters on Amazon EKS. At the end of the tutorial, you will have a running Amazon EKS cluster that you can deploy applications to. This is the fastest and simplest way to get started with Amazon EKS.
• Getting started with Amazon EKS – AWS Management Console and AWS CLI (p. 7) – This guide helps you to create all of the required resources to get started with Amazon EKS using the AWS Management Console and the AWS CLI. At the end of the tutorial, you will have a running Amazon EKS cluster that you can deploy applications to. In this guide, you manually create each resource, which gives you complete visibility into how each resource is created and how the resources interact with each other.

Getting started with Amazon EKS – eksctl

This guide helps you to install all of the required resources to get started with Amazon Elastic Kubernetes Service (Amazon EKS) using eksctl, a simple command line utility for creating and managing Kubernetes clusters on Amazon EKS. At the end of this tutorial, you will have a running Amazon EKS cluster that you can deploy applications to.

The procedures in this guide create several resources for you automatically that you have to create manually when you create your cluster using the AWS Management Console. If you'd rather create most of the resources manually to better understand how they interact with each other, use the AWS Management Console to create your cluster and compute. For more information, see Getting started with Amazon EKS – AWS Management Console and AWS CLI (p. 7).

Prerequisites

Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster.

• kubectl – A command line tool for working with Kubernetes clusters. This guide requires that you use version 1.19 or later. For more information, see Installing kubectl (p. 269).
• eksctl – A command line tool for working with EKS clusters that automates many individual tasks. This guide requires that you use version 0.47.0 or later. For more information, see The eksctl command line utility (p. 273).
• Required IAM permissions – The IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles and service-linked roles, AWS CloudFormation, and a VPC and related resources. For more information, see Actions, resources, and condition keys for Amazon Elastic Container Service for Kubernetes in the IAM User Guide.

Step 1: Create your Amazon EKS cluster and nodes

Important
To get started as simply and quickly as possible, this topic includes steps to create a cluster and nodes with default settings. Before creating a cluster and nodes for production use, we recommend that you familiarize yourself with all settings and deploy a cluster and nodes with the settings that meet your requirements. For more information, see Creating an Amazon EKS cluster (p. 15) and Amazon EKS nodes (p. 74). Some settings can only be enabled when creating your cluster and nodes.

You can create a cluster with one of the following node types. To learn more about each type, see Amazon EKS nodes (p. 74). After your cluster is deployed, you can add other node types.

• Fargate – Linux – Select this type of node if you want to run Linux applications on AWS Fargate.
• Managed nodes – Linux – Select this type of node if you want to run Amazon Linux applications on Amazon EC2 instances.

Though not covered in this guide, you can also add Windows self-managed (p. 98) and Bottlerocket (p. 97) nodes to your cluster. A cluster must contain at least one Linux node, even if all your workloads are Windows.

Fargate Linux
1. EKS the section called “Fargate Sport” (p. 114)the section called “Pod ” (p. 306)Replacemy-cluster Amazon EKS () us-west-2
eksctl create cluster \ --name my-cluster \ --region us-west-2 \ --fargate
Fargate eksctl- <my-cluster>-clustereksctl create cluster -heksctl )

... [] EKS cluster "my-cluster" in "us-west-2" region is ready
(p. 334)
2.
Managed nodes – Linux
• Linux Replacemy-clusterus-west-2 Amazon EKS () () () () AWS AWS STS
Replace<your-key>( <>) key pair key pair us-west-2 Amazon EC2 Linux Linux
SSH AWS CLI 2.1.26 1.19.7 AWS CLI AWS
aws ec2 create-key-pair --region us-west-2 --key-name myKeyPair
Amazon EKS () us-west-2
eksctl create cluster \ --name my-cluster \ --region us-west-2 \ --with-oidc \ --ssh-access \ --ssh-public-key <your-key> \ --managed
Amazon EKS eksctl-<my-cluster>-cluster AWS CloudFormation https:// console.aws.amazon.com/cloudformationeksctl create cluster -heksctl)

... [] EKS cluster "my-cluster" in "us-west-2" region is ready
eksctlkubectl config~/.kubeconfig ~/.kube
2 1.
kubectl get nodes -o wide
Amazon EC2
ip-192-168-72-129.us-west-2.compute.internal Ready <none> 6m4s v1.18.9-eks-d1db3c 192.168.72.129 44.242.140.21 Amazon Linux 2 4.14.209-160.335.amzn2.x86_64 docker://19.3.6
Fargate
the section called “View ” (p. 76) 2.
kubectl get pods --all-namespaces -o wide
Amazon EC2
Fargate
the section called “” (p. 223)
3 the section called “” (p. 7)

Amazon EKS Kubernetes
• IAM () Kubernetes RBAC ( system:masters IAM Kubernetes API kubectlaws-auth ConfigMap IAM (p. 255)
• IMDS (p. 320)— IAM Kubernetes Amazon EC2 (IMDS) IMDS the section called “ IAM ” (p. 307) the section called “” (p. 320)
• Cluster Autoscaler (p. 40)— Kubernetes Cluster Autoscaler
• Linux (p. 225)— Linux Linux • (p. 269)—
Amazon EKS — AWS AWS CLI
AWS AWS CLI Amazon EKS
eksctlCLI Amazon EKS —eksctl (p. 3)
Prerequisites Amazon EKS
• AWS CLI— AWS Amazon EKS 2.1.26 1.19.7 AWS CLI AWS AWS CLI AWS AWS
• kubectl— Kubernetes 1.19 kubectl (p. 269)
• IAM — IAM Amazon EKS IAM AWS CloudFormation VPC Amazon Elastic Container
Service for Kubernetes IAM
1 Amazon EKS Amazon EKS
Important
Amazon EKS (p. 15) Amazon EKS (p. 74)

aws cloudformation create-stack \ --stack-name my-eks-vpc-stack \ --template-url https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml
2. IAM Amazon EKS IAM Amazon EKS Kubernetes AWS
a. cluster-role-trust-policy.json
b.
c. Amazon EKS IAM
aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \ --role-name myAmazonEKSClusterRole
[] () us-west-2Amazon EKS () us-west-2
4. EKS my- cluster
5. my-cluster (my-cluster) for
6. vpc-00x0000x000x0x000 | my-eks-vpc-stack-VPCVPC( )
7. 8. Review and create ()

Note
2 kubeconfigkubectlCLI

aws eks update-kubeconfig \ --region us-west-2 \ --name my-cluster
config~/.kubeconfig~/.kube 2.
kubectl get svc

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE svc/kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 1m
3 IAM OpenID Connect (OIDC) IAM OpenID Connect (OIDC) Kubernetes AWS
1. 2. OpenID Connect 3. IAM https://console.aws.amazon.com/iam/ 4.
5. 6. OpenID Connect 7. 2 OIDC URL 8. sts.amazonaws.com
4 Amazon EKS (p. 74)
• Fargate — Linux— AWS Fargate Linux • — Linux— Amazon EC2 Amazon Linux
Windows (p. 98) (p. 97) Windows Linux

Fargate
1. IAM Amazon EKS IAM Fargate Pod Fargate AWS API Amazon ECR Amazon EKS Pod IAM
a. pod-execution-role-trust-policy.json
b. Pod IAM
aws iam create-role \ --role-name myAmazonEKSFargatePodExecutionRole \ --assume-role-policy-document file://"pod-execution-role-trust-policy.json"
c. Amazon EKS IAM
aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy \ --role-name myAmazonEKSFargatePodExecutionRole
3. Fargate 4. URFargate Fargate 5. Fargate
a. Fargate my-profile (my-profile). b. Pod 1 c. Public Fargate
Pods 6. Configure pods selection ( Pod ) Next ()
• Namespace () default 7. Review and create () Fargate
Managed nodes – Linux
Amazon EC2 Linux
1. Amazon VPC CNI IAM Amazon EKS IAM Amazon EKS VPC CNI Kubernetes VPC IP
a. cni-role-trust-policy.jsonReplace<111122223333>(<>) ID <XXXXXXXXXX45D83924220DC4815XXXXX>/OpenID Connect (p. 9)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<111122223333>:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/<XXXXXXXXXX45D83924220DC4815XXXXX>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-2.amazonaws.com/id/<XXXXXXXXXX45D83924220DC4815XXXXX>:sub": "system:serviceaccount:kube-system:aws-node"
        }
      }
    }
  ]
}
aws iam create-role \ --role-name myAmazonEKSCNIRole \ --assume-role-policy-document file://"cni-role-trust-policy.json"
c. Amazon EKS IAM
aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \ --role-name myAmazonEKSCNIRole
2. VPC CNI Kubernetes IAM Replace<111122223333>(<>) ID
aws eks update-addon \ --cluster-name my-cluster \ --addon-name vpc-cni \ --service-account-role-arn arn:aws:iam::<111122223333>:role/myAmazonEKSCNIRole
3. IAM Amazon EKS IAM Amazon EKS kubelet AWS API IAM API
a. node-role-trust-policy.json
b. IAM
c. Amazon EKS IAM
aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy \ --role-name myAmazonEKSNodeRole aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \ --role-name myAmazonEKSNodeRole
(my-cluster). 6. 7. Add 8.
• — my-nodegroup • IAM — myAmazonEKSNodeRole
9. 10. SSH key pair key pair
us-west-2 Amazon EC2 Linux
Linux SSH
aws ec2 create-key-pair --region us-west-2 --key-name myKeyPair
11. Review and create () Create ( )
12.
5 Kubernetes

2. the section called “View ” (p. 76)
3. Amazon EKS the section called “ ” (p. 223)
6 the section called “” (p. 14)

• • Fargate
2.
3. VPC AWS CloudFormation
a. https://console.aws.amazon.com/cloudformation AWS CloudFormation b. VPC c.
4. IAM
myAmazonEKSFargatePodExecutionRole myAmazonEKSNodeRole myAmazonEKSCNIRole ()
Amazon EKS Kubernetes
• IAM () Kubernetes RBAC ( system:masters IAM Kubernetes API kubectlaws-auth ConfigMap IAM (p. 255)
• IMDS (p. 320)— IAM Kubernetes Amazon EC2 (IMDS) IMDS the section called “ IAM ” (p. 307) the section called “” (p. 320)
• Cluster Autoscaler (p. 40)— Kubernetes Cluster Autoscaler
• Linux (p. 225)— Linux Linux • (p. 269)—
• Amazon EKS • Amazon EKS
Amazon EKS Kubernetes () etcd Kubernetes API AWS Kubernetes API Amazon EKS Amazon EKS Amazon EC2
etcd Amazon EBS AWS KMS Elastic Load Balancing Amazon EKS VPC (kubectl execlogsproxy)
Amazon EKS AWS API
Note
Amazon EKS Amazon EKS (p. 179)
Amazon EKS Amazon EKS Amazon EKS Amazon EKS (p. 3) Amazon EKS
Important
Amazon EKS IAM () Kubernetes RBAC (system:masters IAM Kubernetes API kubectl IAM (p. 255) IAM AWS kubectl
eksctlAWS AWS CLI
eksctl
Prerequisite
eksctl 0.47.0 the section called “ eksctl” (p. 273)
Amazon EKS Kubernetes <example- values>(<><1.19> (p. 52)
Tip
eksctl eksctl create cluster --help eksctl) GitHub
Important
AWS OutpostsAWS Wavelength AWS Local Zones Amazon EKS VPC--vpc-private-subnets ID AWS Outposts AWS Wavelength AWS Local Zones VPC VPC eksctl)
Warning
secretsEncryption ( AWS Key Management Service ) Kubernetes (CMK) CMK CMK CMK CMKAWS Key Management Service AWS KMS CMK Kubernetes Kubernetes 1.13 create-key AWS KMS create-cluster API kms:DescribeKey kms:CreateGrant Amazon EKS kms:GrantIsForAWSResource

[] EKS cluster "<my-cluster>" in "<region-code>" region is ready
AWS Management Console
Prerequisites
• Amazon EKS VPC VPC (p. 183) Amazon EKS (p. 185) VPC Amazon EKS VPC (p. 180)
• Amazon EKS IAM Amazon EKS IAM (p. 295)

Amazon EKS
• — • Kubernetes — Kubernetes • — Amazon EKS Kubernetes AWS
Amazon EKS IAM (p. 302) • — () AWS Key Management Service (AWS KMS) Kubernetes
Kubernetes (CMK) CMK CMK CMK CMKAWS Key Management Service
AWS KMS CMK Kubernetes Kubernetes 1.13
Note
create-key AWS KMS create-cluster API kms:DescribeKey kms:CreateGrant Amazon EKS kms:GrantIsForAWSResource
Warning
CMK CMK
• Tags ()— () EKS (p. 283)
4. Next () 5. Specify networking ()
• VPC— VPC Amazon EKS VPC (p. 180)
• — VPC Amazon EKS VPC (p. 183)
Important
• Amazon EKS AWS CloudFormation VPC 2020 3 26 Amazon EKS VPC (p. 180)
• AWS OutpostsAWS Wavelength AWS Local Zones AWS OutpostsAWS Wavelength AWS Local Zones VPC Outposts
—SecurityGroups AWS CloudFormation VPC (p. 180) ControlPlaneSecurityGroup
Important
AWS CloudFormation Amazon EKS ()
• () Kubernetes IP IPv4 CIDR Kubernetes IP CIDR
• 10.0.0.0/8172.16.0.0/12 192.168.0.0/16 • /24 /12 • VPC CIDR
CIDR VPC Kubernetes 10.100.0.0/16 172.20.0.0/16 CIDR IP
Important
CIDR • —
• — Kubernetes API VPC Kubernetes API IP CIDR ( 192.168.0.0/16) Advanced settings () Add source ()
• — Kubernetes API VPC Kubernetes API VPC
Important
(p. 37) 6. Kubernetes 1.17 1.18
AWS VPC (p. 188)Amazon EKS 1.18 Amazon EKS Amazon EKS Kubernetes Kubernetes 1.18 Kubernetes
Important
AWS VPC CNI EKS IAM (p. 304) Amazon EC2 AmazonEKS_CNI_PolicyIAM IAM Kubernetes IAM IAM VPC CNI IAM (p. 190) IAM (p. 30) IAM
7. Next () 8. Configure logging ()
(Disabled) Amazon EKS (p. 49)
9. Next () 10. Review and create ()
Edit () Create ()Status ( ) CREATING ()
Note
11. kubeconfig Amazon EKS (p. 262)
12. () Amazon EKS Kubernetes IAM OpenID Connect (OIDC) OIDC the section called “ OIDC ” (p. 312) OIDC Amazon EKS Amazon EKS (p. 30) IAM (p. 308)
13. () AWS VPC CNI IAM (p. 307) the section called “ IAM ” (p. 190)
AWS CLI
Prerequisites
• Amazon EKS VPC VPC (p. 183) Amazon EKS (p. 185) VPC Amazon EKS VPC (p. 180)
• Amazon EKS IAM Amazon EKS IAM (p. 295)
• AWS CLI 2.1.26 1.19.7 AWS CLI AWS AWS CLI AWS AWS
AWS CLI
1. Amazon EKS IAM Amazon Resource Name (ARN)Amazon EKS IAM (p. 302) VPC ID Amazon EKS VPC (p. 180)Replace<my-cluster>( <> <region-code><1.19> (p. 52)
subnetIds AWS OutpostsAWS Wavelength AWS Local Zones AWS OutpostsAWS Wavelength AWS Local Zones VPC Outposts
aws eks create-cluster \ --region <region-code> \ --name <my-cluster> \ --kubernetes-version <1.19> \ --role-arn <arn:aws:iam::111122223333:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBKZRQR> \ --resources-vpc-config subnetIds=<subnet-a9189fe2>,<subnet-50432629>,securityGroupIds=<sg-f5c54184>
Note
IAM Amazon EKS API Amazon EKS (p. 295)

Note
Amazon EKS (p. 334)
AWS Key Management Service (AWS KMS) (CMK) Kubernetes operation.
MY_KEY_ARN=$(aws kms create-key --query KeyMetadata.Arn --output text)
Note
create-key AWS KMS create-cluster API kms:DescribeKey kms:CreateGrant Amazon EKS kms:GrantIsForAWSResource
--encryption-configaws eks create-cluster Kubernetes
--encryption-config '[{"resources":["secrets"],"provider":{"keyArn":"<$MY_KEY_ARN>"}}]'
keyArn CMK ARNCMK CMK CMK CMKAWS Key Management Service AWS KMS CMK Kubernetes Kubernetes 1.13
Warning
2. ACTIVE
aws eks --region <region-code> describe-cluster --name <my-cluster> --query "cluster.status"
a. endpoint
b. certificateAuthority.data
aws eks --region <region-code> describe-cluster --name <my-cluster> --query "cluster.certificateAuthority.data" --output text
4. kubeconfig Amazon EKS (p. 262) 5. () Amazon EKS Kubernetes IAM
OpenID Connect (OIDC) OIDC the section called “ OIDC ” (p. 312) OIDC Amazon EKS Amazon EKS (p. 30) IAM (p. 308)
6. () AWS VPC CNI IAM (p. 307) the section called “ IAM ” (p. 190)
Kubernetes
Amazon EKS Kubernetes Amazon EKS Kubernetes
Important
Amazon EKS Kubernetes (p. 52) Kubernetes
Kubernetes Kubernetes Kubernetes
Amazon EKS Kubernetes API Amazon EKS Amazon EKS Kubernetes Amazon EKS Kubernetes
Amazon EKS IP IP
Note
Amazon EKS API Kubernetes API API API
Amazon EKS Kubernetes
Amazon EKS Kubernetes Kubernetes
Kubernetes 1.19 1.18 1.17 1.16
Amazon VPC 1.7 ( )
1.7 ( )
1.7 ( )
1.7 ( )
KubeProxy 1.19.6 1.18.8 1.17.9 1.16.13

Kubernetes
• Kubernetes
kubectl version --short
• Kubernetes Amazon EC2 Fargate Fargate
kubectl get nodes
Kubernetes Fargate Kubernetes 1.18 1.17 1.18 Kubernetes 1.19 the section called “” (p. 85) the section called “” (p. 103) Fargate
2. Amazon EKS Pod Pod
kubectl get psp eks.privileged
Error from server (NotFound): podsecuritypolicies.extensions "eks.privileged" not found
3. Kubernetes 1.17 CoreDNS
a. CoreDNS upstream
kubectl get configmap coredns -n kube-system -o jsonpath='{$.data.Corefile}' | grep upstream
upstream
b. configmapupstream
kubectl edit configmap coredns -n kube-system -o yaml
4. eksctlAWS AWS CLI
Important
• Amazon EKS Kubernetes 1.17 1.19 1.18 1.18 1.19
• kubelet Kubernetes
• AWS Fargate kubelet 1.16 1.16 1.17 Fargate kubelet 1.16 1.17
• 1.16 Kubernetes 1.16 (p. 28)

eksctl
eksctl version
eksctl eksctl (p. 273)
Amazon EKS Kubernetes Replace <my-cluster> ( <>
eksctl upgrade cluster --name <my-cluster> --approve
AWS Management Console

AWS CLI
aws eks update-cluster-version \ --region <region-code> \ --name <my-cluster> \ --kubernetes-version <1.19>

b. ID Successful
aws eks describe-update \ --region <region-code> \ --name <my-cluster> \ --update-id <b5f0ba18-9a87-4450-b5a0-825e6e84496f>

}
Kubernetes 1.19 1.18 1.17 1.16
KubeProxy 1.19.6 1.18.8 1.17.9 1.16.13
a. kube-proxy
kubectl get daemonset kube-proxy --namespace kube-system -o=jsonpath='{$.spec.template.spec.containers[:1].image}'

602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/kube-proxy:v1.18.8-eksbuild.1
b. kube-proxy 602401143452, us-west-2 com 1.19.6 kube-proxy 1.19.6 2 eksbuild.1
kubectl set image daemonset.apps/kube-proxy \ -n kube-system \ kube-proxy=602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/kube-proxy:v1.19.6-eksbuild.2
c. () x86 Arm 2020 8 17 kube-proxy 2020 8 17 kube-proxy
kubectl edit -n kube-system daemonset/kube-proxy
CNI Kubernetes
- key: "beta.kubernetes.io/arch"
  operator: In
  values:
  - amd64
  - arm64
d. () Kubernetes v1.14 kube-proxyAffinity Rule Kubernetes 1.13 Amazon EKS Fargate kube-proxy NodeAffinitykube-proxy Affinity Rule kube-proxy
kubectl edit -n kube-system daemonset/kube-proxy
Affinity RuleDaemonset spec CNI
- key: eks.amazonaws.com/compute-type
  operator: NotIn
  values:
  - fargate
6. DNS Kubernetes 1.10 kube-dns DNS 1.10 DNS CoreDNS CoreDNS kube-dns
CoreDNS
coredns CoreDNS CoreDNS (p. 215) CoreDNS 7-8
7. coredns
kubectl describe deployment coredns --namespace kube-system | grep Image | cut -d "/" -f 3

CoreDNS 1.8.0 1.7.0 1.6.6 1.6.6
8. coredns 1.5.0 1.5.0corednsforwardproxy
a.
b. Replaceproxyforward
kubectl set image --namespace kube-system deployment.apps/coredns \ coredns=602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/coredns:v1.8.0-eksbuild.1
11. x86 Arm 2020 8 17 coredns 2020 8 17 coredns
kubectl edit -n kube-system deployment/coredns
CNI
- key: "beta.kubernetes.io/arch"
  operator: In
  values:
  - amd64
  - arm64
12. Kubernetes Amazon VPC CNI CNI
kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2

amazon-k8s-cni:<1.6.3>
CNI 1.7 CNI 1.7 ( GitHub )
Important
• () (cn-north-1) () (cn-northwest-1)
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.7/config/v1.7/aws-k8s-cni-cn.yaml
• AWS GovCloud () (us-gov-east-1)
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.7/config/v1.7/aws-k8s-cni-us-gov-east-1.yaml
• AWS GovCloud () (us-gov-west-1)
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.7/config/v1.7/aws-k8s-cni-us-gov-west-1.yaml
• <account>the section called “ ” (p. 244) (602401143452
sed -i.bak -e 's/602401143452/<account>/' aws-k8s-cni.yaml

13. () Kubernetes Cluster Autoscaler Cluster Autoscaler Kubernetes
a. Cluster Autoscaler Kubernetes Cluster Autoscaler Kubernetes 1.19 1.19 Cluster Autoscaler (<1.19.n>)
b. Cluster Autoscaler 1.19.n
kubectl -n kube-system set image deployment.apps/cluster-autoscaler cluster-autoscaler=k8s.gcr.io/autoscaling/cluster-autoscaler:v1.19.n
14. ( GPU ) GPU (p3.2xlarge) Kubernetes NVIDIA
kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/v0.8.0/nvidia-device-plugin.yml
15. Kubernetes (p. 103) (p. 85)Fargate Pods kubelet
Kubernetes 1.16 Kubernetes 1.15 1.16 API API 1.16
Warning
• 1.16 extensions/v1beta1 NetworkPolicy networking.k8s.io/ v1 API 1.8 networking.k8s.io/v1 API
• 1.16 extensions/v1beta1 PodSecurityPolicy policy/v1beta1 API 1.10 policy/v1beta1 API
• 1.16 extensions/v1beta1apps/v1beta1 apps/v1beta2 DaemonSetDeploymentStatefulSet ReplicaSet apps/v1 API 1.9 apps/v1 API apps/ v1beta1 Deployment
kubectl convert -f ./<my-deployment.yaml> --output-version apps/v1
Note
Kubernetes 1.11 Amazon EKS --resource-containerkube-proxyDaemonSet Kubernetes 1.16 kube-proxy Kubernetes 1.16 kube-proxyKubernetes 1.16 Kubernetes 1.16
1.16
• YAML API • API • API
API audit (p. 49) v1beta1.10 Kubernetes API API
• --resource-container=""kube-proxyDaemonSet Kubernetes 1.11 Kube-proxy kube-proxy
kubectl get daemonset kube-proxy --namespace kube-system -o yaml | grep 'resource-container='
--resource-container="" kube-proxy
kubectl edit daemonset kube-proxy --namespace kube-system
--resource-container="" kube-proxy
curl -o kube-proxy-daemonset.yaml https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2020-06-10/kube-proxy-daemonset.yaml

kubectl apply -f kube-proxy-daemonset.yaml
Amazon EKS Kubernetes Amazon EKS AWS Amazon EKS Amazon EKS API Kubernetes 1.18 eks.3. Amazon EKS Kubernetes Kubernetes 1.18 Kubernetes
eksctl eksctl AWS
eksctl
b. Amazon EKS <name-of-addon> --force IAM ARN Kubernetes eksctl
eksctl create addon --name <name-of-addon-from-previous-command> --cluster <my-cluster> --force
2. eksctl update addon -h
a.
b.
3. Amazon EKS
a.
b. Amazon EKS IAM
eksctl delete addon --cluster <my-cluster> --name <addon-name-from-previous-command>
1. Amazon EKS https://console.aws.amazon.com/eks/home#/clusters 2. Amazon EKS 3. 4. Amazon EKS Amazon EKS
Edit ()Remove ()
a. Amazon EKS b. Amazon EKS c. IAM the
section called “ IAM ” (p. 304) IAM
vpc-cni AmazonEKS_CNI_Policy IAM AWS CNI IAM (p. 191) Kubernetes IAM API IAM
Important
IAM IAM OpenID Connect (OIDC) OIDC the section called “ OIDC ” (p. 312)
d. Amazon EKS Amazon EKS Amazon EKS Amazon EKS
e. Add
Kubernetes AWS Key Management Service (KMS) (CMK) CMK CMK CMK CMKAWS Key Management Service Kubernetes 1.13.
Warning

• .yaml


AWS Management Console
6. [
AWS CLI
1. AWS CLI <example-values> ( <>)
aws eks associate-encryption-config \ --cluster-name <my-cluster> \ --encryption-config '[{"resources":["secrets"],"provider": {"keyArn":"arn:aws:kms:<Region-code>:<account>:key/<key>"}}]'
2. cluster nameupdate ID Successful
aws eks describe-update \ --region <Region-code> \ --name <my-cluster> \ --update-id <3141b835-8103-423a-8e68-12c2521ffa4d>

3. describe-cluster EncryptionConfig
aws eks describe-cluster --region <Region-code> --name <my-cluster>

kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - kms-encryption-timestamp="<time value>"
create-key AWS KMS create-cluster API kms:DescribeKey kms:CreateGrant Amazon EKS kms:GrantIsForAWSResource
Amazon EKS
Important
eksctlAWS AWS CLI
eksctl
eksctl version
1.
2. EXTERNAL-IP Elastic Load Balancing Kubernetes
kubectl delete svc <service-name>
eksctl delete cluster --name <prod>

1.
2. EXTERNAL-IP Elastic Load Balancing Kubernetes
kubectl delete svc <service-name>
3. Fargate

(p. 78) d. Fargate
Fargate 4. AWS CloudFormation
a. https://console.aws.amazon.com/cloudformation AWS CloudFormation b. c. Delete Stack () Yes, Delete ()
5.
a. Amazon EKS https://console.aws.amazon.com/eks/home#/clusters b. Delete () c. Delete ()
6. () VPC AWS CloudFormation
a. VPC Actions () Delete Stack () b. Delete Stack () Yes, Delete ()
AWS CLI
1.
2. EXTERNAL-IP Elastic Load Balancing Kubernetes
kubectl delete svc <service-name>
3. Fargate
Note
aws eks delete-nodegroup --nodegroup-name <my-nodegroup> --cluster-name <my-cluster>
c. Fargate
d. Fargate Fargate
aws eks delete-fargate-profile --fargate-profile-name <my-fargate-profile> --cluster-name <my-cluster>
4. AWS CloudFormation
a. AWS CloudFormation
aws cloudformation list-stacks --query "StackSummaries[].StackName"
b. <node-stack>
aws cloudformation delete-stack --stack-name <node-stack>
5. <my-cluster>
aws eks delete-cluster --name <my-cluster>
6. () VPC AWS CloudFormation
a. AWS CloudFormation VPC
aws cloudformation list-stacks --query "StackSummaries[].StackName"
b. VPC <my-vpc-stack> VPC VPC
aws cloudformation delete-stack --stack-name <my-vpc-stack>
Amazon EKS Amazon EKS Kubernetes API
Amazon EKS Kubernetes API Kubernetes (kubectl API AWS (IAM) Kubernetes (RBAC)
Kubernetes API API VPC API IP API
Note
Kubernetes API AWS API AWS PrivateLink Amazon VPC
Amazon EKS Route 53 VPC Amazon EKS Route 53 API VPC enableDnsHostnames enableDnsSupport true VPC DHCP AmazonProvidedDNS VPC DNS Amazon VPC
API API
API
API
Enabled • Amazon EKS
• VPC ( ) Kubernetes API VPC Amazon
• API CIDR CIDR CIDR Fargate Pod ()
Enabled Enabled • VPC Kubernetes API ( ) VPC
• API CIDR
Enabled • API VPC
• API kubectl VPC
Amazon EKS
Behavior () API (p. 40)
• DNS API VPC IP VPC
VPC IP •
IP
• (p. 21)
AWS AWS CLI API
AWS Management Console
1. Amazon EKS https://console.aws.amazon.com/eks/home#/clusters 2. 3. Configuration () 4. Private access () Kubernetes API
VPC Kubernetes API VPC
5. Public access () Kubernetes API Kubernetes API VPC
6. () Advanced Settings () CIDR <203.0.113.5/32> Add source () CIDR Amazon EKS (p. 287) API (0.0.0.0/0) IP CIDR Fargate Pod () CIDR VPC NAT NAT IP CIDR
7. Update ()
AWS CLI
AWS CLI API
AWS CLI 1.19.7 aws --version AWS CLI AWS CLI
1. AWS CLI API endpointPublicAccess=true () publicAccessCidrs CIDR CIDR CIDR
API CIDR Amazon EKS (p. 287) CIDR Fargate Pod () CIDR VPC NAT NAT IP CIDR CIDR API (0.0.0.0/0) IP
Note
API IP <203.0.113.5/32> CIDR CIDR
aws eks update-cluster-config \ --region <region-code> \ --name <my-cluster> \ --resources-vpc-config endpointPublicAccess=<true>,publicAccessCidrs="<203.0.113.5/32>",endpointPrivateAccess=<true>

2. ID Successful
aws eks describe-update \ --region <region-code> \ --name <my-cluster> \ --update-id <e6f0905f-a5d4-4a2a-8c49-EXAMPLE00000>

      {
        "type": "EndpointPublicAccess",
        "value": "<true>"
      },
      {
        "type": "EndpointPrivateAccess",
        "value": "<true>"
      },
      {
        "type": "publicAccessCidrs",
        "value": "[\"<203.0.113.5/32>\"]"
      }
    ],
    "createdAt": <1576874258.137>,
    "errors": []
  }
}
API Kubernetes API VPC API Kubernetes API
• — Connect VPCAWS Transit Gateways Amazon EKS 443
• Amazon EC2 — VPC Amazon EC2 SSH kubectl AWS Linux Amazon EKS 443 Amazon EKS (p. 185)
kubectl AWS RBAC IAM RBAC IAM (p. 255) (kubectl) (p. 334)
• AWS Cloud9— AWS Cloud9 (IDE) VPC AWS Cloud9 IDE IDE AWS Cloud9 Amazon EKS 443 IDE Amazon EKS (p. 185)
kubectl AWS Cloud9 RBAC IDE IAM RBAC IAM (p. 255) (kubectl) (p. 334)
Cluster Autoscaler KubernetesCluster Autoscaler Kubernetes AWS .DesiredReplicas Amazon EC2 Auto Scaling ()
Kubernetes AWS
• Kubernetes Kubernetes Kubernetes ( GitHub )
Amazon EKS Prerequisites
• AWS —Kubernetes AWS ( Amazon EC2) Kubernetes AWS ( GitHub )
• — Kubernetes Kubernetes API
• Amazon EC2 Auto Scaling — AWS Auto Scaling Amazon EC2 Auto Scaling Kubernetes Kubernetes API
(p. 78) Amazon EC2 Auto Scaling
Amazon EKS Amazon EC2 Auto Scaling
Prerequisites
• Kubernetes — Amazon EKS (p. 15) • IAM OIDC
IAM OIDC (p. 312) • Auto Scaling — Auto Scaling
eksctl eksctl Auto Scaling Amazon EC2 Amazon EC2 Linux
Key
k8s.io/cluster-autoscaler/enabled TRUE
IAM IAM IAM <example-values>(<>
1. IAM
a. cluster-autoscaler-policy.json eksctl--asg-access 2
        "autoscaling:SetDesiredCapacity",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "ec2:DescribeLaunchTemplateVersions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
aws iam create-policy \ --policy-name AmazonEKSClusterAutoscalerPolicy \ --policy-document file://cluster-autoscaler-policy.json
ARN 2. IAM IAM eksctl AWS

eksctl
eksctl create iamserviceaccount \ --cluster=<my-cluster> \ --namespace=kube-system \ --name=cluster-autoscaler \ --attach-policy-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:policy/<AmazonEKSClusterAutoscalerPolicy> \ --override-existing-serviceaccounts \ --approve
2. --asg-accesseksctlthe section called “ IAM ” (p. 304)thateksctl IAM IAM Amazon EC2 Linux
AWS Management Console
a. IAM https://console.aws.amazon.com/iam/ b. c. Select type of trusted entity () Web identity (Web ) d. Choose a Web identity provider ( Web )
i. Identity provider () URL ii. Audience () sts.amazonaws.com
e. : f. AmazonEKSClusterAutoscalerPolicy
g. : Tags () h. Add tags (optional) ( ()) : i. AmazonEKSClusterAutoscalerRole
j.
k. Trust Relationships () Edit Trust Relationship () l.
"oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:aud": "sts.amazonaws.com"
"oidc.eks.<region-code>.amazonaws.com/id/<EXAMPLED539D4633E53DE1B716D3041E>:sub": "system:serviceaccount:kube-system:cluster-autoscaler"
Cluster Autoscaler (p. 44)
Cluster Autoscaler
2. cluster-autoscaler ( IAM ARN) <example values>
kubectl annotate serviceaccount cluster-autoscaler \ -n kube-system \ eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<AmazonEKSClusterAutoscalerRole>
3. cluster-autoscaler.kubernetes.io/safe-to-evict
cluster-autoscaler<YOUR CLUSTER NAME>( <>)
• --balance-similar-node-groups
- --v=4
- --stderrthreshold=info
- --cloud-provider=aws
- --skip-nodes-with-local-storage=false
- --expander=least-waste
- --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/<YOUR CLUSTER NAME>
- --balance-similar-node-groups
- --skip-nodes-with-system-pods=false
5. Cluster Autoscaler Kubernetes Cluster
Autoscaler Kubernetes 1.19 1.19 Cluster Autoscaler (1.19.n)
6. Cluster Autoscaler Replace 1.19n
kubectl set image deployment cluster-autoscaler \ -n kube-system \ cluster-autoscaler=k8s.gcr.io/autoscaling/cluster-autoscaler:v<1.19.n>
Cluster Autoscaler Cluster Autoscaler
Cluster Autoscaler


Amazon EBS Amazon EC2 GPU


(p. 78) Amazon EC2
EBS
() Amazon EBS Kubernetes Amazon EKS Amazon EBS () Amazon EC2
• balance-similar-node-groups=true • Amazon EBS

• balance-similar-node-groups=false.

kubelet
• kubelet GPU --node-labels k8s.amazonaws.com/accelerator=$ACCELERATOR_TYPE


Key: k8s.io/cluster-autoscaler/node-template/resources/$RESOURCE_NAME
Value: 5
Key: k8s.io/cluster-autoscaler/node-template/label/$LABEL_KEY
Value: $LABEL_VALUE
Key: k8s.io/cluster-autoscaler/node-template/taint/$TAINT_KEY
Value: NoSchedule

Autoscaler
Kubernetes

( 1,000 )



• • • podResourceRequestsResourceLimits •

( 10 ) API Kubernetes API Amazon EC2 Auto Scaling Amazon EKS API API Kubernetes
10 AWS 6x API 38%

...
...
• —
• —
Spot
Amazon EC2AWS Kubernetes Kubernetes API
M4M5M5a,M5n CPU Amazon EC2 Amazon EC2 ( GitHub )
Amazon EC2 Auto Scaling Amazon EC2 Amazon EC2 Auto Scaling
--expander=least-waste
Auto Scaling
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-autoscaler-priority-expander
  namespace: kube-system
data:
Amazon EC2 Auto Scaling p2-node-group --max-node-provision-time Amazon EC2 Auto Scaling p3-node-group 15
Overprovisioning

preferredDuringSchedulingIgnoredDuringExecution AntiAffinity
30 Amazon EC2 30 30 Amazon EC2 Amazon EC2 Auto Scaling

Amazon EKS Amazon EKS Amazon EKS CloudWatch Logs CloudWatch Amazon EKS
Amazon EKS Amazon EKS AWS AWS CLI (1.16.139 ) Amazon EKS API Amazon EKS CloudWatch Logs
Amazon EKS Amazon EKS CloudWatch Logs CloudWatch Log AWS Amazon EC2 Amazon EBS
Kubernetes Kubernetes Kubernetes
• Kubernetes API (api)— API Kubernetes API Kubernetes kube-apiserver
• (audit)— Kubernetes Kubernetes
• (authenticator)— EKS Amazon EKS Kubernetes (RBAC) (p. 255)
• (controllerManager)— Kubernetes Kubernetes kube-controller-manager
• (scheduler)— Kubernetes kube-scheduler
CloudWatch Logs CloudWatch Logs CloudWatch
2
1. Amazon EKS https://console.aws.amazon.com/eks/home#/clusters 2. 3. 4. UR 5. Enabled () Disabled ()
(Disabled) 6.
AWS CLI
aws --version
AWS CLI 1.16.139 AWS CLI AWS AWS
2. AWS CLI
Note

3. ID Successful
aws eks --region <region-code> describe-update --name <prod> --update-id <883405c8-65c6-4758-8cee-2a7c1340a6d9>

Amazon EKS CloudWatch
CloudWatch Amazon CloudWatch Logs
CloudWatch
Note
• Kubernetes API (api)–kube-apiserver-<nnn...> • (audit)–kube-apiserver-audit-<nnn...> • (authenticator)–authenticator-<nnn...>
• (controllerManager)–kube-controller-manager-<nnn...> • (scheduler)–kube-scheduler-<nnn...>
Amazon EKS Kubernetes Kubernetes Kubernetes 1.19
EKS Amazon EKS Kubernetes
• 1.19.8 • 1.18.16 • 1.17.17 • 1.16.15
Kubernetes Amazon EKS Kubernetes Amazon EKS Kubernetes (p. 21) EKS (p. 55) EKS (p. 56)
Kubernetes 1.19 Kubernetes 1.19 Amazon EKS Kubernetes 1.19
Important
• 1.19 EKS kubernetes.io/cluster/<cluster-name> Kubernetes AWS Load Balancer Amazon EKS the section called “ VPC ” (p. 183) • 1.19 • AWS Load Balancer v2.1.1 <cluster-name> v2.1.2
AWS Load Balancer the section called “AWS Load Balancer ” (p. 210) the section called “” (p. 239)the section called “ ” (p. 235)
• Web IAM the section called “ IAM ” (p. 307) ( GitHub )
• webhook GitHub webhook GitHub
• Amazon EKS 1.19 CoreDNS Ns 1.8.0 Amazon EKS 1.19 the section called “ CoreDNS” (p. 215)
• EKS Linux 2 AMI 1.19 Linux 5.4 the section called “Amazon EKS Amazon Linux AMI” (p. 132)
• CertificateSigningRequest APIcertificates.k8s.io/v1
• spec.signerNamekubernetes.io/legacy-unknowncertificates.k8s.io/v1API
• kubectl1.18.8
Amazon EKS Kubernetes Kubernetes
Kind
ClusterRolebinding kubelet kubectl execkubectl logs
Kubernetes 1.19 Amazon EKS Kubernetes
• ExtendedResourceToleration ( GPU) Kubernetes
• Kubernetes (CLB NLB) GitHub service.beta.kubernetes.io/aws-load-balancer-target-node-labels ELB Kubernetes
• Kubernetes
• API Kubernetes • EndPointSlices API
IP Kubernetes
• ConfigMap ConfigMap API ConfigMapSecret Kubernetes
Kubernetes 1.19 https://github.com/kubernetes/kubernetes/blob/master/ CHANGELOG/CHANGELOG-1.19.md
Kubernetes 1.18 Kubernetes 1.18 Amazon EKS Kubernetes 1.18
Kubernetes 1.18 Amazon EKS Kubernetes
• CPU Kubernetes
• Kubernetes Kubernetes
• pathTypeIngressClass AWS Load Balancer (p. 239)( ALB Ingress Controller) API
• Support Kubernetes
• 1.18 AWS_DEFAULT_REGION=<region-code> Pod Web
Kubernetes 1.18 https://github.com/kubernetes/kubernetes/blob/master/ CHANGELOG/CHANGELOG-1.18.md
Kubernetes 1.17 Kubernetes 1.17 Amazon EKS Kubernetes 1.17
Important
• EKS CSIMigrationAWS CSI Kubernetes
• AWS Fargate kubelet 1.16 1.16 1.17 Fargate kubelet 1.16 1.17 1.15 Kubernetes
kubectl rollout restart deployment <deployment-name>
Kubernetes 1.17 Amazon Kubernetes
• () beta GA Kubernetes • .I/ • .IO/ • .ONE /ZONE
• ResourceQuotaScopeSelectors
• TaintNodesByCondition
• LoadBalancer
Windows
Kubernetes 1.17 https://github.com/kubernetes/kubernetes/blob/master/ CHANGELOG/CHANGELOG-1.17.md
Kubernetes 1.16 Kubernetes 1.16 Amazon EKS Kubernetes 1.16
Important
• Kubernetes 1.16 API 1.16 1.16 (p. 28)
• 1.16 Amazon EKS SAN X.509 EKS CA SAN x509
Kubernetes 1.16 Amazon EKS Kubernetes
• CSI Beta CSI Kubernetes CSI EBS CSI Amazon EKS 1.16
• Windows GMSA Alpha Beta Amazon EKS Kubernetes Windows Pod GMSA
• service.beta.kubernetes.io/aws-load-balancer-eip-allocations LoadBalancer IP AWS NLB EIP GitHub
• Kubernetes Webhook Kubernetes
• Beta Kubernetes
• CustomResourceDefaulting Beta apiextensions.k8s.io/v1 API Kubernetes
Kubernetes 1.16 https://github.com/kubernetes/kubernetes/blob/master/ CHANGELOG/CHANGELOG-1.16.md
Kubernetes Amazon EKS Amazon EKS
1.16 2019 9 8 2020 4 30 2021 7
1.17 2019 12 9 2021 9
1.18 2020 3 23 2020 10 13 2021 11
Kubernetes Amazon EKS Amazon EKS
1.19 2020 8 26 2021 2 16 2022 4
1.20 2021 5 2022 6
Amazon EKS version support and FAQ
The Kubernetes project releases new minor versions regularly and supports only a limited number of them at a time. Amazon EKS follows that cadence: it adds support for a version after it is available upstream, announces end of support for older versions with at least 60 days' notice, and then updates clusters that are still running an unsupported version. The questions below cover how Amazon EKS handles Kubernetes versions.
Q: How long is a Kubernetes version supported by Amazon EKS?
A: A Kubernetes version is supported for 14 months after it is first made available on Amazon EKS. This is true even if upstream Kubernetes no longer supports that version.
Q: How am I notified that a version's support is ending?
A: If any of your clusters run a version that is nearing its end of support, Amazon EKS posts a notice in the AWS Personal Health Dashboard at least 60 days before the end-of-support date.
Q: What happens on the end-of-support date?
A: You can no longer create clusters with that version, and Amazon EKS automatically updates the control plane of existing clusters to the next supported version. Nodes running on Amazon EC2 are not updated for you; update them yourself, see the section called “Updating a cluster” (p. 22).
For the update procedure and its effect on running workloads, see the referenced section (p. 21).
Q: Which Kubernetes features does Amazon EKS support?
A: Amazon EKS supports all GA features of the Kubernetes API, as well as beta features that are enabled by default. Alpha features are not supported.
Q: How many Kubernetes versions are available on Amazon EKS at the same time?
A: Several minor versions are supported concurrently (for example, 1.17 through 1.19 in the release calendar above); upstream Kubernetes supports the three most recent minor releases.
Q: How does this apply to AWS Fargate pods?
A: Fargate (p. 289) runs each pod on infrastructure that Amazon EKS patches. When a patch requires the underlying infrastructure to be replaced, Amazon EKS evicts the pod through the Kubernetes API, exactly as a kubectl delete pod would. Pods owned by a controller such as a Deployment are recreated on patched infrastructure; standalone pods are not recreated.
Important
Fargate pods keep running the kubelet version they were started with. Restart them (for example with kubectl rollout restart deployment <deployment-name>) to pick up a newer kubelet after a cluster update.
Amazon EKS platform versions
Amazon EKS platform versions describe the capabilities of the cluster control plane: which Kubernetes API server flags and admission controllers are enabled, and which Kubernetes patch version the control plane runs. Each Kubernetes minor version has one or more platform versions, and the platform versions of different minor versions are independent of each other.
When a new Kubernetes minor version becomes available on Amazon EKS (for example, 1.19), its first platform version is eks.1. Amazon EKS then periodically releases new platform versions to:
• pick up new Kubernetes patch versions, • enable new Amazon EKS features, • apply security fixes to the control plane.
Each new platform version increments the number (eks.<n+1>). Amazon EKS may also publish new Amazon EKS optimized AMIs alongside a platform version, but nodes are not updated automatically; you update them yourself.
Existing clusters are updated to the newest platform version for their Kubernetes minor version automatically; you cannot choose a platform version or downgrade. New platform versions do not introduce breaking changes or cause service interruptions. New clusters are always created with the latest platform version (eks.<n>) for the Kubernetes version you select.
Kubernetes version 1.19
Kubernetes version | Amazon EKS platform version | Enabled admission controllers | Release notes
1.19.8 | eks.4 | NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, ResourceQuota, DefaultTolerationSeconds, NodeRestriction, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, PodSecurityPolicy, TaintNodesByCondition, Priority, StorageObjectInUseProtection, PersistentVolumeClaimResize, ExtendedResourceToleration | Initial release of Kubernetes 1.19 for Amazon EKS. For more information, see Kubernetes 1.19 (p. 52).

Every 1.16, 1.17, and 1.18 platform version listed below enables the same admission controllers: NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, ResourceQuota, DefaultTolerationSeconds, NodeRestriction, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, PodSecurityPolicy, TaintNodesByCondition, Priority, StorageObjectInUseProtection, PersistentVolumeClaimResize.

Kubernetes version 1.18
Kubernetes version | Amazon EKS platform version | Release notes
1.18.16 | eks.6 |
1.18.9 | eks.3 |
1.18.9 | eks.2 |
1.18.8 | eks.1 | Initial release of Kubernetes 1.18 for Amazon EKS. For more information, see Kubernetes 1.18 (p. 53).

Kubernetes version 1.17
Kubernetes version | Amazon EKS platform version | Release notes
1.17.17 | eks.8 | New platform version; see the AWS Fargate section (p. 119).
1.17.12 | eks.4 |
1.17.9 | eks.3 | New platform version with support for security groups for pods (p. 193); the vpc-resource-controller now runs as part of the control plane.
1.17.9 | eks.2 | New platform version with support for Amazon EFS volumes on Fargate and for UDP listeners on AWS Network Load Balancers created for Services of type LoadBalancer.
1.17.6 | eks.1 | Initial release of Kubernetes 1.17 for Amazon EKS. For more information, see Kubernetes 1.17 (p. 54).

Kubernetes version 1.16
Kubernetes version | Amazon EKS platform version | Release notes
1.16.15 | eks.8 |
1.16.15 | eks.5 |
1.16.13 | eks.3 | New platform version with support for UDP listeners on AWS Network Load Balancers created for Services of type LoadBalancer.
1.16.8 | eks.2 |
1.16.8 | eks.1 | Initial release of Kubernetes 1.16 for Amazon EKS. For more information, see Kubernetes 1.16 (p. 55).
Windows support
This topic describes how to add Windows nodes to an Amazon EKS cluster and what to expect from them.
Considerations
Before deploying Windows nodes, be aware of the following:
• Amazon EC2 instance types C3, C4, D2, I2, M4 (excluding m4.16xlarge), and R3 are not supported for Windows workloads.
• Windows nodes cannot run the cluster's core system pods. Every cluster with Windows nodes must also contain at least one Linux node, because coredns and the VPC resource controller run on Linux.
• The kubelet and kube-proxy event logs on Windows nodes are redirected to the EKS Windows Event Log and are capped at 200 MB.
• Security groups for pods (p. 193) are not supported on Windows nodes.
• Windows nodes support one elastic network interface per node. The number of pods a Windows node can run is the number of IP addresses available per elastic network interface for the instance type, minus one (the node's own address). See IP addresses per network interface per instance type in the Amazon EC2 User Guide for Linux Instances.
• Group Managed Service Accounts (GMSA) for Windows pods are supported on Amazon EKS 1.16 and later. GMSA support is alpha in Kubernetes 1.15, where Amazon EKS does not support it, and beta from 1.16.
• AWS Fargate does not support Windows containers. To run Windows workloads, launch Windows nodes on Amazon EC2; see the section called “Windows” (p. 98).
Enabling Windows support
Windows support can be enabled with eksctl, or manually from a Windows, macOS, or Linux client. Either way, two components are deployed to the cluster: the VPC resource controller, which assigns secondary IP addresses for Windows pods, and the VPC admission controller webhook, which mutates Windows pods so that they are scheduled with those addresses.

eksctl
Prerequisite
A current version of eksctl. Check the installed version with:
    eksctl version
To install or update eksctl, see eksctl (p. 273).
1. Enable Windows support for your Amazon EKS cluster with the following eksctl command. Replace my-cluster with the name of your cluster. The command installs the VPC resource controller and the VPC admission controller webhook.
    eksctl utils install-vpc-controllers --cluster my-cluster --approve
2. After Windows support is enabled, launch a Windows node group: see the section called “Windows” (p. 98).

In a mixed cluster, pin Linux pods to Linux nodes with a nodeSelector in the pod spec so that they are never scheduled onto a Windows node:
    nodeSelector:
      kubernetes.io/os: linux
      kubernetes.io/arch: amd64
Windows pods use kubernetes.io/os: windows in the same way.

Windows
Run the following from a Windows client on which kubectl is configured for the cluster. The manifests and setup script are published per Region; the example files here are for us-west-2.
1. Deploy the VPC resource controller and the VPC admission controller webhook:
   a. Download the VPC resource controller manifest, the webhook deployment template, and the Setup-VPCAdmissionWebhook.ps1 script for your Region, and apply the VPC resource controller manifest with kubectl.
   b. Install OpenSSL and jq. The setup script uses OpenSSL to create the webhook's serving certificate and jq to read the cluster's JSON output.
   c. Run the setup script against the downloaded template. It generates the certificate, patches the CA bundle into the webhook configuration, and deploys the webhook:
      ./Setup-VPCAdmissionWebhook.ps1 -DeploymentTemplate ".\vpc-admission-webhook-deployment.yaml"
2. Check whether the cluster already has the ClusterRoleBinding that lets kube-proxy on Windows nodes read Services and Endpoints:
      kubectl get clusterrolebinding eks:kube-proxy-windows
   If the output is Error from server (NotFound), create a file named eks-kube-proxy-windows-crb.yaml with the following contents. It binds the built-in system:node-proxier ClusterRole (read access to Services, Endpoints and Nodes, nothing more) to the eks:kube-proxy-windows group that Windows nodes authenticate as.
      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: eks:kube-proxy-windows
        labels:
          k8s-app: kube-proxy
          eks.amazonaws.com/component: kube-proxy
      subjects:
        - kind: Group
          name: "eks:kube-proxy-windows"
          apiGroup: rbac.authorization.k8s.io
      roleRef:
        kind: ClusterRole
        name: system:node-proxier
        apiGroup: rbac.authorization.k8s.io
   Apply the file:
      kubectl apply -f eks-kube-proxy-windows-crb.yaml
3. Launch a Windows node group: see the section called “Windows” (p. 98).
4. Add the nodeSelector shown in the eksctl section above to your Linux pods so that they are not scheduled onto Windows nodes; Windows pods use kubernetes.io/os: windows.

macOS and Linux
Prerequisites: openssl (to create the webhook's serving certificate) and jq (to parse JSON output). Replace <region-code> in the downloads below with the Region of your cluster.
1. Deploy the VPC resource controller: download the manifest for your Region and apply it with kubectl.
2. Deploy the VPC admission controller webhook:
   a. Download the webhook deployment template and the two helper scripts for your Region.
   b. Make the scripts executable:
      chmod +x webhook-create-signed-cert.sh webhook-patch-ca-bundle.sh
   c. Run webhook-create-signed-cert.sh. It requests a serving certificate for the webhook from the cluster's certificate signing API and stores it in a Secret.
   d. Pipe the deployment template through webhook-patch-ca-bundle.sh to insert the cluster CA bundle into the webhook configuration, saving the result as vpc-admission-webhook.yaml.
   e. Deploy the webhook:
      kubectl apply -f vpc-admission-webhook.yaml
3. Check for the kube-proxy ClusterRoleBinding:
      kubectl get clusterrolebinding eks:kube-proxy-windows
   If the output is Error from server (NotFound), create eks-kube-proxy-windows-crb.yaml with the contents shown in step 2 of the Windows procedure above and apply it:
      kubectl apply -f eks-kube-proxy-windows-crb.yaml
4. Launch a Windows node group: see the section called “Windows” (p. 98).
5. Add the nodeSelector shown in the eksctl section above to your Linux pods so that they are not scheduled onto Windows nodes; Windows pods use kubernetes.io/os: windows.
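The nodeSelector requirement above is easy to forget for workloads that were deployed before Windows nodes joined the cluster. The following added example (not code from the Amazon EKS User Guide) audits Deployment objects in the shape that kubectl get deployments -A -o json returns and reports pod templates that pin neither kubernetes.io/os nor the deprecated beta.kubernetes.io/os label, through nodeSelector or required node affinity; it also shows how to add the recommended Linux selector. The three Deployments in SAMPLE_ITEMS are constructed for the example.

```python
"""Find workloads that can be scheduled onto the wrong OS in a mixed cluster.

Added example, not part of the Amazon EKS User Guide. Input is the `items`
list of `kubectl get deployments -A -o json`; the sample below is constructed.
"""
import copy

OS_LABELS = ("kubernetes.io/os", "beta.kubernetes.io/os")

# Constructed sample resembling `kubectl get deployments -A -o json` output.
SAMPLE_ITEMS = [
    {   # pinned to Linux through nodeSelector
        "metadata": {"name": "coredns", "namespace": "kube-system"},
        "spec": {"template": {"spec": {
            "nodeSelector": {"kubernetes.io/os": "linux"},
            "containers": [{"name": "coredns", "image": "coredns:1.7.0"}],
        }}},
    },
    {   # not pinned at all: may land on a Windows node and fail to start
        "metadata": {"name": "api", "namespace": "default"},
        "spec": {"template": {"spec": {
            "containers": [{"name": "api", "image": "example/api:1.0"}],
        }}},
    },
    {   # pinned to Windows through required node affinity
        "metadata": {"name": "iis", "namespace": "default"},
        "spec": {"template": {"spec": {
            "affinity": {"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {
                "nodeSelectorTerms": [{"matchExpressions": [
                    {"key": "kubernetes.io/os", "operator": "In", "values": ["windows"]}]}]}}},
            "containers": [{"name": "iis", "image": "mcr.microsoft.com/windows/servercore:1809"}],
        }}},
    },
]


def pinned_os(pod_spec):
    """Return the OS a pod spec is pinned to, or None if it could schedule on any node."""
    selector = pod_spec.get("nodeSelector") or {}
    for label in OS_LABELS:
        if label in selector:
            return selector[label]
    required = (pod_spec.get("affinity", {}).get("nodeAffinity", {})
                .get("requiredDuringSchedulingIgnoredDuringExecution", {}))
    # nodeSelectorTerms are ORed, so every term must pin the same single OS.
    values = []
    for term in required.get("nodeSelectorTerms", []):
        found = [e["values"][0] for e in term.get("matchExpressions", [])
                 if e.get("key") in OS_LABELS and e.get("operator") == "In"
                 and len(e.get("values", [])) == 1]
        if not found:
            return None
        values.append(found[0])
    if values and len(set(values)) == 1:
        return values[0]
    return None


def unpinned_workloads(items):
    """Return 'namespace/name' for every workload whose pod template is not OS-pinned."""
    return ["%s/%s" % (it["metadata"]["namespace"], it["metadata"]["name"])
            for it in items
            if pinned_os(it["spec"]["template"]["spec"]) is None]


def pin_to_linux(item):
    """Return a copy of the workload with the nodeSelector the guide recommends for Linux pods."""
    fixed = copy.deepcopy(item)
    spec = fixed["spec"]["template"]["spec"]
    spec.setdefault("nodeSelector", {}).update(
        {"kubernetes.io/os": "linux", "kubernetes.io/arch": "amd64"})
    return fixed


if __name__ == "__main__":
    for ref in unpinned_workloads(SAMPLE_ITEMS):
        print("not pinned to an OS:", ref)
```

Run it against real output by loading kubectl's JSON with json.load and passing its items list to unpinned_workloads; a preferred (non-required) node affinity is deliberately not treated as pinning, because the scheduler may ignore it.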
Deploying a Windows sample application
1. Create a file named windows-server-iis.yaml with the following contents. The Deployment runs an IIS web server in a Windows Server Core container and exposes it through a Service of type LoadBalancer.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: windows-server-iis
    spec:
      selector:
        matchLabels:
          app: windows-server-iis
          tier: backend
          track: stable
      replicas: 1
      template:
        metadata:
          labels:
            app: windows-server-iis
            tier: backend
            track: stable
        spec:
          containers:
          - name: windows-server-iis
            image: mcr.microsoft.com/windows/servercore:1809
            ports:
            - name: http
              containerPort: 80
            imagePullPolicy: IfNotPresent
            command:
            - powershell.exe
            - -command
            - "Add-WindowsFeature Web-Server; Invoke-WebRequest -UseBasicParsing -Uri 'https://dotnetbinaries.blob.core.windows.net/servicemonitor/2.0.1.6/ServiceMonitor.exe' -OutFile 'C:\\ServiceMonitor.exe'; echo '<html><body><br/><br/><marquee><H1>Hello EKS!!!</H1></marquee></body></html>' > C:\\inetpub\\wwwroot\\default.html; C:\\ServiceMonitor.exe 'w3svc'; "
          nodeSelector:
            kubernetes.io/os: windows
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: windows-server-iis-service
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        app: windows-server-iis
        tier: backend
        track: stable
      sessionAffinity: None
      type: LoadBalancer
   Note that the container downloads ServiceMonitor.exe from a public URL at every start; for anything beyond a smoke test, build the binary into your own image so that pod startup does not depend on an external download, and keep in mind that a Service of type LoadBalancer is reachable from the internet by default.
2. Deploy the application:
    kubectl apply -f windows-server-iis.yaml
3. Watch the pod until its status is Running. Pulling the Windows Server Core image can take several minutes:
    kubectl get pods -o wide --watch
4. Get the External IP of windows-server-iis-service (a load balancer DNS name, not an IP address):
    kubectl get service windows-server-iis-service
   Note
   It can take a few minutes for the load balancer to be provisioned and for the External IP to appear.
5. Open the External IP in a browser. The IIS page shows the “Hello EKS!!!” text from the manifest.
   Note
   If the page does not load yet, the load balancer's DNS name may not have propagated; wait a few minutes and try again.
Viewing API server flags for a cluster
Amazon EKS manages the Kubernetes API server, so you cannot change its flags, but you can see which flags (and therefore which admission controllers, authorization modes and feature gates) a cluster runs. Enable Amazon EKS control plane logging (p. 49) for the API server and read the startup lines of the kube-apiserver log stream in Amazon CloudWatch Logs.
To view the API server flags for a cluster
1. Enable API server logging:
   a. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters
   b. Choose the name of the cluster.
   c. Choose the Logging tab.
   d. Set API server to Enabled.
   e. Save the change.
2. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
3. Choose Logs, then the log group that Amazon EKS created for the cluster.
4. Choose the log stream whose name starts with kube-apiserver- followed by an ID (for example kube-apiserver-<example-ID-288ec988b77a59d70ec77>). Sorting the streams by Last Event Time brings the current one to the top.
5. The API server prints every flag and its value at startup, so the flags are found at the beginning of the stream.
Note
The flags are only written when the API server starts. If you enabled API server logging after the server started, the flags appear in a log stream that is created the next time the API server process is restarted; Amazon EKS restarts it during platform version updates.
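Once the kube-apiserver log stream is available, the startup lines can be checked mechanically against the platform version table above. The following added example (not code from the Amazon EKS User Guide) parses the FLAG: --name="value" lines that kube-apiserver prints at startup and flags the settings a security review looks at first: anonymous authentication, authorization modes, the NodeRestriction and PodSecurityPolicy admission plugins, and the unauthenticated port. The log lines in SAMPLE_LOG are constructed for the example, not copied from a real cluster.

```python
"""Audit kube-apiserver startup flags exported from CloudWatch Logs.

Added example, not part of the Amazon EKS User Guide. Feed it the text of a
kube-apiserver-* log stream; the sample below is constructed.
"""
import re

FLAG_RE = re.compile(r'FLAG: --([a-z0-9-]+)="(.*)"$')

# Constructed sample log lines in the format kube-apiserver uses at startup.
SAMPLE_LOG = """\
I0301 12:00:01.000001 1 flags.go:33] FLAG: --anonymous-auth="false"
I0301 12:00:01.000002 1 flags.go:33] FLAG: --authorization-mode="[Node,RBAC]"
I0301 12:00:01.000003 1 flags.go:33] FLAG: --enable-admission-plugins="[NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,PodSecurityPolicy,TaintNodesByCondition,Priority,StorageObjectInUseProtection,PersistentVolumeClaimResize]"
I0301 12:00:01.000004 1 flags.go:33] FLAG: --insecure-port="0"
I0301 12:00:01.000005 1 flags.go:33] FLAG: --profiling="false"
I0301 12:00:02.000006 1 server.go:622] external host was not specified, using 10.0.0.1
"""

# Admission plugins that must be present for node isolation and pod policy
# on the Kubernetes versions covered by the platform version table.
REQUIRED_ADMISSION = {"NodeRestriction", "PodSecurityPolicy", "ServiceAccount"}


def parse_flags(log_text):
    """Return {flag_name: raw_value} for every FLAG: line in the log text."""
    flags = {}
    for line in log_text.splitlines():
        m = FLAG_RE.search(line)
        if m:
            flags[m.group(1)] = m.group(2)
    return flags


def as_list(value):
    """Turn a slice-style flag value such as "[Node,RBAC]" into a Python list."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [v for v in value.split(",") if v]


def audit_flags(flags):
    """Return a list of findings; an empty list means the checked flags look sane.

    Defaults used for missing flags are the upstream kube-apiserver defaults
    (anonymous-auth=true, authorization-mode=AlwaysAllow, insecure-port=8080),
    i.e. the insecure ones, so that a truncated log cannot hide a problem.
    """
    findings = []
    if flags.get("anonymous-auth", "true") != "false":
        findings.append("anonymous-auth is not disabled")
    modes = as_list(flags.get("authorization-mode", "AlwaysAllow"))
    if "AlwaysAllow" in modes or "RBAC" not in modes:
        findings.append("authorization-mode does not enforce RBAC: %s" % modes)
    if "Node" not in modes:
        findings.append("Node authorizer is not enabled")
    plugins = set(as_list(flags.get("enable-admission-plugins", "")))
    for name in sorted(REQUIRED_ADMISSION - plugins):
        findings.append("admission plugin %s is not enabled" % name)
    if flags.get("insecure-port", "8080") != "0":
        findings.append("insecure (unauthenticated) port is open")
    return findings


if __name__ == "__main__":
    print(audit_flags(parse_flags(SAMPLE_LOG)) or "no findings")
```

Export a stream with the aws logs get-log-events command (or the console's download action) and pass the text to parse_flags; comparing the parsed enable-admission-plugins value against the list for your platform version is a quick way to confirm which admission controllers really run.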
Private clusters
This topic describes running an Amazon EKS cluster whose nodes and pods have no outbound internet access (a private cluster).
Requirements
• A container registry that is reachable from inside the VPC, such as Amazon ECR with its VPC interface endpoints (see Amazon ECR below (p. 72)).
• Endpoint private access must be enabled for the cluster (p. 36) so that nodes and Fargate pods reach the Kubernetes API server inside the VPC.
• VPC endpoints (p. 73) for every AWS service the cluster and its workloads call.
• Self-managed nodes cannot call the Amazon EKS DescribeCluster API without internet access, so they must be launched with the API server endpoint and cluster CA passed to the bootstrap script:
    --apiserver-endpoint <cluster-endpoint> --b64-cluster-ca <cluster-certificate-authority>
• The aws-auth ConfigMap must be created from inside the VPC, because that is the only place the API server endpoint is reachable; see the aws-auth ConfigMap and IAM (p. 255).
Considerations
• AWS X-Ray is not supported.
• Amazon CloudWatch Logs is supported, but only through a CloudWatch Logs VPC endpoint (p. 73).
• Self-managed nodes (p. 91) must be deployed into subnets that can reach the VPC endpoints, and the endpoints' security groups must allow HTTPS from the VPC CIDR blocks the nodes and pods use.
• IAM roles for service accounts (p. 307) require an AWS STS VPC endpoint (p. 73).
• The Amazon EBS CSI driver (p. 157), Amazon EFS CSI driver (p. 163), and Amazon FSx for Lustre CSI driver (p. 173) are deployed from .yaml manifests that reference container images hosted outside the VPC. Copy those images to Amazon ECR and update the image references in the manifests before applying them.
• AWS Fargate (p. 110) requires an AWS STS VPC endpoint (p. 73). If you front Fargate pods with an Application Load Balancer, use the AWS Load Balancer Controller (p. 239) with IP targets (see the section called “IP targets” (p. 238)), because Fargate pods have no node instance to register.
• AWS App Mesh: the Envoy sidecar images must be pulled from a registry inside the VPC, and App Mesh requires its own VPC endpoint (p. 73). The App Mesh controller for Kubernetes and the App Mesh sidecar injector are documented on GitHub.
Creating local copies of container images (Amazon ECR)
Because Amazon ECR is the only registry reachable from the VPC, copy every image a workload needs into a repository in your account. The steps use Docker and the AWS CLI:
1. Create an Amazon ECR repository for the image.
2. Pull the image from its public registry with docker pull.
3. Tag it with the Amazon ECR repository URI using docker tag.
4. Authenticate Docker to Amazon ECR.
5. Push the image with docker push.
Note
Run these commands from a machine with internet access; the private cluster itself cannot pull from the public registry.
The following example copies the aws-node-termination-handler image. Replace <111122223333> with your account ID and <region-code> with your Region:
    aws ecr create-repository --repository-name amazon/aws-node-termination-handler
    docker pull amazon/aws-node-termination-handler:v1.3.1-linux-amd64
    docker tag amazon/aws-node-termination-handler <111122223333>.dkr.ecr.<region-code>.amazonaws.com/amazon/aws-node-termination-handler:v1.3.1-linux-amd64
    aws ecr get-login-password --region <region-code> | docker login --username AWS --password-stdin <111122223333>.dkr.ecr.<region-code>.amazonaws.com
    docker push <111122223333>.dkr.ecr.<region-code>.amazonaws.com/amazon/aws-node-termination-handler:v1.3.1-linux-amd64
VPC endpoints
Create VPC interface endpoints for the following services so that nodes can pull images and the control plane can manage network interfaces:
• com.amazonaws.<region>.ec2
• com.amazonaws.<region>.ecr.api
• com.amazonaws.<region>.ecr.dkr
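The bootstrap arguments listed under Requirements are usually generated from the output of aws eks describe-cluster. The following added example (not code from the Amazon EKS User Guide) does that and validates the two values before they are baked into user data: the endpoint must be HTTPS, the CA must be base64-encoded PEM, and endpoint private access must be on, otherwise the node would try to reach a public endpoint it has no route to. The describe-cluster documents and the certificate are constructed placeholders, not real cluster data.

```python
"""Build bootstrap arguments for a self-managed node in a private cluster.

Added example, not part of the Amazon EKS User Guide. Input is the JSON that
`aws eks describe-cluster --name <cluster>` prints; both samples are constructed.
"""
import base64
import json
from urllib.parse import urlparse

# Constructed placeholder certificate; not a real CA certificate.
_FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
             b"MIIBexampleonlynotarealcertificate\n"
             b"-----END CERTIFICATE-----\n")
_FAKE_CA_B64 = base64.b64encode(_FAKE_PEM).decode()


def _describe(endpoint, private_access):
    """Build a constructed describe-cluster document for the examples below."""
    return json.dumps({"cluster": {
        "name": "my-cluster",
        "endpoint": endpoint,
        "certificateAuthority": {"data": _FAKE_CA_B64},
        "resourcesVpcConfig": {"endpointPrivateAccess": private_access,
                               "endpointPublicAccess": False},
    }})


# Constructed samples: a correctly configured private cluster and a broken one.
SAMPLE_DESCRIBE = _describe("https://ABCDEF0123456789.gr7.us-west-2.eks.amazonaws.com", True)
BAD_DESCRIBE = _describe("http://ABCDEF0123456789.gr7.us-west-2.eks.amazonaws.com", False)


def check_cluster(describe_json):
    """Return a list of problems that would break node bootstrap in a private cluster."""
    cluster = json.loads(describe_json)["cluster"]
    problems = []
    endpoint = cluster.get("endpoint", "")
    if urlparse(endpoint).scheme != "https":
        problems.append("API server endpoint is not https: %r" % endpoint)
    ca_b64 = cluster.get("certificateAuthority", {}).get("data", "")
    try:
        pem = base64.b64decode(ca_b64, validate=True)
    except ValueError:
        pem = b""
        problems.append("certificateAuthority.data is not valid base64")
    if pem and not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        problems.append("certificateAuthority.data does not decode to a PEM certificate")
    if not cluster.get("resourcesVpcConfig", {}).get("endpointPrivateAccess", False):
        problems.append("endpointPrivateAccess is disabled; nodes inside the VPC "
                        "cannot reach the API server without internet access")
    return problems


def bootstrap_args(describe_json):
    """Return the argument list for /etc/eks/bootstrap.sh, or raise ValueError."""
    problems = check_cluster(describe_json)
    if problems:
        raise ValueError("; ".join(problems))
    cluster = json.loads(describe_json)["cluster"]
    return ["--apiserver-endpoint", cluster["endpoint"],
            "--b64-cluster-ca", cluster["certificateAuthority"]["data"]]


def user_data(describe_json):
    """Render node user data for an Amazon EKS optimized Amazon Linux AMI."""
    name = json.loads(describe_json)["cluster"]["name"]
    return ("#!/bin/bash\nset -o errexit\n/etc/eks/bootstrap.sh %s %s\n"
            % (name, " ".join(bootstrap_args(describe_json))))


if __name__ == "__main__":
    print(user_data(SAMPLE_DESCRIBE))
```

Generate the document once from a machine that can reach the Amazon EKS API, then pass the rendered user data to your launch template; the check_cluster step is what catches the common mistake of leaving endpoint private access off while cutting the VPC's internet route.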
Amazon EKS nodes
An Amazon EKS cluster can schedule pods on any combination of self-managed nodes (p. 91), Amazon EKS managed node groups (p. 78), and AWS Fargate (p. 110). To see the nodes of a cluster in the console, see View nodes (p. 76).
The following criteria are used to compare Amazon EKS managed node groups, self-managed nodes, and AWS Fargate:
• Can be deployed to AWS Outposts — see Amazon EKS on AWS Outposts (p. 331)
• Can be deployed to AWS Local Zones — see AWS Local Zones (p. 332)
• Can run containers that require Windows (p. 65); Linux containers are supported everywhere
• Can run workloads that require Inferentia chips (p. 250) — Amazon Linux nodes only
• Can run workloads that require GPUs (p. 130) — Amazon Linux nodes only
• Can run workloads that require Arm processors (p. 131)
• Can run AWS Bottlerocket (p. 97)
• Pods share a kernel runtime environment with other pods
• Pods share CPU, memory, storage, and network resources with other pods
• Pods can use more vCPU and memory than requested in the pod spec
• Must deploy and manage Amazon EC2 instances (p. 81) — on Fargate there are no instances to manage
• Must secure, maintain, and patch the node operating system (Amazon EKS optimized AMIs for Amazon EC2 nodes; AWS manages the Fargate infrastructure)
• Can provide bootstrap arguments at node deployment — with a launch template (p. 88) for managed node groups; through the CloudFormation templates for self-managed Linux (x86) (p. 92), Linux (Arm) (p. 131), and Windows (p. 65) nodes
• Can assign IP addresses to pods from a different CIDR block than the node's address (custom AMI via launch template (p. 88); see the CNI documentation (p. 203))
• Can SSH into the node
• Can deploy a custom AMI to nodes — with a launch template (p. 88) for managed node groups
• Can deploy a custom CNI to nodes (p. 203)
• Must update the node AMI yourself — Amazon EKS publishes new Amazon EKS optimized AMIs and notifies you, but self-managed nodes are updated by you; Fargate has no AMI
• Must update the node Kubernetes version yourself — same split: Amazon EKS notifies you, self-managed nodes are updated by you
• Can use Amazon EBS storage with pods (p. 157)
• Can use Amazon EFS storage with pods (p. 163)
• Can use Amazon FSx for Lustre storage with pods (p. 173)
• Can use Network Load Balancers for Services (p. 235) — Fargate only with IP targets, see the section called “IP targets” (p. 238)
• Pods can run in a public subnet
• Can assign different VPC security groups to individual pods
• Can run Kubernetes DaemonSets
• Supports HostPort and HostNetwork in the pod manifest
• AWS Region availability — see AWS Fargate (p. 110) for the Regions where Fargate is available
• Can run containers on Amazon EC2 dedicated hosts — Amazon EC2 nodes only
• Pricing — Amazon EC2 instance cost for managed and self-managed nodes; Fargate is billed for the CPU and memory each pod requests
View nodes
The Amazon EKS console lists all nodes of a cluster, whether they are managed nodes, self-managed nodes, or Fargate, by reading them through the Kubernetes API. The same view is available for workloads (p. 223) and is described under View workloads (p. 74).
Prerequisites
• The IAM user or role you sign in to the console with needs the eks:AccessKubernetesApi permission in its IAM policy; see the section called “AWS managed policies” (p. 297).
• The same IAM identity must be mapped in the aws-auth ConfigMap of the cluster; see the section called “Managing users or IAM roles” (p. 255).
• The IAM identity must be bound to a Kubernetes role or clusterrole that can read the objects the console shows. Kubernetes RBAC uses clusterrole, clusterrolebinding, role, and rolebinding objects. Two sample sets of manifests are provided:
  • Cluster-wide read access: group eks-console-dashboard-full-access-group; map the IAM identity to this group in the aws-auth ConfigMap.
  • Read access limited to the default namespace: group eks-console-dashboard-restricted-access-group; map the IAM identity to this group in the aws-auth ConfigMap.
Grant the restricted set unless the operator genuinely needs to see every namespace.
Important
The console only shows what the mapped Kubernetes identity is authorized to read; missing nodes or workloads usually mean a missing RBAC binding, not a cluster problem.
Note
• For Amazon EC2 nodes the view includes the instance ID, the kubelet version, and the operating system.
• For managed node groups, the Amazon EC2 instance is linked to the Amazon EKS node group it belongs to.
Node conditions reported by Kubernetes are shown as follows:
• Disk pressure — FALSE or TRUE
• Memory pressure — FALSE or TRUE
• PID pressure — FALSE or TRUE (the node is running out of process IDs)
• Ready — whether the node is healthy and accepting pods