Kubernetes (EKS) Fundamentals - In-Depth Guide
This guide will cover everything you need to successfully deploy a secure application on Amazon Elastic Kubernetes Service (EKS) while following AWS best practices.
- EKS Cluster Setup To deploy a secure Kubernetes cluster on AWS, you need to: ✅ Set up a VPC with private and public subnets ✅ Create an EKS cluster ✅ Add worker nodes in private subnets ✅ Configure IAM roles and security groups
Step 1: Create a VPC for EKS
AWS Elastic Kubernetes Service (EKS) requires a custom VPC with both public and private subnets across multiple Availability Zones (AZs).
You can create the VPC manually or use eksctl:
eksctl create cluster \
--name my-eks-cluster \
--region us-east-1 \
--vpc-private-subnets subnet-abc123,subnet-def456 \
--without-nodegroup
This command creates:
An EKS cluster in us-east-1
Private subnets for worker nodes
No default node group (so we manually add worker nodes later)
Step 2: Create an EKS Node Group in Private Subnets
Worker nodes must only exist in private subnets (no public IPs).
Use eksctl to create a private node group:
eksctl create nodegroup \
--cluster my-eks-cluster \
--name private-nodes \
--node-type t3.medium \
--nodes 2 \
--nodes-min 2 \
--nodes-max 4 \
--node-private-networking
This provisions 2 worker nodes in private subnets.
The --node-private-networking flag ensures no public IPs.
✅ Now your EKS cluster has worker nodes only accessible within the VPC.
- Kubernetes Manifests (Deployments, Services, Ingress) What are Kubernetes Manifests? A manifest file is a YAML file that defines Kubernetes resources like:
Deployments (to run applications)
Services (to expose applications inside the cluster)
Ingress (to expose applications externally via ALB)
Step 1: Create a Deployment
We deploy an Nginx web app using a Deployment manifest:
`yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-app
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80`
Creates 2 replicas of Nginx
Labels help services find this deployment
Ports define where the container listens
Apply the deployment:
kubectl apply -f deployment.yaml
Step 2: Create a Service
A Service allows other Kubernetes components to access the Deployment:
`yaml
apiVersion: v1
kind: Service
metadata:
name: nginx-service
spec:
selector:
app: nginx
ports:
- protocol: TCP
port: 80
targetPort: 80
type: NodePort`
This exposes Nginx internally within the cluster.
Apply the service:
kubectl apply -f service.yaml
Step 3: Configure an Ingress with AWS ALB
To expose the service externally via ALB, use an Ingress manifest:
yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
alb.ingress.kubernetes.io/ssl-redirect: "443"
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:your-certificate-arn
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-service
port:
number: 80
Uses AWS ALB for external traffic
Redirects HTTP (80) to HTTPS (443)
Uses an SSL certificate from ACM
Apply the ingress:
kubectl apply -f ingress.yaml
Now your app is publicly accessible over HTTPS via the ALB.
- AWS ALB Ingress Controller AWS provides an Ingress Controller that integrates ALB with Kubernetes.
Step 1: Install ALB Ingress Controller
Using helm:
helm repo add eks https://aws.github.io/eks-charts
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
--set clusterName=my-eks-cluster \
--set serviceAccount.create=false \
--set serviceAccount.name=aws-load-balancer-controller
Step 2: Verify Deployment
kubectl get pods -n kube-system
✅ You should see aws-load-balancer-controller running.
Now, Ingress rules will automatically create and configure an ALB.
- Kubernetes Network Policies By default, all pods can communicate with each other. To restrict intra-cluster communication, use NetworkPolicy rules.
Step 1: Restrict Pod Communication
Example: Only allow ALB → Nginx, block other traffic.
`yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: nginx-network-policy
spec:
podSelector:
matchLabels:
app: nginx
policyTypes:
- Ingress ingress:
- from:
- ipBlock: cidr: 10.0.0.0/16 ports:
- protocol: TCP port: 80` Blocks all pod-to-pod traffic except from ALB. Ensures that only the Load Balancer can reach Nginx. Apply the policy:
`sh
kubectl apply -f network-policy.yaml`
Final Steps
✅ Check ALB
`sh
aws elbv2 describe-load-balancers`
✅ Check Deployment
`sh
kubectl get pods
kubectl get svc
kubectl get ingress`
✅ Test HTTPS Visit: https://myapp.example.com
Should only be accessible over HTTPS
HTTP should redirect to HTTPS
🚀 Summary
✔ EKS Cluster Setup with private worker nodes
✔ Kubernetes Manifests (Deployments, Services, Ingress)
✔ ALB Ingress Controller to expose applications
✔ Network Policies to restrict communication
Top comments (0)