Creating a private cluster

VPC endpoints to consider when deploying EKS in private subnets

VPC endpoints that must exist before the cluster is created:

Service: endpoint(s)

Amazon EC2: com.amazonaws.region-code.ec2
Amazon Elastic Container Registry (for pulling container images): com.amazonaws.region-code.ecr.api, com.amazonaws.region-code.ecr.dkr, and com.amazonaws.region-code.s3 (the S3 one is a gateway endpoint; ECR serves image layers from S3)
Application Load Balancers and Network Load Balancers: com.amazonaws.region-code.elasticloadbalancing
Amazon EC2 Auto Scaling: com.amazonaws.region-code.autoscaling
Amazon CloudWatch Logs: com.amazonaws.region-code.logs
AWS Security Token Service (required when using IAM roles for service accounts): com.amazonaws.region-code.sts

The interface endpoints need private DNS enabled, so that the normal service hostnames (for example *.dkr.ecr.us-east-1.amazonaws.com) resolve to the endpoint's private IPs instead of the public ones, which the private subnets cannot reach.

Reference: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
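The following is an added example, not code from the original post: it audits a VPC against the endpoint list above, using the shape of the JSON that `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc-id>` returns. It reports services with no endpoint, endpoints created as the wrong type, and interface endpoints whose private DNS is off. The inventory in `SAMPLE_VPC_ENDPOINTS` is constructed for the example.

```python
# Added example (not from the original post): audit a VPC for the endpoints a fully
# private EKS cluster needs. `endpoints` is the "VpcEndpoints" array from
# `aws ec2 describe-vpc-endpoints`; SAMPLE_VPC_ENDPOINTS below is constructed data.
from __future__ import annotations

# service-name suffix -> endpoint type the service is offered as
REQUIRED_ENDPOINTS = {
    "ec2": "Interface",
    "ecr.api": "Interface",
    "ecr.dkr": "Interface",
    "s3": "Gateway",                  # ECR image layers are served from S3
    "elasticloadbalancing": "Interface",
    "autoscaling": "Interface",
    "logs": "Interface",
    "sts": "Interface",               # IAM roles for service accounts
}


def service_name(region: str, suffix: str) -> str:
    """PrivateLink service name for a region, e.g. com.amazonaws.us-east-1.ecr.dkr."""
    return f"com.amazonaws.{region}.{suffix}"


def audit_endpoints(region: str, endpoints: list[dict]) -> dict[str, list[str]]:
    """Compare the endpoints present in a VPC with REQUIRED_ENDPOINTS.

    Returns three lists: services with no usable endpoint (absent, pending or
    failed), endpoints created with the wrong type, and interface endpoints whose
    private DNS is off. Without private DNS the nodes resolve the public service
    hostname, which has no route from a private subnet, and pulls fail.
    """
    present = {
        e["ServiceName"]: e
        for e in endpoints
        if e.get("State", "available") == "available"
    }
    report: dict[str, list[str]] = {"missing": [], "wrong_type": [], "no_private_dns": []}
    for suffix, expected_type in REQUIRED_ENDPOINTS.items():
        name = service_name(region, suffix)
        ep = present.get(name)
        if ep is None:
            report["missing"].append(name)
        elif ep.get("VpcEndpointType") != expected_type:
            report["wrong_type"].append(name)
        elif expected_type == "Interface" and not ep.get("PrivateDnsEnabled", False):
            report["no_private_dns"].append(name)
    return report


def is_ready(report: dict[str, list[str]]) -> bool:
    """True when nothing in the report would block a fully private cluster."""
    return not any(report.values())


def _ep(suffix: str, ep_type: str = "Interface", private_dns: bool = True) -> dict:
    """Build one constructed describe-vpc-endpoints entry for us-east-1."""
    return {
        "ServiceName": service_name("us-east-1", suffix),
        "VpcEndpointType": ep_type,
        "State": "available",
        "PrivateDnsEnabled": private_dns,
    }


# Constructed inventory: the ELB and Auto Scaling endpoints were never created,
# and ecr.dkr was created without private DNS.
SAMPLE_VPC_ENDPOINTS = [
    _ep("ec2"),
    _ep("ecr.api"),
    _ep("ecr.dkr", private_dns=False),
    _ep("s3", ep_type="Gateway", private_dns=False),
    _ep("logs"),
    _ep("sts"),
]

if __name__ == "__main__":
    rep = audit_endpoints("us-east-1", SAMPLE_VPC_ENDPOINTS)
    for kind, names in rep.items():
        for n in names:
            print(f"{kind}: {n}")
    print("ready" if is_ready(rep) else "not ready")
```

To run it against a real VPC, replace `SAMPLE_VPC_ENDPOINTS` with `json.load(...)["VpcEndpoints"]` from the CLI output; the region argument must be the one in the ClusterConfig, since endpoints only serve their own region's service names.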

Creating the private-subnet cluster

Deploy the VPC, private subnets and VPC endpoints with CloudFormation: https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-06-10/amazon-eks-fully-private-vpc.yaml

Once the stack is complete, take the subnet IDs from the CloudFormation outputs:

[screenshot: CloudFormation stack outputs listing the private subnet IDs]

Save the following as private-cluster.yaml, replacing each subnet-xxxx with the matching subnet ID:

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: prod
  region: us-east-1
managedNodeGroups:
  - name: ng-1
    instanceType: m5.xlarge
    desiredCapacity: 2
    privateNetworking: true   # nodes are placed in the private subnets only, with no public IP
vpc:
  subnets:
    private:
      us-east-1a:
        id: "subnet-xxxx"
      us-east-1b:
        id: "subnet-xxxx"
      us-east-1c:
        id: "subnet-xxxx"
  clusterEndpoints:
    publicAccess: true        # API server reachable from the internet
    privateAccess: true       # API server reachable from inside the VPC (required for the nodes)

Create the cluster:

eksctl create cluster -f private-cluster.yaml

  • Because clusterEndpoints.privateAccess and clusterEndpoints.publicAccess are both true, kubectl can reach the API server from the internet as well as from inside the VPC. The public endpoint accepts connections from any source address unless vpc.publicAccessCIDRs is set in the ClusterConfig; for a cluster whose nodes already live in private subnets, restrict it to your own ranges, or set publicAccess to false once you have a private path (VPN, Direct Connect or a bastion) into the VPC.

  • Because the VPC has no route to the internet, a pod whose image lives on a public registry never starts; the image pull fails:

[screenshot: image pull failure for a pod using a public-registry image]

Create the pod from an image in ECR instead:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
  labels:
    app: tomcat
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: 145197526627.dkr.ecr.us-east-1.amazonaws.com/java-app
        imagePullPolicy: Always
        env:
        - name: ALLOW_EMPTY_PASSWORD
          value: "yes"
        ports:
        - containerPort: 80
          protocol: TCP

The cluster pulls the image through the ECR endpoints and the deployment succeeds:

[screenshot: the tomcat pod running with the image pulled from ECR]
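The image-pull failure above is easy to catch before `kubectl apply`. The following is an added example, not code from the original post: it reads the `image:` lines of a manifest and checks that every image is hosted in ECR in the cluster's own region (the only registry the ecr.api and ecr.dkr endpoints serve), and warns when the reference is not pinned to a digest. The manifest embedded in `DEPLOYMENT` is an abridged copy of the Deployment above so the check runs offline; the `java-app` repository name and account ID are the page's own.

```python
# Added example (not from the original post): pre-apply check for manifests that
# will run in a fully private cluster. Only `image:` lines are parsed, so no YAML
# library is needed. DEPLOYMENT is an abridged copy of the post's manifest.
from __future__ import annotations

import re

# <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag][@sha256:<digest>]
# (commercial partitions only; *.amazonaws.com.cn registries are not matched)
ECR_IMAGE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[^:@\s]+)(?::(?P<tag>[^@\s]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
# `image:` or `- image:`; does not match `imagePullPolicy:`
IMAGE_LINE = re.compile(r"""^\s*(?:-\s+)?image:\s*["']?(?P<ref>[^"'\s]+)""")


def images_in_manifest(manifest: str) -> list[str]:
    """Every image reference on an `image:` line, in manifest order."""
    refs = []
    for line in manifest.splitlines():
        m = IMAGE_LINE.match(line)
        if m:
            refs.append(m.group("ref"))
    return refs


def check_image(ref: str, cluster_region: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for one image reference.

    Errors are pulls that will fail from a VPC with no internet route; warnings
    are supply-chain hygiene issues that still pull successfully.
    """
    errors: list[str] = []
    warnings: list[str] = []
    m = ECR_IMAGE.match(ref)
    if m is None:
        errors.append(f"{ref}: not an ECR image; public registries are unreachable from the private subnets")
        return errors, warnings
    if m.group("region") != cluster_region:
        errors.append(f"{ref}: registry is in {m.group('region')}, but the VPC endpoints only serve {cluster_region}")
    if m.group("digest") is None:
        if m.group("tag") is None:
            warnings.append(f"{ref}: no tag or digest, so the pull resolves to :latest")
        else:
            warnings.append(f"{ref}: tag is mutable; pin to a sha256 digest")
    return errors, warnings


def check_manifest(manifest: str, cluster_region: str) -> tuple[list[str], list[str]]:
    """Aggregate check_image over every image in the manifest."""
    errors: list[str] = []
    warnings: list[str] = []
    for ref in images_in_manifest(manifest):
        e, w = check_image(ref, cluster_region)
        errors += e
        warnings += w
    return errors, warnings


# Abridged copy of the Deployment from this post (sample input).
DEPLOYMENT = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: 145197526627.dkr.ecr.us-east-1.amazonaws.com/java-app
        imagePullPolicy: Always
        ports:
        - containerPort: 80
"""

if __name__ == "__main__":
    errors, warnings = check_manifest(DEPLOYMENT, "us-east-1")
    for line in errors:
        print("ERROR", line)
    for line in warnings:
        print("WARN ", line)
    raise SystemExit(1 if errors else 0)
```

Run as `python check_images.py < manifest.yaml` after swapping `DEPLOYMENT` for `sys.stdin.read()`; a non-zero exit from the ERROR branch is what you want in CI, since a public-registry image in this cluster is not a warning but a guaranteed failed rollout.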