EKS - Elastic Kubernetes Service#
This section describes how to create and configure the Kubernetes cluster that runs, manages, and orchestrates the application containers.
After the creation of the basic network resources, we need to create the Kubernetes cluster that will run and manage the application containers of the Critical Manufacturing MES. To that end, we will use Amazon EKS.
Amazon Elastic Kubernetes Service#
The Amazon Elastic Kubernetes Service (EKS) is AWS's managed Kubernetes cloud platform.
In the DevOps Center, you can remotely deploy a Customer Environment to an EKS cluster.
Note
More information: https://docs.aws.amazon.com/eks/
Cluster Nodes#
Cluster Nodes are the actual machines that provide computational power to the cluster; they are where the pods and containers are deployed and run.
For EKS, Critical Manufacturing recommends the usage of Managed nodes. Managed nodes are EC2 instances that AWS automatically provisions, manages, and scales within a Kubernetes cluster. These nodes are part of EKS Managed Node Groups, which simplify node lifecycle management, including upgrades and security patches, while integrating with Kubernetes and EC2 features.
EKS Managed nodes have several key features, of which the following stand out:
- Automated Provisioning
  - AWS automatically creates EC2 instances, registers them with the Kubernetes control plane, and configures them to run as worker nodes in the cluster.
- Simplified Upgrades
  - Managed node groups allow easy updates to the latest Amazon EKS-optimized AMI versions, which include the latest Kubernetes versions, security patches, and performance enhancements.
  - During updates, nodes are drained (pods are evicted), upgraded, and then brought back online with minimal disruption.
- Auto-scaling
  - Managed node groups integrate with EC2 Auto Scaling, enabling automatic scaling of nodes based on workload demands. If more compute capacity is needed, the node group scales out; when demand drops, it scales in to optimize resource usage and cost.
- Integrated Security
  - Managed nodes are launched with the latest EKS-optimized AMI, which includes built-in security configurations for enhanced protection.
  - IAM roles can be assigned to the nodes to control access to AWS resources.
  - Managed node groups can be configured with Security Groups to define network traffic rules.
Warning
Currently, Fargate nodes are not supported. Critical Manufacturing recommends the usage of Managed nodes.
Network#
The network in an EKS cluster is built using Amazon VPC (Virtual Private Cloud), and it leverages AWS networking services for scaling, security, and performance.
You can find more information on the subject in the Network section.
High Availability#
High availability in an EKS cluster ensures that workloads and applications remain accessible, even in the event of failures or disruptions. EKS, running on AWS, allows the building of highly available clusters with several built-in features.
- Multi-AZ (Availability Zone) Deployments
  - Node Groups: EKS enables the creation of worker node groups spread across multiple Availability Zones (AZs) within a region. By distributing nodes across AZs, the impact of an outage in a single zone is minimized.
  - Load Balancing: AWS Load Balancers can route traffic across nodes in multiple AZs to ensure consistent traffic handling even if some nodes go down.
- Managed Control Plane
  - Master Nodes: EKS provides a managed Kubernetes control plane (master nodes), which is distributed across multiple AZs within a region by default. AWS automatically maintains and ensures the high availability of the control plane without manual intervention.
  - Scaling: The EKS control plane scales horizontally and can handle disruptions due to hardware failure or updates, ensuring continuous availability.
- Auto Scaling
  - Cluster Autoscaler: Dynamically adjusts the number of worker nodes (EC2 instances) in the cluster based on resource demand. It can automatically add new nodes when workloads require more capacity and remove them when demand decreases.
Cluster Configuration#
To create the EKS cluster, it is assumed that a VPC has already been configured according to the Network section.
- On the AWS Management Console, search for EKS and open it
- Click Add cluster > Create
- Set a Cluster Name and a Cluster IAM role
- On the Networking section, select the VPC and the appropriate subnets
- Proceed until the end of the wizard and create the EKS cluster
- After a few minutes the cluster is created and ready
Note
The following commands must be run in the same console window as the VPC creation; otherwise, the variable values must be set manually.
- Create the required IAM Roles

```bash
# Create IAM Role for EKS Cluster
echo "Creating IAM Role for EKS Cluster..."
EKS_ROLE_NAME="eks-cluster-role"
EKS_ROLE_ARN=$(aws iam create-role \
  --role-name $EKS_ROLE_NAME \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Service": "eks.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    ]
  }' \
  --query 'Role.Arn' --output text)
echo "IAM Role ARN for EKS Cluster: $EKS_ROLE_ARN"

# Attach necessary policies to the EKS role
echo "Attaching AmazonEKSClusterPolicy to EKS Cluster Role..."
aws iam attach-role-policy --role-name $EKS_ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
aws iam attach-role-policy --role-name $EKS_ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonEKSServicePolicy

# Create IAM Role for EKS Node Group (trusted by EC2, since managed nodes are EC2 instances)
echo "Creating IAM Role for EKS Node Group..."
NODE_ROLE_NAME="eks-nodegroup-role"
NODE_ROLE_ARN=$(aws iam create-role \
  --role-name $NODE_ROLE_NAME \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Service": "ec2.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    ]
  }' \
  --query 'Role.Arn' --output text)
echo "IAM Role ARN for EKS Node Group: $NODE_ROLE_ARN"

# Attach necessary policies to the Node Group role
echo "Attaching AmazonEKSWorkerNodePolicy and other policies to EKS Node Group Role..."
aws iam attach-role-policy --role-name $NODE_ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
aws iam attach-role-policy --role-name $NODE_ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
aws iam attach-role-policy --role-name $NODE_ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
```

- Create the EKS cluster

```bash
# Ensure you have the necessary environment variables set up from the previous script:
# VPC_ID, SUBNET_PUBLIC1, SUBNET_PUBLIC2, SUBNET_PRIVATE1, SUBNET_PRIVATE2, EKS_ROLE_ARN, NODE_ROLE_ARN
# Region in which the VPC was created (must be a valid AWS region; the eksctl command below uses us-east-1)
REGION="us-east-1"

# Create EKS Cluster (public and private cluster endpoint access)
echo "Creating EKS Cluster 'cm-cluster'..."
aws eks create-cluster \
  --name cm-cluster \
  --role-arn $EKS_ROLE_ARN \
  --resources-vpc-config subnetIds=$SUBNET_PUBLIC1,$SUBNET_PUBLIC2,$SUBNET_PRIVATE1,$SUBNET_PRIVATE2,endpointPublicAccess=true,endpointPrivateAccess=true \
  --kubernetes-version 1.31 \
  --region $REGION

# Wait for the EKS Cluster to be active (this can take a few minutes)
echo "Waiting for the EKS cluster to become ACTIVE..."
aws eks wait cluster-active --name cm-cluster --region $REGION

# Create Node Group (with 2 nodes of type m5.large)
echo "Creating Node Group 'cm-nodegroup' with 2 m5.large instances..."
aws eks create-nodegroup \
  --cluster-name cm-cluster \
  --nodegroup-name cm-nodegroup \
  --scaling-config minSize=2,maxSize=2,desiredSize=2 \
  --disk-size 20 \
  --subnets $SUBNET_PUBLIC1 $SUBNET_PUBLIC2 \
  --instance-types m5.large \
  --ami-type AL2_x86_64 \
  --node-role $NODE_ROLE_ARN \
  --region $REGION

# Wait for the Node Group to be active
echo "Waiting for the Node Group to become ACTIVE..."
aws eks wait nodegroup-active --cluster-name cm-cluster --nodegroup-name cm-nodegroup --region $REGION

echo "EKS Cluster and Node Group successfully created!"
```
Note
The following eksctl command must also be run in the same console window as the VPC creation; otherwise, the variable values must be set manually.

```bash
eksctl create cluster \
  --name cm-cluster \
  --region us-east-1 \
  --vpc-public-subnets $SUBNET_PUBLIC1,$SUBNET_PUBLIC2 \
  --vpc-private-subnets $SUBNET_PRIVATE1,$SUBNET_PRIVATE2 \
  --managed \
  --node-type m5.large \
  --nodes 2 \
  --node-private-networking
```
Cluster creation takes several minutes, but progress output is printed along the way. When all operations are done, the following line is shown:
After this, your EKS cluster is running and ready.
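Once the cluster is running, it is worth verifying that what was created actually matches the high-availability and security goals described above (worker nodes spread over more than one AZ, nodes on private subnets as the eksctl command's --node-private-networking does, a cluster API endpoint that is not open to the whole internet, and a node group that has room to scale out). The following Python script is an added example and not part of the original page or of Critical Manufacturing's tooling: it evaluates the JSON returned by `aws eks describe-cluster`, `aws eks describe-nodegroup` and `aws ec2 describe-subnets` (here replaced by constructed sample documents shaped like the cluster the scripts above create; the subnet IDs and AZ names are invented) and lists the findings.

```python
"""Post-creation posture check for an EKS cluster and its managed node group.

Added example (not Critical Manufacturing's code). Feed it the output of
`aws eks describe-cluster --output json`, `aws eks describe-nodegroup --output json`
and `aws ec2 describe-subnets --output json`; the documents below are
constructed samples that mimic the cluster created by the scripts above.
"""
import ipaddress
from typing import List

# Constructed sample of: aws eks describe-cluster --name cm-cluster
SAMPLE_CLUSTER = {
    "cluster": {
        "name": "cm-cluster",
        "version": "1.31",
        "resourcesVpcConfig": {
            "subnetIds": ["subnet-pub1", "subnet-pub2", "subnet-priv1", "subnet-priv2"],
            "endpointPublicAccess": True,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": ["0.0.0.0/0"],   # AWS default when public access is enabled
        },
    }
}

# Constructed sample of: aws eks describe-nodegroup --cluster-name cm-cluster --nodegroup-name cm-nodegroup
SAMPLE_NODEGROUP = {
    "nodegroup": {
        "nodegroupName": "cm-nodegroup",
        "subnets": ["subnet-pub1", "subnet-pub2"],
        "scalingConfig": {"minSize": 2, "maxSize": 2, "desiredSize": 2},
    }
}

# Constructed sample of: aws ec2 describe-subnets --subnet-ids <the four subnet ids>
SAMPLE_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-pub1", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-pub2", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-priv1", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-priv2", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
    ]
}


def check_cluster(cluster: dict, nodegroup: dict, subnets: dict) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    by_id = {s["SubnetId"]: s for s in subnets["Subnets"]}
    ng = nodegroup["nodegroup"]
    vpc = cluster["cluster"]["resourcesVpcConfig"]

    # 1. Multi-AZ: the node group's subnets should span at least two Availability Zones.
    azs = {by_id[s]["AvailabilityZone"] for s in ng["subnets"] if s in by_id}
    if len(azs) < 2:
        findings.append(f"node group {ng['nodegroupName']} is confined to a single AZ: {sorted(azs)}")

    # 2. Worker exposure: subnets that auto-assign public IPs put the nodes on the internet.
    public = [s for s in ng["subnets"] if by_id.get(s, {}).get("MapPublicIpOnLaunch")]
    if public:
        findings.append(f"node group {ng['nodegroupName']} uses public subnets: {public}")

    # 3. API endpoint exposure: public access combined with an unrestricted CIDR allow list.
    if vpc.get("endpointPublicAccess"):
        open_cidrs = [c for c in vpc.get("publicAccessCidrs", []) if ipaddress.ip_network(c).prefixlen == 0]
        if open_cidrs:
            findings.append(f"cluster API endpoint is public and open to {open_cidrs}")

    # 4. Autoscaling headroom: minSize == maxSize means the group can never scale out.
    sc = ng["scalingConfig"]
    if sc["minSize"] == sc["maxSize"]:
        findings.append(f"node group {ng['nodegroupName']} has fixed size {sc['maxSize']}; no scale-out possible")

    return findings


if __name__ == "__main__":
    for line in check_cluster(SAMPLE_CLUSTER, SAMPLE_NODEGROUP, SAMPLE_SUBNETS) or ["no findings"]:
        print("-", line)
```

Run against the sample documents the script reports three findings: the node group sits on public subnets, the API endpoint allows 0.0.0.0/0, and minSize equals maxSize. Placing the node group on the private subnets, restricting publicAccessCidrs to your administration network (or disabling public endpoint access once private access is confirmed to work), and giving the node group a larger maxSize clears all three.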
Troubleshooting#
A user can follow several steps to troubleshoot issues with the cluster.