Using EKS on AWS
Permalink: Using EKS on AWS - 慢慢的回味
Hosting Kubernetes with AWS EKS is fairly involved. Following the steps below produces an EKS setup that covers most usage scenarios.
Contents:
5 Setting up EFS storage for EKS
5.1 Create the policy for accessing EFS (root user)
5.2 Create the role for accessing EFS (root user)
5.3 Create an Identity Provider for OpenID Connect (root user)
5.4 Create the service account in EKS (IAM user)
5.5 Create the EFS CSI driver (IAM user)
5.6 Create the EFS file system (root user)
5.7 Create the storage class in Kubernetes (IAM user)
6 Deploy Jenkins as a test (IAM user)
6.1 Deploy Jenkins
6.2 Verify the result
5 Setting up EFS storage for EKS
5.1 Create the policy for accessing EFS (root user)
Define a custom policy named "TestEKSAccessEFSPolicy". The tag conditions limit the role to creating and deleting only the access points that the CSI driver itself tags with efs.csi.aws.com/cluster=true.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:CreateAccessPoint"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/efs.csi.aws.com/cluster": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:DeleteAccessPoint",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
        }
      }
    }
  ]
}
```

5.2 Create the role for accessing EFS (root user)
Create the role "TestEKSAccessEFSRole" and attach the policy "TestEKSAccessEFSPolicy".
Under "Trust relationships", change the content as follows.
Replace "oidc.eks.us-east-1.amazonaws.com/id/98F61019E9B399FA9B7A43A19B56DF14" with the "OpenID Connect provider URL" of your EKS cluster (and the account id in the ARN with your own).
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::675892200046:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/98F61019E9B399FA9B7A43A19B56DF14"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/98F61019E9B399FA9B7A43A19B56DF14:sub": "system:serviceaccount:kube-system:efs-csi-controller-sa"
        }
      }
    }
  ]
}
```
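As an added example (not code from the original post), a small Python check that reads a role's trust policy and confirms it is scoped to this one service account: the Federated principal must be the cluster's own OIDC provider, the sub claim must be pinned with StringEquals to the namespace and service account name, and the aud claim should be pinned to sts.amazonaws.com, the audience entered in step 5.3. The account id and OIDC provider id in the embedded sample are placeholders, not real values.

```python
import json

# Constructed sample: the trust policy from this post, with placeholder account id and OIDC id.
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/%s"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "%s:sub": "system:serviceaccount:kube-system:efs-csi-controller-sa"}}
  }]
}""" % (OIDC_ISSUER, OIDC_ISSUER))

# Constructed variant of the shape a reviewer should reject: any service account could assume the role.
WILDCARD_POLICY = json.loads(json.dumps(TRUST_POLICY)
                             .replace('"StringEquals"', '"StringLike"')
                             .replace("kube-system:efs-csi-controller-sa", "*:*"))


def check_irsa_trust(policy, issuer, namespace, sa_name):
    """Return findings for an IRSA trust policy; an empty list means it is scoped as intended."""
    findings, matched = [], False
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        matched = True
        # The Federated principal must be this cluster's OIDC provider, not another issuer.
        fed = stmt.get("Principal", {}).get("Federated", "")
        if not fed.endswith(f":oidc-provider/{issuer}"):
            findings.append(f"federated principal is not this cluster's issuer: {fed}")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        # sub must be pinned with StringEquals to exactly one namespace/service-account pair.
        sub = equals.get(f"{issuer}:sub")
        if sub is None:
            like = cond.get("StringLike", {}).get(f"{issuer}:sub")
            findings.append(f"sub is not pinned with StringEquals (StringLike: {like})")
        elif sub != expected_sub:
            findings.append(f"sub is {sub}, expected {expected_sub}")
        # aud should be pinned to sts.amazonaws.com, the audience set when the provider was created.
        if equals.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
    if not matched:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings
```

Run against the post's own trust policy, the only finding is the missing aud condition; the wildcard variant is flagged on sub as well.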
5.3 Create an Identity Provider for OpenID Connect (root user)
Enter the provider URL and the audience "sts.amazonaws.com", click "Get thumbprint", then click "Add provider".
5.4 Create the service account in EKS (IAM user)
Create a file "efs-service-account.yaml" with the following content, then run "kubectl apply -f efs-service-account.yaml" to create the account. Remember to change the account id.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: efs-csi-controller-sa
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::675892200046:role/TestEKSAccessEFSRole
```

5.5 Create the EFS CSI driver (IAM user)
Run the following command to fetch the installation yaml for the EFS driver as driver.yaml:

```bash
kubectl kustomize "github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/ecr?ref=release-1.3" > driver.yaml
```

The service account was already created above, so the "efs-csi-controller-sa" section in driver.yaml can be removed.
Then run "kubectl apply -f driver.yaml" to create the CSI driver.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: efs-csi-controller-sa
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::675892200046:role/TestEKSAccessEFSRole
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
  name: efs-csi-node-sa
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
  name: efs-csi-external-provisioner-role
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - patch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - watch
  - list
  - delete
  - update
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
  name: efs-csi-provisioner-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: efs-csi-external-provisioner-role
subjects:
- kind: ServiceAccount
  name: efs-csi-controller-sa
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
  name: efs-csi-controller
  namespace: kube-system
spec:
  replicas: 2
  selector:
    matchLabels:
      app: efs-csi-controller
      app.kubernetes.io/instance: kustomize
      app.kubernetes.io/name: aws-efs-csi-driver
  template:
    metadata:
      labels:
        app: efs-csi-controller
        app.kubernetes.io/instance: kustomize
        app.kubernetes.io/name: aws-efs-csi-driver
    spec:
      containers:
      - args:
        - --endpoint=$(CSI_ENDPOINT)
        - --logtostderr
        - --v=2
        - --delete-access-point-root-dir=false
        env:
        - name: CSI_ENDPOINT
          value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
        image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver:v1.3.8
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: healthz
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 3
        name: efs-plugin
        ports:
        - containerPort: 9909
          name: healthz
          protocol: TCP
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /var/lib/csi/sockets/pluginproxy/
          name: socket-dir
      - args:
        - --csi-address=$(ADDRESS)
        - --v=2
        - --feature-gates=Topology=true
        - --extra-create-metadata
        - --leader-election
        env:
        - name: ADDRESS
          value: /var/lib/csi/sockets/pluginproxy/csi.sock
        image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/csi-provisioner:v2.1.1
        imagePullPolicy: IfNotPresent
        name: csi-provisioner
        volumeMounts:
        - mountPath: /var/lib/csi/sockets/pluginproxy/
          name: socket-dir
      - args:
        - --csi-address=/csi/csi.sock
        - --health-port=9909
        image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/livenessprobe:v2.2.0
        imagePullPolicy: IfNotPresent
        name: liveness-probe
        volumeMounts:
        - mountPath: /csi
          name: socket-dir
      hostNetwork: true
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      serviceAccountName: efs-csi-controller-sa
      volumes:
      - emptyDir: {}
        name: socket-dir
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
  name: efs-csi-node
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: efs-csi-node
      app.kubernetes.io/instance: kustomize
      app.kubernetes.io/name: aws-efs-csi-driver
  template:
    metadata:
      labels:
        app: efs-csi-node
        app.kubernetes.io/instance: kustomize
        app.kubernetes.io/name: aws-efs-csi-driver
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: eks.amazonaws.com/compute-type
                operator: NotIn
                values:
                - fargate
      containers:
      - args:
        - --endpoint=$(CSI_ENDPOINT)
        - --logtostderr
        - --v=2
        env:
        - name: CSI_ENDPOINT
          value: unix:/csi/csi.sock
        image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver:v1.3.8
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: healthz
          initialDelaySeconds: 10
          periodSeconds: 2
          timeoutSeconds: 3
        name: efs-plugin
        ports:
        - containerPort: 9809
          name: healthz
          protocol: TCP
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /var/lib/kubelet
          mountPropagation: Bidirectional
          name: kubelet-dir
        - mountPath: /csi
          name: plugin-dir
        - mountPath: /var/run/efs
          name: efs-state-dir
        - mountPath: /var/amazon/efs
          name: efs-utils-config
        - mountPath: /etc/amazon/efs-legacy
          name: efs-utils-config-legacy
      - args:
        - --csi-address=$(ADDRESS)
        - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
        - --v=2
        env:
        - name: ADDRESS
          value: /csi/csi.sock
        - name: DRIVER_REG_SOCK_PATH
          value: /var/lib/kubelet/plugins/efs.csi.aws.com/csi.sock
        - name: KUBE_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/csi-node-driver-registrar:v2.1.0
        imagePullPolicy: IfNotPresent
        name: csi-driver-registrar
        volumeMounts:
        - mountPath: /csi
          name: plugin-dir
        - mountPath: /registration
          name: registration-dir
      - args:
        - --csi-address=/csi/csi.sock
        - --health-port=9809
        - --v=2
        image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/livenessprobe:v2.2.0
        imagePullPolicy: IfNotPresent
        name: liveness-probe
        volumeMounts:
        - mountPath: /csi
          name: plugin-dir
      dnsPolicy: ClusterFirst
      hostNetwork: true
      nodeSelector:
        beta.kubernetes.io/os: linux
      priorityClassName: system-node-critical
      serviceAccountName: efs-csi-node-sa
      tolerations:
      - operator: Exists
      volumes:
      - hostPath:
          path: /var/lib/kubelet
          type: Directory
        name: kubelet-dir
      - hostPath:
          path: /var/lib/kubelet/plugins/efs.csi.aws.com/
          type: DirectoryOrCreate
        name: plugin-dir
      - hostPath:
          path: /var/lib/kubelet/plugins_registry/
          type: Directory
        name: registration-dir
      - hostPath:
          path: /var/run/efs
          type: DirectoryOrCreate
        name: efs-state-dir
      - hostPath:
          path: /var/amazon/efs
          type: DirectoryOrCreate
        name: efs-utils-config
      - hostPath:
          path: /etc/amazon/efs
          type: DirectoryOrCreate
        name: efs-utils-config-legacy
---
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  annotations:
    helm.sh/hook: pre-install, pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation
    helm.sh/resource-policy: keep
  name: efs.csi.aws.com
spec:
  attachRequired: false
```
After a short wait, the "efs-csi-controller*" pods should be ready.
5.6 Create the EFS file system (root user)
In the Amazon EFS console, click "Create file system" to begin:
Choose "Standard" as the storage class so that nodes in every availability zone can access it.
Once creation finishes, wait for "Network" to become available, then click the "Manage" button to add the cluster security group.
5.7 Create the storage class in Kubernetes (IAM user)
Create "storageclass.yaml" with the following content and run "kubectl apply -f storageclass.yaml" to create it.
Remember to change "fileSystemId" to your own file system's id, which can be looked up as shown in the figure below.

```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
parameters:
  provisioningMode: efs-ap
  fileSystemId: fs-04470c1ed1eab275c
  directoryPerms: "700"
  gidRangeStart: "1000" # optional
  gidRangeEnd: "2000" # optional
  basePath: "/dynamic_provisioning" # optional
```

6 Deploy Jenkins as a test (IAM user)
6.1 Deploy Jenkins
Remember to set the storage class to efs-sc.

```bash
helm repo add jenkinsci https://charts.jenkins.io/
helm install my-jenkins jenkinsci/jenkins --version 4.1.17 --set persistence.storageClass=efs-sc
```

6.2 Verify the result
Once Jenkins has started, port forwarding gives temporary access. Note that --address=0.0.0.0 listens on every interface of the machine running kubectl, not only on localhost.

```
[awscli@bogon ~]$ kubectl port-forward svc/my-jenkins --address=0.0.0.0 8081:8080
Forwarding from 0.0.0.0:8081 -> 8080
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
```