t3 패밀리 인스턴스는 사용할 수 없음
위 링크에서 IsTrunkingCompatible: true 인 인스턴스 타입만 사용 가능함
ENV
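# Name of the target EKS cluster; replace the placeholder before running.
EKS_CLUSTER_NAME="<EKS_CLUSTER_NAME>"
# Resolve the cluster's IAM role ARN, then keep only the role name (everything
# after the last '/'). attach-role-policy wants the name, not the ARN, and
# a role created with a path (arn:...:role/path/name) has more than one '/',
# so taking "field 2" would return the path segment instead of the name.
EKS_CLUSTER_ROLE_ARN=$(aws eks describe-cluster --name "$EKS_CLUSTER_NAME" --query cluster.roleArn --output text)
EKS_CLUSTER_ROLE=${EKS_CLUSTER_ROLE_ARN##*/}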
IAM 역할에 정책 연결
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKSVPCResourceController --role-name $EKS_CLUSTER_ROLE
DaemonSet 확인
kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3
DaemonSet ENV 설정
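# Turn on the pod-ENI feature of the VPC CNI. `set env` edits the pod template,
# which already triggers a rollout; the explicit restart is kept as in the
# original procedure and simply forces one more.
kubectl -n kube-system set env daemonset aws-node ENABLE_POD_ENI=true
kubectl -n kube-system rollout restart daemonset aws-node
# Block until the new pods are ready so the checks that follow observe the
# updated DaemonSet rather than the previous generation.
kubectl -n kube-system rollout status daemonset aws-node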
# Alternative to `kubectl set env`: a single patch that sets ENABLE_POD_ENI on
# the aws-node container and DISABLE_TCP_EARLY_DEMUX on the aws-vpc-cni-init
# init container. The JSON payload is kept verbatim on purpose.
# NOTE(review): AWS documents DISABLE_TCP_EARLY_DEMUX as needed for kubelet
# probes to reach pods on branch ENIs — confirm against the current CNI docs.
kubectl -n kube-system patch ds aws-node \
-p '{"spec":{"template":{"spec":{"initContainers":[{"env":[{"name":"DISABLE_TCP_EARLY_DEMUX","value":"true"}],"name":"aws-vpc-cni-init"}],"containers":[{"env":[{"name":"ENABLE_POD_ENI","value":"true"}],"name":"aws-node"}]}}}}'
# Wait for the patched DaemonSet to finish rolling out.
kubectl -n kube-system rollout status ds aws-node
노드그룹 확인
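# Nodes that carry the has-trunk-attached=true label (normally set once a trunk
# ENI is attached — presumably by the VPC resource controller; verify).
kubectl get nodes -o wide -l vpc.amazonaws.com/has-trunk-attached=true
# Confirm the setting actually reached the DaemonSet spec.
kubectl -n kube-system describe daemonset aws-node | grep ENABLE_POD_ENI
# If the first command lists no nodes but the second shows ENABLE_POD_ENI,
# label the node manually. Replace the placeholder with the node name.
NODE_NAME="<NODE_NAME>"
kubectl label nodes "$NODE_NAME" vpc.amazonaws.com/has-trunk-attached=true
# Labeling does not by itself create a trunk ENI; check that the node now
# reports a vpc.amazonaws.com/pod-eni entry before scheduling pods on it.
kubectl describe no "$NODE_NAME" | grep vpc.amazonaws.com/pod-eni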
보안그룹 생성
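# Use the VPC the cluster actually runs in. Listing every VPC in the account
# returns several space-separated IDs as soon as a second VPC exists, and the
# --vpc-id below would then receive a malformed value.
VPC_ID=$(aws eks describe-cluster --name "$EKS_CLUSTER_NAME" --query cluster.resourcesVpcConfig.vpcId --output text)
export VPC_ID
# Name for the pod security group; replace the placeholder.
SG_NAME="<SG_NAME>"
# create-security-group prints the new GroupId; capture it so the rules below
# target the group that was just created instead of a hand-copied ID.
SG_ID=$(aws ec2 create-security-group --group-name "$SG_NAME" --description "$SG_NAME" --vpc-id "$VPC_ID" --query GroupId --output text)
# Inbound ICMP from any address, as in the original procedure. Note that this
# group does not yet allow TCP 8080 (the application port used later), and a
# newly created group already permits all outbound traffic, so the explicit
# ICMP egress rule is redundant with the default egress rule.
aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --protocol icmp --port -1 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-egress --group-id "$SG_ID" --protocol icmp --port -1 --cidr 0.0.0.0/0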
•
podsgp.yaml
# SecurityGroupPolicy: pods in the default namespace labelled app=skills-app
# get the security group(s) listed under groupIds.
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: skills-sgp
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: skills-app   # must match the labels on the Deployment's pod template
  securityGroups:
    groupIds:
      # Security Group ID — replace with the group created in the 보안그룹 생성 step.
      - sg-0b1873134f13b34cb # Security Group ID
kubectl apply -f podsgp.yaml
kubectl get sgp -n <Namespace>
kubectl get po -n <Namespace> -o wide
•
deployment.yaml
# Deployment for the sample application; its pod labels are what the
# SecurityGroupPolicy and the Service select on.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: skills-deployment
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: skills-app
  template:
    metadata:
      labels:
        app: skills-app   # matched by skills-sgp and skills-svc
    spec:
      nodeSelector:
        # Pins pods to this node group — presumably the one built from trunking-compatible instance types; confirm.
        eks.amazonaws.com/nodegroup: skills-app-nodegroup
      containers:
        - name: skills-app
          # No tag is given, so the latest tag is pulled; pin a tag or digest for reproducible, reviewable rollouts.
          image: 362708816803.dkr.ecr.ap-northeast-2.amazonaws.com/skills-app
          ports:
            - containerPort: 8080
kubectl apply -f deployment.yaml
•
service.yaml
# Service in front of the skills-app pods. It is a NodePort because the Ingress
# below uses target-type: instance, which registers node ports as ALB targets.
apiVersion: v1
kind: Service
metadata:
  name: skills-svc
  namespace: default
spec:
  selector:
    app: skills-app
  type: NodePort
  ports:
    - name: skills-svc
      protocol: TCP
      port: 8080
      targetPort: 8080   # the containerPort declared in the Deployment
kubectl apply -f service.yaml
•
ingress.yaml
# Internet-facing ALB that forwards two paths to skills-svc.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: skills-ingress
  namespace: default
  annotations:
    # Legacy class annotation; spec.ingressClassName below is the current mechanism, so one of the two suffices.
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/load-balancer-name: skills-alb
    alb.ingress.kubernetes.io/scheme: internet-facing   # reachable from the public internet
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'   # plain HTTP only; no HTTPS listener or certificate is configured here
    alb.ingress.kubernetes.io/target-type: instance   # targets node ports, hence the NodePort Service
    alb.ingress.kubernetes.io/subnets: subnet-0cfd1eb9a2584ae76, subnet-0b155c4433eb23024
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          # /healthz is both the ALB health check target and a publicly routed path.
          - path: /healthz
            pathType: Prefix
            backend:
              service:
                name: skills-svc
                port:
                  number: 8080
          - path: /v1/dummy
            pathType: Prefix
            backend:
              service:
                name: skills-svc
                port:
                  number: 8080
kubectl apply -f ingress.yaml


