Before installing Karpenter, some preparation is needed: the service account and the other resources it depends on must be created first. Start by saving the cluster name, account ID and region in environment variables:

export CLUSTER_NAME=${eks_cluster_name}
export ACCOUNT_ID=$(aws sts get-caller-identity --output text --query Account)
export AWS_REGION=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r '.region')

The third command reads the region from the EC2 instance metadata service, so it only works when run on an EC2 instance (for example a Cloud9 environment); from anywhere else, set AWS_REGION by hand.
Karpenter discovers the subnets that carry the tag kubernetes.io/cluster/$CLUSTER_NAME, so that tag must be put on the EKS cluster's subnets beforehand. The commands below read the subnet IDs from the eksctl CloudFormation stack and create the tag on them (the tag value is intentionally left empty):

SUBNET_IDS=$(aws cloudformation describe-stacks \
    --stack-name eksctl-${CLUSTER_NAME}-cluster \
    --query 'Stacks[].Outputs[?OutputKey==`SubnetsPrivate`].OutputValue' \
    --output text)
aws ec2 create-tags \
    --resources $(echo $SUBNET_IDS | tr ',' '\n') \
    --tags Key="kubernetes.io/cluster/${CLUSTER_NAME}",Value=
Instances created by Karpenter must be attached to the instance profile KarpenterNodeRole-${ClusterName}, which grants the instance the permissions it needs for creating containers, configuring networking and so on. The CloudFormation stack deployed below (from the Karpenter getting-started guide) creates that role and instance profile, together with the KarpenterControllerPolicy used in a later step:

TEMPOUT=$(mktemp)
export KARPENTER_VERSION=v0.7.3
curl -fsSL https://karpenter.sh/"${KARPENTER_VERSION}"/getting-started/getting-started-with-eksctl/cloudformation.yaml > $TEMPOUT \
&& aws cloudformation deploy \
    --stack-name Karpenter-${CLUSTER_NAME} \
    --template-file ${TEMPOUT} \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameter-overrides ClusterName=${CLUSTER_NAME}

# This command adds the Karpenter node role to your aws-auth configmap, allowing nodes with this role to connect to the cluster.
eksctl create iamidentitymapping \
    --username system:node:{{EC2PrivateDNSName}} \
    --cluster ${CLUSTER_NAME} \
    --arn arn:aws:iam::${ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME} \
    --group system:bootstrappers \
    --group system:nodes

# You can verify the entry is now in the AWS auth map by running the following command.
kubectl describe configmap -n kube-system aws-auth
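The aws-auth ConfigMap decides which IAM roles may join the cluster and with which Kubernetes groups, so it is worth checking the mapping rather than just eyeballing the describe output. The following is an added example, not code from the original post or from Karpenter/eksctl: a POSIX sh function that parses the ConfigMap YAML on stdin and confirms that the node role is mapped to exactly system:bootstrappers and system:nodes, failing if the role is missing, incomplete, or also mapped to something more privileged such as system:masters. The sample ConfigMap, account ID and role names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check that the aws-auth ConfigMap
# maps the Karpenter node role to the two node groups (system:bootstrappers,
# system:nodes) and to nothing more privileged such as system:masters.
# Reads the ConfigMap YAML on stdin, as printed by
#   kubectl get configmap -n kube-system aws-auth -o yaml
# Uses only sh + awk so it runs offline against the constructed sample below.

# Usage: check_node_role_mapping ROLE_ARN < aws-auth.yaml ; returns 0 on success.
check_node_role_mapping() {
  awk -v want="$1" '
    # Finish the mapRoles entry collected so far.
    function flush() {
      if (arn == want) { found = 1; wgroups = groups }
      arn = ""; groups = ""
    }
    # A new list entry starts with "- groups:", "- rolearn:" or "- username:".
    /^[ \t]*- (groups|rolearn|username):/ { flush(); sub(/^[ \t]*- /, "") }
    /^[ \t]*rolearn:/ { sub(/^[ \t]*rolearn:[ \t]*/, ""); arn = $0 }
    # Remaining "- value" lines are members of the current groups list.
    /^[ \t]*- [^ \t]+$/ { sub(/^[ \t]*- /, ""); groups = groups " " $0 }
    END {
      flush()
      if (!found) { print "FAIL: no mapRoles entry for " want; exit 1 }
      n = split(wgroups, g, " ")
      for (i = 1; i <= n; i++) {
        if (g[i] == "system:bootstrappers") boot = 1
        else if (g[i] == "system:nodes") nodes = 1
        else { print "FAIL: unexpected group " g[i] " on " want; bad = 1 }
      }
      if (!boot || !nodes) { print "FAIL: node groups incomplete for " want; bad = 1 }
      if (bad) exit 1
      print "OK: " want " -> system:bootstrappers, system:nodes"
    }'
}

# Constructed sample (account id is a placeholder): the Karpenter node role
# mapped as eksctl writes it, plus a separate admin role mapped to system:masters.
SAMPLE_AWS_AUTH=$(cat <<'EOF'
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::111122223333:role/KarpenterNodeRole-demo
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - system:masters
      rolearn: arn:aws:iam::111122223333:role/ClusterAdmin
      username: admin
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
EOF
)
KARPENTER_NODE_ROLE_ARN="arn:aws:iam::111122223333:role/KarpenterNodeRole-demo"
CLUSTER_ADMIN_ROLE_ARN="arn:aws:iam::111122223333:role/ClusterAdmin"

# Stand-alone run against the constructed sample; on a real cluster pipe in
# the kubectl output instead.
printf '%s\n' "$SAMPLE_AWS_AUTH" | check_node_role_mapping "$KARPENTER_NODE_ROLE_ARN"
```

On a live cluster the call becomes `kubectl get configmap -n kube-system aws-auth -o yaml | check_node_role_mapping "arn:aws:iam::${ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME}"`. The check is deliberately strict about the group list: a node role that also carries system:masters would let every Karpenter-launched node act as cluster admin.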
Because Karpenter itself needs permission to create instances, the IRSA mechanism (IAM Roles for Service Accounts) is used here: create a service account, which the Karpenter pod will be bound to later:

eksctl utils associate-iam-oidc-provider --cluster ${CLUSTER_NAME} --approve
eksctl create iamserviceaccount \
    --cluster $CLUSTER_NAME --name karpenter --namespace karpenter \
    --attach-policy-arn arn:aws:iam::$ACCOUNT_ID:policy/KarpenterControllerPolicy-$CLUSTER_NAME \
    --approve
In the IAM console you can see that this KarpenterControllerPolicy has permissions such as creating an EC2 Fleet.

This step takes about two minutes. Once it has finished, check the created service account with:

kubectl get serviceaccounts --namespace karpenter
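Listing the service account only shows that it exists. What makes IRSA safe is that the IAM role eksctl created trusts the cluster's OIDC provider only for the "sub" claim system:serviceaccount:karpenter:karpenter, so no other pod in the cluster can assume the role and inherit the EC2 Fleet permissions. The following is an added example, not code from the original post or from eksctl, that verifies both halves of that binding offline: the role-arn annotation on the service account manifest, and the "sub" condition in the role's trust policy. It uses only POSIX tools (awk, grep, sed, tr) so it runs without jq; the sample manifest, trust policy, account ID, OIDC provider ID and role name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: verify the IRSA binding created
# for Karpenter, offline on constructed input.
#  1. the service account carries the eks.amazonaws.com/role-arn annotation
#     pointing at the expected role
#     (live input: kubectl get sa karpenter -n karpenter -o yaml)
#  2. the role's trust policy pins the OIDC "sub" claim to exactly
#     system:serviceaccount:<namespace>:<name>, with no wildcard
#     (live input: aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument)

# Returns 0 when the ServiceAccount YAML on stdin is annotated with the expected role ARN.
check_sa_role_annotation() {
  awk -v want="$1" '
    /^[ \t]*eks\.amazonaws\.com\/role-arn:/ {
      sub(/^[ \t]*eks\.amazonaws\.com\/role-arn:[ \t]*/, ""); found = $0
    }
    END {
      if (found == want) { print "OK: service account bound to " want; exit 0 }
      print "FAIL: role-arn annotation is \"" found "\", expected " want; exit 1
    }'
}

# Returns 0 when the trust policy JSON on stdin limits the ":sub" condition to
# the given service account. The value is compared literally, so a wildcard
# such as system:serviceaccount:karpenter:* fails the check.
check_trust_policy_subject() {
  expect="system:serviceaccount:$1:$2"
  sub=$(tr -d '\n' | grep -o '"[^"]*:sub"[[:space:]]*:[[:space:]]*"[^"]*"' \
        | sed 's/^.*:sub"[[:space:]]*:[[:space:]]*"//; s/"$//')
  case "$sub" in
    "$expect") echo "OK: trust policy limited to $expect"; return 0 ;;
    "")        echo "FAIL: no :sub condition found"; return 1 ;;
    *)         echo "FAIL: :sub condition is \"$sub\", expected $expect"; return 1 ;;
  esac
}

# Constructed samples; account id, OIDC id and role name are placeholders.
KARPENTER_ROLE_ARN="arn:aws:iam::111122223333:role/eksctl-demo-addon-iamserviceaccount-karpenter-Role1-EXAMPLE"
SAMPLE_SA_YAML=$(cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/eksctl-demo-addon-iamserviceaccount-karpenter-Role1-EXAMPLE
  name: karpenter
  namespace: karpenter
EOF
)
SAMPLE_TRUST_POLICY=$(cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/EXAMPLEOIDCID" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": { "StringEquals": {
      "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLEOIDCID:sub": "system:serviceaccount:karpenter:karpenter"
    } }
  }]
}
EOF
)
# Over-broad variant for comparison: the service-account name replaced by a wildcard.
SAMPLE_TRUST_POLICY_WILDCARD=$(printf '%s' "$SAMPLE_TRUST_POLICY" | sed 's/karpenter:karpenter"/karpenter:*"/')

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_SA_YAML" | check_sa_role_annotation "$KARPENTER_ROLE_ARN"
printf '%s\n' "$SAMPLE_TRUST_POLICY" | check_trust_policy_subject karpenter karpenter
```

Against a real cluster, pipe `kubectl get sa karpenter -n karpenter -o yaml` into check_sa_role_annotation with the ARN from that annotation, then fetch that role's trust policy with `aws iam get-role` and pipe it into check_trust_policy_subject karpenter karpenter; a wildcard or missing ":sub" condition means any pod that can obtain a projected token from the cluster's OIDC provider could take over the controller's permissions.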