Integrating with EKS
Infrastructure Optimizer supports Amazon EKS 1.28 or newer.
If you don’t have an existing EKS cluster, you can use the following command to provision one that uses the eksctl default cluster parameters:
eksctl create cluster --name pocclusterThe following tools are required to complete the integration setup:
EKS Nodegroup IAM
By default, the EKS node group should have the following AWS-managed IAM roles attached:
AmazonEC2ContainerRegistryReadOnly→ This allows read-only access to Amazon EC2 Container Registry repositoriesAmazonEKS_CNI_Policy→ This provides the Amazon VPC CNI Add-on permissions it requires to modify the IP address configuration on your EKS worker nodesAmazonEKSWorkerNodePolicy→ This allows Amazon EKS worker nodes to connect to Amazon EKS ClustersAmazonSSMManagedInstanceCore→ This is to enable AWS Systems Manager service core functionality
AWS IAM Authenticator
Apply the following changes to the EKS cluster’s aws-auth ConfigMap to ensure the dynamic X-Compute EKS nodes can join the cluster:
Edit the
aws-authConfigMap in thekube-systemnamespace:BASHkubectl edit configmap aws-auth -n kube-systemInsert the following groups into the
mapRolessection and replace the role ARN values with the outputs generated at this prerequisite step.YAML- groups: - system:masters rolearn: <Insert the Role ARN of your Worker IAM Role> username: admin - groups: - system:masters rolearn: <Insert the Role ARN of your Controller IAM Role> username: admin
Amazon VPC CNI
Infrastructure Optimizer supports the Amazon VPC CNI plugin v1.18.2-eksbuild.1 or newer.
Download and run this configure-aws-nodes.sh script to:
Configure the node affinity rules of the
aws-nodeDaemonSet to not run onx-computenodesInstall and configure the
exo-aws-nodeDaemonSet to run onx-computenodes
This script will restart the Amazon VPC CNI DaemonSet
Amazon VPC CNI Plugin With IRSA
OPTIONAL - This section is required only if your cluster customized the IAM roles used by the Amazon VPC CNI plugin’s service account (IRSA). For more information about the EKS IRSA, see documentation here.
Determine whether an IAM OpenID Connect (OIDC) provider is already associated with your EKS cluster:
oidc_id=$(aws eks describe-cluster --name poccluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) && aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4If the final command returns a non-empty output, then your EKS cluster already has an IAM OIDC provider attached.
Otherwise, enable an OIDC using the next command:
eksctl utils associate-iam-oidc-provider --cluster poccluster --approveRun this command to the inline IAM policy to a JSON file named cni_iam.json:
cat > cni_iam.json <<EOT
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "ec2:UnassignPrivateIpAddresses",
"Resource": "*"
}
]
}
EOTThis user-defined policy ensures that the Amazon VPC CNI doesn’t unassign the IP address of your workloads running on Infrastructure Optimizer sandboxes by denying the ability to perform such unassignments.
Use the following command to create the policy:
aws iam create-policy --policy-name cni_iam_policy --policy-document file://cni_iam.jsonThen use eksctl to override the existing Amazon VPC CNI IRSA settings:
new_policy_arn=$(aws iam list-policies --query 'Policies[?PolicyName==`cni_iam_policy`].[Arn]' --scope Local --no-cli-pager --output text)eksctl update iamserviceaccount \ (ivan@isim-dev2.us-west-1.eksctl.io/default)
--name aws-node \
--namespace kube-system \
--cluster poccluster \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
--attach-policy-arn "${new_policy_arn}" \
--approve