iT邦幫忙

2023 iThome Ironman Contest (鐵人賽)

DAY 1
DevOps

SRE/K8S 碎碎念 (SRE/K8S Ramblings) series, part 1

Day 1: Kickoff and Architecture Overview


I have been operating EKS in a private environment for almost a year, and this Ironman series is a chance to share some of the pitfalls and lessons from that work. Day 1 walks through the architecture. We build an EKS cluster inside a private VPC environment and connect it outward through an Internet Gateway. To issue commands to EKS, we also place an EC2 instance in the same VPC as a bastion host, grant it permissions through an IAM role, and keep the SSH key on the operator's local machine. This is the architecture as it stood when I joined the company; later posts will improve it step by step.

Architecture overview

VPC

In AWS the foundation of everything is the VPC; think of it as the plot of territory that all the other resources live on.

# Cluster name shared by the VPC, EKS and bastion resources below. No locals block appeared
# in the original post; the value is taken from the update-kubeconfig command at the end.
locals {
  cluster_name = "alvin-develop-test-eks"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"

  name = local.cluster_name
  cidr = "10.0.0.0/16"

  azs             = ["ap-northeast-1a", "ap-northeast-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]     # EKS nodes live here
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"] # bastion and NAT gateway live here

  enable_nat_gateway = true # gives the private subnets outbound internet access
  enable_vpn_gateway = true # creates a virtual private gateway; nothing in this post uses it

  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

output "private_subnets_from_vpc" {
  value = module.vpc.private_subnets
}

EKS

# The EKS module writes the aws-auth ConfigMap through the kubernetes provider, so the
# provider needs the new cluster's endpoint and CA; without it, aws_auth_roles is never applied.
provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
  }
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "19.16.0"

  cluster_name = local.cluster_name
  subnet_ids   = module.vpc.private_subnets
  vpc_id       = module.vpc.vpc_id

  tags = {
    Terraform = "true"
    Cluster   = local.cluster_name
  }

  # Must be true for aws_auth_roles to be written; leaving it commented out (as in the
  # original draft) means the bastion role is silently never mapped into the cluster.
  manage_aws_auth_configmap = true

  aws_auth_roles = [
    {
      # Reference the bastion role defined below instead of hard-coding an account-specific ARN.
      rolearn  = aws_iam_role.bastion.arn
      username = "role1"
      # system:masters is unrestricted cluster-admin; this is the starting point that later
      # posts in the series tighten down.
      groups   = ["system:masters"]
    },
  ]

  eks_managed_node_groups = {
    # blue = {}
    green = {
      min_size     = 1
      max_size     = 3
      desired_size = 1

      instance_types = ["t3.small"]
      capacity_type  = "ON_DEMAND"
    }
  }

  depends_on = [module.vpc]
}

# Commented out: aws_ecr_repository.this is not defined anywhere in this post, so this
# output fails validation until that resource is added.
# output "ecr_registry_id" {
#   value = aws_ecr_repository.this.registry_id
# }

Bastion

resource "aws_iam_role" "bastion" {
  name = "eks-bastion-role"

  # Trust policy: only the EC2 service may assume this role, which reaches the bastion
  # through the instance profile below rather than through long-lived access keys.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })
}

# AmazonEKSClusterPolicy is the managed policy intended for the EKS control-plane service
# role, not for a client machine; a bastion running update-kubeconfig only needs
# eks:DescribeCluster. Kept here because it is the starting architecture.
resource "aws_iam_role_policy_attachment" "eks_describe" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
  role       = aws_iam_role.bastion.name
}

resource "aws_iam_instance_profile" "bastion" {
  name = "eks-bastion-instance-profile"
  role = aws_iam_role.bastion.name
}

# eks:* on Resource "*" is far broader than the description suggests: it also allows
# creating, updating and deleting every cluster in the account. Scoping it down to
# eks:DescribeCluster on this cluster's ARN is one of the optimisations left for later posts.
resource "aws_iam_policy" "custom_eks_policy" {
  name        = "CustomEKSPolicy"
  description = "A custom policy for describing EKS clusters"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:*"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "custom_eks_policy" {
  policy_arn = aws_iam_policy.custom_eks_policy.arn
  role       = aws_iam_role.bastion.name
}

resource "aws_instance" "bastion" {
  ami           = "ami-0c056d433176c20ec" # Replace with the Amazon Linux 2 AMI ID for your region
  instance_type = "t2.micro"

  key_name               = "alvin-test-eks" # Key pair whose public key is installed for SSH; the private key stays on the operator's machine
  vpc_security_group_ids = [aws_security_group.bastion_sg.id]
  subnet_id              = module.vpc.public_subnets[0] # Public subnet so the Elastic IP below is reachable

  iam_instance_profile = aws_iam_instance_profile.bastion.name # Grants the role above without storing credentials on the host

  tags = {
    Name = "${local.cluster_name}-bastion"
  }
}

resource "aws_eip" "bastion" {
  instance = aws_instance.bastion.id

  tags = {
    Name = "${local.cluster_name}-bastion-eip"
  }
}

resource "aws_security_group" "bastion_sg" {
  name        = "${local.cluster_name}-bastion-sg"
  description = "Allow SSH access to bastion host"
  vpc_id      = module.vpc.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # Exposes SSH to the entire internet; restrict this to the operators' source CIDR ranges before use
  }

  egress {
    from_port   = 0 # Allow all outbound traffic
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "EKS-Bastion-SG"
  }
}

output "bastion_elastic_ip" {
  value       = aws_eip.bastion.public_ip
  description = "Elastic IP of the bastion host"
}
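As an added example (not code from the original post), a small Python check to run before `terraform apply`: it reads a `terraform show -json tfplan` document and flags the two settings this starting architecture carries and later posts are meant to tighten, SSH open to 0.0.0.0/0 on the bastion security group and an IAM policy granting a wildcard action on every resource. The embedded `SAMPLE_PLAN` is constructed to mirror `bastion_sg` and `custom_eks_policy` above, and the `eks:DescribeCluster` suggestion in the finding text is my assumption of the minimum a bastion needs for `update-kubeconfig`.

```python
"""Pre-apply check for the bastion/EKS Terraform in this post: flags SSH open to
0.0.0.0/0 and IAM policies that grant a wildcard action on every resource."""
import json

WORLD_CIDR = "0.0.0.0/0"

def walk_resources(module):
    """Yield every planned resource, recursing into child modules such as module.eks."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)

def open_ssh_findings(res):
    """Ingress rules of one aws_security_group that expose port 22 to any IPv4 address."""
    out = []
    for rule in res["values"].get("ingress") or []:
        covers_22 = rule["protocol"] == "-1" or rule["from_port"] <= 22 <= rule["to_port"]
        if covers_22 and WORLD_CIDR in (rule.get("cidr_blocks") or []):
            out.append(f"{res['address']}: port 22 open to the world; restrict cidr_blocks")
    return out

def wildcard_policy_findings(res):
    """Allow statements of one aws_iam_policy with a wildcard action on Resource *."""
    out = []
    for stmt in json.loads(res["values"]["policy"]).get("Statement", []):
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if stmt.get("Effect") == "Allow" and "*" in resources and any(a.endswith("*") for a in actions):
            out.append(f"{res['address']}: {actions} on Resource *; scope to eks:DescribeCluster")
    return out

def check_plan(plan_json):
    """Return findings for a `terraform show -json tfplan` document passed as a string."""
    findings = []
    for res in walk_resources(json.loads(plan_json)["planned_values"]["root_module"]):
        if res["type"] == "aws_security_group":
            findings += open_ssh_findings(res)
        elif res["type"] == "aws_iam_policy":
            findings += wildcard_policy_findings(res)
    return findings

# Constructed sample plan mirroring bastion_sg and custom_eks_policy from this post.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.bastion_sg", "type": "aws_security_group", "values": {
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": [WORLD_CIDR]}]}},
    {"address": "aws_iam_policy.custom_eks_policy", "type": "aws_iam_policy", "values": {
        "policy": json.dumps({"Statement": [{"Effect": "Allow", "Action": ["eks:*"], "Resource": "*"}]})}}]}}})

if __name__ == "__main__":  # swap SAMPLE_PLAN for open("tfplan.json").read() on a real plan
    print("\n".join(check_plan(SAMPLE_PLAN)))
```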

How to connect

SSH to the bastion host with the private key of the key pair named in the Terraform above (it stays on the operator's machine), then let the AWS CLI write a kubeconfig for the cluster and confirm that the node is reachable:

ssh -i "alvin-test-eks.pem" ubuntu@ec2-52-195-241-64.ap-northeast-1.compute.amazonaws.com

aws eks update-kubeconfig --region ap-northeast-1 --name alvin-develop-test-eks
kubectl get nodes

The login user depends on the AMI: Amazon Linux 2 images (which the AMI comment above calls for) use ec2-user, while Ubuntu images use ubuntu. The update-kubeconfig and kubectl commands run on the bastion, where the instance role mapped in aws-auth supplies the credentials.

Next post
[D2] How to access a private EKS cluster