
Amazon Linux

Basic

---
# eksctl ClusterConfig for a private-endpoint EKS cluster with two managed
# node groups and one Fargate profile. The KMS key, security group and subnet
# values are placeholder tokens that the shell snippet on this page swaps for
# real IDs before eksctl runs.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: finance-eks-cluster
  region: ap-northeast-2
  version: "1.32"  # quoted so the version stays a string, not a float

# Envelope-encrypt Kubernetes secrets with a customer KMS key.
secretsEncryption:
  keyARN: kms_arn

# Ship every control-plane log type to CloudWatch.
cloudWatch:
  clusterLogging:
    enableTypes:
      - "*"

iam:
  # The OIDC provider is what lets the service accounts below use IAM roles.
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: aws-load-balancer-controller
        namespace: kube-system
      wellKnownPolicies:
        awsLoadBalancerController: true
    - metadata:
        name: cert-manager
        namespace: cert-manager
      wellKnownPolicies:
        certManager: true

vpc:
  securityGroup: sg_id  # control-plane security group (author's note: HTTPS traffic)
  subnets:
    private:
      ap-northeast-2a:
        id: private_a
      ap-northeast-2b:
        id: private_b
  # API server is reachable only through the private endpoint.
  # NOTE(review): eksctl and kubectl then need network reachability into the
  # VPC; confirm where this config is applied from.
  clusterEndpoints:
    publicAccess: false
    privateAccess: true

managedNodeGroups:
  - name: finance-app-ng
    labels:
      type: app
    instanceName: finance-app-node
    instanceType: c5.large
    desiredCapacity: 2
    minSize: 2
    maxSize: 10
    privateNetworking: true  # nodes get no public IPs
  - name: finance-addon-ng
    # NOTE(review): this group is labelled "data" while the Fargate selector
    # below matches "addon"; confirm the labels are as intended.
    labels:
      type: data
    instanceName: finance-addon-node
    instanceType: m5.large
    desiredCapacity: 2
    minSize: 2
    maxSize: 10
    privateNetworking: true

# Pods in kube-system carrying the label type=addon are scheduled on Fargate.
fargateProfiles:
  - name: finance-fargate-profile
    selectors:
      - namespace: kube-system
        labels:
          type: addon

Karpenter

---
# eksctl ClusterConfig: the same private-endpoint cluster, extended with
# Karpenter (controller identity, node-role mapping, discovery tag) and the
# pod identity agent add-on. The KMS key, security group and subnet values
# are placeholder tokens that the shell snippet on this page swaps for real
# IDs before eksctl runs.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: finance-eks-cluster
  region: ap-northeast-2
  version: "1.32"  # quoted so the version stays a string, not a float
  tags:
    karpenter.sh/discovery: finance-eks-cluster

# Envelope-encrypt Kubernetes secrets with a customer KMS key.
secretsEncryption:
  keyARN: kms_arn

# Ship every control-plane log type to CloudWatch.
cloudWatch:
  clusterLogging:
    enableTypes:
      - "*"

iam:
  withOIDC: true
  # Binds the karpenter service account to an IAM role through EKS Pod
  # Identity; relies on the eks-pod-identity-agent add-on declared at the end.
  # The policy ARN is account-specific and must exist before cluster creation.
  podIdentityAssociations:
    - namespace: kube-system
      serviceAccountName: karpenter
      roleName: finance-eks-cluster-karpenter
      permissionPolicyARNs:
        - arn:aws:iam::362708816803:policy/KarpenterControllerPolicy-finance-eks-cluster
  serviceAccounts:
    - metadata:
        name: aws-load-balancer-controller
        namespace: kube-system
      wellKnownPolicies:
        awsLoadBalancerController: true
    - metadata:
        name: cert-manager
        namespace: cert-manager
      wellKnownPolicies:
        certManager: true

karpenter:
  version: "1.3.3"
  # NOTE(review): confirm this does not duplicate the identity already set up
  # by the pod identity association above.
  createServiceAccount: true

vpc:
  securityGroup: sg_id  # control-plane security group (author's note: HTTPS traffic)
  subnets:
    private:
      ap-northeast-2a:
        id: private_a
      ap-northeast-2b:
        id: private_b
  # API server is reachable only through the private endpoint.
  # NOTE(review): eksctl and kubectl then need network reachability into the
  # VPC; confirm where this config is applied from.
  clusterEndpoints:
    publicAccess: false
    privateAccess: true

# Lets instances launched with the Karpenter node role join as cluster nodes.
# Anything able to assume this role is granted node-level group membership,
# so keep the role's trust policy narrow.
iamIdentityMappings:
  - arn: "arn:aws:iam::362708816803:role/KarpenterNodeRole-finance-eks-cluster"
    username: "system:node:{{EC2PrivateDNSName}}"
    groups:
      - system:bootstrappers
      - system:nodes

managedNodeGroups:
  - name: finance-app-ng
    labels:
      type: app
    instanceName: finance-app-node
    amiFamily: AmazonLinux2023
    instanceType: c5.large
    desiredCapacity: 2
    minSize: 2
    maxSize: 10
    privateNetworking: true  # nodes get no public IPs
    iam:
      # NOTE(review): policies on the node role are available to every pod
      # that can reach instance metadata; with OIDC enabled, consider binding
      # the CNI policy to the aws-node service account instead.
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
  - name: finance-addon-ng
    # NOTE(review): this group is labelled "data" while the Fargate selector
    # below matches "addon"; confirm the labels are as intended.
    labels:
      type: data
    instanceName: finance-addon-node
    amiFamily: AmazonLinux2023
    instanceType: m5.large
    desiredCapacity: 2
    minSize: 2
    maxSize: 10
    privateNetworking: true
    iam:
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy

# Pods in kube-system carrying the label type=addon are scheduled on Fargate.
fargateProfiles:
  - name: finance-fargate-profile
    selectors:
      - namespace: kube-system
        labels:
          type: addon

addons:
  - name: eks-pod-identity-agent
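# Resolve the placeholder tokens in cluster.yaml to real AWS resource IDs and
# then create the cluster. Run with bash from the directory that holds
# cluster.yaml; requires the aws CLI, jq, GNU sed and eksctl.
set -euo pipefail

# Every lookup is pinned to the cluster's region so the security group and KMS
# queries cannot silently fall back to the caller's default region.
region="ap-northeast-2"

# Abort unless a lookup produced exactly one value. An empty, "None" or
# multi-valued result would otherwise be written into cluster.yaml by sed and
# silently change what eksctl builds (for example, an empty security group
# entry instead of the intended control-plane group).
require_single() {
  local label="$1" value="$2"
  if [[ -z "$value" || "$value" == "None" || "$value" =~ [[:space:]] ]]; then
    echo "error: expected exactly one value for ${label}, got: '${value}'" >&2
    exit 1
  fi
}

private_a=$(aws ec2 describe-subnets \
  --filters "Name=tag:Name,Values=finance-private-sn-a" \
  --query "Subnets[].SubnetId[]" \
  --region "$region" --output text)

# NOTE(review): this subnet is tagged "...-sn-c" but its ID is substituted
# under the ap-northeast-2b key in cluster.yaml; confirm the AZ is intended.
private_b=$(aws ec2 describe-subnets \
  --filters "Name=tag:Name,Values=finance-private-sn-c" \
  --query "Subnets[].SubnetId[]" \
  --region "$region" --output text)

# Group names are only unique per VPC, so more than one ID can come back;
# require_single below rejects that case.
sg_id=$(aws ec2 describe-security-groups \
  --query "SecurityGroups[?GroupName=='control-plane-sg'].GroupId" \
  --region "$region" --output text)

# Find the KMS key whose tag value is "finance-kms". The query returns all of
# a key's tag values joined together, so a key only matches when that is its
# sole tag. If several keys match, the last one listed wins.
kms_arn=""
key_ids=$(aws kms list-keys --region "$region" --output json | jq -r '.Keys[].KeyId')
for key_id in $key_ids; do
  # Keys whose tags cannot be read are skipped rather than treated as fatal.
  name_tag=$(aws kms list-resource-tags --key-id "$key_id" \
    --query "Tags[].TagValue" \
    --region "$region" --output text 2> /dev/null) || continue
  if [[ "$name_tag" == "finance-kms" ]]; then
    kms_arn=$(aws kms describe-key --key-id "$key_id" \
      --query "KeyMetadata.Arn" \
      --region "$region" --output text)
  fi
done

require_single "subnet finance-private-sn-a" "$private_a"
require_single "subnet finance-private-sn-c" "$private_b"
require_single "security group control-plane-sg" "$sg_id"
require_single "KMS key finance-kms" "$kms_arn"

# Substitute the placeholder tokens in place. The values were checked above to
# be single, whitespace-free tokens, and none can contain the "|" delimiter.
sed -i "s|sg_id|$sg_id|g" cluster.yaml
sed -i "s|kms_arn|$kms_arn|g" cluster.yaml
sed -i "s|private_a|$private_a|g" cluster.yaml
sed -i "s|private_b|$private_b|g" cluster.yaml

eksctl create cluster -f cluster.yaml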