How do I create an Amazon EKS cluster and node groups that don't require access to the internet?

Last updated: July 10, 2020

I want to create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster and node groups with PrivateOnly networking enabled. I don't want to use an internet gateway or a network address translation (NAT) gateway.

Short description

You can use AWS PrivateLink to create an Amazon EKS cluster and its node groups without a route to the internet.

Resolution

Create an Amazon Virtual Private Cloud (Amazon VPC) for your Amazon EKS cluster

1.    Create an AWS CloudFormation stack using the following template:

https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-06-10/amazon-eks-fully-private-vpc.yaml

The stack creates a VPC with three PrivateOnly subnets and VPC endpoints for the required services. The PrivateOnly subnets have route tables that contain only the default local route, so they have no access to the internet.

Important: The AWS CloudFormation template creates the VPC endpoints with full-access policies. You can further restrict these policies according to your requirements.

Tip: To review all the VPC endpoints after the stack is created, open the Amazon VPC console, and then choose Endpoints from the navigation pane.

2.    Open the AWS CloudFormation console.

3.    In the navigation pane, choose Stacks.

4.    Choose the stack, and then choose the Outputs tab. This tab contains the information about the subnets that you need later, including the VPC ID.
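The console check in the tip above can be scripted. The following Python program is an added example and is not part of the original article or of the CloudFormation template; it audits a VPC for the three properties this section depends on: no private route table carries a route to an internet gateway (igw-) or NAT gateway (nat-), an endpoint exists for each service the worker nodes need, and which endpoint policies are still the template's full-access default (the "Important" note above). The list of required services (ec2, ecr.api, ecr.dkr, s3, sts, logs) is an assumption, since the article does not enumerate the endpoints the template creates; adjust it to what the stack actually created. The input shapes mirror the JSON returned by aws ec2 describe-route-tables and aws ec2 describe-vpc-endpoints, and the sample data in the block is constructed.

```python
"""Offline audit of a PrivateOnly VPC for a fully private EKS cluster.

Input shapes follow `aws ec2 describe-route-tables` and
`aws ec2 describe-vpc-endpoints`. With two arguments (<vpc-id> <region>)
the script fetches live data through boto3; with none it runs on the
constructed sample below.
"""
import json

# Assumption: services an EKS worker node in a PrivateOnly subnet must reach.
# The article does not list the template's endpoints; edit to match your stack.
REQUIRED_SERVICES = ("ec2", "ecr.api", "ecr.dkr", "s3", "sts", "logs")


def internet_routes(route_tables):
    """Return (route-table-id, target) for every route whose target is an
    internet gateway (igw-) or NAT gateway (nat-). Empty list == no leak."""
    offenders = []
    for rt in route_tables:
        for route in rt.get("Routes", []):
            target = route.get("GatewayId") or route.get("NatGatewayId") or ""
            if target.startswith(("igw-", "nat-")):
                offenders.append((rt["RouteTableId"], target))
    return offenders


def missing_endpoints(endpoints, region, required=REQUIRED_SERVICES):
    """Return the required service short names that have no VPC endpoint."""
    present = {ep["ServiceName"] for ep in endpoints}
    return [s for s in required if f"com.amazonaws.{region}.{s}" not in present]


def _is_full_access(policy):
    """True if any Allow statement lets Principal * perform Action *."""
    for stmt in policy.get("Statement", []):
        wide_principal = stmt.get("Principal") in ("*", {"AWS": "*"})
        wide_action = stmt.get("Action") in ("*", ["*"])
        if stmt.get("Effect") == "Allow" and wide_principal and wide_action:
            return True
    return False


def full_access_endpoints(endpoints):
    """Return ids of endpoints whose PolicyDocument (a JSON string in the
    API response) still grants full access."""
    return [ep["VpcEndpointId"] for ep in endpoints
            if ep.get("PolicyDocument")
            and _is_full_access(json.loads(ep["PolicyDocument"]))]


# Constructed sample: one clean private route table, one that leaked a
# default route through a NAT gateway, and two endpoints (S3 still on the
# full-access default, ECR API restricted to a placeholder account id).
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0aaa", "Routes": [
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
        {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0s3"}]},
    {"RouteTableId": "rtb-0bbb", "Routes": [
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0ccc"}]},
]
FULL_ACCESS = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})
RESTRICTED = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Resource": "*",
     "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage"],
     "Condition": {"StringEquals": {"aws:PrincipalAccount": "111122223333"}}}]})
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0s3", "ServiceName": "com.amazonaws.us-east-1.s3",
     "PolicyDocument": FULL_ACCESS},
    {"VpcEndpointId": "vpce-0ecr", "ServiceName": "com.amazonaws.us-east-1.ecr.api",
     "PolicyDocument": RESTRICTED},
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # live mode: python audit_vpc.py <vpc-id> <region>
        import boto3  # only needed for live mode
        region = sys.argv[2]
        ec2 = boto3.client("ec2", region_name=region)
        flt = [{"Name": "vpc-id", "Values": [sys.argv[1]]}]
        rts = ec2.describe_route_tables(Filters=flt)["RouteTables"]
        eps = ec2.describe_vpc_endpoints(Filters=flt)["VpcEndpoints"]
    else:
        rts, eps, region = SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS, "us-east-1"
    print("routes to the internet:", internet_routes(rts))
    print("missing endpoints:", missing_endpoints(eps, region))
    print("endpoints on full-access policy:", full_access_endpoints(eps))
```

Run it against the sample to see the NAT route, the four missing endpoints and the S3 endpoint reported; run it with a VPC ID and Region from the stack's Outputs tab to audit the real VPC. A non-empty first list means the subnets are not PrivateOnly; the third list is the set of endpoint policies you may still want to tighten.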

Configure the configuration file for the Amazon EKS cluster, and then create the cluster and node group

1.    In the following configuration file, update the AWS Region and the three PrivateOnly subnets that you created in the "Create an Amazon Virtual Private Cloud (Amazon VPC) for your Amazon EKS cluster" section. You can also modify other properties or add more properties in the configuration file. For example, you can update name, instanceType, or desiredCapacity.

Example configuration file:

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: prod
  region: us-east-1
nodeGroups:
  - name: ng-1
    instanceType: m5.xlarge
    desiredCapacity: 2
    privateNetworking: true
vpc:
  subnets:
    private:
      us-east-1a:
        id: "subnet-0111111111111111"
      us-east-1b:
        id: "subnet-0222222222222222"
      us-east-1c:
        id: "subnet-0333333333333333"
  clusterEndpoints:
    publicAccess:  true
    privateAccess: true

In the preceding configuration file, privateNetworking is set to true for nodeGroups, and privateAccess is set to true for clusterEndpoints.

Important: eksctl isn't required for this resolution. You can use other tools or the Amazon EKS console to create the Amazon EKS cluster and nodes. If you use other tools or the console to create the worker nodes, you must pass the Amazon EKS CA certificate and API server endpoint as parameters, and invoke the bootstrap script for those worker nodes.
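The two settings called out above, and the bootstrap parameters the Important note requires when nodes are created outside eksctl, can both be checked before anything is deployed. The following Python program is an added example, not code from the article or from eksctl: lint_cluster_config takes the parsed ClusterConfig as a dict and reports any node group without privateNetworking: true, a missing privateAccess: true, any public subnets, and (as an item to review, because the article's own config leaves it on) publicAccess: true, which keeps the API server reachable from the internet even though the nodes are not. bootstrap_args takes a dict shaped like the cluster object from aws eks describe-cluster and assembles the arguments for /etc/eks/bootstrap.sh on the EKS-optimized AMI (--apiserver-endpoint and --b64-cluster-ca), after verifying that the CA data decodes to a PEM certificate. Reading a real config.yaml needs PyYAML, which is only imported when a file path is given; the sample config and cluster description in the block are constructed, and the certificate bytes in them are a placeholder, not a real certificate.

```python
"""Lint an eksctl ClusterConfig for the PrivateOnly settings and assemble
the bootstrap arguments a worker node created outside eksctl must receive.

Usage: python lint_private_cluster.py [config.yaml]
Without an argument the constructed sample below is used.
"""
import base64


def lint_cluster_config(cfg):
    """Return a list of findings; an empty list means the config matches
    the PrivateOnly pattern. `cfg` is the ClusterConfig as a dict (what
    yaml.safe_load returns for the article's config.yaml)."""
    findings = []
    # Both nodeGroups and managedNodeGroups accept privateNetworking in eksctl.
    for key in ("nodeGroups", "managedNodeGroups"):
        for ng in cfg.get(key) or []:
            if ng.get("privateNetworking") is not True:
                findings.append(f"{key}/{ng.get('name')}: privateNetworking must be true")
    vpc = cfg.get("vpc") or {}
    endpoints = vpc.get("clusterEndpoints") or {}
    if endpoints.get("privateAccess") is not True:
        findings.append("vpc.clusterEndpoints.privateAccess must be true")
    if endpoints.get("publicAccess") is True:
        findings.append("vpc.clusterEndpoints.publicAccess is true: the API server "
                        "stays reachable from the internet; review whether that is intended")
    if (vpc.get("subnets") or {}).get("public"):
        findings.append("vpc.subnets.public is declared; a PrivateOnly VPC has no public subnets")
    return findings


def is_pem_certificate(ca_b64):
    """True if `ca_b64` is valid base64 whose payload starts like a PEM cert."""
    try:
        pem = base64.b64decode(ca_b64, validate=True)
    except (ValueError, TypeError):
        return False
    return pem.startswith(b"-----BEGIN CERTIFICATE-----")


def bootstrap_args(cluster):
    """Given the `cluster` object from `aws eks describe-cluster`, return the
    argument list for /etc/eks/bootstrap.sh. Raises ValueError if the CA
    data is not a base64-encoded PEM certificate, so a node is never
    bootstrapped against a mangled CA."""
    ca_b64 = cluster["certificateAuthority"]["data"]
    if not is_pem_certificate(ca_b64):
        raise ValueError("certificateAuthority.data is not a base64 PEM certificate")
    return [cluster["name"],
            "--apiserver-endpoint", cluster["endpoint"],
            "--b64-cluster-ca", ca_b64]


# Constructed sample: the article's configuration file as a dict.
SAMPLE_CONFIG = {
    "apiVersion": "eksctl.io/v1alpha5", "kind": "ClusterConfig",
    "metadata": {"name": "prod", "region": "us-east-1"},
    "nodeGroups": [{"name": "ng-1", "instanceType": "m5.xlarge",
                    "desiredCapacity": 2, "privateNetworking": True}],
    "vpc": {"subnets": {"private": {"us-east-1a": {"id": "subnet-0111111111111111"},
                                    "us-east-1b": {"id": "subnet-0222222222222222"},
                                    "us-east-1c": {"id": "subnet-0333333333333333"}}},
            "clusterEndpoints": {"publicAccess": True, "privateAccess": True}},
}
# Constructed describe-cluster fragment; the certificate body is a placeholder.
PLACEHOLDER_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   b"PLACEHOLDERNOTAREALCERTIFICATE\n"
                   b"-----END CERTIFICATE-----\n")
SAMPLE_CLUSTER = {
    "name": "prod",
    "endpoint": "https://EXAMPLE0123456789.gr7.us-east-1.eks.amazonaws.com",
    "certificateAuthority": {"data": base64.b64encode(PLACEHOLDER_PEM).decode()},
}


if __name__ == "__main__":
    import sys
    cfg = SAMPLE_CONFIG
    if len(sys.argv) > 1:
        import yaml  # PyYAML, needed only to read a real config.yaml
        with open(sys.argv[1]) as fh:
            cfg = yaml.safe_load(fh)
    for finding in lint_cluster_config(cfg) or ["no findings"]:
        print(finding)
    print("/etc/eks/bootstrap.sh", " ".join(bootstrap_args(SAMPLE_CLUSTER)))
```

On the article's config the linter reports only the publicAccess item; setting publicAccess: false makes the API server reachable solely through the private endpoint, which is the usual choice once nothing outside the VPC needs kubectl access. The printed bootstrap.sh line is what a launch template's user data has to run on a node in the PrivateOnly subnets, since such a node cannot look up the endpoint and CA by itself.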

2.    To create the Amazon EKS cluster and node group from the configuration file that you updated in step 1, run the following command:

$ eksctl create cluster -f config.yaml

The preceding command creates an Amazon EKS cluster and node group in a PrivateOnly network that uses AWS PrivateLink and has no access to the internet. This process takes approximately 30 minutes.

The output is similar to the following:

[ℹ]  eksctl version 0.21.0
[ℹ]  using region us-east-1
[✔]  using existing VPC (vpc-01234567) and subnets (private:[subnet-01111111111111111 subnet-02222222222222222 subnet-03333333333333333] public:[])
[!]  custom VPC/subnets will be used; if resulting cluster doesn't function as expected, make sure to review the configuration of VPC/subnets
[ℹ]  nodegroup "ng-1" will use "ami-0ee0652ac0722f0e3" [AmazonLinux2/1.16]
[ℹ]  using Kubernetes version 1.16
[ℹ]  creating EKS cluster "prod" in "us-east-1" region with un-managed nodes
[ℹ]  1 nodegroup (ng-1) was included (based on the include/exclude rules)
[ℹ]  will create a CloudFormation stack for cluster itself and 1 nodegroup stack(s)
[ℹ]  will create a CloudFormation stack for cluster itself and 0 managed nodegroup stack(s)
[ℹ]  if you encounter any issues, check CloudFormation console or try 'eksctl utils describe-stacks --region=us-east-1 --cluster=prod'
[ℹ]  CloudWatch logging will not be enabled for cluster "prod" in "us-east-1"
[ℹ]  you can enable it with 'eksctl utils update-cluster-logging --region=us-east-1 --cluster=prod'
[ℹ]  Kubernetes API endpoint access will use provided values {publicAccess=true, privateAccess=true} for cluster "prod" in "us-east-1"
[ℹ]  2 sequential tasks: { create cluster control plane "prod", 2 sequential sub-tasks: { update cluster VPC endpoint access configuration, create nodegroup "ng-1" } }
[ℹ]  building cluster stack "eksctl-prod-cluster"
[ℹ]  deploying stack "eksctl-prod-cluster"
[ℹ]  building nodegroup stack "eksctl-prod-nodegroup-ng-1"
[ℹ]  --nodes-min=2 was set automatically for nodegroup ng-1
[ℹ]  --nodes-max=2 was set automatically for nodegroup ng-1
[ℹ]  deploying stack "eksctl-prod-nodegroup-ng-1"
[✔]  all EKS cluster resources for "prod" have been created
[✔]  saved kubeconfig as "/Users/garpunee/.kube/config"
[ℹ]  adding identity "arn:aws:iam::444444444444:role/eksctl-prod-nodegroup-ng-1-NodeInstanceRole-H37FWX4H84GH" to auth ConfigMap
[ℹ]  nodegroup "ng-1" has 0 node(s)
[ℹ]  waiting for at least 2 node(s) to become ready in "ng-1"
[ℹ]  nodegroup "ng-1" has 2 node(s)
[ℹ]  node "ip-192-168-254-139.ec2.internal" is ready
[ℹ]  node "ip-192-168-60-191.ec2.internal" is ready
[ℹ]  kubectl command should work with "/Users/<>/.kube/config", try 'kubectl get nodes'
[✔]  EKS cluster "prod" in "us-east-1" region is ready

Note: You can also use the console or eksctl to create managed or unmanaged node groups in your cluster. For more information on eksctl, see Managing nodegroups on the Weaveworks website.

