EKS cluster setup

Overview

This section provides instructions for setting up the Elastic Kubernetes Service  (EKS) for use with the CAST Imaging helm charts installation scripts described in Installation on Amazon Web Services via EKS.

Configure IAM user and permissions

According to Amazon Web Services best practices you should never use your root account for working with AWS services, and instead access should be provided via an IAM user managed in the https://console.aws.amazon.com/iam . There are two ways to do this:

Attach default AdministratorAccess policy

This method will provides all required permissions, but also gives additional “admin” type permissions:

• Create a new IAM user in the AWS Console by clicking Create user
• Use the Attach policies directly option and attach the default AdministratorAccess policy:

Attach custom policies

Use this method if you need to “lock down” the IAM user and grant it only the permissions necessary to operate the EKS cluster. You will need to create two custom policies as follows:

EKS-Admin-policy:

{
   "Version": "2012-10-17",
   "Statement": [
   	{
   		"Effect": "Allow",
   		"Action": [
   			"eks:*"
   		],
   		"Resource": "*"
   	}
   ]
}

CloudFormation-Admin-policy:

{
   "Version": "2012-10-17",
   "Statement": [
   	{
   		"Effect": "Allow",
   		"Action": [
   			"cloudformation:*"
   		],
   		"Resource": "*"
   	}
   ]
}

• Use the Create policy option to do so:

• Create a new IAM user in the AWS Console by clicking Create user
• Use the Attach policies directly option and attach the two custom policies you have just created:

• Finally, attach the following additional default policies to your IAM user:
  • AmazonEC2FullAccess
  • IAMFullAccess
  • AmazonVPCFullAccess
• Giving you this result:

Create an IAM role

• Use the IAM console https://console.aws.amazon.com/iam  to create a new role choosing AWS Service > EKS Service:

• The new role will be automatically called AWSServiceRoleForAmazonEKS.

Create a key pair

• Use the EC2 console https://console.aws.amazon.com/ec2  to create a new key pair under Network & Security > Key Pairs called eks-mykeypair.
• Choose .pem format and leave all other options at their default:

Create access key/secret access key

• Use the IAM console https://console.aws.amazon.com/iam  to create create a new access key for your IAM user:

• Ensure you download the .csv file containing the access key and secret access key.

Setup AWS cli

• Follow the instructions provided here: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html .
• Test the cli is working by running: aws --version
• Configure AWS access by running: aws configure. You will need to provide the following:
  • Access key ID
  • Default region name (us-east-2)
  • Default output format (.json)

Setup eksctl

• Install eksctl (this utility will use the same credentials file as created for the AWS cli, located under ~/.aws/credentials):
  • for a non-Linux OS you can find a binary download here: https://github.com/weaveworks/eksctl/releases 
  • for Linux, execute:

curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/latest_release/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp  
	 
sudo mv /tmp/eksctl /usr/local/bin

• Test the cli is working by running: eksctl version

Install kubectl - commandline K8s tool

• Follow the instructions provided here: https://kubernetes.io/docs/tasks/tools/ 
• Test the cli is working by running: kubectl version --short --client (Linux) or kubectl.exe version --short --client (Microsoft Windows)

Install Helm

• Follow the instructions provided here: https://helm.sh/docs/intro/quickstart/ . The binary download is provided here: https://github.com/helm/helm/releases 

Create a new cluster

• Update fields in ex_eks-mycluster.yaml to match values from your environment, including VPC ID, subnets, EC2 key etc.
• Create the new cluster by running: eksctl create cluster -f ex_eks-mycluster.yaml

Enable EBS and EFS CSI driver

• Use the EKS console https://console.aws.amazon.com/eks/  to access the new cluster called eks-mycluster
• Click Get more add-ons
• Tick the Amazon EBS CSI Driver checkbox
• Tick the Amazon EFS CSI Driver checkbox
• Click Confirm to proceed.