【Day 24】建立 EKS on Outpost 的步骤(上)

tags: `铁人赛` `AWS` `Outposts` `EKS` `Kubernetes`

前情提要

昨天稍微提及了关於 EKS 和 EKS on Outpost 的限制
今天我们会来纪录建立的步骤细节

EKS cluster build steps

切换到 EKS console

因为这座 Outpost 直连网路接到东京的关系，所以 cluster 也要选择东京
老样子，选橘色按钮！
- Create 和 Register 二个选择，选 Create
- Register 是新功能，就是单纯使用 EKS

很重要的一点，这边特别提醒！！
如果你使用的是 root account 而非 iam user 的话、
赶快去建立一个并且切换过去！

不然之後再分配权限的时候，会很麻烦。
不确定我在说什麽的可以在下方提问，
或者是参考 Managing users or IAM roles for your cluster 文件

步骤 1: Configure cluster

帮丛集取名字
选择 K8S 的版本，关於版本的更新频率，可以参考 Updates to Amazon EKS Version Lifecycle

A new Kubernetes version is released as generally available by the Kubernetes project every 70 and 130 days (we take the average of 90 days for simplicity).

接着是帮这个服务本身，建立一组角色来，并且配置角色可以使用哪些服务喔。

服务选择 EKS (Elastic Kubernetes Service) 的 Cluster
Policy 选择 AmazonEKSClusterPolicy

可以点开来看这组 AWS 的所提供的政策包含哪些内容

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:UpdateAutoScalingGroup",
                "ec2:AttachVolume",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateRoute",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteRoute",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:DescribeInstances",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DescribeVpcs",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DetachVolume",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyVolume",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeInternetGateways",
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                "elasticloadbalancing:AttachLoadBalancerToSubnets",
                "elasticloadbalancing:ConfigureHealthCheck",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:CreateLoadBalancerPolicy",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DeleteLoadBalancerListeners",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DetachLoadBalancerFromSubnets",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            }
        }
    ]
}

上半部提到的，允许这个 eksClusterRole 去建立操作删除 EC2、ELB 等、读取 KMS 的行为都可以理解。
而下半部的允许 iam:AWSServiceName 是 elasticloadbalancing.amazonaws.com 的资源，去建立 iam:CreateServiceLinkedRole 是因为建立 ELB 的时候，需要同时去建立那个 ELB 所对应的 Service Linked Role。不然的话，ELB 会建不起来。

然後是额外的加密功能、帮 EKS cluster 打标签。
- 加密这个功能感觉很重要，建议阅读Amazon EKS 使用 AWS KMS 为密码新增信封加密。
  Enabling secrets encryption allows you to use AWS Key Management Service (KMS) keys to provide envelope encryption of Kubernetes secrets stored in etcd for your cluster. This encryption is in addition to the EBS volume encryption that is enabled by default for all data (including secrets) that is stored in etcd as part of an EKS cluster.
  
  Using secrets encryption for your EKS cluster allows you to deploy a defense in depth strategy for Kubernetes applications by encrypting Kubernetes secrets with a KMS key that you define and manage.
  
  Using Secrets Encryption
  - Use AWS KMS to create a KMS key in the same region as your cluster or use an existing key.
  - You cannot modify or remove encryption from a cluster once it has been enabled.
  - All Kubernetes secrets stored in the cluster where secrets encryption is enabled will be encrypted with the KMS key you provide.
- 今天时间有限，以後专做文章给各位说明。

步骤 2: Specify networking

这边要注意，Control plane 不能建立在 Outpost 上的原因，上一篇已经说过，因为全托管服务，亚马逊他这个 console 网页伺服是 region 上的东西。
所以这边要另外去建立新的子网段，放在 Tokyo region 而且至少要跨两个 AZ。

Choose the subnets in your VPC where the control plane may place elastic network interfaces (ENIs) to facilitate communication with your cluster. The specified subnets must span at least two availability zones.
- 建立新的子网段，为了避免夜长梦多，我先配三个分别放在不同 AZ！！
- 记得指定 AZ，否则三个网段都抽到同一区
建好网段如下
Endpoint 的部分昨天也提到罗，选混合模式。