we used a cluster template.
This is a YAML configuration file for eksctl (a CLI tool for creating and managing Amazon EKS clusters). It’s designed to provision a Kubernetes cluster on AWS with specific networking, IAM, and node group settings.
Templating:
The configuration uses environment-variable placeholders (e.g., ${EKS_CLUSTER_NAME}, ${VPC_ID}, etc.) to inject values dynamically, which makes it reusable across environments (dev, staging, prod). One caveat: eksctl does not expand ${VAR} placeholders itself, so the file has to be rendered first (for example with envsubst) before it is passed to eksctl create cluster -f. envsubst silently replaces an unset variable with an empty string, so check the rendered file for leftover placeholders and empty values before applying it.
Resources That Will Be Created
EKS Cluster:
A new EKS cluster is created with a specified name, version, and region.
Cluster metadata includes tags for identification and categorization (such as Environment, Application, and Role).
VPC & Networking:
VPC Configuration: Uses a pre-existing VPC (via ${VPC_ID}) with defined CIDRs.
Subnets:
Private Subnets: Three subnets (private-one, private-two, private-three) for worker nodes.
Public Subnets: Three public subnets for resources that might need internet connectivity.
Endpoint Access: The cluster API endpoint is configured for private access only (public access is disabled), so the Kubernetes API is reachable only from inside the VPC or a network connected to it. This also means eksctl and kubectl must run from such a network (a bastion, VPN, or CI runner in the VPC) or cluster creation and later management will fail to reach the endpoint.
IAM Configuration & Service Accounts:
OIDC: The cluster gets an associated IAM OIDC identity provider, which is what allows IAM roles to be assumed by Kubernetes service accounts (IAM Roles for Service Accounts, IRSA) instead of granting permissions to the node instance role.
Service Accounts: Multiple service accounts are defined for specific roles:
Cluster Autoscaler: For automatically adjusting the number of nodes.
EBS CSI Controller: For managing persistent storage volumes.
AWS Load Balancer Controller: To manage AWS load balancers.
External DNS, CloudWatch Exporter, Cert Manager, Secrets Manager, Parameter Store, and others: Each with tailored IAM policies (either pre-defined “wellKnownPolicies” or custom policies via inline JSON).
Addons:
The vpc-cni addon is included with an attached IAM policy for managing ENIs and IP addresses on EKS worker nodes. Because the policy is attached at the addon level, eksctl binds it to the addon's own service-account role through IRSA rather than to the node instance role, so other pods on the node do not inherit it.
Managed Node Groups:
Core Node Group:
Designed to run primary workloads.
Uses the Bottlerocket AMI family, a minimal image-based OS with a read-only, integrity-verified root filesystem and no package manager or SSH server by default, which reduces the node attack surface compared with a general-purpose Linux AMI.
Configured with multiple instance types, private networking, EBS volumes (with encryption), scaling parameters (min, desired, max sizes), and specific labels/tags (including those for cluster autoscaler integration).
CloudWatch Logging:
Enables control-plane logging for all five log types (api, audit, authenticator, controllerManager, scheduler) to CloudWatch Logs, which is crucial for monitoring, troubleshooting and incident investigation.
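The layout described above, as an added illustrative eksctl ClusterConfig. This is not the author's actual template: the subnet, service-account, instance-type and tag values are assumptions chosen to match the description, and the ${...} placeholders must be rendered (for example with envsubst) before eksctl reads the file.

```yaml
# Added example: an eksctl ClusterConfig with the structure described above.
# Not the original template; names, subnet IDs and the account ID are placeholders.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: ${EKS_CLUSTER_NAME}
  region: ${AWS_REGION}
  version: "${EKS_VERSION}"      # quoted so 1.30 stays a string after rendering
  tags:
    Environment: ${ENVIRONMENT}
    Application: ${APPLICATION}
    Role: eks-cluster

vpc:
  id: ${VPC_ID}                  # pre-existing VPC, not created by eksctl
  cidr: ${VPC_CIDR}
  subnets:
    private:
      private-one:   { id: ${PRIVATE_SUBNET_ONE_ID} }
      private-two:   { id: ${PRIVATE_SUBNET_TWO_ID} }
      private-three: { id: ${PRIVATE_SUBNET_THREE_ID} }
    public:
      public-one:    { id: ${PUBLIC_SUBNET_ONE_ID} }
      public-two:    { id: ${PUBLIC_SUBNET_TWO_ID} }
      public-three:  { id: ${PUBLIC_SUBNET_THREE_ID} }
  clusterEndpoints:
    privateAccess: true
    publicAccess: false          # API server reachable only from the VPC

iam:
  withOIDC: true                 # creates the OIDC provider needed for IRSA
  serviceAccounts:
    - metadata: { name: cluster-autoscaler, namespace: kube-system }
      wellKnownPolicies: { autoScaler: true }
    - metadata: { name: ebs-csi-controller-sa, namespace: kube-system }
      wellKnownPolicies: { ebsCSIController: true }
    - metadata: { name: aws-load-balancer-controller, namespace: kube-system }
      wellKnownPolicies: { awsLoadBalancerController: true }
    - metadata: { name: external-dns, namespace: kube-system }
      wellKnownPolicies: { externalDNS: true }
    - metadata: { name: cert-manager, namespace: cert-manager }
      wellKnownPolicies: { certManager: true }
    - metadata: { name: secrets-reader, namespace: ${APPLICATION} }
      attachPolicy:              # custom inline policy, scoped to one secret prefix
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: [secretsmanager:GetSecretValue, secretsmanager:DescribeSecret]
            Resource: arn:aws:secretsmanager:${AWS_REGION}:${AWS_ACCOUNT_ID}:secret:${APPLICATION}/*

addons:
  - name: vpc-cni
    attachPolicyARNs:            # bound to the addon's IRSA role, not the node role
      - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy

managedNodeGroups:
  - name: core
    amiFamily: Bottlerocket
    instanceTypes: ["m6i.large", "m6a.large"]
    privateNetworking: true      # nodes get no public IP
    subnets: [private-one, private-two, private-three]
    volumeSize: 100
    volumeEncrypted: true
    minSize: 3
    desiredCapacity: 3
    maxSize: 9
    labels:
      role: core
    tags:                        # discovered by cluster-autoscaler auto-discovery
      k8s.io/cluster-autoscaler/enabled: "true"
      k8s.io/cluster-autoscaler/${EKS_CLUSTER_NAME}: "owned"

cloudWatch:
  clusterLogging:
    enableTypes: ["*"]           # api, audit, authenticator, controllerManager, scheduler
```

Render and apply with `envsubst < cluster.yaml.tpl > cluster.yaml`, then `grep -n '\${' cluster.yaml` to confirm no placeholder survived (an unset variable renders as an empty string, not an error), and finally `eksctl create cluster -f cluster.yaml` from a host that can reach the private endpoint.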
Patterns and Structure
Modular Design:
The configuration cleanly separates different concerns:
Cluster and VPC settings (networking, endpoints)
IAM and Service Accounts (roles, policies)
Node Groups (resource definitions, scaling, labels)
Addons and Logging
Environment-Driven Templating:
Using placeholders for values allows this file to be easily adapted to different environments or clusters by simply setting environment variables during deployment.
Best Practices:
Security: Private endpoints and encrypted volumes.
Scalability: Defined node groups with autoscaling tags.
Observability: CloudWatch logging is enabled for full control-plane visibility (API, audit, authenticator, controller manager and scheduler). Node and application logs are not covered by this setting and need a separate agent such as the CloudWatch agent or Fluent Bit.
Separation of Responsibilities: Distinct IAM roles for different services minimize permissions and adhere to least-privilege principles.
While the configuration sets up the core EKS cluster, IAM roles, managed node groups, and logging, the following additions help to achieve a more production-ready environment:
Secrets Encryption: Encrypt Kubernetes secrets using a customer-managed KMS key.
Network Policies: Enforce pod-to-pod and pod-to-external communication restrictions. NetworkPolicy objects have no effect unless the CNI enforces them, so either enable network policy support in the VPC CNI addon or run a policy engine such as Calico or Cilium.
Enhanced RBAC and Audit Logging: Refine RBAC rules (avoid binding cluster-admin to shared identities, scope roles to namespaces) and make use of the audit logs the configuration already ships to CloudWatch: set a retention period and alert on events such as secret reads and RBAC changes.
Refined Security Groups: Use restrictive security groups, including at the pod level.
AWS Integrations: Leverage CloudTrail, GuardDuty, and managed add-ons for improved security and observability.
Backup/DR Planning: Implement backup strategies to safeguard your cluster and workloads.
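The first three additions above, as added example fragments rather than anything from the author's template. Shown are an eksctl ClusterConfig fragment (secrets encryption with a customer-managed KMS key, NetworkPolicy enforcement in the VPC CNI addon, audit-log retention) and, as a separate file after the `---`, a default-deny NetworkPolicy with a DNS exception. The KMS key ARN, retention period, namespace and the assumption that the cluster runs a VPC CNI version that supports `enableNetworkPolicy` are all mine.

```yaml
# Added example: hardening fragments to merge into the ClusterConfig, not the original file.
# The key ARN, retention and namespace are placeholders/assumptions.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: ${EKS_CLUSTER_NAME}
  region: ${AWS_REGION}

secretsEncryption:
  # Envelope-encrypt Kubernetes Secrets in etcd with a customer-managed KMS key.
  keyARN: arn:aws:kms:${AWS_REGION}:${AWS_ACCOUNT_ID}:key/${KMS_KEY_ID}

addons:
  - name: vpc-cni
    attachPolicyARNs:
      - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
    # Without this the VPC CNI ignores NetworkPolicy objects entirely.
    # Requires a VPC CNI version with network policy support (assumption: it is available).
    configurationValues: '{"enableNetworkPolicy": "true"}'

cloudWatch:
  clusterLogging:
    enableTypes: ["*"]
    logRetentionInDays: 90         # keep audit logs long enough for an investigation
---
# Separate file, applied with kubectl once the cluster is up:
# deny all ingress and egress in the application namespace by default ...
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${APPLICATION}
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# ... then re-allow DNS egress to kube-dns, otherwise name resolution breaks.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: ${APPLICATION}
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

For a cluster that already exists, eksctl can apply the secretsEncryption block afterwards with `eksctl utils enable-secrets-encryption -f cluster.yaml`; existing Secrets are only re-encrypted with the new key once they are rewritten, so follow up with a rotation of the objects that matter.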