This is an unofficial CloudFormation template that builds a Bottlerocket-based node group, so that an existing Ubuntu- or Amazon-Linux-based worker node group can be upgraded to Bottlerocket seamlessly.
Most of this is one-time setup. If you already have an EKS cluster and are familiar with CloudFormation, download the template and skip to the last step.
The tools needed to build the whole cluster and worker node group are very simple: the latest version of the awscli and a web browser that can reach the AWS web console are enough.
CloudFormation templates for both an on-demand-instance autoscaling group and a spot-instance autoscaling group are available here:
Yes, we support SPOT instances!!!
## New EKS cluster Installation

- Create an EKS role that includes the following permissions, to allow the EKS cluster to manage resources in EKS (e.g. arn:aws:iam::XXXXXXXXXX:role/eksServiceRole):
  - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
  - arn:aws:iam::aws:policy/AmazonEKSServicePolicy
  - arn:aws:iam::aws:policy/AmazonEKSVPCResourceController
- Create an EC2 role that includes the following permissions, in order to create and control the EKS cluster from the bastion host (e.g. arn:aws:iam::XXXXXXXXX:role/eks-controller-prd):
  Policy 1 (the `*` wildcards, which the rendered page had dropped, are restored here):
  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["sts:*", "eks:*"],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "iam:*",
        "Resource": "arn:aws:iam::XXXXXXXXXX:role/eksServiceRole"
      }
    ]
  }
  ```
  Note that `iam:*` on eksServiceRole is broader than cluster creation needs; `iam:PassRole` on that role is the permission the create-cluster call actually requires.

  Policy 2: AmazonEKSClusterPolicy
- Execute the following command to create a new private EKS cluster:
  ```shell
  aws eks create-cluster --name [EKS cluster name] \
    --role-arn "[EKS role in Step 2]" \
    --resources-vpc-config subnetIds=[Internal Subnet 1,Internal Subnet 2,Internal Subnet 3],securityGroupIds=[New SG that enable traffic within SG],endpointPublicAccess=false,endpointPrivateAccess=true \
    --tags [Tag] --region=[AWS Region]
  ```
- Gather the EKS cluster information in the AWS web console.
- Open the CloudFormation web console in your web browser.
- Click Create Stack => With existing resources (standard) to enter the Create stack page.
- Select "Template is ready", "Upload a template file".
- In the dialogue, choose the template downloaded from the git repository.
- Fill in the blanks and select the desired sizing of the EC2 instances for the EKS worker node group.
- Confirm the information before creating the resources related to the CloudFormation template.
- Check the new IAM role attached to the new worker node in the EC2 web console (for a new worker node group only), and put it in the aws-auth ConfigMap:
  ```yaml
  # aws-auth-cm.yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: aws-auth
    namespace: kube-system
  data:
    mapRoles: |
      - rolearn: <IAM role of the workernode>
        username: system:node:{{EC2PrivateDNSName}}
        groups:
          - system:bootstrappers
          - system:nodes
  ```
- Apply the configuration. This command may take a few minutes to finish:
  ```shell
  kubectl apply -f aws-auth-cm.yaml
  ```
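As an added helper that is not part of this template repository: a POSIX shell function that validates the worker-node role ARN from the previous step before it goes into aws-auth-cm.yaml (rejecting an instance-profile ARN and stripping any role path, which aws-auth does not accept) and then renders the ConfigMap. The account id and role name in the usage line are constructed.

```shell
#!/bin/sh
# Added helper, not part of the template repo: validate the worker-node role ARN
# before it goes into aws-auth-cm.yaml, then render the ConfigMap.
# Assumptions: POSIX sh and the "aws" partition. aws-auth mapRoles does not accept
# a role path, so any path component is stripped from the ARN.

# Print a normalized role ARN on stdout; on a bad ARN print a message on stderr and return 1.
normalize_node_role_arn() {
    arn="$1"
    case "$arn" in
        arn:aws:iam::*:instance-profile/*)
            echo "error: $arn is an instance-profile ARN; aws-auth needs the IAM role ARN" >&2
            return 1 ;;
        arn:aws:iam::*:role/*) ;;
        *)
            echo "error: $arn is not an IAM role ARN" >&2
            return 1 ;;
    esac
    account=$(printf '%s' "$arn" | cut -d: -f5)
    case "$account" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "error: account id in $arn is not 12 digits" >&2; return 1 ;;
    esac
    # Keep only the last path component: role/team/nodes -> role/nodes
    name=${arn##*/}
    printf 'arn:aws:iam::%s:role/%s\n' "$account" "$name"
}

# Render aws-auth-cm.yaml for one worker-node role ARN.
render_aws_auth_cm() {
    role_arn=$(normalize_node_role_arn "$1") || return 1
    cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: $role_arn
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
EOF
}

# Usage with a constructed account id and role name:
# render_aws_auth_cm arn:aws:iam::111122223333:role/team/eks-bottlerocket-node > aws-auth-cm.yaml
```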
This is licensed under the GNU GENERAL PUBLIC LICENSE.