
2024 Regional Skills Competition, Task 1 Solution

Task sheet
`Web Service Provisioning`

1. VPC Create
2. Security Group Create
3. IAM Role Create
4. Upload the deployment materials via scp
5. EC2 Instance Create
6. ElastiCache Create (sg checking, port change)
7. Amazon DocumentDB Create (sg checking, port change)
8. Secrets Manager
9. Cluster apply
10. eksctl setting
11. manifest deploy
12. Secrets Manager Checking
13. Token Endpoint Upload
14. Ingress apply
15. ALB Request Checking
16. Check the task conditions
```bash
#!/bin/bash
# Look up the four subnet IDs by their Name tag and substitute them into
# the public_a / public_b / private_a / private_b placeholders in cluster.yaml.
REGION="ap-northeast-2"

public_a=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=skills-public-subnet-a" \
  --query "Subnets[].SubnetId[]" --region "$REGION" --output text)
public_b=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=skills-public-subnet-b" \
  --query "Subnets[].SubnetId[]" --region "$REGION" --output text)
private_a=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=skills-private-subnet-a" \
  --query "Subnets[].SubnetId[]" --region "$REGION" --output text)
private_b=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=skills-private-subnet-b" \
  --query "Subnets[].SubnetId[]" --region "$REGION" --output text)

# Replace the placeholders in place (the '|' delimiter avoids clashing with '/' in values)
sed -i "s|public_a|$public_a|g" cluster.yaml
sed -i "s|public_b|$public_b|g" cluster.yaml
sed -i "s|private_a|$private_a|g" cluster.yaml
sed -i "s|private_b|$private_b|g" cluster.yaml
```
```bash
REGION_CORD="ap-northeast-2"
CLUSTER_NAME="skills-eks-cluster"

# Associate the IAM OIDC provider with the cluster (required for IAM roles for service accounts)
eksctl utils associate-iam-oidc-provider \
  --region="$REGION_CORD" \
  --cluster="$CLUSTER_NAME" \
  --approve

# Create the IAM policy for reading secrets.
# Resource "*" grants read access to every secret and KMS key in the account;
# for least privilege, scope it to the ARNs of redis/credentials and mongodb/credentials
# and to the KMS key that encrypts them.
cat > secret-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": ["*"]
    }
  ]
}
EOF

# Create the IAM service account (IRSA) with the policy attached
POLICY_ARN=$(aws --region "$REGION_CORD" --query Policy.Arn --output text \
  iam create-policy --policy-name secretsmanager-policy \
  --policy-document file://secret-policy.json)

eksctl create iamserviceaccount \
  --name external-secrets-cert-controller \
  --region="$REGION_CORD" \
  --cluster "$CLUSTER_NAME" \
  --namespace=skills \
  --attach-policy-arn "$POLICY_ARN" \
  --override-existing-serviceaccounts \
  --approve

# Add and update the Helm repository
helm repo add external-secrets https://charts.external-secrets.io
helm repo update

# Annotate and label the service account so that Helm adopts it instead of failing on the conflict
kubectl annotate serviceaccount external-secrets-cert-controller \
  meta.helm.sh/release-name=external-secrets \
  meta.helm.sh/release-namespace=skills \
  -n skills \
  --overwrite
kubectl label serviceaccount external-secrets-cert-controller \
  app.kubernetes.io/managed-by=Helm \
  -n skills \
  --overwrite

# Create values.yaml (JSON is valid YAML): pin every ESO component to the addon node group
cat > values.yaml <<EOF
{
  "installCRDs": true,
  "nodeSelector": { "eks.amazonaws.com/nodegroup": "skills-eks-addon-nodegroup" },
  "webhook": { "nodeSelector": { "eks.amazonaws.com/nodegroup": "skills-eks-addon-nodegroup" } },
  "certController": { "nodeSelector": { "eks.amazonaws.com/nodegroup": "skills-eks-addon-nodegroup" } }
}
EOF

# Install External Secrets. The release namespace must be the one named in the
# meta.helm.sh/release-namespace annotation above (skills); otherwise Helm cannot
# adopt the pre-created service account and the release ends up in the wrong namespace.
helm install external-secrets \
  external-secrets/external-secrets \
  -n skills \
  -f values.yaml \
  --set serviceAccount.create=false

# SecretStore: authenticate to Secrets Manager with the IRSA service account's JWT
cat <<'EOF' > secretstore.yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
  namespace: skills
spec:
  provider:
    aws:
      service: SecretsManager
      region: ap-northeast-2
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-cert-controller
EOF
kubectl apply -f secretstore.yaml

# ExternalSecret "token": Redis connection values from redis/credentials
cat <<'EOF' > token.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: token
  namespace: skills
spec:
  refreshInterval: 30s
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: token
    creationPolicy: Owner
  data:
    - secretKey: REDIS_HOST
      remoteRef:
        key: redis/credentials
        property: host
    - secretKey: REDIS_PORT
      remoteRef:
        key: redis/credentials
        property: port
EOF
kubectl apply -f token.yaml

# ExternalSecret "user": DocumentDB (MongoDB) values from mongodb/credentials
cat <<'EOF' > user.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: user
  namespace: skills
spec:
  refreshInterval: 30s
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: user
    creationPolicy: Owner
  data:
    - secretKey: MONGODB_USERNAME
      remoteRef:
        key: mongodb/credentials
        property: username
    - secretKey: MONGODB_PASSWORD
      remoteRef:
        key: mongodb/credentials
        property: password
    - secretKey: MONGODB_HOST
      remoteRef:
        key: mongodb/credentials
        property: host
    - secretKey: MONGODB_PORT
      remoteRef:
        key: mongodb/credentials
        property: port
    - secretKey: AWS_REGION
      remoteRef:
        key: mongodb/credentials
        property: region
    - secretKey: AWS_SECRET_NAME
      remoteRef:
        key: mongodb/credentials
        property: secret_name
    - secretKey: TOKEN_ENDPOINT
      remoteRef:
        key: mongodb/credentials
        property: token_endpoint
EOF
kubectl apply -f user.yaml

# Check the values stored in Secrets Manager
aws secretsmanager get-secret-value --secret-id mongodb/credentials --query SecretString --output text
aws secretsmanager get-secret-value --secret-id redis/credentials --query SecretString --output text

# Grant the node group's instance role the secrets policy.
# This gives every pod on those nodes read access to the secrets; the IRSA
# service account above is the narrower path when it works.
aws iam attach-role-policy \
  --role-name eksctl-skills-eks-cluster-nodegrou-NodeInstanceRole-l7cHr1FkGb7N \
  --policy-arn arn:aws:iam::362708816803:policy/secretsmanager-policy
```
Cluster.yaml
```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: skills-eks-cluster
  region: ap-northeast-2
  version: "1.29"
secretsEncryption:
  keyARN: kms_arn            # placeholder: ARN of the KMS key that encrypts Kubernetes Secrets
cloudWatch:
  clusterLogging:
    enableTypes: ["*"]
iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: aws-load-balancer-controller
        namespace: kube-system
      wellKnownPolicies:
        awsLoadBalancerController: true
    - metadata:
        name: cert-manager
        namespace: cert-manager
      wellKnownPolicies:
        certManager: true
vpc:
  securityGroup: sg_id       # placeholder: security group for HTTPS traffic
  subnets:
    public:
      ap-northeast-2a: { id: public_a }
      ap-northeast-2b: { id: public_b }
    private:
      ap-northeast-2a: { id: private_a }
      ap-northeast-2b: { id: private_b }
  clusterEndpoints:
    publicAccess: false
    privateAccess: true
managedNodeGroups:
  - name: skills-eks-app-nodegroup
    instanceName: skills-eks-app-node
    instanceType: t4g.large
    desiredCapacity: 2
    minSize: 2
    maxSize: 10
  - name: skills-eks-addon-nodegroup
    instanceName: skills-eks-addon-node
    instanceType: m6.large
    desiredCapacity: 2
    minSize: 2
    maxSize: 10
fargateProfiles:
  - name: skills-eks-app-profile
    selectors:
      - namespace: skills
        labels:
          app: token
```
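A pre-flight check for the rendered cluster.yaml, added here as an example and not part of the original write-up: it flags placeholders the sed script does not substitute (kms_arn and sg_id are never touched by it) and any subnet id that ends up in two slots, which is how a private slot pointing at the wrong subnet shows up. The sample config, its subnet ids and the file paths are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: pre-flight check for the
# rendered cluster.yaml before running `eksctl create cluster`.
set -u
# Tokens that must not survive in the rendered file.
PLACEHOLDERS='public_a|public_b|private_a|private_b|kms_arn|sg_id'

# check_cluster_config FILE -> returns 0 when clean, 1 when a problem was found
check_cluster_config() {
  local file="$1" rc=0 leftover dups
  # 1. Unresolved placeholders (comments stripped first so notes do not trigger it)
  leftover=$(sed 's/#.*//' "$file" | grep -Eow "($PLACEHOLDERS)" | sort -u)
  if [ -n "$leftover" ]; then
    echo "unresolved placeholders: $(echo "$leftover" | tr '\n' ' ')" >&2
    rc=1
  fi
  # 2. A subnet id that appears in more than one slot (the duplicated-slot mistake)
  dups=$(grep -Eo 'id: *subnet-[0-9a-f]+' "$file" | sed 's/id: *//' | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "subnet id used in more than one slot: $(echo "$dups" | tr '\n' ' ')" >&2
    rc=1
  fi
  return "$rc"
}

# Constructed sample (hypothetical ids): cluster.yaml after the sed script ran,
# but kms_arn/sg_id were not replaced and the private_b slot got private_a's subnet.
write_sample() {
  cat > "$1" <<'EOF'
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
secretsEncryption:
  keyARN: kms_arn
vpc:
  securityGroup: sg_id   # HTTPS traffic
  subnets:
    public:
      ap-northeast-2a: { id: subnet-0aaa }
      ap-northeast-2b: { id: subnet-0bbb }
    private:
      ap-northeast-2a: { id: subnet-0ccc }
      ap-northeast-2b: { id: subnet-0ccc }
EOF
}

# Demo run: write the constructed sample to a temp file and check it (problems expected).
sample=$(mktemp)
write_sample "$sample"
check_cluster_config "$sample" || echo "fix cluster.yaml before eksctl create cluster" >&2
```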
Solution

- k8s: TOKEN_ENDPOINT as a Cluster IP; addon node group handling
- Secret: External Secret
- ElastiCache: enable TLS (encryption in transit); enable cluster mode
- 3-4: profiler
- 4-5: only one appears
- 5-4: MUTABLE appears
- 6-1: the whole part is wrong
- 8-2: 0.5 vCPU / 1 GB is not shown (shows 0.25 vCPU / 0.5 GB)
- 9-1, 9-2: An error occurred (ResourceNotFoundException) when calling the FilterLogEvents operation: The specified log group does not exist.
- 10-1, 10-3: Pods do not scale up.
- 60 points / 46.5 points