1. Create an EC2 instance (the command server).

The Kubernetes cluster has to be created from the command server: the identity that creates the cluster is the one that receives the Kubernetes (cluster-admin) permissions. That is why a command server is set up first. This holds for both eksctl and CloudFormation; in either case the cluster must be created from the command server for that server to receive the Kubernetes permissions. It is also possible to create the cluster in the GUI (console) and grant the permissions afterwards, but that is cumbersome.

2. Create the cluster.

3. Public EKS template

cat <<'EOF' > eks-full-public-ipfixed.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: "EKS Public Node + VPC CIDR (fixed subnet scheme)"

Parameters:
  VpcCidr:
    Type: String
    Default: 10.0.0.0/20
  NamePrefix:
    Type: String
    Default: ha-compact

Resources:
  # ---------------- VPC ----------------
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub "${NamePrefix}-vpc"

  IGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Sub "${NamePrefix}-igw"

  IGWAttach:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref IGW

  # ---------------- Subnets ----------------
  PublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 16, 8]]
      AvailabilityZone: !Select [0, !GetAZs ""]
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub "${NamePrefix}-pub-a"
        - Key: kubernetes.io/role/elb
          Value: '1'
        - Key: !Sub "kubernetes.io/cluster/${NamePrefix}-eks"
          Value: shared

  PublicSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 16, 8]]
      AvailabilityZone: !Select [1, !GetAZs ""]
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub "${NamePrefix}-pub-b"
        - Key: kubernetes.io/role/elb
          Value: '1'
        - Key: !Sub "kubernetes.io/cluster/${NamePrefix}-eks"
          Value: shared

  AppSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 4, 10]]
      AvailabilityZone: !Select [0, !GetAZs ""]
      Tags:
        - Key: Name
          Value: !Sub "${NamePrefix}-app-a"

  AppSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 4, 10]]
      AvailabilityZone: !Select [1, !GetAZs ""]
      Tags:
        - Key: Name
          Value: !Sub "${NamePrefix}-app-b"

  DBSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [12, !Cidr [!Ref VpcCidr, 16, 8]]
      AvailabilityZone: !Select [0, !GetAZs ""]
      Tags:
        - Key: Name
          Value: !Sub "${NamePrefix}-db-a"

  DBSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [13, !Cidr [!Ref VpcCidr, 16, 8]]
      AvailabilityZone: !Select [1, !GetAZs ""]
      Tags:
        - Key: Name
          Value: !Sub "${NamePrefix}-db-b"

  # ---------------- Route ----------------
  PublicRT:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: IGWAttach
    Properties:
      RouteTableId: !Ref PublicRT
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGW

  PublicAssocA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetA
      RouteTableId: !Ref PublicRT

  PublicAssocB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetB
      RouteTableId: !Ref PublicRT

  # ---------------- IAM ----------------
  ClusterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: eks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy

  NodeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy

  # ---------------- EKS ----------------
  EKS:
    Type: AWS::EKS::Cluster
    DependsOn:
      - PublicAssocA
      - PublicAssocB
      - ClusterRole
    Properties:
      Name: !Sub "${NamePrefix}-eks"
      Version: "1.34"
      RoleArn: !GetAtt ClusterRole.Arn
      AccessConfig:
        AuthenticationMode: API_AND_CONFIG_MAP
        BootstrapClusterCreatorAdminPermissions: true
      ResourcesVpcConfig:
        SubnetIds:
          - !Ref PublicSubnetA
          - !Ref PublicSubnetB
        EndpointPublicAccess: true
      Tags:
        - Key: Name
          Value: !Sub "${NamePrefix}-eks"

  NodeGroup:
    Type: AWS::EKS::Nodegroup
    DependsOn:
      - EKS
      - NodeRole
    Properties:
      ClusterName: !Ref EKS
      NodegroupName: !Sub "${NamePrefix}-ng-public"
      NodeRole: !GetAtt NodeRole.Arn
      AmiType: AL2023_x86_64_STANDARD
      CapacityType: ON_DEMAND
      InstanceTypes:
        - t3.small
      ScalingConfig:
        MinSize: 1
        DesiredSize: 2
        MaxSize: 2
      Subnets:
        - !Ref PublicSubnetA
        - !Ref PublicSubnetB
      Tags:
        Name: !Sub "${NamePrefix}-ng-public"

Outputs:
  ClusterName:
    Value: !Ref EKS
EOF

--------

4. Deploy the public stack

aws cloudformation deploy \
  --template-file eks-full-public-ipfixed.yaml \
  --stack-name eks-infrastructure-stack \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides \
    VpcCidr=10.0.0.0/20 \
    NamePrefix=ha-compact4 \
  --region ap-northeast-2

------------

What the stack creates:

Public subnets (2): pub-a, pub-b
App private subnets (2): app-a, app-b
DB private subnets (2): db-a, db-b
NAT gateways: 0

---------

Notes:

Public deployment with no NAT gateway, to save cost.
EKS cluster / node group placed in the App private subnets. (Check against the template above: both the cluster's ResourcesVpcConfig.SubnetIds and the node group's Subnets reference PublicSubnetA/B, so the nodes actually land in the public subnets; the App subnets are created but not used by EKS.)
DB subnets keep an isolated route table (no association to PublicRT, so they stay on the VPC's local-only main route table).
Only the VpcCidr and NamePrefix parameters are used.
Node type is t3.small, as requested.
EKS version is pinned to 1.34.

5. Connect

aws eks update-kubeconfig \
  --region ap-northeast-2 \
  --name ha-compact4-eks
kubectl get nodes
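The "fixed subnet scheme" in step 3 relies on !Select indices into two different !Cidr splits of the same /20 (sixteen /24s for the public and DB subnets, four /22s for the app subnets), and a wrong index silently produces overlapping subnets that CloudFormation only rejects at stack creation time. The following is an added check, not part of the original notes or of any AWS tooling: it emulates the Fn::Cidr intrinsic with the standard library and verifies that the six subnets the template selects are disjoint. The subnet table is a constructed copy of the template's !Select/!Cidr arguments, not parsed from the YAML.

```python
"""Verify the fixed subnet scheme of eks-full-public-ipfixed.yaml offline.

Added example (not from the original notes). Fn::Cidr [ipBlock, count, cidrBits]
splits ipBlock into `count` subnets that each keep `cidrBits` host bits, so
cidrBits=8 yields /24s and cidrBits=10 yields /22s.
"""
import ipaddress
from itertools import combinations

VPC_CIDR = "10.0.0.0/20"  # the VpcCidr parameter used in step 4

# Constructed mirror of the template: logical name -> (!Select index, count, cidrBits)
TEMPLATE_SUBNETS = {
    "PublicSubnetA": (0, 16, 8),
    "PublicSubnetB": (1, 16, 8),
    "AppSubnetA": (1, 4, 10),
    "AppSubnetB": (2, 4, 10),
    "DBSubnetA": (12, 16, 8),
    "DBSubnetB": (13, 16, 8),
}


def fn_cidr(ip_block: str, count: int, cidr_bits: int) -> list[str]:
    """Emulate Fn::Cidr: the first `count` subnets of prefix length 32 - cidr_bits."""
    network = ipaddress.ip_network(ip_block, strict=True)
    new_prefix = network.max_prefixlen - cidr_bits
    if new_prefix < network.prefixlen:
        raise ValueError("cidrBits too large for the parent block")
    subnets = list(network.subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"block only yields {len(subnets)} subnets, {count} requested")
    return [str(s) for s in subnets[:count]]


def resolve_subnets(vpc_cidr: str = VPC_CIDR, table: dict | None = None) -> dict[str, str]:
    """Resolve each template subnet (via !Select over !Cidr) to a concrete CIDR."""
    table = TEMPLATE_SUBNETS if table is None else table
    return {name: fn_cidr(vpc_cidr, count, bits)[idx]
            for name, (idx, count, bits) in table.items()}


def find_overlaps(subnets: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of subnet names whose address ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    resolved = resolve_subnets()
    for name, cidr in resolved.items():
        print(f"{name:14s} {cidr}")
    print("overlaps:", find_overlaps(resolved) or "none")
```

Run it before `aws cloudformation deploy` whenever the indices or VpcCidr change; a non-empty overlap list means the stack will fail partway through and roll back.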
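Step 1 explains that whichever identity creates the cluster receives the Kubernetes permissions; in the template this is what `BootstrapClusterCreatorAdminPermissions: true` under `API_AND_CONFIG_MAP` does, by giving the command server's IAM principal an access entry with AmazonEKSClusterAdminPolicy. After `kubectl get nodes` succeeds in step 5, the practical follow-up is to confirm that this principal is the only cluster-wide admin. The script below is an added example, not part of the original notes: it evaluates the JSON that `aws eks list-access-entries` and `aws eks list-associated-access-policies` return. The embedded responses are constructed samples with placeholder account id and role names, so it runs offline; `load_from_cli` shows how to feed it the live output instead.

```python
"""Audit cluster-wide admins on an EKS cluster (added example, not from the notes).

Reads the shapes returned by `aws eks list-access-entries --cluster-name X` and
`aws eks list-associated-access-policies --cluster-name X --principal-arn P`
and reports every principal holding AmazonEKSClusterAdminPolicy at cluster scope.
"""
import json
import subprocess

CLUSTER_ADMIN_POLICY = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"

# Constructed sample of `aws eks list-access-entries` (placeholder account/roles).
SAMPLE_ACCESS_ENTRIES = json.loads("""
{"accessEntries": [
  "arn:aws:iam::111111111111:role/command-server-role",
  "arn:aws:iam::111111111111:role/ha-compact4-NodeRole-PLACEHOLDER",
  "arn:aws:iam::111111111111:user/readonly-dev"
]}
""")

# Constructed sample of `aws eks list-associated-access-policies`, keyed by principal.
# The node role's auto-created entry (type EC2_LINUX) carries no access policies.
SAMPLE_POLICIES = {
    "arn:aws:iam::111111111111:role/command-server-role": {
        "associatedAccessPolicies": [
            {"policyArn": CLUSTER_ADMIN_POLICY,
             "accessScope": {"type": "cluster", "namespaces": []}}
        ]
    },
    "arn:aws:iam::111111111111:role/ha-compact4-NodeRole-PLACEHOLDER": {
        "associatedAccessPolicies": []
    },
    "arn:aws:iam::111111111111:user/readonly-dev": {
        "associatedAccessPolicies": [
            {"policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
             "accessScope": {"type": "namespace", "namespaces": ["dev"]}}
        ]
    },
}


def cluster_admins(access_entries: dict, policies_by_principal: dict) -> list[str]:
    """Principals with AmazonEKSClusterAdminPolicy whose scope is the whole cluster."""
    admins = []
    for principal in access_entries.get("accessEntries", []):
        associated = policies_by_principal.get(principal, {}).get("associatedAccessPolicies", [])
        for policy in associated:
            if (policy.get("policyArn") == CLUSTER_ADMIN_POLICY
                    and policy.get("accessScope", {}).get("type") == "cluster"):
                admins.append(principal)
                break
    return admins


def unexpected_admins(access_entries: dict, policies_by_principal: dict,
                      allowed: set[str]) -> list[str]:
    """Admins outside the allow-list; empty right after creation means only the creator is admin."""
    return [p for p in cluster_admins(access_entries, policies_by_principal) if p not in allowed]


def load_from_cli(cluster: str, region: str) -> tuple[dict, dict]:
    """Fetch the same two structures from the live AWS CLI (not used by the offline demo)."""
    base = ["aws", "eks", "--region", region, "--output", "json"]
    entries = json.loads(subprocess.check_output(
        base + ["list-access-entries", "--cluster-name", cluster]))
    policies = {
        arn: json.loads(subprocess.check_output(
            base + ["list-associated-access-policies", "--cluster-name", cluster,
                    "--principal-arn", arn]))
        for arn in entries.get("accessEntries", [])
    }
    return entries, policies


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in load_from_cli("ha-compact4-eks", "ap-northeast-2").
    expected = {"arn:aws:iam::111111111111:role/command-server-role"}
    print("cluster admins:", cluster_admins(SAMPLE_ACCESS_ENTRIES, SAMPLE_POLICIES))
    print("unexpected admins:", unexpected_admins(SAMPLE_ACCESS_ENTRIES, SAMPLE_POLICIES, expected))
```

Because the cluster also runs in `API_AND_CONFIG_MAP` mode, the `aws-auth` ConfigMap in kube-system remains a second source of bindings; this script covers the access-entry side only.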