通过eksctl创建eks集群

本文最后更新于 972 天前, 如有失效请评论区留言.

所有操作均在境外环境操作,避免调用 aws api 超时导致失败。

生成 aws secrets

创建一个 IAM 子账号并为其生成访问密钥。为方便演示这里给予了管理员权限；生产环境应遵循最小权限原则，只授予 eksctl 官方文档列出的最小 IAM 权限，并优先使用短期凭证（IAM Identity Center / 临时角色）而非长期 access key——这把密钥可以创建和销毁整个集群，是全文中价值最高的秘密。

# Shows the shared credentials file that eksctl / the AWS CLI read.
# <id> and <key> are placeholders for the access key pair created above.
# This file is a long-lived secret with admin rights in this walkthrough:
# keep it mode 0600, never commit it, and rotate/delete the key when the
# walkthrough is done.
cat ~/.aws/credentials

[default]
aws_access_key_id=<id>
aws_secret_access_key=<key>

安装 aws-iam-authenticator

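# Install aws-iam-authenticator (the kubectl exec plugin that turns IAM
# credentials into EKS tokens). Note: AWS CLI v2 can do the same via
# `aws eks get-token`, so this binary is optional on a workstation that
# has the CLI installed. The pinned 1.21.2 build is from 2021 — pick the
# current release from the AWS docs for a new setup.
#
# -f makes curl fail on HTTP errors instead of saving an error page under
# the binary's name.
curl -fsSLo aws-iam-authenticator https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.2/2021-07-05/bin/linux/amd64/aws-iam-authenticator
# Download the published checksum
curl -fsSLo aws-iam-authenticator.sha256 https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.2/2021-07-05/bin/linux/amd64/aws-iam-authenticator.sha256
# Verify. The original step only *printed* a digest and never compared it
# to the published value, so a tampered download would have been installed
# anyway. sha256sum -c reads "<digest>  <filename>" from the .sha256 file
# and exits non-zero on mismatch; abort before anything is installed.
sha256sum --check aws-iam-authenticator.sha256 || { echo "aws-iam-authenticator checksum mismatch" >&2; exit 1; }
# Install into PATH (make it executable before moving, so a failure here
# does not leave a non-executable file in /usr/local/bin)
chmod +x aws-iam-authenticator
mv aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
rm -f aws-iam-authenticator.sha256
# Test
aws-iam-authenticator --help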

安装 aws

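# Install AWS CLI v2. The installer is run as root, so verify what was
# downloaded first.
curl -fsSLo awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
# AWS publishes a detached PGP signature next to the zip. gpg --verify
# needs the AWS CLI team's public key imported beforehand (the key block
# is in the "Verify the integrity of your downloaded zip file" section of
# the AWS CLI install docs); without it the check fails closed, which is
# what we want.
curl -fsSLo awscliv2.sig "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig"
gpg --verify awscliv2.sig awscliv2.zip || { echo "aws cli signature verification failed" >&2; exit 1; }
unzip -q awscliv2.zip
./aws/install
# Clean up the installer artifacts
rm -rf awscliv2.zip awscliv2.sig aws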

安装 kubectl 命令

创建集群的过程中 eksctl 会调用 kubectl 命令，因此需要先安装。kubectl 与集群的 Kubernetes 版本最好保持在一个小版本以内。

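# Option A: the upstream Kubernetes client tarball. Neither download in
# the original was checksummed, so a tampered or truncated file would
# have been installed silently; verify against the published .sha256
# sidecar before unpacking. cut -f1 takes only the digest, so the check
# works whether the sidecar holds a bare digest or "digest  filename".
curl -fsSLO https://dl.k8s.io/v1.22.12/kubernetes-client-linux-amd64.tar.gz
curl -fsSLO https://dl.k8s.io/v1.22.12/kubernetes-client-linux-amd64.tar.gz.sha256
echo "$(cut -d' ' -f1 kubernetes-client-linux-amd64.tar.gz.sha256)  kubernetes-client-linux-amd64.tar.gz" | sha256sum --check \
  || { echo "kubectl tarball checksum mismatch" >&2; exit 1; }
tar xzf kubernetes-client-linux-amd64.tar.gz -C /tmp
mv /tmp/kubernetes/client/bin/kubectl /usr/local/bin/kubectl
# These are plain files; -r is not needed
rm -f kubernetes-client-linux-amd64.tar.gz kubernetes-client-linux-amd64.tar.gz.sha256
rm -rf /tmp/kubernetes

# Option B: the AWS-built kubectl. Functionally equivalent; keep it
# within one minor version of the cluster. Download to the working
# directory and verify first, rather than writing straight into
# /usr/local/bin as the original did.
curl -fsSLO https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.6/2022-03-09/bin/linux/amd64/kubectl
curl -fsSLO https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.6/2022-03-09/bin/linux/amd64/kubectl.sha256
sha256sum --check kubectl.sha256 || { echo "kubectl checksum mismatch" >&2; exit 1; }
chmod +x kubectl
mv kubectl /usr/local/bin/kubectl
rm -f kubectl.sha256

# Verify. --client prints just the client version and does not need a
# cluster; the original grep/cut pipeline depended on the exact output
# layout of `kubectl version`, which differs between releases.
kubectl version --client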

安装 helm

# Install helm via the official helper script.
# Caveat: this fetches an unpinned script from the `main` branch and runs
# it as root. Read get_helm.sh before executing it, or pin the URL to a
# tagged helm release. At the time of writing the script downloads the
# helm tarball and checks its sha256 by default and can additionally
# verify the release signature (VERIFY_SIGNATURES=true) — confirm against
# the copy you actually downloaded.
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 -o get_helm.sh
chmod 700 get_helm.sh
bash ./get_helm.sh

安装 eksctl

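# Install eksctl. The original piped an unpinned "latest" tarball straight
# into tar with no integrity check; eksctl publishes eksctl_checksums.txt
# with every release, so verify before unpacking. Prefer pinning a release
# tag instead of "latest" for reproducible installs. (The project now
# lives under eksctl-io; the weaveworks URL redirects there.)
PLATFORM="$(uname -s)_amd64"
curl -fsSLo "eksctl_${PLATFORM}.tar.gz" "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_${PLATFORM}.tar.gz"
# grep the line for our platform out of the checksums file and feed it to
# sha256sum --check; an empty grep result also makes the check fail.
curl -fsSL "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_checksums.txt" \
  | grep "eksctl_${PLATFORM}.tar.gz" | sha256sum --check \
  || { echo "eksctl checksum mismatch" >&2; exit 1; }
tar -xzf "eksctl_${PLATFORM}.tar.gz" -C /tmp && rm -f "eksctl_${PLATFORM}.tar.gz"
mv /tmp/eksctl /usr/local/bin
# Test
eksctl version
# -> 0.108.0 at the time of writing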

创建 aws eks 集群

仅供参考

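apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  # EKS cluster name. The cluster-autoscaler auto-discovery tags on the
  # nodegroups below must use exactly this value.
  name: demo-us-eks-prod-01
  # Region the cluster is created in
  region: us-east-1
  # Kubernetes version. Left unset here, so eksctl picks its own default;
  # pin it for anything beyond a demo so upgrades are deliberate.
  # version: "1.22"

# IP family; IPv6 is also supported
# kubernetesNetworkConfig:
#   ipFamily: IPv4

vpc:
  # CIDR of the VPC eksctl creates; subnets are carved out of it
  cidr: 10.10.0.0/16
  # Restrict who can reach the public API server endpoint. With this left
  # commented out and publicAccess: true below, the endpoint answers to
  # 0.0.0.0/0 (still authenticated, but fully exposed). Set it to the
  # egress CIDRs of your admin hosts / CI, or turn publicAccess off and
  # use only the private endpoint.
  # publicAccessCIDRs: ["1.2.3.4/32"]
  # API server endpoint access
  clusterEndpoints:
    publicAccess: true
    privateAccess: true
  # NAT gateway for the private subnets
  nat:
    gateway: Single  # HighlyAvailable gives one NAT gateway per AZ

# Cluster add-ons
addons:
  - name: vpc-cni
  - name: coredns
  - name: kube-proxy

iam:
  # Enables IAM Roles for Service Accounts (IRSA). With this on, prefer
  # granting AWS permissions to individual service accounts
  # (iam.serviceAccounts) over the node-role addon policies below.
  withOIDC: true

# Global AZs; can also be set per nodegroup
availabilityZones: ["us-east-1a", "us-east-1b"]

# Nodegroups
nodeGroups:
  # System nodes
  - name: system-1-a  # worker nodegroup name
    labels: { nodetype: system }  # node labels
    instanceType: c6g.2xlarge  # EC2 instance type
    minSize: 1  # autoscaling minimum
    desiredCapacity: 1  # autoscaling normal size
    maxSize: 2  # autoscaling maximum
    volumeSize: 200  # root volume size (GiB)
    volumeType: gp3  # root volume type
    # availabilityZones: ["us-east-1a", "us-east-1b"]  # AZs for this nodegroup
    privateNetworking: true  # place nodes in private subnets
    amiFamily: AmazonLinux2
    containerRuntime: containerd
    # Consider `disableIMDSv1: true` so pods cannot grab the node role's
    # credentials with a plain IMDSv1 GET.
    securityGroups:  # custom security groups
      withShared: true
      withLocal: true
      # attachIDs: ["sg-xxxx"]  # attach existing security groups by ID
    # Enabling ssh makes eksctl open port 22 on the node security group and
    # installs this key on every node. For private-subnet nodes consider
    # SSM Session Manager instead and drop this block entirely.
    ssh:
      publicKeyPath: /root/.ssh/id_rsa.pub  # key allowed to ssh to nodes
    tags:
      'Project': 'Demo'  # cost-allocation tag
      'k8s.io/cluster-autoscaler/enabled': 'true'  # cluster-autoscaler auto-discovery
      # Must carry the cluster name from metadata.name; the original used an
      # unrelated name, so auto-discovery would never find this ASG.
      'k8s.io/cluster-autoscaler/demo-us-eks-prod-01': 'owned'
    taints:
      # NOTE(review): key looks like a typo for `usesystem`; pods meant for
      # this pool must tolerate whichever key is actually applied — confirm.
      uessystem: "true:NoSchedule"
    iam:
      # These policies are attached to the node instance role, so every pod
      # on the node can use them via the instance metadata service. With
      # withOIDC: true, move them to IRSA-backed service accounts instead.
      withAddonPolicies:
        #imageBuilder: true
        autoScaler: true
        externalDNS: true
        certManager: true
        #appMesh: true
        ebs: true
        #fsx: true
        efs: true
        albIngress: true
        #xRay: true
        cloudWatch: true

  # Worker nodes (elastic pool that scales from zero)
  - name: worker-1-a  # worker nodegroup name
    labels:
      nodetype: worker
    instanceType: c6g.2xlarge  # EC2 instance type
    minSize: 0  # autoscaling minimum
    desiredCapacity: 0  # autoscaling normal size
    maxSize: 5  # autoscaling maximum
    volumeSize: 200  # root volume size (GiB)
    volumeType: gp3  # root volume type
    privateNetworking: true
    amiFamily: AmazonLinux2
    containerRuntime: containerd
    securityGroups:
      withShared: true
      withLocal: true
      # attachIDs: ["sg-xxxx"]
    # Same caveat as above: prefer SSM Session Manager over node ssh.
    ssh:
      # publicKeyName: 'xxxxx'  # name of an existing EC2 key pair
      publicKeyPath: /root/.ssh/id_rsa.pub
    tags:
      'Project': 'Demo'
      'k8s.io/cluster-autoscaler/enabled': 'true'
      # Must match metadata.name (see system nodegroup)
      'k8s.io/cluster-autoscaler/demo-us-eks-prod-01': 'owned'
      # node-template tags let the autoscaler simulate a node when the ASG
      # is at zero; they must mirror the real labels and taints below.
      'k8s.io/cluster-autoscaler/node-template/label/nodetype': worker
      # The original advertised taint key `feaster`, which no node carries,
      # so scale-from-zero would have been mis-simulated; use the real key.
      'k8s.io/cluster-autoscaler/node-template/taint/useworker': "true:NoSchedule"
    taints:
      useworker: "true:NoSchedule"
    iam:
      # See the note on the system nodegroup: node-role policies are
      # reachable by every pod on the node; prefer IRSA.
      withAddonPolicies:
        #imageBuilder: true
        autoScaler: true
        externalDNS: true
        certManager: true
        #appMesh: true
        ebs: true
        #fsx: true
        efs: true
        albIngress: true
        #xRay: true
        cloudWatch: true

# Control-plane log export to CloudWatch Logs
cloudWatch:
  clusterLogging:
    # enable specific types of cluster control plane logs. For incident
    # response the "api" log (request-level API server log) is usually
    # wanted as well; "all" enables everything at higher log cost.
    enableTypes: ["audit", "authenticator", "controllerManager"]
    # all supported types: "api", "audit", "authenticator", "controllerManager", "scheduler"
    # supported special values: "*" and "all"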

创建集群

# Takes roughly 30-40 minutes. --auto-kubeconfig writes the kubeconfig to
# a per-cluster file under ~/.kube/eksctl/clusters/ instead of merging
# into ~/.kube/config. The IAM identity that runs this command becomes the
# initial cluster admin, so run it with the account you intend to keep
# that role (confirm the mapping in the aws-auth ConfigMap afterwards).
eksctl create cluster --config-file demo.yaml --auto-kubeconfig

销毁集群

# -f / --config-file selects the cluster; --force keeps deleting the
# stacks even when a step errors (e.g. leftover load balancers), so check
# CloudFormation and the VPC afterwards for orphaned resources that keep
# billing or keep security groups open.
eksctl delete cluster --config-file demo.yaml --force
