def __create_eks_control_plane(self, vpc: ec2.Vpc) -> eks.Cluster: # This role is used to connect to the cluster with admin access # It is be associated to system:masters kubernetes RBAC group masters_role = iam.Role( self, 'eksClusterAdmin', role_name='eks-cluster-admin-'+self._config['stage'], assumed_by=iam.AccountRootPrincipal() ) # Control plane role # It provides permissions for the Kubernetes control plane # to make calls to AWS API operations on your behalf. role = self.__create_eks_control_plane_role() eks_config = self._config['compute']['eks'] self._cluster = eks.Cluster( scope=self, id="ControlPlane", cluster_name=self._config['name'], role=role, masters_role=masters_role, version=eks.KubernetesVersion.of(eks_config['version']), vpc=vpc, vpc_subnets=list( map(lambda group_name: ec2.SubnetSelection(subnet_group_name=group_name), eks_config['subnetGroupNames']) ), default_capacity=0, )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc(self, "EKS_Kafka_PocClusterVPC") private_subnets = [snet_id.subnet_id for snet_id in vpc.private_subnets] bngi = msk.CfnCluster.BrokerNodeGroupInfoProperty(instance_type="kafka.m5.large", client_subnets=private_subnets) msk_cluster = msk.CfnCluster(self, "EKS_KafkaPocMSKCluster", broker_node_group_info=bngi, cluster_name="EKSKafkaPOCMKSCluster", kafka_version="2.3.1", number_of_broker_nodes=3) eks_admin_role = iam.Role(self, "EKS_Kafka_PocCluster-AdminRole", assumed_by=iam.AccountPrincipal(account_id=self.account)) eks_cluster = eks.Cluster(self, "EKS_Kafka_PocEKSCluster", cluster_name="EKS_Kafka_PocCluster", masters_role=eks_admin_role, kubectl_enabled=True, version="1.15", vpc=vpc) eks_cluster.add_capacity("worker", instance_type=ec2.InstanceType("t3.large"), min_capacity=1, max_capacity=10)
def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) cluster_admin = iam.Role(self, 'ClusterAdmin', assumed_by=iam.AccountRootPrincipal(), role_name='eks_cdk_admin') # The code that defines your stack goes here example_cluster = eks.Cluster(self, 'Example', version=eks.KubernetesVersion.V1_19, masters_role=cluster_admin) example_cluster.aws_auth.add_user_mapping(user=iam.User.from_user_name( self, 'K8SUser', 'k8s'), groups=['system:masters']) example_cluster.add_fargate_profile( 'ExampleFargate', selectors=[{ 'namespace': 'kube-system' }], fargate_profile_name='ExampleFargate')
def __init__(self, scope: core.Construct, construct_id: str, my_service_details={}, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) self.my_service_details = my_service_details masters_role = iam.Role( self, "clusterAdmin", role_name="demo_EKS_cluster_role", assumed_by=iam.AccountRootPrincipal() ) k8s_cluster = eks.Cluster( self, "defaultCluster", cluster_name="DemoEKS", version=eks.KubernetesVersion.V1_19, default_capacity=1, default_capacity_type=eks.DefaultCapacityType.EC2, default_capacity_instance=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.SMALL), masters_role=masters_role ) k8s_cluster.add_fargate_profile( "FargateEnabled", selectors=[ eks.Selector( namespace="eksdemo", labels={"fargate":"enabled"}) ] ) my_service = EksServices(self, "myService", eks_cluster=k8s_cluster, service=self.my_service_details)
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) cdk_id = self.cdk_id ng_cdk_id = self.ng_cdk_id if cdk_id not in EKS_Cluster_List: return cluster_config, worker_node_config = EKS_Cluster_List[cdk_id] cluster_name, k8s_version = cluster_config instance_type, min_size, max_size, desired_size, disk_size = worker_node_config cluster = aws_eks.Cluster( self, cdk_id, version=k8s_version, default_capacity=0, cluster_name=cluster_name, ) cluster.add_nodegroup_capacity( ng_cdk_id, instance_types=[instance_type], min_size=min_size, max_size=max_size, desired_size=desired_size, disk_size=disk_size, )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # import default VPC #vpc = aws_ec2.Vpc.from_lookup(self, 'VPC', is_default=True) vpc = aws_ec2.Vpc(self, 'EKS-CDK-VPC', cidr='10.0.0.0/16', nat_gateways=1) # create an admin role eks_admin_role = aws_iam.Role(self, 'AdminRole', assumed_by=aws_iam.AccountPrincipal( account_id=self.account) ) # create the cluster cluster = aws_eks.Cluster(self, 'cluster', masters_role=eks_admin_role, vpc=vpc, default_capacity=0, version='1.14', output_cluster_name=True ) cluster.add_capacity('ondemand', instance_type=aws_ec2.InstanceType('t3.large'), max_capacity=1, bootstrap_options=aws_eks.BootstrapOptions( kubelet_extra_args='--node-labels myCustomLabel=od' ) ) cluster.add_capacity('spot', instance_type=aws_ec2.InstanceType('t3.large'), max_capacity=1, spot_price='0.1094', bootstrap_options=aws_eks.BootstrapOptions( kubelet_extra_args='--node-labels myCustomLabel=spot' ) )
def __init__(self, scope: core.Construct, id: str, cluster_configuration, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.cluster_configuration = cluster_configuration def determine_cluster_size(self): """ return instance_size, node_count """ if self.cluster_configuration['capacity_details'] == 'small': # default to fargate only instance_details = aws_ec2.InstanceType.of(aws_ec2.InstanceClass.BURSTABLE3, aws_ec2.InstanceSize.SMALL) instance_count = 3 elif self.cluster_configuration['capacity_details'] == 'medium': instance_details = aws_ec2.InstanceType.of(aws_ec2.InstanceClass.COMPUTE5, aws_ec2.InstanceSize.LARGE) instance_count = 3 elif self.cluster_configuration['capacity_details'] == 'large': instance_details = aws_ec2.InstanceType.of(aws_ec2.InstanceClass.COMPUTE5, aws_ec2.InstanceSize.LARGE) instance_count = 6 elif self.cluster_configuration['capacity_details'] == 'small': instance_details = aws_ec2.InstanceType.of(aws_ec2.InstanceClass.BURSTABLE3, aws_ec2.InstanceSize.SMALL) instance_count = 3 else: # For a non specified capacity cluster, we will default to zero nodes and fargate only instance_count = 2 instance_details = aws_ec2.InstanceType.of(aws_ec2.InstanceClass.BURSTABLE3, aws_ec2.InstanceSize.SMALL) self.cluster_configuration['fargate_enabled'] == True return { 'default_capacity': instance_count, 'default_capacity_instance': instance_details } capacity_details = determine_cluster_size(self) # Create an EKS cluster with default nodegroup configuration self.cluster = aws_eks.Cluster( self, "EKSCluster", version = self.cluster_configuration['eks_version'], cluster_name = self.cluster_configuration['cluster_name'], **capacity_details ) # If fargate is enabled, create a fargate profile if self.cluster_configuration['fargate_enabled'] is True: self.cluster.add_fargate_profile( "FargateEnabled", selectors = [ aws_eks.Selector( namespace = 'default', labels = { 'fargate': 'enabled' } ) ] ) # If bottle rocket is enabled, build a self managed nodegroup if self.cluster_configuration.get('bottlerocket_asg') is True: self.cluster.add_auto_scaling_group_capacity( "BottleRocketASG", instance_type=aws_ec2.InstanceType.of(aws_ec2.InstanceClass.BURSTABLE3, aws_ec2.InstanceSize.SMALL), machine_image_type=aws_eks.MachineImageType.BOTTLEROCKET, desired_capacity=3, )
def __init__(self, scope: core.Construct, name: str, vpc: ec2.IVpc, **kwargs) -> None: super().__init__(scope, name, **kwargs) cluster = eks.Cluster( self, 'jenkins-workshop-eks-control-plane', vpc=vpc, default_capacity=0 ) asg_worker_nodes = cluster.add_capacity( 'worker-node', instance_type=ec2.InstanceType('t3.medium'), desired_capacity=2, ) asg_jenkins_slave = cluster.add_capacity( 'worker-node-jenkins-slave', instance_type=ec2.InstanceType('t3.medium'), desired_capacity=1, bootstrap_options=eks.BootstrapOptions( kubelet_extra_args='--node-labels jenkins=slave --register-with-taints jenkins=slave:NoSchedule', docker_config_json=read_docker_daemon_resource('kubernetes_resources/docker-daemon.json') ) ) asg_jenkins_slave.add_to_role_policy(iam.PolicyStatement( actions=[ 'ecr:CompleteLayerUpload', 'ecr:InitiateLayerUpload', 'ecr:PutImage', 'ecr:UploadLayerPart' ], resources=["*"] ) ) asg_worker_nodes.connections.allow_from( asg_jenkins_slave, ec2.Port.all_traffic() ) asg_jenkins_slave.connections.allow_from( asg_worker_nodes, ec2.Port.all_traffic() ) eks_master_role = iam.Role( self, 'AdminRole', assumed_by=iam.ArnPrincipal(get_eks_admin_iam_username()) ) cluster.aws_auth.add_masters_role(eks_master_role) helm_tiller_rbac = eks.KubernetesResource( self, 'helm-tiller-rbac', cluster=cluster, manifest=read_k8s_resource('kubernetes_resources/helm-tiller-rbac.yaml') )
def create_eks(self, vpc): # create eks cluster with amd nodegroup cluster = eks.Cluster( self, "EKS", vpc=vpc, version=eks.KubernetesVersion.V1_18, default_capacity_instance=ec2.InstanceType("m5.large"), default_capacity=1) # add arm/graviton nodegroup cluster.add_nodegroup_capacity( "graviton", desired_size=1, instance_type=ec2.InstanceType("m6g.large"), nodegroup_name="graviton", node_role=cluster.default_nodegroup.role) # add secret access to eks node role cluster.default_nodegroup.role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "SecretsManagerReadWrite")) # create service account sa = cluster.add_service_account("LBControllerServiceAccount", name="aws-load-balancer-controller", namespace="kube-system") sa_annotated = self.add_helm_annotation(cluster, sa) # create policy for the service account statements = [] with open('backend/iam_policy.json') as f: data = json.load(f) for s in data["Statement"]: statements.append(iam.PolicyStatement.from_json(s)) policy = iam.Policy(self, "LBControllerPolicy", statements=statements) policy.attach_to_role(sa.role) # add helm charts ingress = cluster.add_helm_chart( "LBIngress", chart="aws-load-balancer-controller", release="aws-load-balancer-controller", repository="https://aws.github.io/eks-charts", namespace="kube-system", values={ "clusterName": cluster.cluster_name, "serviceAccount.name": "aws-load-balancer-controller", "serviceAccount.create": "false" }) ingress.node.add_dependency(sa_annotated) return cluster
def provision( self, name: str, eks_version: eks.KubernetesVersion, private_api: bool, vpc: ec2.Vpc, bastion_sg: ec2.SecurityGroup, ): eks_sg = ec2.SecurityGroup( self.scope, "EKSSG", vpc=vpc, security_group_name=f"{name}-EKSSG", allow_all_outbound=False, ) # Note: We can't tag the EKS cluster via CDK/CF: https://github.com/aws/aws-cdk/issues/4995 cluster = eks.Cluster( self.scope, "eks", cluster_name=name, vpc=vpc, endpoint_access=eks.EndpointAccess.PRIVATE if private_api else None, vpc_subnets=[ec2.SubnetType.PRIVATE], version=eks_version, default_capacity=0, security_group=eks_sg, ) if bastion_sg: cluster.cluster_security_group.add_ingress_rule( peer=bastion_sg, connection=ec2.Port( protocol=ec2.Protocol("TCP"), string_representation="API Access", from_port=443, to_port=443, ), ) cdk.CfnOutput(self.scope, "eks_cluster_name", value=cluster.cluster_name) cdk.CfnOutput( self.scope, "eks_kubeconfig_cmd", value= f"aws eks update-kubeconfig --name {cluster.cluster_name} --region {self.scope.region} --role-arn {cluster.kubectl_role.role_arn}", ) return cluster
def __init__( self, scope: cdk.Construct, construct_id: str, vpc: ec2.IVpc, instance_type: str = "m5.xlarge", **kwargs, ) -> None: super().__init__(scope, construct_id, **kwargs) self.cluster_name = "data-team" # EKS cluster self.cluster = eks.Cluster( self, "EksForSpark", cluster_name=self.cluster_name, version=eks.KubernetesVersion.V1_19, default_capacity=0, endpoint_access=eks.EndpointAccess.PUBLIC_AND_PRIVATE, vpc=vpc, vpc_subnets=[ ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE) ], ) # Default node group ng = self.cluster.add_nodegroup_capacity( "base-node-group", instance_types=[ec2.InstanceType(instance_type)], min_size=1, max_size=20, disk_size=50, ) self.add_admin_role_to_cluster() self.add_cluster_admin() # Cluster AutoScaling FTW ClusterAutoscaler(self.cluster_name, self, self.cluster, ng).enable_autoscaling() # We like to use the Kubernetes Dashboard self.enable_dashboard() # Install Airflow as well # TODO: Make this optional # self.enable_airflow() # This is emr-specific, but we have to do it here to prevent circular dependencies self.map_iam_to_eks()
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.encryptionKey = kms.Key(self, 'KubeClusterKey') self.cluster = eks.Cluster( self, 'KubeCluster', version=eks.KubernetesVersion.V1_18, vpc=vpc, default_capacity=0, secrets_encryption_key=self.encryptionKey, endpoint_access=eks.EndpointAccess.PRIVATE, vpc_subnets=[ec2.SubnetSelection(subnet_group_name='Kubes')])
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.__vpc = ec2.Vpc(self, 'MyVpc', cidr='10.10.0.0/16') self.__eks = eks.Cluster(self, 'WinCtrEksCluster', version=eks.KubernetesVersion.V1_18, default_capacity=0, vpc=self.vpc, endpoint_access=eks.EndpointAccess.PUBLIC) self.__private_subnet_ids = [] for net in self.eks_cluster.vpc.private_subnets: self.__private_subnet_ids.append(net.subnet_id)
def __init__(self, scope: core.Construct, construct_id: str, vpc: ec2.Vpc, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # The code that defines your stack goes here env_name = self.node.try_get_context("env") eks_role = iam.Role( self, "eksadmin", assumed_by=iam.ServicePrincipal(service='ec2.amazonaws.com'), role_name='eks-cluster-role', managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( managed_policy_name='AdministratorAccess') ]) eks_instance_profile = iam.CfnInstanceProfile( self, 'instanceprofile', roles=[eks_role.role_name], instance_profile_name='eks-cluster-role') cluster = eks.Cluster( self, 'prod', cluster_name='ie-prod-snow-common', version=eks.KubernetesVersion.V1_19, vpc=vpc, vpc_subnets=[ ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE) ], default_capacity=0, masters_role=eks_role) nodegroup = cluster.add_nodegroup_capacity( 'eks-nodegroup', instance_types=[ ec2.InstanceType('t3.large'), ec2.InstanceType('m5.large'), ec2.InstanceType('c5.large') ], disk_size=50, min_size=2, max_size=2, desired_size=2, subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE), remote_access=eks.NodegroupRemoteAccess( ssh_key_name='ie-prod-snow-common'), capacity_type=eks.CapacityType.SPOT)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc.from_lookup(self,'vpc', vpc_id='vpc-082a9f3f7200f4513' ) k8s_admin = iam.Role(self, "k8sadmin", assumed_by=iam.ServicePrincipal(service='ec2.amazonaws.com'), role_name='eks-master-role', managed_policies=[iam.ManagedPolicy.from_aws_managed_policy_name( managed_policy_name='AdministratorAccess' ) ] ) k8s_instance_profile = iam.CfnInstanceProfile(self, 'instanceprofile', roles=[k8s_admin.role_name], instance_profile_name='eks-master-role' ) cluster = eks.Cluster(self, 'dev', cluster_name='eks-cdk-demo', version='1.15', vpc=vpc, vpc_subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE)], default_capacity=0, kubectl_enabled=True, #security_group=k8s_sg, masters_role= k8s_admin ) #cluster.aws_auth.add_user_mapping(adminuser, {groups['system:masters']}) ng = cluster.add_nodegroup('eks-ng', nodegroup_name='eks-ng', instance_type=ec2.InstanceType('t3.medium'), disk_size=5, min_size=1, max_size=1, desired_size=1, subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE), remote_access=eks.NodegroupRemoteAccess(ssh_key_name='k8s-nodes') )
def __init__(self, scope, id, *, description=None, env=None, tags=None, synthesizer=None): super().__init__(scope, id, description=description, env=env, tags=tags, synthesizer=synthesizer) vpc = ec2.Vpc( self, f"kodexa-vpc-{id}", max_azs=2, cidr="10.10.0.0/16", subnet_configuration=[ ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.PUBLIC, name="Public", cidr_mask=24), ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.PRIVATE, name="Private", cidr_mask=24) ], nat_gateways=1, ) core.CfnOutput(self, "Output", value=vpc.vpc_id) # Create K8S cluster cluster_admin = iam.Role(self, f"kodexa-eks-adminrole-{id}", assumed_by=iam.AccountRootPrincipal()) cluster = eks.Cluster(self, id=f'kodexa-eks-cluster-{id}', cluster_name=f'kodexa-eks-cluster-{id}', version=eks.KubernetesVersion.V1_17, vpc=vpc, default_capacity=4, masters_role=cluster_admin)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) cluster_admin = iam.Role(self, "AdminRole", assumed_by=iam.AccountRootPrincipal()) vpc = ec2.Vpc(self, "EKSVpc", cidr="10.2.0.0/16") eksCluster = eks.Cluster( self, "fedcluster", vpc=vpc, cluster_name="awsfedcluster", kubectl_enabled=True, masters_role=cluster_admin, default_capacity=2, default_capacity_instance=ec2.InstanceType("t3.large"))
def __init__(self, scope: core.Construct, id: str, vpc, instance_type, managed_worker_nodes_nubmer, cluster_name, unmanaged_worker_nodes_number, spot_price, key_pair, **kwargs) -> None: super().__init__(scope, id, **kwargs) #Create key pair that will be used for the K8S worker nodes self.key = KeyPair( self, "EKSKey", name=key_pair, description="This is a Key Pair for EKS worker nodes") #Create KMS key for secrets encryption self.kms_eks = kms.Key( self, 'kms_eks', alias='kms_eks', ) #Get the IAM role which will be added to the aws_auth # masters_role = iam.Role.from_role_arn( # self, 'MasterRole', # role_arn = masters_role # ) #Create EKS cluster with managed/unmanaged worker nodes self.eks_cluster = eks.Cluster( self, 'eks', cluster_name=cluster_name, version=eks.KubernetesVersion.V1_18, # masters_role = masters_role, default_capacity=managed_worker_nodes_nubmer, secrets_encryption_key=self.kms_eks, vpc=vpc) self.eks_role = self.eks_cluster.node.try_find_child('Role') self.eks_role.add_to_policy(statement=iam.PolicyStatement( actions=["ec2:DescribeVpcs"], resources=["*"])) if unmanaged_worker_nodes_number > 0: self.asg = self.eks_cluster.add_auto_scaling_group_capacity( "EKSAutoScalingGroup", instance_type=ec2.InstanceType(instance_type), spot_price=spot_price, desired_capacity=unmanaged_worker_nodes_number, key_name=self.key.name) self.asg.add_to_role_policy( iam.PolicyStatement(actions=["route53:*"], resources=["*"]))
def setup_eks_cluster(self): self.cluster = aws_eks.Cluster( self, self.config["eks_cluster_name"], version=aws_eks.KubernetesVersion.V1_21, default_capacity=self.config.get("eks_nodegroup_capacity", 2), default_capacity_instance=ec2.InstanceType.of( instance_class=ec2.InstanceClass.BURSTABLE2, instance_size=ec2.InstanceSize.SMALL), vpc=self.vpc, vpc_subnets=self.vpc.private_subnets, endpoint_access=aws_eks.EndpointAccess.PUBLIC) # add worker task roles to masters group in the EKS cluster so that workers can launch pods self.cluster.aws_auth.add_role_mapping( self.worker_service.task_definition.task_role, groups=["system:masters"]) # add any needed policies to give permissions to EKS nodes self.cluster.default_nodegroup.role.add_to_policy( self.athena_access_policy())
def __init__(self, scope: core.Construct, id: str, vpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Create SecurityGroup for the Control Plane ENIs eks_security_group = ec2.SecurityGroup( self, "EKSSecurityGroup", vpc=vpc, allow_all_outbound=True ) eks_security_group.add_ingress_rule( ec2.Peer.ipv4('10.0.0.0/16'), ec2.Port.all_traffic() ) eks_security_group.add_ingress_rule( ec2.Peer.ipv4(c9_ip), ec2.Port.all_traffic() ) self.cluster = eks.Cluster(self, "EKSGraviton2", version=eks.KubernetesVersion.V1_18, default_capacity=0, endpoint_access=eks.EndpointAccess.PUBLIC_AND_PRIVATE, vpc=vpc, security_group=eks_security_group ) self.ng_x86 = self.cluster.add_nodegroup_capacity("x86-node-group", instance_types=[ec2.InstanceType("m5.large")], desired_size=2, min_size=1, max_size=3 ) self.ng_arm64 = self.cluster.add_nodegroup_capacity("arm64-node-group", instance_types=[ec2.InstanceType("m6g.large")], desired_size=2, min_size=1, max_size=3 )
def __init__(self, scope, id, *, description=None, env=None, tags=None, synthesizer=None, iam_user=None, vpc_id=None, default_capacity=4, default_instance_type='t3a.large'): super().__init__(scope, id, description=description, env=env, tags=tags, synthesizer=synthesizer) if vpc_id: vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=vpc_id) else: vpc = ec2.Vpc(self, f"kodexa-vpc-{id}", max_azs=2, cidr="10.10.0.0/16", subnet_configuration=[ec2.SubnetConfiguration( subnet_type=ec2.SubnetType.PUBLIC, name="Public", cidr_mask=24 ), ec2.SubnetConfiguration( subnet_type=ec2.SubnetType.PRIVATE, name="Private", cidr_mask=24 )], nat_gateways=1, ) core.CfnOutput(self, "Output", value=vpc.vpc_id) # Create K8S cluster cluster_admin = iam.Role(self, f"kodexa-eks-adminrole-{id}", assumed_by=iam.AccountRootPrincipal()) cluster = eks.Cluster(self, id=f'kodexa-eks-cluster-{id}', cluster_name=f'kodexa-eks-cluster-{id}', version=eks.KubernetesVersion.V1_17, vpc=vpc, default_capacity_instance=ec2.InstanceType(default_instance_type), default_capacity=default_capacity, masters_role=cluster_admin) if iam_user: admin_user = iam.User.from_user_name(id='cluster-admin-iam-user', user_name=iam_user, scope=self) cluster.aws_auth.add_user_mapping(admin_user, groups=['system:masters'])
def create_eks(self, vpc): # create eks cluster with amd nodegroup cluster = eks.Cluster( self, "EKS", vpc=vpc, version=eks.KubernetesVersion.V1_18, default_capacity_instance=ec2.InstanceType("m5.large"), default_capacity=1) # add arm/graviton nodegroup cluster.add_nodegroup_capacity( "graviton", desired_size=1, instance_type=ec2.InstanceType("m6g.large"), nodegroup_name="graviton", node_role=cluster.default_nodegroup.role) # add secret access to eks node role cluster.default_nodegroup.role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "SecretsManagerReadWrite")) # create service account sa = self.add_service_account(cluster=cluster, name="aws-load-balancer-controller", namespace="kube-system") # add helm charts ingress = cluster.add_helm_chart( "LBIngress", chart="aws-load-balancer-controller", release="aws-load-balancer-controller", repository="https://aws.github.io/eks-charts", namespace="kube-system", values={ "clusterName": cluster.cluster_name, "serviceAccount.name": "aws-load-balancer-controller", "serviceAccount.create": "false" }) return cluster
def __init__(self,scope: core.Construct, id:str, eksname: str, eksvpc: ec2.IVpc, noderole: IRole, eks_adminrole: IRole, region:str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # 1.Create EKS cluster without node group self._my_cluster = eks.Cluster(self,'EKS', vpc= eksvpc, cluster_name=eksname, masters_role=eks_adminrole, output_cluster_name=True, version= eks.KubernetesVersion.V1_19, endpoint_access= eks.EndpointAccess.PUBLIC_AND_PRIVATE, default_capacity=0 ) # 2.Add Managed NodeGroup to EKS, compute resource to run Spark jobs _managed_node = self._my_cluster.add_nodegroup_capacity('onDemand-mn', nodegroup_name = 'etl-ondemand', node_role = noderole, desired_size = 1, max_size = 5, disk_size = 50, instance_types = [ec2.InstanceType('m5.xlarge')], labels = {'app':'spark', 'lifecycle':'OnDemand'}, subnets = ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE,one_per_az=True), tags = {'Name':'OnDemand-'+eksname,'k8s.io/cluster-autoscaler/enabled': 'true', 'k8s.io/cluster-autoscaler/'+eksname: 'owned'} ) # 3. Add Spot managed NodeGroup to EKS (Run Spark exectutor on spot) _spot_node = self._my_cluster.add_nodegroup_capacity('spot-mn', nodegroup_name = 'etl-spot', node_role = noderole, desired_size = 1, max_size = 30, disk_size = 50, instance_types=[ec2.InstanceType("r5.xlarge"),ec2.InstanceType("r4.xlarge"),ec2.InstanceType("r3.xlarge")], labels = {'app':'spark', 'lifecycle':'Ec2Spot'}, capacity_type=eks.CapacityType.SPOT, tags = {'Name':'Spot-'+eksname, 'k8s.io/cluster-autoscaler/enabled': 'true', 'k8s.io/cluster-autoscaler/'+eksname: 'owned'} )
def __init__(self, scope: core.Construct, id: str, params: typing.Optional[Stack_Parameter_Group] = None, **kwargs) -> None: super().__init__(scope, id, **kwargs) cluster_vpc = None cluster_id = id + '-cluster' cluster_subnets = [] if params is not None: cluster_vpc = ec2.Vpc.from_lookup(self, 'VPC', vpc_id=params.vpc_id) cluster_id = params.cluster_id cluster_subnets = params.cluster_subnets self._cluster_subnets = cluster_subnets self._kip_cluster = eks.Cluster( self, id=cluster_id, default_capacity=0, kubectl_enabled=True, cluster_name=cluster_id, core_dns_compute_type=None, # masters_role=None, output_cluster_name=False, output_config_command=True, output_masters_role_arn=False, # role=None, # security_group=None, # version=None, vpc=cluster_vpc, vpc_subnets=[ec2.SubnetSelection(subnets=cluster_subnets)])
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(app, id, **kwargs) vpc = ec2.Vpc.from_lookup(self, "DefaultVpc", is_default=True) eks_cluster = eks.Cluster(self, "EksCluster", cluster_name="eks-cluster", # managed by ASG default_capacity=0, kubectl_enabled=True, version=eks.KubernetesVersion.V1_17, vpc=vpc, # default vpc only has public subnets vpc_subnets=vpc.select_subnets( subnet_type=ec2.SubnetType.PUBLIC, one_per_az=True).subnets ) asg = autoscaling.AutoScalingGroup(self, "EksASG", min_capacity=1, max_capacity=2, instance_type=ec2.InstanceType("t3.small"), machine_image=eks.EksOptimizedImage( kubernetes_version="1.17" ), update_type=autoscaling.UpdateType.ROLLING_UPDATE, vpc=vpc ) node_group = eks.Nodegroup(self, "NodeGroup", nodegroup_name="eks-worker", cluster=eks_cluster, instance_type=ec2.InstanceType("t3.small"), min_size=1, max_size=2, tags={"Name": "eks-worker"} )
def __init__(self, scope: core.Construct, id: str, vpc, eks_version=aws_eks.KubernetesVersion.V1_18, cluster_name=None, capacity_details='small', fargate_enabled=False, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.vpc = vpc self.eks_version = eks_version self.cluster_name = cluster_name self.capacity_details = capacity_details self.fargate_enabled = fargate_enabled self.cluster_config = { 'eks_version': self.eks_version, 'cluster_name': self.cluster_name, 'capacity_details': self.capacity_details, 'fargate_enabled': self.fargate_enabled } def determine_cluster_size(self): if self.cluster_config['capacity_details'] == 'small': instance_details = aws_ec2.InstanceType.of( aws_ec2.InstanceClass.BURSTABLE3, aws_ec2.InstanceSize.SMALL) instance_count = 3 elif self.cluster_config['capacity_details'] == 'medium': instance_details = aws_ec2.InstanceType.of( aws_ec2.InstanceClass.COMPUTE5, aws_ec2.InstanceSize.LARGE) instance_count = 3 elif self.cluster_config['capacity_details'] == 'large': instance_details = aws_ec2.InstanceType.of( aws_ec2.InstanceClass.COMPUTE5, aws_ec2.InstanceSize.LARGE) instance_count = 6 else: instance_details = aws_ec2.InstanceType.of( aws_ec2.InstanceClass.BURSTABLE3, aws_ec2.InstanceSize.SMALL) instance_count = 1 return { 'default_capacity': instance_count, 'default_capacity_instance': instance_details } capacity_details = determine_cluster_size(self) self.cluster = aws_eks.Cluster( self, "EKSCluster", version=self.cluster_config['eks_version'], cluster_name=self.cluster_config['cluster_name'], vpc=vpc, vpc_subnets=vpc.isolated_subnets, **capacity_details) # If fargate is enabled, create a fargate profile if self.cluster_config['fargate_enabled'] is True: self.cluster.add_fargate_profile( "FargateEnabled", selectors=[ aws_eks.Selector(namespace='default', labels={'fargate': 'enabled'}) ])
def _create_resource(self): self.cluster = eks.Cluster( scope=self, id=self._cluster_name, version=eks.KubernetesVersion.V1_18 )
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, runnerrole: iam.IRole, **kwargs) -> None: super().__init__(scope, id, **kwargs) # The code that defines your stack goes here clusterAdmin = iam.Role(self, "AdminRole", assumed_by=iam.AccountRootPrincipal()) cluster = eks.Cluster(self, 'ekscdkdemo', vpc=vpc, default_capacity=0) asg_worker_nodes = cluster.add_capacity( 'eksspot-cdkdemo', spot_price="0.0544", instance_type=ec2.InstanceType('t3.medium'), desired_capacity=2, bootstrap_options=eks.BootstrapOptions( docker_config_json=read_docker_daemon_resource( 'eksbaseresource/docker-daemon.json'))) alb_rbac = eks.KubernetesResource( self, 'alb-rbac', cluster=cluster, manifest=read_k8s_resource('eksbaseresource/alb-rbac.yml')) asg_worker_nodes.add_to_role_policy(iampolicy) cluster.aws_auth.add_masters_role(clusterAdmin) cluster.aws_auth.add_masters_role(runnerrole) service_account = cluster.add_service_account("external-dns-sa", name='external-dns-sa') wellnessuser_irsa = cluster.add_service_account("wellnessuser", name='wellnessuser') service_account.add_to_principal_policy(dnspolicy) deployment = { "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "labels": { "app.kubernetes.io/name": "alb-ingress-controller" }, "name": "alb-ingress-controller", "namespace": "kube-system" }, "spec": { "selector": { "matchLabels": { "app.kubernetes.io/name": "alb-ingress-controller" } }, "template": { "metadata": { "labels": { "app.kubernetes.io/name": "alb-ingress-controller" } }, "spec": { "containers": [{ "name": "alb-ingress-controller", "args": [ "--ingress-class=alb", "--cluster-name=" + cluster.cluster_name ], "image": "docker.io/amazon/aws-alb-ingress-controller:v1.1.8" }], "serviceAccountName": "alb-ingress-controller" } } } } alb_service = cluster.add_resource('alb-ingress-controller', deployment) external_dns = eks.KubernetesResource( self, 'external-dns', cluster=cluster, manifest=read_k8s_resource('eksbaseresource/external-dns.yml')) alb_service.node.add_dependency(alb_rbac) external_dns.node.add_dependency(service_account) core.CfnOutput(self, 'ClusterAdmin_Role_ARN', value=clusterAdmin.role_arn) core.CfnOutput( self, 'Getupdateeks', value="aws eks update-kubeconfig --name " + cluster.cluster_name + " --region ap-northeast-1 --role-arn " + clusterAdmin.role_arn) wellness_kns_stream = kinesis.Stream( self, 'WellnessKnsStream', retention_period=core.Duration.hours(24), shard_count=1, stream_name='event.member.appointment.devInfo') wellness_kns_stream.grant_read_write(wellnessuser_irsa) core.CfnOutput(self, 'kinesis_stream_arn', value=wellness_kns_stream.stream_arn) core.CfnOutput(self, 'kinesis_stream_name', value=wellness_kns_stream.stream_name)
def __init__(self, scope: core.Construct, id: str, vpc, config, **kwargs) -> None: super().__init__(scope, id, **kwargs) prj_name = self.node.try_get_context("project_name") env_name = self.node.try_get_context("env") name = config['ec2']['name'] key = config['ec2']['ssh_key'] eks_cluster = eks.Cluster( self, 'eks-cluster', version=eks.KubernetesVersion.V1_19, cluster_name=prj_name + env_name + '-eks-cluster', vpc=vpc, vpc_subnets=[ ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE) ], output_cluster_name=True, default_capacity=0) # This code block will provision worker nodes with launch configuration eks_cluster.add_auto_scaling_group_capacity( 'spot-asg-az-a', auto_scaling_group_name=prj_name + env_name + '-spot-az-a', min_capacity=1, max_capacity=1, desired_capacity=1, key_name=f"{key}", instance_type=ec2.InstanceType('t3.small'), vpc_subnets=ec2.SubnetSelection( availability_zones=["ap-southeast-1a"], subnet_type=ec2.SubnetType.PRIVATE), bootstrap_options={ "kubelet_extra_args": "--node-labels=node.kubernetes.io/lifecycle=spot,daemonset=active,app=general --eviction-hard imagefs.available<15% --feature-gates=CSINodeInfo=true,CSIDriverRegistry=true,CSIBlockVolume=true,ExpandCSIVolumes=true" }) # This code block will provision worker nodes with launch templates eks_cluster.add_nodegroup_capacity( 'spot-nodegroup-az-a', nodegroup_name=prj_name + env_name + '-spot-az-a', instance_types=[ ec2.InstanceType('t3a.small'), ec2.InstanceType('t3.small') ], disk_size=100, min_size=1, max_size=1, desired_size=1, capacity_type=eks.CapacityType.SPOT, subnets=ec2.SubnetSelection(availability_zones=["ap-southeast-1a"], subnet_type=ec2.SubnetType.PRIVATE), ) eks_cluster.add_nodegroup_capacity( 'spot-nodegroup-az-b', nodegroup_name=prj_name + env_name + '-spot-az-b', instance_types=[ ec2.InstanceType('t3a.small'), ec2.InstanceType('t3.small') ], min_size=1, max_size=1, desired_size=1, capacity_type=eks.CapacityType.SPOT, subnets=ec2.SubnetSelection(availability_zones=["ap-southeast-1b"], subnet_type=ec2.SubnetType.PRIVATE)) eks_cluster.add_nodegroup_capacity( 'spot-nodegroup-az-c', nodegroup_name=prj_name + env_name + '-spot-az-c', instance_types=[ ec2.InstanceType('t3a.small'), ec2.InstanceType('t3.small') ], min_size=1, max_size=1, desired_size=1, capacity_type=eks.CapacityType.SPOT, subnets=ec2.SubnetSelection(availability_zones=["ap-southeast-1c"], subnet_type=ec2.SubnetType.PRIVATE))
def __init__(self, scope: cdk.Construct, construct_id: str, stack_log_level, vpc, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # Create EKS Cluster Role # https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html self._eks_cluster_svc_role = _iam.Role( self, "c_SvcRole", assumed_by=_iam.ServicePrincipal("eks.amazonaws.com"), managed_policies=[ _iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonEKSClusterPolicy"), _iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonEKS_CNI_Policy"), _iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonEKSVPCResourceController") ]) self._eks_node_role = _iam.Role( self, "c_NodeRole", assumed_by=_iam.ServicePrincipal("ec2.amazonaws.com"), managed_policies=[ _iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonEKSWorkerNodePolicy"), _iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonEC2ContainerRegistryReadOnly"), _iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonEKS_CNI_Policy"), _iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonSSMManagedInstanceCore"), _iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonS3FullAccess"), _iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonSQSFullAccess") # Yes, yes...I know. :) ]) c_admin_role = _iam.Role( self, "c_AdminRole", assumed_by=_iam.CompositePrincipal( _iam.AccountRootPrincipal(), _iam.ServicePrincipal("ec2.amazonaws.com"))) c_admin_role.add_to_policy( _iam.PolicyStatement(effect=_iam.Effect.ALLOW, actions=["eks:DescribeCluster"], resources=["*"])) # Create Security Group for EKS Cluster SG self.eks_cluster_sg = _ec2.SecurityGroup( self, "eksClusterSG", vpc=vpc, description="EKS Cluster security group", allow_all_outbound=True, ) cdk.Tags.of(self.eks_cluster_sg).add("Name", "eks_cluster_sg") # https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html self.eks_cluster_sg.add_ingress_rule( peer=self.eks_cluster_sg, connection=_ec2.Port.all_traffic(), description="Allow incoming within SG") clust_name = "c_1_event_processor" self.eks_cluster_1 = _eks.Cluster( self, f"{clust_name}", cluster_name=f"{clust_name}", version=_eks.KubernetesVersion.V1_18, vpc=vpc, vpc_subnets=[ _ec2.SubnetSelection(subnet_type=_ec2.SubnetType.PUBLIC), _ec2.SubnetSelection(subnet_type=_ec2.SubnetType.PRIVATE) ], default_capacity=0, masters_role=c_admin_role, role=self._eks_cluster_svc_role, security_group=self.eks_cluster_sg, endpoint_access=_eks.EndpointAccess.PUBLIC # endpoint_access=_eks.EndpointAccess.PUBLIC_AND_PRIVATE ) node_grp_1 = self.eks_cluster_1.add_nodegroup_capacity( f"n_g_{clust_name}", nodegroup_name=f"{clust_name}_n_g", instance_types=[ _ec2.InstanceType("t3.medium"), _ec2.InstanceType("t3.large"), ], disk_size=20, min_size=1, max_size=6, desired_size=2, labels={ "app": "miztiik_ng", "lifecycle": "on_demand", "compute_provider": "ec2" }, subnets=_ec2.SubnetSelection(subnet_type=_ec2.SubnetType.PUBLIC), ami_type=_eks.NodegroupAmiType.AL2_X86_64, # remote_access=_eks.NodegroupRemoteAccess(ssh_key_name="eks-ssh-keypair"), capacity_type=_eks.CapacityType.ON_DEMAND, node_role=self._eks_node_role # bootstrap_options={"kubelet_extra_args": "--node-labels=node.kubernetes.io/lifecycle=spot,daemonset=active,app=general --eviction-hard imagefs.available<15% --feature-gates=CSINodeInfo=true,CSIDriverRegistry=true,CSIBlockVolume=true,ExpandCSIVolumes=true"} ) # This code block will provision worker nodes with Fargate Profile configuration fargate_n_g_3 = self.eks_cluster_1.add_fargate_profile( "FargateEnabled", fargate_profile_name="miztiik_n_g_fargate", selectors=[ _eks.Selector(namespace="default", labels={"fargate": "enabled"}) ]) self.add_cluster_admin() # We like to use the Kubernetes Dashboard self.enable_dashboard() ########################################### ################# OUTPUTS ################# ########################################### output_0 = cdk.CfnOutput( self, "AutomationFrom", value=f"{GlobalArgs.SOURCE_INFO}", description= "To know more about this automation stack, check out our github page." ) output_1 = cdk.CfnOutput(self, "eksClusterAdminRole", value=f"{c_admin_role.role_name}", description="EKS Cluster Admin Role") output_2 = cdk.CfnOutput( self, "eksClusterSvcRole", value=f"{self._eks_cluster_svc_role.role_name}", description="EKS Cluster Service Role")