# Install the EKS Pod Identity Agent add-on on the cluster, pinned to v1.0.0-eksbuild.1.
# The cluster name is hard-coded here; the same value is exported as CLUSTER_NAME a few steps later.
aws eks create-addon \
  --cluster-name wsc2024-eks-cluster \
  --addon-name eks-pod-identity-agent \
  --addon-version v1.0.0-eksbuild.1
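# Region and cluster used by every following step.
export AWS_REGION="us-east-1"
export CLUSTER_NAME="wsc2024-eks-cluster"

# Cluster security group as reported by describe-cluster. The assignment is split from `export`
# so a failing `aws` call is not masked by export's own (always zero) exit status, and the
# variable is quoted so an unexpected value cannot be word-split into extra arguments.
CLUSTER_SG=$(aws eks describe-cluster --name "$CLUSTER_NAME" \
  --query "cluster.resourcesVpcConfig.clusterSecurityGroupId" --output text)
: "${CLUSTER_SG:?could not resolve the cluster security group for $CLUSTER_NAME}"
export CLUSTER_SG

# AWS-managed prefix lists for VPC Lattice traffic in this region (IPv4 and IPv6). The lookup is
# by the region-specific prefix-list name; an empty result means the name did not match and must
# not be passed on to the security-group rules in the next step.
PREFIX_LIST_ID=$(aws ec2 describe-managed-prefix-lists \
  --query "PrefixLists[?PrefixListName=='com.amazonaws.$AWS_REGION.vpc-lattice'].PrefixListId" --output text)
PREFIX_LIST_ID_IPV6=$(aws ec2 describe-managed-prefix-lists \
  --query "PrefixLists[?PrefixListName=='com.amazonaws.$AWS_REGION.ipv6.vpc-lattice'].PrefixListId" --output text)
: "${PREFIX_LIST_ID:?no com.amazonaws.$AWS_REGION.vpc-lattice prefix list found}"
: "${PREFIX_LIST_ID_IPV6:?no com.amazonaws.$AWS_REGION.ipv6.vpc-lattice prefix list found}"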
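# Allow inbound traffic from the VPC Lattice managed prefix lists (IPv4 and IPv6) into the cluster
# security group. IpProtocol=-1 admits every protocol and port from those prefixes; narrow this to
# the listener/target ports if the workloads do not need everything reachable from Lattice.
# The ${VAR:?} expansions abort the command when an ID was never resolved, instead of sending a
# malformed rule to the API. Only stdout is discarded, so API errors still reach the terminal.
aws ec2 authorize-security-group-ingress --group-id "${CLUSTER_SG:?CLUSTER_SG is not set}" \
  --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID:?PREFIX_LIST_ID is not set}}],IpProtocol=-1" > /dev/null
aws ec2 authorize-security-group-ingress --group-id "${CLUSTER_SG:?CLUSTER_SG is not set}" \
  --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID_IPV6:?PREFIX_LIST_ID_IPV6 is not set}}],IpProtocol=-1" > /dev/null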
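# Fetch the controller's recommended IAM policy document from the upstream repository.
# -f makes curl exit non-zero on an HTTP error instead of saving the error page as the policy
# file (which the next step would then try to submit to IAM); -sS hides progress but keeps errors.
# The URL points at the unpinned `main` branch, so the document can change between runs: review
# its contents before creating the policy, and pin to a release tag for a reproducible setup.
curl -fsSL "https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/recommended-inline-policy.json" \
  -o recommended-inline-policy.json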
# Create the customer-managed IAM policy for the Lattice gateway API controller from the JSON
# document downloaded in the previous step.
aws iam create-policy --policy-name VPCLatticeControllerIAMPolicy --policy-document "file://recommended-inline-policy.json"
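# Look up the ARN of the policy created above. --scope Local limits the match to customer-managed
# policies so the name cannot collide with an AWS-managed one; the assignment is split from
# `export` so a failed lookup is not hidden behind export's exit status, and an empty result aborts
# here rather than producing a broken attach-role-policy call later.
VPCLatticeControllerIAMPolicyArn=$(aws iam list-policies --scope Local \
  --query 'Policies[?PolicyName==`VPCLatticeControllerIAMPolicy`].Arn' --output text)
: "${VPCLatticeControllerIAMPolicyArn:?policy VPCLatticeControllerIAMPolicy not found}"
export VPCLatticeControllerIAMPolicyArn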
# Apply the upstream namespace manifest for the controller (the namespace
# aws-application-networking-system is what the later eksctl step targets).
# The manifest is pulled from the unpinned `main` branch, so its contents can change between runs.
kubectl apply --filename "https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/deploy-namesystem.yaml"
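# Write the trust policy for the controller role: the EKS Pod Identity service principal may
# assume the role and tag the session. The here-doc delimiter is quoted so nothing inside the
# JSON is subject to shell expansion, and the document is indented for readability.
# Note: the remaining steps on this page grant the controller its permissions through IRSA
# (eksctl create iamserviceaccount) and no pod-identity association is created for this role,
# so the role only takes effect if such an association is added separately.
cat >trust-relationship.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
      "Effect": "Allow",
      "Principal": {
        "Service": "pods.eks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
EOF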
# Create the controller role using the trust policy written to trust-relationship.json above.
aws iam create-role \
  --role-name VPCLatticeControllerIAMRole \
  --assume-role-policy-document "file://trust-relationship.json"
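# Attach the controller policy to the role. The ARN is quoted and checked so an unset variable
# aborts here instead of sending an empty --policy-arn to IAM.
aws iam attach-role-policy \
  --role-name VPCLatticeControllerIAMRole \
  --policy-arn "${VPCLatticeControllerIAMPolicyArn:?VPCLatticeControllerIAMPolicyArn is not set}"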
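# Register the cluster's OIDC issuer as an IAM identity provider, which the IRSA service account
# created in the next step relies on. Variables are quoted and checked so a missing export fails
# here rather than as an eksctl argument error. --approve skips the interactive confirmation.
eksctl utils associate-iam-oidc-provider \
  --cluster "${CLUSTER_NAME:?CLUSTER_NAME is not set}" \
  --region "${AWS_REGION:?AWS_REGION is not set}" \
  --approve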
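# Create the controller's Kubernetes service account with an IRSA role that carries the policy
# created earlier. As written, eksctl provisions its own role for this service account; the
# VPCLatticeControllerIAMRole from the previous steps is not referenced here.
# --override-existing-serviceaccounts lets eksctl annotate the account if the manifest already
# created it. Variables are quoted and checked so an unset export aborts before eksctl runs.
eksctl create iamserviceaccount \
  --cluster="${CLUSTER_NAME:?CLUSTER_NAME is not set}" \
  --namespace=aws-application-networking-system \
  --name=gateway-api-controller \
  --attach-policy-arn="${VPCLatticeControllerIAMPolicyArn:?VPCLatticeControllerIAMPolicyArn is not set}" \
  --override-existing-serviceaccounts \
  --region "${AWS_REGION:?AWS_REGION is not set}" \
  --approve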
# Download the controller deployment manifest (v1.0.6). Only the file name is versioned: the URL
# points at the `main` branch, so the file itself can still change upstream.
wget -- "https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/deploy-v1.0.6.yaml"
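# Remove lines 8222-8227 from the downloaded manifest. Deleting by absolute line number is
# brittle: the file comes from an unpinned branch, so the same numbers may point at different
# content on another day and sed gives no indication of what was removed. Keep a backup
# (deploy-v1.0.6.yaml.orig) so the deletion can be compared against the original before applying.
sed -i.orig '8222,8227d' deploy-v1.0.6.yaml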
# Deploy the controller from the locally edited manifest.
kubectl apply --filename deploy-v1.0.6.yaml
# Apply the upstream GatewayClass manifest (the Gateway below references gatewayClassName
# amazon-vpc-lattice). Fetched from the unpinned `main` branch, so it may change between runs.
kubectl apply --filename "https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/gatewayclass.yaml"
# Create the Lattice service network that the Gateway manifest below is named after.
# No service-network-level auth settings are given here; the only access control on this page
# is the IAMAuthPolicy attached to the HTTPRoute.
aws vpc-lattice create-service-network --name "wsc2024-lattice-svc-net"
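# Resolve the IDs needed for the VPC association. Both lookups are by name/tag, so an empty
# result (service network not created yet, VPC tag mismatch) is caught here instead of surfacing
# as a confusing error from the association call. A multi-line result means the name or tag is
# not unique and should be investigated before continuing.
SERVICE_NETWORK_ID=$(aws vpc-lattice list-service-networks \
  --query "items[?name=='wsc2024-lattice-svc-net'].id" --output text)
MA_VPC_ID=$(aws ec2 describe-vpcs --filters "Name=tag:Name,Values=wsc2024-ma-vpc" \
  --query "Vpcs[].VpcId" --output text)
: "${SERVICE_NETWORK_ID:?service network wsc2024-lattice-svc-net not found}"
: "${MA_VPC_ID:?no VPC tagged Name=wsc2024-ma-vpc}"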
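# Associate the service network with the wsc2024-ma-vpc VPC. Both identifiers are quoted and
# checked so an unresolved lookup aborts here instead of sending empty arguments to the API.
aws vpc-lattice create-service-network-vpc-association \
  --service-network-identifier "${SERVICE_NETWORK_ID:?SERVICE_NETWORK_ID is not set}" \
  --vpc-identifier "${MA_VPC_ID:?MA_VPC_ID is not set}"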
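# Gateway backed by the amazon-vpc-lattice GatewayClass. Its name is the same as the Lattice
# service network created earlier (wsc2024-lattice-svc-net), and the annotation asks the
# controller to associate that service network with the cluster VPC. Only a plain HTTP listener
# on port 80 is defined. Indentation restored: the original paste had lost it, which makes the
# nesting (metadata/annotations, spec/listeners) ambiguous to a YAML parser.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: wsc2024-lattice-svc-net
  namespace: wsc2024
  annotations:
    application-networking.k8s.aws/lattice-vpc-association: "true"
spec:
  gatewayClassName: amazon-vpc-lattice
  listeners:
    - name: http
      protocol: HTTP
      port: 80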
# Apply the Gateway. No command on this page writes gateway.yaml; it is expected to hold the
# Gateway manifest shown above, saved by hand.
kubectl apply --filename gateway.yaml
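# TargetGroupPolicy for the customer-svc Service: the Lattice target group speaks HTTP/1 and runs
# an active health check against /healthcheck on port 8080 expecting HTTP 200 (10s interval,
# 1s timeout, 3 healthy / 2 unhealthy threshold). Indentation restored: the original paste had
# lost it, so the healthCheck fields could not be told apart from top-level spec fields.
apiVersion: application-networking.k8s.aws/v1alpha1
kind: TargetGroupPolicy
metadata:
  name: wsc2024-policy
  namespace: wsc2024
spec:
  targetRef:
    group: ""
    kind: Service
    name: customer-svc
  protocol: HTTP
  protocolVersion: HTTP1
  healthCheck:
    enabled: true
    intervalSeconds: 10
    timeoutSeconds: 1
    healthyThresholdCount: 3
    unhealthyThresholdCount: 2
    path: "/healthcheck"
    port: 8080
    protocol: HTTP
    protocolVersion: HTTP1
    statusMatch: "200"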
# Apply the TargetGroupPolicy. targetgrouppolicy.yaml is not written by any command on this page;
# it is expected to hold the manifest shown above.
kubectl apply --filename targetgrouppolicy.yaml
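# IAMAuthPolicy attached to the wsc2024-lattice-svc HTTPRoute. The embedded policy allows every
# principal ("*") every action on every resource, with a single restriction: the request's
# aws:SourceIp must be BASTION/32. BASTION is a placeholder that a later sed step replaces with
# the bastion's private IP; applying the manifest before that substitution leaves a condition
# that never matches. Source address is the only control in this policy, so anything able to
# originate traffic from that address is allowed through. Indentation restored: the original
# paste had lost it, and the `policy: |` block scalar depends on indentation to delimit the JSON.
apiVersion: application-networking.k8s.aws/v1alpha1
kind: IAMAuthPolicy
metadata:
  name: wsc2024-iam-auth-policy
  namespace: wsc2024
spec:
  targetRef:
    group: "gateway.networking.k8s.io"
    kind: HTTPRoute
    name: wsc2024-lattice-svc
    namespace: wsc2024
  policy: |
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "BASTION/32"
            }
          }
        }
      ]
    }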
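# Private IP of the bastion that the IAMAuthPolicy condition is pinned to. Restricting the query
# to running instances avoids picking a stopped or terminated instance that still carries the
# tag (Reservations[0].Instances[0] takes whichever comes first). With --output text an empty
# match prints the literal "None", so that is mapped to an empty value and rejected as well.
BASTION_IP=$(aws ec2 describe-instances \
  --filters "Name=tag:Name,Values=wsc2024-bastion-ec2" "Name=instance-state-name,Values=running" \
  --query "Reservations[0].Instances[0].PrivateIpAddress" --output text)
[[ "$BASTION_IP" != "None" ]] || BASTION_IP=""
: "${BASTION_IP:?no running instance tagged Name=wsc2024-bastion-ec2}"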
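# Replace the BASTION placeholder in the IAMAuthPolicy manifest with the bastion's private IP.
# The variable is checked first: with an empty BASTION_IP the substitution would silently leave
# "/32" as the aws:SourceIp value. '|' is the sed delimiter because a dotted IPv4 address
# contains no sed metacharacters; the value comes from the EC2 API, not from user input.
sed -i "s|BASTION|${BASTION_IP:?BASTION_IP is not set}|g" iamauthpolicy.yaml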
# Apply the IAMAuthPolicy after the BASTION placeholder has been substituted.
# iamauthpolicy.yaml is expected to hold the manifest shown above.
kubectl apply --filename iamauthpolicy.yaml
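# HTTPRoute bound to the http listener of the wsc2024-lattice-svc-net Gateway. The only rule
# matches the PathPrefix /healthcheck and forwards to customer-svc on port 8080; no other path is
# routed by this resource. Its name and namespace are what the IAMAuthPolicy targets.
# Indentation restored: the original paste had lost it, which leaves the list nesting under
# rules/backendRefs/matches ambiguous.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: wsc2024-lattice-svc
  namespace: wsc2024
spec:
  parentRefs:
    - name: wsc2024-lattice-svc-net
      sectionName: http
  rules:
    - backendRefs:
        - name: customer-svc
          kind: Service
          port: 8080
      matches:
        - path:
            type: PathPrefix
            value: /healthcheck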
# Apply the HTTPRoute. httproute.yaml is expected to hold the manifest shown above.
kubectl apply --filename httproute.yaml
# Block for up to 3 minutes until the controller reports the route as resolved: the reason on the
# last condition of the last parent status entry must read ResolvedRefs. kubectl exits non-zero
# if that does not happen within the timeout.
kubectl wait --namespace wsc2024 --timeout=3m \
  --for="jsonpath={.status.parents[-1:].conditions[-1:].reason}=ResolvedRefs" \
  httproute/wsc2024-lattice-svc
