Skip to main content
Skip table of contents

Integrating with EKS

Prerequisites

The following tools are required to complete the integration setup:

If you don’t have an existing EKS cluster, you can use the following command to provision one that uses the eksctl default cluster parameters:

BASH 
eksctl create cluster --name poccluster

EKS Nodegroup IAM

By default, the EKS node group should have the following AWS-managed IAM roles attached:

  • AmazonEC2ContainerRegistryReadOnly: This allows read-only access to Amazon EC2 Container Registry repositories

  • AmazonEKS_CNI_Policy: This provides the Amazon VPC CNI Add-on permissions it requires to modify the IP address configuration on your EKS worker nodes

  • AmazonEKSWorkerNodePolicy: This allows Amazon EKS worker nodes to connect to Amazon EKS Clusters

  • AmazonSSMManagedInstanceCore: This is to enable AWS Systems Manager service core functionality

AWS IAM Authenticator

Apply the following changes to the EKS cluster’s aws-auth ConfigMap to ensure the dynamic X-Compute EKS nodes can join the cluster:

  1. Edit the aws-auth ConfigMap in the kube-system namespace:

    BASH 
    kubectl edit configmap aws-auth -n kube-system

  2. Insert the following groups into the mapRoles section and replace the role ARN values with the outputs generated at this prerequisite step.

    YAML 
        - groups:
      - system:masters
      rolearn: <Insert the Role ARN of your Worker IAM Role>
      username: admin
    - groups:
      - system:masters
      rolearn: <Insert the Role ARN of your Controller IAM Role>
      username: admin

AWS Node Termination Handler Configuration for Spot Instances

The AWS Node Termination Handler is a tool that monitors spot instance termination events in AWS. By default, when a spot interruption occurs, the handler drains the affected node and attempts to reschedule the pods on other machines. This behavior can result in all pods on the node being removed and the node eventually being terminated, even if the workload is migrated elsewhere.

To prevent this behavior, you can either:

  1. Uninstall the AWS Node Termination Handler.

  2. Modify its configuration to disable node draining on-spot interruptions.

  • Identify the DaemonSet name.
    Run the following command to find the DaemonSet associated with the AWS Node Termination Handler:

    BASH 
    kubectl -n kube-system get daemonset | grep aws-node-termination-handler

    Example output:

    BASH 
    aws-node-termination-handler-exodemo   4         4         4       4            4           kubernetes.io/os=linux   11d

  • Edit the DaemonSet.
    Use the following command to edit the DaemonSet:

    BASH 
    kubectl -n kube-system edit daemonset aws-node-termination-handler-example

  • Update the configuration.
    In the editor, search for the parameter ENABLE_SPOT_INTERRUPTION_DRAINING and ENABLE_REBALANCE_DRAINING, and set it to false:

    BASH 
    - name: ENABLE_SPOT_INTERRUPTION_DRAINING
  value: "false"
- name: ENABLE_REBALANCE_DRAINING
  value: "false"

Amazon VPC CNI

Infrastructure Optimizer supports the Amazon VPC CNI plugin v1.18.2-eksbuild.1 or newer.

Download and run this configure-aws-nodes.sh script to:

  • Configure the node affinity rules of the aws-node DaemonSet to not run on x-compute nodes

  • Install and configure the exo-aws-node DaemonSet to run on x-compute nodes

If you are using a Mac, please install gnu-sed and replace sed with gsed in the above script.

CODE 
brew install gnu-sed

This script will restart the Amazon VPC CNI DaemonSet.

Amazon VPC CNI Plugin With IRSA

OPTIONAL - This section is required only if your cluster customized the IAM roles used by the Amazon VPC CNI plugin’s service account (IRSA). For more information about the EKS IRSA, see documentation here.

Determine whether an IAM OpenID Connect (OIDC) provider is already associated with your EKS cluster:

BASH 
oidc_id=$(aws eks describe-cluster --name poccluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) && aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4

If the final command returns a non-empty output, then your EKS cluster already has an IAM OIDC provider attached.

Otherwise, enable an OIDC using the next command:

BASH 
eksctl utils associate-iam-oidc-provider --cluster poccluster --approve

Run this command to the inline IAM policy to a JSON file named cni_iam.json:

BASH 
cat > cni_iam.json <<EOT 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:UnassignPrivateIpAddresses",
      "Resource": "*"
    }
  ]
}
EOT

This user-defined policy ensures that the Amazon VPC CNI doesn’t unassign the IP address of your workloads running on Infrastructure Optimizer sandboxes by denying the ability to perform such unassignments.

Use the following command to create the policy:

BASH 
aws iam create-policy --policy-name cni_iam_policy --policy-document file://cni_iam.json

Then use eksctl to override the existing Amazon VPC CNI IRSA settings:

CODE 
new_policy_arn=$(aws iam list-policies --query 'Policies[?PolicyName==`cni_iam_policy`].[Arn]' --scope Local --no-cli-pager --output text)
BASH 
eksctl update iamserviceaccount \                                                                                                                          (ivan@isim-dev2.us-west-1.eksctl.io/default)
  --name aws-node \
  --namespace kube-system \
  --cluster poccluster \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
  --attach-policy-arn "${new_policy_arn}" \
  --approve
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close