Prerequisites for Configuring AWS EKS Clusters
The prerequisites for configuring AWS EKS clusters are as follows:
Amazon Resource Requirements
The following table describes the default limits for the Amazon resources that you may need to increase depending on your Cisco Container Platform deployment requirements.
Note: To increase the limits for a specific resource, you need to contact Amazon support.

| Amazon Resource | Default Limit | Description |
|---|---|---|
| Network Address Translation (NAT) gateway for each AWS account | 14 | Each EKS cluster uses three NAT gateways. With the default setting, you are limited to four clusters. |
| Amazon Virtual Private Cloud (Amazon VPC) for each AWS account | 3 | Each tenant cluster requires a separate Amazon VPC. |
| Amazon Elastic Container Service for Kubernetes (Amazon EKS) cluster for each AWS account | 3 | |
| Elastic IP address for each region | 5 | Each EKS cluster uses three elastic IP addresses. For more information, see Amazon VPC Limits. |
| Internet gateway for each region | 5 | Each EKS cluster uses one internet gateway. |
Adding AMI Files to your Amazon Account
Cisco Container Platform generates a specific AMI (Amazon Machine Image) file with each product release. The AMI file ensures that compatible packages are available for successful tenant cluster creation.
To make the AMI file available to your Amazon account, you must submit a support case that includes your 12-digit Amazon account ID. You will be notified when the AMI is available in your Amazon account.
Creating AWS Roles
Procedure

Step 1: Log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

Step 2: From the navigation pane of the IAM console, click Roles, and then click Create role.

Step 3: Under Select type of trusted entity, click Another AWS account.

Step 4: In the Account ID field, enter your AWS Account ID, and then click Next.

Step 5: Skip the screen to choose permission policies and permission boundary and click Next.

Step 6: Add metadata to the role by attaching tags of your choice as key–value pairs and click Next.

Step 7: In the Role name field, enter the name for the role as

Step 8: In the Description field, enter a description of your choice and click Create role.

Step 9: After the role is created, navigate to the created role and verify the following details of the role:
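The procedure above creates a role whose trusted entity is another AWS account (Steps 3 and 4) and then asks you to verify the created role (Step 9). The following Python is an added example, not part of the Cisco documentation: it builds the cross-account trust policy the console generates for that choice, checks that the account ID is 12 digits, extracts which accounts the trust policy actually lets assume the role (so the Step 9 verification can be scripted), and optionally creates the role with boto3. The account ID, role name and description are constructed placeholders, and the boto3 call assumes boto3 is installed and AWS credentials are configured.

```python
import json
import re

# Constructed placeholder values; substitute your own account ID and role name.
EXAMPLE_ACCOUNT_ID = "123456789012"
EXAMPLE_ROLE_NAME = "example-eks-provider-role"  # hypothetical name

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
PRINCIPAL_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def build_cross_account_trust_policy(account_id: str) -> dict:
    """Trust policy equivalent to choosing 'Another AWS account' and entering an account ID."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"AWS account ID must be exactly 12 digits, got {account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def trusted_accounts(trust_policy: dict) -> set:
    """Account IDs (or '*') that an Allow sts:AssumeRole statement grants."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        for arn in principals:
            match = PRINCIPAL_ARN_RE.match(arn)
            if match:
                found.add(match.group(1))
            elif arn == "*":
                found.add("*")
    return found


def verify_role_trust(trust_policy: dict, expected_account_id: str) -> bool:
    """Step 9 check: exactly the expected account, and nothing else, may assume the role."""
    return trusted_accounts(trust_policy) == {expected_account_id}


def create_role(role_name: str, account_id: str, description: str, tags: dict = None) -> dict:
    """Create the role via the IAM API (assumes boto3 and configured credentials)."""
    import boto3  # imported here so the pure functions above work without boto3

    iam = boto3.client("iam")
    return iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(build_cross_account_trust_policy(account_id)),
        Description=description,
        Tags=[{"Key": k, "Value": v} for k, v in (tags or {}).items()],
    )


if __name__ == "__main__":
    policy = build_cross_account_trust_policy(EXAMPLE_ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("trust verified:", verify_role_trust(policy, EXAMPLE_ACCOUNT_ID))
```

After `create_role` returns, fetching the role back with `iam.get_role(RoleName=...)` and passing its `AssumeRolePolicyDocument` to `verify_role_trust` gives a repeatable form of the Step 9 verification.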
AWS Account Policy Requirements
Provider permissions
If the AWS provider account is not a root account, then you must ensure that the account has the permissions needed to create the EKS and EC2 resources.
The minimum permissions needed are included in the sample aws-provider-policy.json file. You can create this file and import it to configure the necessary permissions.
Sample aws-provider-policy.json File

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "ec2:*",
        "eks:*",
        "ecr:*",
        "ecs:*",
        "s3:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:List*",
        "iam:Get*",
        "iam:PassRole",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:CreateRole",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:*AccessKey*",
        "iam:*MFA*"
      ],
      "Resource": "*"
    }
  ]
}
```
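Because several of the actions above are wildcard patterns (`ec2:*`, `iam:*AccessKey*`, and so on), it is not obvious from reading the file exactly which API calls the provider account ends up allowed to make. The following Python is an added review aid, not part of the Cisco documentation: it embeds the sample policy, lists every wildcard action pattern and every service granted in full, and evaluates whether a given action would be allowed, using IAM's case-insensitive `*` matching for actions. It handles only `Allow` statements without conditions, which is all the sample policy contains; a policy with `Deny` statements or condition keys would need the full IAM evaluation logic (IAM Access Analyzer or the policy simulator).

```python
import fnmatch

# The sample aws-provider-policy.json from the document, embedded as the input to review.
PROVIDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*", "elasticloadbalancing:*", "autoscaling:*",
                "ec2:*", "eks:*", "ecr:*", "ecs:*", "s3:*",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:List*", "iam:Get*", "iam:PassRole",
                "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile",
                "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:AttachRolePolicy",
                "iam:DetachRolePolicy", "iam:PutRolePolicy",
                "iam:*AccessKey*", "iam:*MFA*",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _allow_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]


def wildcard_actions(policy) -> list:
    """Every Allow action pattern that contains a '*' (sorted, de-duplicated)."""
    patterns = set()
    for stmt in _allow_statements(policy):
        patterns.update(a for a in _as_list(stmt.get("Action", [])) if "*" in a)
    return sorted(patterns)


def services_granted_in_full(policy) -> set:
    """Service prefixes for which the policy grants 'service:*'."""
    return {a.split(":", 1)[0] for a in wildcard_actions(policy) if a.endswith(":*") and a.count("*") == 1}


def policy_allows(policy, action: str, resource: str = "*") -> bool:
    """True if some Allow statement matches both the action and the resource.

    Action matching is case-insensitive with '*' and '?' wildcards, as in IAM;
    resource matching here is a plain glob against the ARN.
    """
    for stmt in _allow_statements(policy):
        action_hit = any(
            fnmatch.fnmatchcase(action.lower(), pattern.lower())
            for pattern in _as_list(stmt.get("Action", []))
        )
        if not action_hit:
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def allowed_subset(policy, actions) -> list:
    """Filter a list of candidate actions down to those the policy allows."""
    return sorted(a for a in actions if policy_allows(policy, a))


if __name__ == "__main__":
    print("wildcard patterns:", wildcard_actions(PROVIDER_POLICY))
    print("full-service grants:", sorted(services_granted_in_full(PROVIDER_POLICY)))
    for action in ["eks:CreateCluster", "iam:CreateAccessKey", "iam:CreateUser", "sts:AssumeRole"]:
        print(f"{action}: {'allowed' if policy_allows(PROVIDER_POLICY, action) else 'not allowed'}")
```

Running the script against the sample policy shows that `eks:CreateCluster` and `iam:CreateAccessKey` are allowed (the second via `iam:*AccessKey*`) while `iam:CreateUser` and `sts:AssumeRole` are not, which is the kind of concrete answer a change reviewer wants when deciding whether a wildcard in the file is wider than the deployment needs.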