#AWS EKS 创建k8s生产环境实例
- 在AWS部署海外节点, 图简单使用web控制台创建VPC和k8s集群出错(k8s), 使用cli命令行工具创建成功
- 本实例为复盘, 记录aws命令行工具创建eks, 安装efs驱动、LBS、ingress-nginx,使用ECR镜像储存等
#安装命令行工具
| #安装aws cli |
| cd /tmp |
| curl -kL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" |
| unzip awscliv2.zip |
| sudo ./aws/install |
| aws --version |
| #配置aws key |
| aws configure |
| #查看配置 |
| aws configure list |
| |
| #安装kubectl |
| curl -o kubectl https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.6/2022-03-09/bin/linux/amd64/kubectl |
| chmod +x ./kubectl |
| mv kubectl /usr/local/bin |
| kubectl version --short --client |
| |
| #安装eksctl |
| curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp |
| sudo mv /tmp/eksctl /usr/local/bin |
| eksctl version |
| |
#创建VPC网络和子网
#创建VPC网络和子网已单独发帖
aws命令行cli创建VPC网络、公有子网、私有子网、nat网关+EIP - Elvin™ - 博客园
#创建k8s集群
| #env |
| k8s_name=aws-k8s |
| Region=ap-southeast-1 #新加坡 |
| #获取aws账户id |
| OwnerId=$(aws ec2 describe-vpcs --region ${Region} |jq -r ".Vpcs[0].OwnerId") |
| #使用已有子网 |
| private-subnets-id="subnet-lan-a-xxx,subnet-lan-b-xxx" |
| public-subnets-id="subnet-public-a-xxx,subnet-public-b-xxx" |
| # k8s cluster |
| eksctl create cluster \ |
| --region ${Region} \ |
| --name ${k8s_name} \ |
| --version 1.22 \ |
| --vpc-private-subnets ${private-subnets-id} \ |
| --vpc-public-subnets ${public-subnets-id} \ |
| --managed \ |
| --without-nodegroup \ |
| --dry-run |
| |
| # 查看 |
| eksctl get cluster --name ${k8s_name} --region ${Region} |
| |
| # 出错或不要了,可删除 |
| # eksctl delete cluster --name=${k8s_name} |
| |
| # --dry-run 试运行,正式创建时去掉 |
| # --without-nodegroup 不创建node节点 |
| # --vpc-xx 添加已有网络,若不指定会自动创建 |
| # 建议使用多个可用区网络,k8s集群创建后无法更改 |
| # eksctl create cluster --help #查看帮助 |
#创建k8s计算节点组
| #创建b区k8s节点 |
| #k8s nodegroup test |
| eksctl create nodegroup \ |
| --region ${Region} \ |
| --cluster ${k8s_name} \ |
| --name k8s-work-test \ |
| --node-type m5.large \ |
| --nodes 1 \ |
| --nodes-min 1 \ |
| --nodes-max 10 \ |
| --instance-name test-node-b \ |
| --node-ami-family Ubuntu2004 \ |
| --node-private-networking \ |
| --node-zones ${Region}b \ |
| --node-security-groups sg-xxxxxxx \ |
| --ssh-access \ |
| --ssh-public-key aws-bastion \ |
| --full-ecr-access \ |
| --managed \ |
| --dry-run |
| |
| # --nodes 1 创建1个node节点, 规格 m5.large 2核8G |
| # --node-ami-family Ubuntu2004 操作系统Ubuntu20.04 |
| # --node-private-networking 使用私有子网 |
| # --node-zones 可用区 |
| # --node-security-groups 使用已创建的安全组 |
| # --full-ecr-access ECR镜像仓库权限,一定要 |
| # eksctl create nodegroup --help #查看帮助 |
| |
| #节点扩容 |
| eksctl scale nodegroup --region ${Region} \ |
| --cluster ${k8s_name} --nodes=2 --name k8s-work-test |
| |
| # 测试正常就可以删除, 创建配置更高的正式节点 |
| # delete node |
| # eksctl delete nodegroup --cluster=${k8s_name} --name=k8s-work-test |
| |
| #创建b区正式节点组 |
| eksctl create nodegroup \ |
| --region ${Region} \ |
| --cluster ${k8s_name} \ |
| --name k8s-work-b \ |
| --node-type m5.4xlarge \ |
| --nodes 2 \ |
| --nodes-min 1 \ |
| --nodes-max 10 \ |
| --instance-name k8s-node-b \ |
| --max-pods-per-node 110 \ |
| --node-ami-family Ubuntu2004 \ |
| --node-private-networking \ |
| --node-zones ${Region}b \ |
| --node-security-groups sg-xxxxxxx \ |
| --ssh-access \ |
| --ssh-public-key aws-bastion \ |
| --full-ecr-access \ |
| --external-dns-access \ |
| --managed \ |
| --dry-run |
| |
| #规格m5.4xlarge 16核64G |
| #node-zones创建多区,可用于高可用 |
#为k8s集群创建IAM OIDC提供商
| # IAM OIDC即 AWS Identity and Access Management (IAM) OpenID Connect (OIDC) |
| # 创建IMA权限角色时,需要此功能开启 |
| |
| #查看是否有OIDC,没有则创建 |
| oidc_id=$(aws eks describe-cluster --name ${k8s_name} --query "cluster.identity.oidc.issuer" --output text |cut -d'/' -f 5) |
| if [ $(aws iam list-open-id-connect-providers | grep $oidc_id | wc -l ) -eq 0 ]; then |
| eksctl utils associate-iam-oidc-provider --cluster ${k8s_name} --approve |
| fi |
#eks安装efs csi驱动
- k8s使用AWS EFS储存时用到csi驱动
- efs可使用nfs协议挂载,但k8s节点默认没安装nfs客户端
| #创建IAM policy和角色 |
| curl -o iam-policy-efs.json \ |
| https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/docs/iam-policy-example.json |
| |
| aws iam create-policy \ |
| --policy-name EKS_EFS_CSI_Driver_Policy \ |
| --policy-document file://iam-policy-efs.json |
| |
| #创建权限 |
| eksctl create iamserviceaccount \ |
| --cluster ${k8s_name} \ |
| --namespace kube-system \ |
| --name efs-csi-controller-sa \ |
| --attach-policy-arn arn:aws:iam::${OwnerId}:policy/EKS_EFS_CSI_Driver_Policy \ |
| --approve \ |
| --region ${Region} |
| |
| # 更新kubeconfig ~/.kube/config |
| aws eks update-kubeconfig --region ${Region} --name ${k8s_name} |
| |
| #下载yaml文件 |
| kubectl kustomize \ |
| "github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.4" > aws-eks-efs-csi.1.4.yaml |
| |
| # vim aws-eks-efs-csi.1.4.yaml |
| # 手动删除如下部分 |
| apiVersion: v1 |
| kind: ServiceAccount |
| metadata: |
| labels: |
| app.kubernetes.io/name: aws-efs-csi-driver |
| name: efs-csi-controller-sa |
| namespace: kube-system |
| --- |
| |
| #部署efs csi |
| kubectl apply -f aws-eks-efs-csi.1.4.yaml |
#使用efs创建pvc实例
| apiVersion: v1 |
| kind: PersistentVolume |
| metadata: |
| name: aws-efs-test |
| spec: |
| capacity: |
| storage: 2000Gi |
| accessModes: |
| - ReadWriteMany |
| persistentVolumeReclaimPolicy: Retain |
| csi: |
| driver: efs.csi.aws.com |
| volumeHandle: fs-xxx:/data |
| --- |
| apiVersion: v1 |
| kind: PersistentVolumeClaim |
| metadata: |
| name: aws-efs-test |
| spec: |
| accessModes: |
| - ReadWriteMany |
| resources: |
| requests: |
| storage: 2000Gi |
| |
| # fs-xxx 为efs实例id,需要单独创建 |
| # 创建efs后需添加子网和安全组,否则无法访问 |
#安装AWS LB Controller
- AWS LoadBalancer默认使用Classic Load Balancer模式
- 使用NLB、ALB模式的负载均衡器,和绑定EIP(绑定固定IP),必须安装LB controller
| #创建IAM角色 |
| curl -o iam_lbs_v2.4.2.json \ |
| https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.2/docs/install/iam_policy.json |
| |
| aws iam create-policy \ |
| --policy-name iam_lbs_v2.4.2 \ |
| --policy-document file://iam_lbs_v2.4.2.json |
| |
| eksctl create iamserviceaccount \ |
| --cluster=${k8s_name} \ |
| --namespace=kube-system \ |
| --name=aws-load-balancer-controller \ |
| --role-name "AmazonEKSLoadBalancerControllerRole" \ |
| --attach-policy-arn=arn:aws:iam::${OwnerId}:policy/iam_lbs_v2.4.2 \ |
| --approve |
| |
| #安装cert-manager |
| kubectl apply \ |
| --validate=false \ |
| -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml |
| |
| #下载yaml |
| curl -Lo aws-load-balancer-controller_2.4.2.yaml \ |
| https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.4.2/v2_4_2_full.yaml |
| |
| #更改k8s集群名称 |
| sed -i.bak -e "s|your-cluster-name|${k8s_name}|" aws-load-balancer-controller_2.4.2.yaml |
| |
| #手动删除如下部分 |
| apiVersion: v1 |
| kind: ServiceAccount |
| metadata: |
| labels: |
| app.kubernetes.io/component: controller |
| app.kubernetes.io/name: aws-load-balancer-controller |
| name: aws-load-balancer-controller |
| namespace: kube-system |
| --- |
| |
| #部署lbs |
| kubectl apply -f aws-load-balancer-controller_2.4.2.yaml |
| |
| #查看 |
| kubectl get deployment -n kube-system aws-load-balancer-controller |
| |
#安装ingress-nginx-controller
| #下载yaml |
| curl -o aws-ingress-nginx.nlb.v1.3.0.yml \ |
| https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/aws/deploy.yaml |
| |
| #增加spec.ipFamilyPolicy: SingleStack |
#修改LoadBalancer部分的Service如下
| --- |
| apiVersion: v1 |
| kind: Service |
| metadata: |
| annotations: |
| #负载均衡器自定义名称 |
| service.beta.kubernetes.io/aws-load-balancer-name: k8s-ingress-slb |
| #负载均衡 NLB模式 |
| service.beta.kubernetes.io/aws-load-balancer-type: "external" |
| service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" |
| #使用EIP,互联网模式 |
| service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" |
| #public子网 |
| service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-axxx, subnet-bxxx |
| #弹性IP地址 |
| service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-axxx, eipalloc-bxxx |
| #获取客户端真事IP |
| service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true |
| labels: |
| app.kubernetes.io/component: controller |
| app.kubernetes.io/instance: ingress-nginx |
| app.kubernetes.io/name: ingress-nginx |
| app.kubernetes.io/part-of: ingress-nginx |
| app.kubernetes.io/version: 1.3.0 |
| name: ingress-nginx-controller |
| namespace: ingress-nginx |
| spec: |
| type: LoadBalancer |
| # externalTrafficPolicy: Local |
| ipFamilyPolicy: SingleStack |
| ipFamilies: |
| - IPv4 |
| ports: |
| - appProtocol: http |
| name: http |
| port: 80 |
| protocol: TCP |
| targetPort: http |
| - appProtocol: https |
| name: https |
| port: 443 |
| protocol: TCP |
| targetPort: https |
| selector: |
| app.kubernetes.io/component: controller |
| app.kubernetes.io/instance: ingress-nginx |
| app.kubernetes.io/name: ingress-nginx |
| |
| #部署 |
| kubectl apply -f aws-ingress-nginx.nlb.v1.3.0.yml |
| |
| #查看,获得得到EXTERNAL-IP地址 |
| kubectl get svc ingress-nginx-controller -n ingress-nginx |
| |
| #ping测试EXTERNAL-IP地址ip是否为自己的EIP地址 |
| ping k8s-ingress-slb-xxx.elb.${Region}.amazonaws.com |
| |
| #访问测试 |
| curl -I k8s-ingress-slb-xxx.elb.${Region}.amazonaws.com |
#使用私有镜像仓库,并部署服务测试
| #创建存储库nginx |
| aws ecr create-repository \ |
| --repository-name nginx \ |
| --region $Region |
| |
| #登录储存库(缓存的登录凭证有效期12小时) |
| aws ecr get-login-password --region $Region \ |
| | docker login --username AWS --password-stdin ${OwnerId}.dkr.ecr.${Region}.amazonaws.com |
| |
| #下载公共镜像, 改tag为私有储存库地址 |
| docker pull public.ecr.aws/nginx/nginx:alpine |
| docker tag public.ecr.aws/nginx/nginx:alpine \ |
| ${OwnerId}.dkr.ecr.${Region}.amazonaws.com/nginx:alpine |
| |
| #push镜像到新建的储存库 |
| docker push ${OwnerId}.dkr.ecr.${Region}.amazonaws.com/nginx:alpine |
| |
| #deploy test |
| kubectl create deployment nginx --port=80 \ |
| --image=${OwnerId}.dkr.ecr.${Region}.amazonaws.com/nginx:alpine |
| |
| #查看 |
| kubectl get pod |
| |
| #生命周期策略示例,保持5个镜像版本(tag) |
| cat >aws-ecr-policy.json <<EOF |
| { |
| "rules": [ |
| { |
| "rulePriority": 1, |
| "description": "Keep only 3 image", |
| "selection": { |
| "tagStatus": "any", |
| "countType": "imageCountMoreThan", |
| "countNumber": 3 |
| }, |
| "action": { |
| "type": "expire" |
| } |
| } |
| ] |
| } |
| EOF |
| #创建策略 |
| aws ecr put-lifecycle-policy --region $Region \ |
| --repository-name nginx \ |
| --lifecycle-policy-text file://aws-ecr-policy.json |
| |
| #删除清理pod |
| kubectl delete deploy/nginx |
| |
| #删除存储库 |
| aws ecr delete-repository \ |
| --region $Region --force \ |
| --repository-name nginx |
- k8s有pull私有镜像仓库权限,是因为创建参数--full-ecr-access
- AWS ECR镜像储存服务不支持目录,只能分别给每个镜像创建储存库
- aws ecr get-login-password生成的凭证有效期12小时,可使用定时任务每天登录2次解决
