In-place migration of EKS nodes in public subnets

Procedure: create the EKS cluster with an unmanaged nodegroup (deployed in the public subnets) => create the VPC endpoints => disable auto-assign public IP on the public subnets => create a new unmanaged nodegroup in the public subnets to confirm => scale out the original public-subnet unmanaged nodegroup to confirm.

Create the VPC

Create a VPC with 3 public and 3 private subnets, without a NAT gateway; the S3 gateway endpoint is created by default.


After creation, note down the subnet IDs of the three public and three private subnets.

When creating the EKS nodegroup in the public subnets, first enable auto-assign public IPv4 addresses.


Create EKS + public subnet nodegroup

Create the EKS cluster together with an unmanaged nodegroup in the public subnets (replace the VPC ID and subnet IDs with your own):

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: eks-private-subnet
  region: us-east-1

vpc:
  id: "vpc-0fb2f18727d563b49"
  clusterEndpoints:
    publicAccess: true
    privateAccess: true
  subnets:
    private:
      private-1a:
          id: "subnet-0ccc71adb888fbb6e"
      private-1b:
          id: "subnet-06a427d7bcff200f8"
      private-1c:
          id: "subnet-0d729073422fe2952"
    public:
      public-1a:
          id: "subnet-0f11f8787de11fe89"
      public-1b:
          id: "subnet-0320b2a6239af84b1"
      public-1c:
          id: "subnet-0a082988cacbad513"

nodeGroups:
  - name: ng-2
    instanceType: m5.xlarge
    subnets:
      - public-1a
      - public-1b
    desiredCapacity: 2

Create the cluster:

eksctl create cluster -f cluster.yaml

Create the interface endpoints

Creating an interface endpoint requires a security group, so create one first that allows access on port 443 from the VPC CIDR (the EC2 instances in the private subnets reach the endpoint services over HTTPS).


The endpoints to create are:

Service | Endpoint
Amazon EC2 | com.amazonaws.region-code.ec2
Amazon Elastic Container Registry (for pulling container images) | com.amazonaws.region-code.ecr.api, com.amazonaws.region-code.ecr.dkr, and com.amazonaws.region-code.s3
Application Load Balancers and Network Load Balancers | com.amazonaws.region-code.elasticloadbalancing
EC2 Auto Scaling | com.amazonaws.region-code.autoscaling
Amazon CloudWatch Logs | com.amazonaws.region-code.logs
AWS Security Token Service (required when using IAM roles for service accounts) | com.amazonaws.region-code.sts

Because several endpoints need to be created, rather than repeating the steps in the console, create them from the command line:

aws ec2 create-vpc-endpoint --region us-east-1 \
    --vpc-id vpc-0fb2f18727d563b49 \
    --vpc-endpoint-type Interface \
    --service-name com.amazonaws.us-east-1.logs \
    --subnet-ids subnet-0f11f8787de11fe89 subnet-0320b2a6239af84b1 subnet-0a082988cacbad513 \
    --security-group-id sg-003f39fae9ec72745

subnet-ids are the IDs of the three private subnets, and security-group-id is the ID of the security group created above.

Then replace service-name in turn with:

  • com.amazonaws.us-east-1.ecr.dkr
  • com.amazonaws.us-east-1.sts
  • com.amazonaws.us-east-1.ec2
  • com.amazonaws.us-east-1.elasticloadbalancing
  • com.amazonaws.us-east-1.ecr.api
  • com.amazonaws.us-east-1.autoscaling

Run the command above six more times, once per service name, to create the corresponding endpoints. Check the created endpoints in the console; they take about 1-2 minutes to become available.


Disable auto-assign public IP

The public subnets created above all had auto-assign public IPv4 address enabled; now turn it off:

aws ec2 modify-subnet-attribute --subnet-id subnet-0f11f8787de11fe89 --region us-east-1 --no-map-public-ip-on-launch
aws ec2 modify-subnet-attribute --subnet-id subnet-0320b2a6239af84b1 --region us-east-1 --no-map-public-ip-on-launch
aws ec2 modify-subnet-attribute --subnet-id subnet-0a082988cacbad513 --region us-east-1 --no-map-public-ip-on-launch
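The endpoint creation and the auto-assign change above are each the same command repeated with different arguments, so here they are as one script, as an added example that is not from the original post: it loops over the seven interface-endpoint services, switches the attribute off on every node subnet, and then verifies the subnet state with describe-subnets instead of checking the console by hand. It assumes a configured AWS CLI; the IDs are the post's values and can be overridden through the environment.

```bash
# Added example (not from the original post). Assumes a configured AWS CLI;
# the IDs below are the post's values, override them via the environment.
set -eu

REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-0fb2f18727d563b49}"
SG_ID="${SG_ID:-sg-003f39fae9ec72745}"
SUBNET_IDS="${SUBNET_IDS:-subnet-0f11f8787de11fe89 subnet-0320b2a6239af84b1 subnet-0a082988cacbad513}"

# Interface endpoint services a node without a public IP still needs
# (S3 is a gateway endpoint and was created together with the VPC).
endpoint_services() {
  region="$1"
  for svc in ec2 ecr.api ecr.dkr elasticloadbalancing autoscaling logs sts; do
    echo "com.amazonaws.${region}.${svc}"
  done
}

# One interface endpoint per service, bound to the security group that allows
# 443 from the VPC CIDR; private DNS makes the normal service hostnames
# resolve to the endpoint ENIs inside the VPC.
create_endpoints() {
  for svc in $(endpoint_services "$REGION"); do
    aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
      --vpc-endpoint-type Interface --service-name "$svc" \
      --subnet-ids $SUBNET_IDS --security-group-ids "$SG_ID" \
      --private-dns-enabled
  done
}

# Stop the subnets from handing new instances a public IP at launch.
disable_auto_assign_public_ip() {
  for s in $SUBNET_IDS; do
    aws ec2 modify-subnet-attribute --region "$REGION" --subnet-id "$s" \
      --no-map-public-ip-on-launch
  done
}

# Returns 0 when no subnet still has MapPublicIpOnLaunch set; otherwise lists
# the offending subnet IDs on stderr and returns 1 (JMESPath filters server-side).
verify_auto_assign_off() {
  bad="$(aws ec2 describe-subnets --region "$REGION" --subnet-ids $SUBNET_IDS \
    --query 'Subnets[?MapPublicIpOnLaunch==`true`].SubnetId' --output text)"
  if [ -n "$bad" ] && [ "$bad" != "None" ]; then
    echo "subnets still auto-assigning public IPs: $bad" >&2
    return 1
  fi
}
```

Call create_endpoints, disable_auto_assign_public_ip and verify_auto_assign_off in that order; a non-zero exit from the last one means a subnet would still give the next node a public IP.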

Confirm in the console that the attribute is now disabled on all three subnets.

Add a new unmanaged nodegroup

Add a new nodegroup, ng-1:

nodeGroups:
  - name: ng-2
    instanceType: m5.xlarge
    subnets:
      - public-1a
      - public-1b
    desiredCapacity: 2

  - name: ng-1
    instanceType: m5.xlarge
    subnets:
      - public-1a
      - public-1b
    desiredCapacity: 2

Then run eksctl create nodegroup -f xxx.yaml

Both newly created nodes register with EKS successfully.

And neither of the two nodes has a public IP.


Scale out the original nodegroup

Scale the original ng-2 nodegroup from 2 nodes to 3:

eksctl scale nodegroup --cluster=eks-private-subnet --nodes=3 --name=ng-2 --region us-east-1 --nodes-min=3 --nodes-max=5 --wait

This adds one node, which tests whether a public IP is still assigned automatically. In the console, confirm that the newly created node also has no public IP, yet it registers with the EKS cluster and can pull images from ECR.
