The right way to make a EKS cluster Personal and permit Nodes to nonetheless be a part of by means of a NodeGroup

The Idea

To make an Amazon Elastic Kubernetes Service (EKS) cluster non-public and permit nodes to hitch by means of a node group, it’s essential to observe just a few steps. By default, EKS creates a public cluster, however you may configure it to make it non-public for enhanced safety. Right here’s an outline of the method:

1. Create a VPC: Begin by making a Digital Personal Cloud (VPC) in your AWS account if you happen to haven’t already. This VPC can be used to host your non-public EKS cluster.
2. Create non-public subnets: Throughout the VPC, create a number of non-public subnets. These subnets will present the community isolation required for a non-public cluster. Be certain the subnets haven’t any direct web entry and that their route tables wouldn’t have an web gateway hooked up.
3. Create safety teams: Create safety teams to outline the inbound and outbound site visitors guidelines in your EKS cluster and nodes. These safety teams ought to permit communication between the management airplane and the employee nodes, in addition to another crucial community site visitors.
4. Create a NAT gateway: Because the non-public subnets don’t have direct web entry, it’s essential to arrange a Community Deal with Translation (NAT) gateway in a public subnet to allow outbound web connectivity for assets within the non-public subnets.
5. Configure VPC endpoints: Create VPC endpoints for EKS and EC2 to permit non-public communication between your EKS cluster management airplane and the employee nodes. These endpoints will make sure that the management airplane and nodes can talk with out requiring entry to the general public web.
6. Create a non-public EKS cluster: Now, create a non-public EKS cluster utilizing the AWS Administration Console, AWS CLI, or AWS SDKs. Throughout the cluster creation, specify the non-public subnets, safety teams, and VPC endpoints you created earlier. This may make sure that the cluster is deployed inside the non-public subnets and might talk with the nodes through the VPC endpoints.
7. Create a node group: As soon as the cluster is created, you may proceed to create a node group. When creating the node group, specify the non-public subnets and safety teams that you just arrange earlier. The node group can be deployed within the non-public subnets and be a part of the non-public EKS cluster.

Following these steps will lead to a non-public EKS cluster the place the management airplane and employee nodes talk privately by means of the VPC endpoints. The non-public nature of the cluster enhances safety by decreasing publicity to the general public web.

Observe that these steps present a high-level overview of the method, and there could also be further concerns or customizations based mostly in your particular necessities. For detailed directions and essentially the most up-to-date data, it’s advisable to seek advice from the official AWS EKS documentation.

How to do that in Terraform

To create a non-public Amazon EKS cluster and permit nodes to hitch by means of a node group utilizing Terraform, you may observe the steps outlined under:

1. Arrange the mandatory Terraform information: Create a brand new listing in your Terraform configuration and create the principle.tf file inside it.
2. Configure the AWS supplier: In the principle.tf file, configure the AWS supplier to outline your AWS entry credentials and the specified area:

supplier "aws" {
  area = "your_region"
}

3. Create a VPC: Outline a VPC useful resource to create the Digital Personal Cloud:

useful resource "aws_vpc" "my_vpc" {
  cidr_block = "10.0.0.0/16"
}

4. Create non-public subnets: Outline non-public subnets inside the VPC to host your EKS cluster:

useful resource "aws_subnet" "private_subnet" {
  depend = 2
  vpc_id     = aws_vpc.my_vpc.id
  cidr_block = "10.0.${depend.index}.0/24"
}

5. Create safety teams: Outline safety teams to permit inbound and outbound site visitors for the EKS cluster:

useful resource "aws_security_group" "eks_cluster_sg" {
  vpc_id = aws_vpc.my_vpc.id

  # Outline inbound and outbound guidelines as per your necessities
  # Instance:
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

6. Create a NAT gateway: Configure a NAT gateway to supply outbound web entry to assets within the non-public subnets:

useful resource "aws_eip" "nat_eip" {
  vpc      = true
}

useful resource "aws_nat_gateway" "nat_gateway" {
  allocation_id = aws_eip.nat_eip.id
  subnet_id     = aws_subnet.private_subnet[0].id
}

# Create a route desk entry for the NAT gateway
useful resource "aws_route" "private_subnet_nat_route" {
  route_table_id         = aws_subnet.private_subnet[0].route_table_id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat_gateway.id
}

7. Configure VPC endpoints: Create VPC endpoints for EKS and EC2 to allow non-public communication:

useful resource "aws_vpc_endpoint" "eks_endpoint" {
  vpc_id       = aws_vpc.my_vpc.id
  service_name = "com.amazonaws.${var.area}.eks"
}

useful resource "aws_vpc_endpoint" "ec2_endpoint" {
  vpc_id       = aws_vpc.my_vpc.id
  service_name = "com.amazonaws.${var.area}.ec2"
}

8. Create a non-public EKS cluster: Outline the EKS cluster useful resource with the suitable settings:

useful resource "aws_eks_cluster" "my_eks_cluster" {
  title     = "my-cluster"
  role_arn = aws_iam_role.my_eks_role.arn

  vpc_config {
    subnet_ids          = aws_subnet.private_subnet[*].id
    security_group_ids  = [aws_security_group.eks_cluster_sg.id]
    endpoint_private_access = true
    endpoint_public_access  = false
  }

  depends_on = [
    aws_vpc_endpoint.eks_endpoint,
    aws_vpc_endpoint.ec2_endpoint
  ]
}

9. Create a node group: Outline the EKS node group useful resource to hitch the non-public EKS cluster:

useful resource "aws_eks_node_group" "my_eks_nodegroup" {
  cluster_name    = aws_eks_cluster.my_eks_cluster.title
  node_group_name = "my-nodegroup"

  node_group_config {
    instance_type = "your_instance_type"
    desired_size  = 1
    min_size      = 1
    max_size      = 1
    subnet_ids    = aws_subnet.private_subnet[*].id
    ami_type      = "AL2_x86_64"
  }
}

10. Apply the Terraform configuration: Initialize the Terraform working listing and apply the configuration:

terraform init
terraform apply

This configuration will create a non-public VPC, subnets, safety teams, NAT gateway, VPC endpoints, EKS cluster, and a node group that joins the non-public cluster.

Be certain to customise the configuration in response to your particular necessities, similar to VPC CIDR blocks, safety group guidelines, EKS cluster title, node group occasion kind, and so on.

Observe: It is a simplified instance, and there could also be further assets or configuration choices it’s essential to take into account based mostly in your particular wants. It’s advisable to seek advice from the Terraform AWS supplier documentation for detailed data on every useful resource and its attributes.

How to do that in CloudFormation

To create a non-public Amazon EKS cluster and permit nodes to hitch by means of a node group utilizing AWS CloudFormation, you should utilize AWS CloudFormation templates to outline the infrastructure as code. Right here’s an overview of the steps to perform this:

1. Create an AWS CloudFormation template: Create a brand new CloudFormation template in YAML or JSON format. This template will outline the assets required in your non-public EKS cluster.
2. Outline the VPC and subnets: Specify the VPC and personal subnets the place your EKS cluster will reside:

Sources:
  MyVPC:
    Sort: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16

  PrivateSubnet1:
    Sort: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.0.0/24

  PrivateSubnet2:
    Sort: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24

3. Create safety teams: Outline the safety teams to regulate inbound and outbound site visitors in your EKS cluster:

Sources:
  EKSSecurityGroup:
    Sort: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EKS safety group
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: "-1"
          FromPort: 0
          ToPort: 0
          CidrIp: 0.0.0.0/0

4. Create a NAT gateway: Arrange a NAT gateway to allow outbound web entry for the non-public subnets:

Sources:
  MyEIP:
    Sort: AWS::EC2::EIP
    Properties:
      Area: vpc

  MyNATGateway:
    Sort: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt MyEIP.AllocationId
      SubnetId: !Ref PrivateSubnet1

  PrivateSubnet1RouteTable:
    Sort: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC

  PrivateSubnet1Route:
    Sort: AWS::EC2::Route
    DependsOn: MyNATGateway
    Properties:
      RouteTableId: !Ref PrivateSubnet1RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref MyNATGateway

  PrivateSubnet1Association:
    Sort: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1
      RouteTableId: !Ref PrivateSubnet1RouteTable

5. Configure VPC endpoints: Create VPC endpoints for EKS and EC2 to allow non-public communication:

Sources:
  EKSEndpoint:
    Sort: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref MyVPC
      ServiceName: com.amazonaws.<area>.eks

  EC2Endpoint:
    Sort: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref MyVPC
      ServiceName: com.amazonaws.<area>.ec2

6. Create a non-public EKS cluster: Outline the EKS cluster useful resource with the suitable settings:

Sources:
  MyEKSCluster:
    Sort: AWS::EKS::Cluster
    Properties:
      Title: my-cluster
      ResourcesVpcConfig:
        SecurityGroupIds:
          - !Ref EKSSecurityGroup
        SubnetIds:
          - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
      Model: "1.21"
      RoleArn: arn:aws:iam::123456789012:function/MyEKSClusterRole
      KubernetesNetworkConfig:
        ServiceIpv4Cidr: "10.100.0.0/16"

7. Create a node group: Outline the EKS node group useful resource to hitch the non-public EKS cluster:

Sources:
  MyEKSNodeGroup:
    Sort: AWS::EKS::Nodegroup
    Properties:
      ClusterName: !Ref MyEKSCluster
      NodegroupName: my-nodegroup
      ScalingConfig:
        DesiredSize: 1
        MinSize: 1
        MaxSize: 3
      Subnets:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
      InstanceTypes:
        - t3.medium
      RemoteAccess:
        Ec2SshKey: my-key-pair

8. Deploy the CloudFormation stack: Use the AWS Administration Console, AWS CLI, or AWS SDKs to deploy the CloudFormation stack together with your template.

Make sure that you customise the configuration based mostly in your particular necessities, similar to VPC CIDR blocks, safety group guidelines, EKS cluster title, node group occasion kind, and so on.

Please be aware that this can be a simplified instance, and extra concerns and customization could also be required based mostly in your particular wants. For extra detailed data on every useful resource and its properties, seek the advice of the AWS CloudFormation documentation.