EKS Setup using EKSCTL

akhil mittal - Sep 17 - Dev Community

To set up an Amazon EKS (Elastic Kubernetes Service) cluster with eksctl, including a node group and IAM OIDC (OpenID Connect) provider, follow these detailed steps. This guide will cover everything from installing eksctl to configuring IAM roles and deploying a node group.

1) Install AWSCLI

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
sudo apt install unzip
unzip awscliv2.zip
sudo ./aws/install
aws configure

aws configure stores long-lived access keys in ~/.aws/credentials. Where you can, use short-lived credentials instead (aws configure sso, or an instance or role profile) and give that principal only the permissions eksctl needs: whichever IAM identity runs eksctl create cluster is mapped to system:masters on the new cluster by default. AWS also publishes a PGP signature for the installer (awscliv2.zip.sig); verify it before running sudo ./aws/install.

2) Install KUBECTL

KUBECTL_VERSION=v1.30.0   # match the cluster version from step 4 (kubectl is supported within one minor version of the API server)
curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin
kubectl version --client

Pin kubectl to the minor version of the cluster you create in step 4; a 1.19 build, which older copies of this guide downloaded from the EKS S3 bucket, is far outside the supported skew for a 1.30 API server. The sha256sum line fails the install if the binary does not match the published digest. kubectl version --short was removed in kubectl 1.28, so the plain --client form is used.

3) Install EKSCTL
eksctl now lives in the eksctl-io GitHub organisation (the old weaveworks URLs and tap redirect there). The release you install must know about the Kubernetes version you create in step 4: v0.143.0, pinned in older copies of this guide, predates 1.30 support, so take a current release and verify its checksum before putting it on your PATH.

Macos:

brew install eksctl

Linux:

curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_Linux_amd64.tar.gz"
curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep Linux_amd64 | sha256sum --check
tar -xzf eksctl_Linux_amd64.tar.gz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin

The grep picks the line for this platform out of the release's checksum file and sha256sum --check compares it with the tarball you just downloaded; if they differ the command fails and nothing is installed. Run eksctl version afterwards to confirm the release.

Windows:
Download the latest eksctl binary from the releases page, check it against eksctl_checksums.txt from the same release, and add it to your PATH.

4) Create an EKS Cluster
Use eksctl to create the control plane first, then register the IAM OIDC provider, then add a node group. Plain eksctl create cluster does not register an OIDC provider unless you pass --with-oidc, which is why the separate associate-iam-oidc-provider command follows; without it, IAM roles for service accounts (step 7) cannot work.

eksctl create cluster --name=my-eks22 \
                      --region=ap-south-1 \
                      --zones=ap-south-1a,ap-south-1b \
                      --version=1.30 \
                      --without-nodegroup

eksctl utils associate-iam-oidc-provider \
    --region ap-south-1 \
    --cluster my-eks22 \
    --approve

eksctl create nodegroup --cluster=my-eks22 \
                       --region=ap-south-1 \
                       --name=node2 \
                       --node-type=t3.medium \
                       --nodes=3 \
                       --nodes-min=2 \
                       --nodes-max=4 \
                       --node-volume-size=20 \
                       --ssh-access \
                       --ssh-public-key=Key \
                       --managed \
                       --asg-access \
                       --external-dns-access \
                       --full-ecr-access \
                       --appmesh-access \
                       --alb-ingress-access


--name: Name of your EKS cluster (in eksctl create cluster) or of the node group (in eksctl create nodegroup, where --cluster names the cluster).
--region: AWS region where the cluster will be created.
--zones: Availability Zones the cluster subnets are placed in.
--version: Kubernetes version of the control plane; the kubectl and eksctl builds from steps 2 and 3 must support it.
--without-nodegroup: Create only the control plane; the node group is added separately.
--node-type: EC2 instance type for nodes.
--nodes: Initial number of nodes in the node group.
--nodes-min: Minimum number of nodes.
--nodes-max: Maximum number of nodes.
--node-volume-size: Root volume size in GiB for each node.
--managed: Indicates that the node group is managed by EKS (EKS handles AMI updates and draining).
--ssh-access / --ssh-public-key: Opens inbound port 22 on the node security group and installs the named EC2 key pair ("Key" above). Leave this off unless you really need a shell on the nodes; AWS Systems Manager Session Manager reaches them without an open port or a shared key.
--asg-access, --external-dns-access, --full-ecr-access, --appmesh-access, --alb-ingress-access: Attach the corresponding IAM policies to the node instance role. Anything on the node role is reachable by every pod on those nodes through the instance metadata service, so these flags hand out cluster-wide AWS permissions rather than per-workload ones. Keep the node role minimal, give workloads their own permissions with IAM roles for service accounts (step 7), and if you do use these flags require IMDSv2 and block pod access to the metadata endpoint.
--with-oidc: Alternative to the separate associate-iam-oidc-provider command; registers the cluster's OIDC issuer with IAM at creation time.

Two follow-ups before moving on: if workloads must be reachable on node ports, open only those ports in the additional node security group rather than all inbound traffic; and create the service account, Role, RoleBinding and token for your deployer (step 8).
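The same cluster as an eksctl ClusterConfig file, added here as an example that is not from the original post. It keeps the sizes from the commands above but tightens the parts that matter for security: OIDC registered at creation, no SSH, IMDSv2 required, nodes on private subnets, control-plane audit logging, envelope encryption of Secrets with a KMS key, and only the autoscaler add-on policy on the node role. The admin CIDR, KMS key ARN and account number are placeholders you must replace.

```yaml
# Added example: ClusterConfig equivalent of the step-4 commands with the node-role
# and network settings tightened. Values marked ASSUMPTION are placeholders.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: my-eks22
  region: ap-south-1
  version: "1.30"

availabilityZones: [ap-south-1a, ap-south-1b]

iam:
  withOIDC: true                 # register the OIDC provider at creation (replaces associate-iam-oidc-provider)

vpc:
  clusterEndpoints:
    privateAccess: true          # nodes reach the API server inside the VPC
    publicAccess: true           # admins reach it from the CIDRs below only
  publicAccessCIDRs:
    - 203.0.113.0/24             # ASSUMPTION: your admin egress range; never leave this at 0.0.0.0/0

cloudWatch:
  clusterLogging:
    enableTypes: [api, audit, authenticator]   # audit and authenticator logs are what incident response needs

secretsEncryption:
  keyARN: arn:aws:kms:ap-south-1:123456789012:key/EXAMPLE-KEY-ID   # ASSUMPTION: your CMK; encrypts Secrets in etcd

managedNodeGroups:
  - name: node2
    instanceType: t3.medium
    desiredCapacity: 3
    minSize: 2
    maxSize: 4
    volumeSize: 20
    privateNetworking: true      # nodes get no public IPs
    disableIMDSv1: true          # require IMDSv2 session tokens on the nodes
    ssh:
      allow: false               # no port 22; use SSM Session Manager for break-glass access
    iam:
      withAddonPolicies:
        autoScaler: true         # the only node-role add-on this group needs; workload permissions go through IRSA (step 7)
```

Create it with eksctl create cluster -f cluster.yaml. Whether disablePodIMDS (which lowers the metadata hop limit so pods cannot reach IMDS at all) is accepted for managed node groups depends on your eksctl release; check the schema page for that release before relying on it, and otherwise enforce the same thing with a NetworkPolicy that denies pod egress to 169.254.169.254.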

5) Update kubeconfig
eksctl create cluster already writes a kubeconfig entry for the new cluster; if you are on another machine, or the entry was lost, write it again with the name and region you created the cluster with (the values from step 4 are used here).

aws eks --region ap-south-1 update-kubeconfig --name my-eks22

Alternatively, eksctl can write the same entry:

eksctl utils write-kubeconfig --cluster my-eks22 --region ap-south-1

Either way the entry contains no static credential: it configures an exec plugin that runs aws eks get-token, so kubectl authenticates as whatever IAM principal your AWS CLI session currently holds. The principal that created the cluster is mapped to system:masters by default; map other people or roles explicitly (aws-auth ConfigMap or EKS access entries) rather than sharing that identity.

6) Verify Cluster
Check that the cluster is running and that kubectl is properly configured.

kubectl get nodes


7) Create IAM Roles for Service Accounts (Optional)
If your applications require AWS IAM permissions, create IAM roles and associate them with Kubernetes service accounts using OIDC.

Create an IAM Policy: Define a policy that grants permissions (e.g., access to S3).

Example policy for S3 access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}


Create the policy in IAM with aws iam create-policy (pointing --policy-document at the file above) and note the ARN it returns, then create the IAM role and associate it with the EKS service account:

eksctl create iamserviceaccount \
  --region ap-south-1 \
  --name my-service-account \
  --namespace default \
  --cluster my-eks22 \
  --attach-policy-arn arn:aws:iam::123456789012:policy/MyPolicy \
  --approve

--name: Name of the service account.
--namespace: Kubernetes namespace for the service account.
--cluster: Name of your EKS cluster (the region and name from step 4 are used here).
--attach-policy-arn: ARN of the IAM policy to attach (123456789012 and MyPolicy are placeholders for your account and the policy created above).
--approve: Automatically approve the creation.

What this produces: an IAM role whose trust policy allows sts:AssumeRoleWithWebIdentity from the cluster's OIDC provider only when the token's sub claim is system:serviceaccount:default:my-service-account (and its aud is sts.amazonaws.com), plus a Kubernetes ServiceAccount annotated with eks.amazonaws.com/role-arn. Pods that run under that service account receive the role's credentials through a projected token; pods under any other service account, and the nodes themselves, do not. Confirm the annotation with kubectl describe sa my-service-account -n default, and keep the policy's Resource scoped to the bucket as shown rather than "*".
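The same binding expressed in the eksctl ClusterConfig, added here as an example that is not from the original post, so the service account, its namespace and its policy are reviewed together with the cluster definition instead of living in a separately created policy ARN. The bucket name and the fixed role name are assumptions.

```yaml
# Added example: step-7 IRSA binding as a ClusterConfig entry with the policy inline.
# Values marked ASSUMPTION are placeholders.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: my-eks22
  region: ap-south-1

iam:
  withOIDC: true                                  # the role's trust policy references the cluster's OIDC issuer
  serviceAccounts:
    - metadata:
        name: my-service-account
        namespace: default                        # the trust policy's sub condition is built from namespace + name
      roleName: my-eks22-default-my-service-account   # ASSUMPTION: a fixed, auditable role name instead of a generated one
      attachPolicy:                               # inline least-privilege policy; nothing but GetObject on one prefix
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: ["s3:GetObject"]
            Resource: "arn:aws:s3:::my-bucket/*"  # ASSUMPTION: bucket name is a placeholder
```

Apply it with eksctl create iamserviceaccount -f cluster.yaml --approve. To check that only this namespace/service-account pair can assume the role, read the trust policy back with aws iam get-role --role-name my-eks22-default-my-service-account and look for the StringEquals condition on the issuer's :sub key.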

8) Create a Service Account, a Role, bind the Role, and issue a token for the Service Account
Creating the Service Account (this one is for a Jenkins deployer working in the webapps namespace):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: webapps

Creating Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-role
  namespace: webapps
rules:
  # A Role is namespaced, so cluster-scoped kinds (nodes, namespaces, persistentvolumes,
  # componentstatuses) cannot be granted here and have been dropped; use a ClusterRole only
  # if the deployer genuinely needs them. The long-removed "extensions" group is gone too:
  # ingresses live in networking.k8s.io and the resource is "ingresses", not "ingress".
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - networking.k8s.io
      - policy
    resources:
      - pods
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingresses
      - jobs
      - limitranges
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - services
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Secrets and service accounts are kept in their own rule so the grant is visible:
  # full verbs on secrets let the token holder read every Secret in webapps, and
  # create/update on serviceaccounts lets it mint tokens for any of them. Narrow this
  # rule if Jenkins only needs to deploy.
  - apiGroups: [""]
    resources: ["secrets", "serviceaccounts"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Bind the Role to ServiceAccount:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-rolebinding
  namespace: webapps 
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-role 
subjects:
- namespace: webapps 
  kind: ServiceAccount
  name: jenkins 
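The token the step heading promises, added here as an example that is not from the original post. Since Kubernetes 1.24 a ServiceAccount no longer gets a token Secret created for it automatically. For an interactive check, kubectl create token jenkins -n webapps --duration=1h issues a short-lived bound token, which is the better choice wherever the client can refresh it. A CI server that stores one credential for a long time needs a non-expiring token, which you get by creating a Secret of the service-account-token type pointing at the ServiceAccount; the Secret name is an assumption.

```yaml
# Added example: long-lived token Secret for the jenkins ServiceAccount defined above.
# The controller fills in the token, ca.crt and namespace keys once the Secret exists.
apiVersion: v1
kind: Secret
metadata:
  name: jenkins-token                        # ASSUMPTION: any name; referenced below when reading the token
  namespace: webapps
  annotations:
    kubernetes.io/service-account.name: jenkins   # must match the ServiceAccount's metadata.name exactly
type: kubernetes.io/service-account-token
```

Read it out with kubectl get secret jenkins-token -n webapps -o jsonpath='{.data.token}' | base64 -d and store it only in the Jenkins credentials store. The token carries every permission app-role grants, never expires, and is revoked only by deleting the Secret, so rotate it by deleting and recreating the Secret rather than leaving one token in place indefinitely.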

9) Install Helm (Optional)
Helm is a package manager for Kubernetes, useful for deploying and managing applications.

Macos:

brew install helm


Linux:

curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

The script fetches a release tarball and checks it against the published SHA-256 sum, but piping it straight from the main branch into bash runs whatever is on that branch at that moment. Download the script, read it, then run it, or install a pinned release from the Helm releases page and verify its checksum yourself.

Windows:
Download the latest Helm binary from the Helm releases page and add it to your PATH.

10) Deploy Applications with Helm (Optional)
Use Helm to deploy applications to your EKS cluster. For example, to install the NGINX ingress controller:
Add Helm Repository:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

Update Helm Repository:

helm repo update

Install Nginx Ingress Controller:

helm install my-ingress ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace --version <chart-version>

Pin the chart with --version (helm search repo ingress-nginx --versions lists what is available) so that upgrades are deliberate, and install it into its own namespace rather than default. With default values the chart creates a Service of type LoadBalancer, which on EKS provisions an internet-facing load balancer; review the values (internal scheme annotations, allowed source ranges) before anything is exposed.

11) Delete the Cluster (If Needed)
If you need to delete the cluster, you can do so with eksctl (again using the name and region from step 4):

eksctl delete cluster --name my-eks22 --region ap-south-1

This removes the CloudFormation stacks eksctl created (cluster, node groups, IRSA roles) but not resources that in-cluster controllers created on their own, such as the load balancer behind an ingress controller or a LoadBalancer Service. Delete those Services first; otherwise the VPC deletion fails and billable resources are left behind.

Summary

These steps should cover the complete process of setting up an EKS cluster with eksctl, including node group management and IAM OIDC integration.
