公有子网模板

# Public-subnet cluster: nodes are placed in existing public subnets of an
# existing VPC. Block style throughout (no inline flow mappings).
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: lemon-eks
  region: us-east-1
  version: "1.28"

vpc:
  id: "vpc-0ef065ab3e684ca71"
  subnets:
    # Only public subnets are declared, so every node is launched with a
    # public IP (presumably the subnets auto-assign public IPv4 — verify).
    public:
      us-east-1a:
        id: subnet-07916a34475c608ad
      us-east-1b:
        id: subnet-0544a891d4fc8b4c5
      us-east-1c:
        id: subnet-0785a911aa890b86d
  # NOTE(review): no clusterEndpoints stanza, so the API endpoint keeps
  # eksctl's default (public access enabled).

iam:
  # Creates the IAM OIDC provider used by IRSA.
  withOIDC: true

# Core addons; no version is pinned, so eksctl chooses one.
addons:
  - name: vpc-cni
  - name: coredns
  - name: kube-proxy

managedNodeGroups:
  - name: eks-ng-1
    amiFamily: AmazonLinux2
    labels:
      role: workers
    instanceType: t3a.large
    desiredCapacity: 2
    minSize: 0
    maxSize: 10
    volumeSize: 50
    # NOTE(review): 110 is well above what the VPC CNI can assign on a
    # t3a.large without prefix delegation (no such setting is configured
    # here); pods beyond the ENI/IP limit will stay Pending — confirm
    # against the AWS per-instance IP table.
    maxPodsPerNode: 110
    ssh:
      # NOTE(review): per eksctl docs, allow: true without
      # sourceSecurityGroupIds opens port 22 from 0.0.0.0/0 on the node
      # security group. On public-IP nodes that is internet-reachable SSH.
      # Set sourceSecurityGroupIds to a bastion/admin SG, or drop SSH and
      # use SSM Session Manager instead.
      allow: true
      publicKeyName: lemon-fjnyb

私有子网安装模板

# Private-subnet cluster: nodes live in existing private subnets only.
# Block style throughout (no inline flow mappings).
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: bosi-eks
  region: us-east-1
  version: "1.28"

vpc:
  id: "vpc-0bfc63261578f25ea"
  subnets:
    # Two AZs only — the minimum EKS accepts.
    private:
      us-east-1d:
        id: subnet-0bc6132f3867ce878
      us-east-1f:
        id: subnet-0b870d7b1ee07566c
  # NOTE(review): no clusterEndpoints stanza, so the API endpoint keeps
  # eksctl's default (public access enabled). Private nodes do not change
  # that; set publicAccess: false / privateAccess: true if the intent is a
  # VPC-only control plane.

iam:
  # Creates the IAM OIDC provider used by IRSA.
  withOIDC: true

# Core addons; no version is pinned, so eksctl chooses one.
addons:
  - name: vpc-cni
  - name: coredns
  - name: kube-proxy

managedNodeGroups:
  - name: bosi-ng-1
    amiFamily: AmazonLinux2
    labels:
      role: workers
    instanceType: t3a.large
    desiredCapacity: 2
    minSize: 0
    maxSize: 10
    volumeSize: 50
    # NOTE(review): 110 exceeds the VPC CNI limit for t3a.large unless
    # prefix delegation is enabled (it is not configured here) — confirm
    # against the AWS per-instance IP table.
    maxPodsPerNode: 110
    iam:
      # Pre-existing node role supplied instead of an eksctl-created one;
      # it must carry the worker-node, CNI and ECR-read policies eksctl
      # would otherwise attach (not verifiable from this file).
      instanceRoleARN: "arn:aws:iam::917958955567:role/raymond-eks-ng"
    # No public IPs; outbound traffic follows the private subnets' routes
    # (presumably NAT — verify, or image pulls will fail).
    privateNetworking: true
    ssh:
      # NOTE(review): per eksctl docs, allow: true without
      # sourceSecurityGroupIds opens port 22 from 0.0.0.0/0 on the node
      # security group. Nodes are private, but that still admits any
      # VPC/peered source; restrict the source SG or prefer SSM.
      allow: true
      publicKeyName: lemon-fjnyb

混合安装模板

---
# Mixed template: one self-managed nodegroup (nodeGroups, not
# managedNodeGroups) in public subnets and one in private subnets.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: cluster-24
  # NOTE(review): region is us-west-1 but every AZ key and nodegroup subnet
  # reference below is us-east-1*. Subnets must belong to the cluster's
  # region, so either this line or the AZ keys are wrong — fix before use.
  region: us-west-1

vpc:
  id: vpc-0c24b1cc77da8f463
  subnets:
    public:
      us-east-1a:
        id: subnet-0324095a4f2188967
      us-east-1b:
        id: subnet-083814b087bad140b
      us-east-1c:
        id: subnet-03a1260affe6f9944
    private:
      us-east-1a:
        # NOTE(review): this same subnet ID appears in the private-subnet
        # template above as us-east-1f in vpc-0bfc63261578f25ea; verify it
        # really belongs to this VPC and this AZ.
        id: subnet-0b870d7b1ee07566c
      us-east-1b:
        id: subnet-00110ffa3ef259d0c
      us-east-1c:
        id: subnet-0a96e24163ef2c9c3

nodeGroups:
  # Public nodegroup: no privateNetworking, so nodes get public IPs.
  # No ssh stanza, so eksctl's default (SSH not opened) applies.
  - name: ng-1
    instanceType: m5.xlarge
    desiredCapacity: 2
    # Entries may be an AZ key from vpc.subnets or a raw subnet ID; the ID
    # here is the public us-east-1b subnet declared above.
    subnets:
      - us-east-1a
      - subnet-083814b087bad140b
  # Private nodegroup: AZ keys resolve to the private subnets above.
  - name: ng-2
    instanceType: m5.xlarge
    desiredCapacity: 2
    privateNetworking: true
    subnets:
      - us-east-1b
      - us-east-1c

自定义启动模板

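# Managed nodegroup backed by a custom EC2 launch template, added to the
# existing cluster "raymond" (no vpc: section — subnet IDs are given on
# the nodegroup directly).
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: raymond
  region: us-east-1

managedNodeGroups:
  - name: rm-ng-2
    # Was left empty (parses as null), which leaves the initial size to
    # eksctl's defaulting. Set explicitly to minSize; raise if more nodes
    # are wanted at creation time.
    desiredCapacity: 1
    minSize: 1
    maxSize: 20
    launchTemplate:
      id: lt-0cc19078acfb42a3a
      # Pinned version: bump deliberately when the template changes.
      version: "1"
    # NOTE(review): with a launch template, instance settings eksctl would
    # otherwise manage (SSH/security groups, IMDS, volumes, user data)
    # come from the template itself — review it for IMDSv2 (HttpTokens
    # required) and for which security groups it attaches.
    iam:
      # Reuses the node instance role eksctl created for rm-ng-1.
      instanceRoleARN: "arn:aws:iam::917958955567:role/eksctl-raymond-nodegroup-rm-ng-1-NodeInstanceRole-q9IiVe14zoeM"
    subnets:
      - subnet-0bc6132f3867ce878
      - subnet-0b870d7b1ee07566c
    privateNetworking: true
    labels:
      role: worker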

模板参考

# Reference template. ${VAR} placeholders are expanded by the caller (e.g.
# envsubst) before eksctl reads the file — eksctl itself does no
# substitution. Private-only API endpoint, VPC CNI custom networking,
# full control-plane logging and the common CSI drivers.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: ${CLUSTER_NAME}
  region: ap-northeast-1
  version: "${K8S_VERSION}"
  tags:
    app: ${CLUSTER_NAME}
kubernetesNetworkConfig: 
  # Service CIDR; must not overlap the VPC or any connected network.
  serviceIPv4CIDR: ${SVC_CIDR}
iam:
  withOIDC: true
  serviceAccounts:
    # Create an IAM Role for Service Account (IRSA) for the AWS Load Balancer Controller
    - metadata:
        name: aws-load-balancer-controller
        namespace: kube-system
      wellKnownPolicies:
        awsLoadBalancerController: true
  # Optional: use EKS Pod Identity for the AWS Load Balancer Controller instead of IRSA.
  # NOTE(review): the example below should attach the controller's own IAM
  # policy, not AmazonEKS_CNI_Policy (that one belongs to the aws-node SA),
  # and needs namespace: kube-system. Check the eksctl schema for the exact
  # policy-ARN field name of podIdentityAssociations before uncommenting.
  # podIdentityAssociations:
  #   - namespace: kube-system
  #     serviceAccountName: aws-load-balancer-controller
  #     attachPolicyARNs:
  #       - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
accessConfig:
  # Both IAM access entries and the legacy aws-auth ConfigMap are honoured.
  authenticationMode: API_AND_CONFIG_MAP
  # Whether to grant Kubernetes cluster-admin to the IAM principal that runs the create.
  # NOTE(review): with the explicit admin access entry below, this can be
  # false so cluster-admin is bound to a named principal rather than to
  # whichever identity happened to run eksctl.
  bootstrapClusterCreatorAdminPermissions: true
  accessEntries: 
    - principalARN: ${CLUSTER_ADMIN}
      type: STANDARD
      accessPolicies: 
        # Grant Kubernetes cluster-admin to the IAM role/user named in principalARN above
        - policyARN: arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy
          accessScope:
            type: cluster
vpc:
  # API server reachable only from inside the VPC / connected networks.
  clusterEndpoints:
    publicAccess: false
    privateAccess: true
  id: "${VPC_ID}"
  # Additional security group attached to the control-plane ENIs.
  securityGroup: "${SG_ID}"
  # Subnets for the control-plane ENIs (the private subnets, one per AZ)
  controlPlaneSubnetIDs: 
    - ${PRI_SUBNET_1}
    - ${PRI_SUBNET_2}
    - ${PRI_SUBNET_3}
  # Subnets for the data plane (nodes). The mapping keys are aliases that
  # the nodegroup's subnets list refers to below.
  subnets:
    public:
      public-${AZ1}:
        id: ${PUB_SUBNET_1}
      public-${AZ2}:
        id: ${PUB_SUBNET_2}
      public-${AZ3}:
        id: ${PUB_SUBNET_3}
    private:
      private-${AZ1}:
        id: ${PRI_SUBNET_1}
      private-${AZ2}:
        id: ${PRI_SUBNET_2}
      private-${AZ3}:
        id: ${PRI_SUBNET_3}
cloudWatch:
  # All five control-plane log types (incl. audit + authenticator), kept 30 days.
  clusterLogging:
    enableTypes:
    - api
    - audit
    - authenticator
    - controllerManager
    - scheduler
    logRetentionInDays: 30
# Optional: envelope-encrypt Kubernetes Secrets with a customer-managed KMS key.
# NOTE(review): recommended for anything beyond a sandbox — set keyARN and
# uncomment (it can also be enabled on an existing cluster later).
# secretsEncryption: 
#   keyARN: ""
addons:
  - name: vpc-cni
    # NOTE(review): every addon version is pinned; kube-proxy v1.29.0 must
    # match ${K8S_VERSION} or the install fails — keep them in step.
    version: v1.16.3-eksbuild.2
    attachPolicyARNs: 
      - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
    resolveConflicts: overwrite
    # Custom networking: pod IPs come from per-AZ ENIConfig objects keyed by
    # the zone label (those objects are not created by this file); prefix
    # delegation raises per-node pod density.
    configurationValues: |-
      env:
        ENABLE_PREFIX_DELEGATION: "true"
        AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG: "true"
        ENI_CONFIG_LABEL_DEF: "topology.kubernetes.io/zone"
  - name: kube-proxy
    version: v1.29.0-eksbuild.1
    resolveConflicts: overwrite
  - name: eks-pod-identity-agent
    version: v1.2.0-eksbuild.1
    resolveConflicts: overwrite
  - name: coredns
    version: v1.11.1-eksbuild.4
    resolveConflicts: overwrite
  - name: aws-mountpoint-s3-csi-driver
    version: v1.4.0-eksbuild.1
    resolveConflicts: overwrite
    # NOTE(review): Resource: '*' on every statement gives the driver's role
    # list/read/write/delete over every bucket in the account. Scope each
    # statement to the bucket(s) this cluster actually mounts (bucket ARN
    # for ListBucket, bucket/* for the object actions) before real use.
    attachPolicy:
      Statement:
        - Effect: Allow
          Sid: MountpointFullBucketAccess
          Action:
          - s3:ListBucket
          Resource: '*'
        - Effect: Allow
          Sid: MountpointFullObjectAccess
          Action:
          - s3:GetObject
          - s3:PutObject
          - s3:AbortMultipartUpload
          - s3:DeleteObject
          Resource: '*'
        - Effect: Allow
          Sid: ExpressOneZoneAccess
          Action:
          - s3express:CreateSession
          Resource: '*'
  - name: aws-efs-csi-driver
    version: v1.7.6-eksbuild.1
    resolveConflicts: overwrite
    wellKnownPolicies:
      efsCSIController: true
  - name: aws-ebs-csi-driver
    version: v1.28.0-eksbuild.1
    resolveConflicts: overwrite
    wellKnownPolicies:
      ebsCSIController: true
  # Optional observability addons (not installed).
  # - name: adot
  #   version: v0.92.1-eksbuild.1
  #   resolveConflicts: overwrite
  # - name: amazon-cloudwatch-observability
managedNodeGroups:
  - name: ${NODEGROUP}
    amiFamily: AmazonLinux2
    instanceType: c6i.large
    # Created scaled to zero; raise desiredCapacity (or run an autoscaler)
    # to get nodes.
    minSize: 0
    desiredCapacity: 0
    maxSize: 3
    volumeSize: 50
    volumeType: gp3
    privateNetworking: true
    subnets:
    - private-${AZ1}
    - private-${AZ2}
    - private-${AZ3}
    ssh:
      # NOTE(review): per eksctl docs, allow: true without
      # sourceSecurityGroupIds opens port 22 from 0.0.0.0/0 on the node
      # security group. Nodes are private, but that still admits any
      # VPC/peered source; restrict the source SG or prefer SSM.
      allow: true
      publicKeyName: ${SSH_KEY_NAME}
    tags:
      app: eksctl-${CLUSTER_NAME}
    # Also apply the tags to the nodegroup's Auto Scaling group.
    propagateASGTags: true


集群创建

# Create the cluster from the config file (long form of -f).
eksctl create cluster --config-file=bosi-eks.yaml

Kube-config文件生成

# Write/merge a kubeconfig entry for the cluster with the AWS CLI.
# NOTE(review): the cluster name here (bosi-raymond) is not the name used in
# the private-subnet template above (bosi-eks); use the name the cluster was
# actually created with or the command fails.
aws eks update-kubeconfig --name bosi-raymond --region us-east-1

# Same thing via eksctl.
eksctl utils write-kubeconfig --cluster <cluster-name>

自我判定

#

判定描述

自我判定(是/否)

1在各搜索引擎中是否能找到知识信息(包括但不限于Google、百度、Bing)
2是否需要代码集成开发