Prerequisites for Configuring Clusters on AWS EKS
The prerequisites for configuring clusters on AWS EKS are as follows:
See also Adding Amazon Provider Profile.
Amazon Resource Requirements
The following table describes the default limits for the Amazon resources that you may need to increase depending on your Cisco Container Platform deployment requirements.
Note: To increase the limits for a specific resource, you need to contact Amazon support.
Amazon Resource | Default Limit | Description
---|---|---
Network Address Translation (NAT) gateway for each AWS account | 14 | Each EKS cluster uses three NAT gateways. With the default setting, you are limited to four clusters.
Amazon Virtual Private Cloud (Amazon VPC) for each AWS account | 3 | Each tenant cluster requires a separate Amazon VPC.
Amazon Elastic Container Service for Kubernetes (Amazon EKS) cluster for each AWS account | 3 |
Elastic IP address for each region | 5 | Each EKS cluster uses three elastic IP addresses. For more information, see Amazon VPC Limits.
Internet gateway for each region | 5 | Each EKS cluster uses one internet gateway.
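A quick capacity check built from the per-cluster consumption figures in the table above (this is an added example, not part of the Cisco documentation). It reports how many tenant clusters still fit under a set of quotas and which quota binds first; the `in_use` counts for resources already consumed by other workloads are an assumed input you supply yourself.

```python
# Per-cluster consumption of each quota, taken from the table above.
PER_CLUSTER = {"nat_gateway": 3, "vpc": 1, "eks_cluster": 1,
               "elastic_ip": 3, "internet_gateway": 1}

# Default limits from the table (NAT, VPC and EKS are per account;
# elastic IP and internet gateway are per region).
DEFAULT_LIMITS = {"nat_gateway": 14, "vpc": 3, "eks_cluster": 3,
                  "elastic_ip": 5, "internet_gateway": 5}


def cluster_headroom(limits, in_use=None):
    """Return (clusters_that_fit, binding_resource, headroom_per_resource).

    limits: quota per resource name; in_use: resources already consumed in the
    account/region by other workloads (assumed input, defaults to none).
    """
    in_use = in_use or {}
    headroom = {}
    for name, per_cluster in PER_CLUSTER.items():
        free = max(limits[name] - in_use.get(name, 0), 0)
        headroom[name] = free // per_cluster
    # The resource with the least headroom decides how many clusters fit;
    # dict order breaks ties in favour of the first listed resource.
    binding = min(headroom, key=headroom.get)
    return headroom[binding], binding, headroom


if __name__ == "__main__":
    fits, binding, detail = cluster_headroom(DEFAULT_LIMITS)
    print("clusters that fit: %d (bound by %s) %s" % (fits, binding, detail))
```

With the defaults from the table the per-region elastic IP quota, not the NAT gateway quota, is the first limit reached.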
Configuring Storage Class for EKS Clusters
You can configure additional storage classes to allow Kubernetes clusters running on AWS to manage the lifecycle of Amazon EFS file systems by installing the Amazon EFS Container Storage Interface (CSI) driver.
Note: Cisco TAC support is not available for the AWS EFS CSI storage.
For more information, see Amazon EFS CSI driver.
Adding AMI Files to your Amazon Account
Cisco Container Platform generates a specific AMI (Amazon Machine Image) file with each product release. The AMI file ensures that compatible packages are available for successful tenant cluster creation.
To make the AMI file available to your Amazon account, you must submit a support case that includes your 12-digit Amazon account ID. You will be notified when the AMI is available in your Amazon account.
Creating AWS Roles
Procedure
Step 1: Log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
Step 2: In the navigation pane of the IAM console, click Roles, and then click Create role.
Step 3: Under Select type of trusted entity, click Another AWS account.
Step 4: In the Account ID field, enter your AWS Account ID, and then click Next.
Step 5: Skip the screen for choosing permission policies and a permissions boundary, and click Next.
Step 6: Add metadata to the role by attaching tags of your choice as key–value pairs, and click Next.
Step 7: In the Role name field, enter the name for the role as
Step 8: In the Description field, enter a description of your choice and click Create role.
Step 9: After the role is created, navigate to the created role and verify the following details of the role:
Configuring Permissions for AWS Account
If the AWS provider account is not a root account, you must ensure that the account has the permissions needed to create the EKS and EC2 resources.
The following sample aws-provider-policy.json file shows the minimum permissions required for your AWS account. Create this file and import it to configure the necessary permissions.
Sample aws-provider-policy.json File
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "ec2:*",
                "eks:*",
                "ecr:*",
                "ecs:*",
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:List*",
                "iam:Get*",
                "iam:PassRole",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:*AccessKey*",
                "iam:*MFA*"
            ],
            "Resource": "*"
        }
    ]
}
For more information on user privileges on AWS, see Minimum User Privileges on AWS.
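Before importing the policy it is worth checking two things: that every action the cluster build needs is actually granted, and which grants combine a wildcard action with `"Resource": "*"` (the sample has several, which is what makes it broad rather than least-privilege). The checker below is an added example, not Cisco's tooling; it embeds a copy of the sample policy, and `REQUIRED_ACTIONS` is an assumed, illustrative list of actions rather than one published by the product.

```python
import fnmatch
import json

# Constructed copy of the page's sample aws-provider-policy.json (same actions).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "cloudformation:*", "elasticloadbalancing:*", "autoscaling:*",
            "ec2:*", "eks:*", "ecr:*", "ecs:*", "s3:*"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "iam:List*", "iam:Get*", "iam:PassRole", "iam:AddRoleToInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile", "iam:CreateRole",
            "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:DeleteRole",
            "iam:DeleteRolePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy",
            "iam:PutRolePolicy", "iam:*AccessKey*", "iam:*MFA*"]},
    ],
})

# Assumed, illustrative set of actions a cluster build exercises (not from the page).
REQUIRED_ACTIONS = ("eks:CreateCluster", "ec2:RunInstances", "iam:PassRole",
                    "iam:CreateRole", "iam:GetRole", "cloudformation:CreateStack")

def load_policy(text):
    policy = json.loads(text)  # parse and normalise Statement to a list
    if policy.get("Version") != "2012-10-17":
        raise ValueError("unexpected policy Version: %r" % policy.get("Version"))
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(statements, action):
    """True if an Allow statement matches the action (IAM globs, case-insensitive)."""
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(s["Action"])):
            return True
    return False

def audit(text):
    """Return (required actions not granted, wildcard actions granted on Resource '*')."""
    stmts = load_policy(text)
    missing = [a for a in REQUIRED_ACTIONS if not allows(stmts, a)]
    broad = [(i, a) for i, s in enumerate(stmts)
             for a in _as_list(s["Action"])
             if "*" in a and "*" in _as_list(s.get("Resource", []))]
    return missing, broad
```

Run `audit(SAMPLE_POLICY)` or `audit(open("aws-provider-policy.json").read())`; an empty first list means nothing required is missing, and the second list is the set of grants to scope down if your account policy allows it.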
Creating Access Keys
Access keys are required to authenticate your requests to the AWS Provider. An access key consists of two parts — an access key ID and a secret access key.
You can use the AWS IAM system in one of the following ways:
- Using a single user or personal account: see Creating Access Keys for a Single User Account for creating access keys that allow access to AWS resources.
- Using a federated login account, for enterprises or corporate entities: see Creating Access Keys for Federated Login Accounts for creating access keys that allow programmatic access to AWS resources.
Creating Access Keys for a Single User Account
Procedure
Step 1: Log in to the AWS Management Console at https://console.aws.amazon.com.
Step 2: From the Username drop-down list in the top-right corner, choose My Security Credentials.
Step 3: Expand the Access keys section.
Step 4: Click Create New Access Key.
Step 5: Click Download Credentials to download the CSV file that contains the access keys, and save it on your computer.
Creating Access Keys for Federated Login Accounts
Procedure
Step 1: Log in to the AWS Management Console at https://console.aws.amazon.com.
Step 2: In the left pane, click Add User to create a new user, which Cisco Container Platform will use to log in.
Step 3: In the Set user details section, enter a username in the Username field.
Step 4: In the Select AWS access type section, set Programmatic Access as the Access Type, and then click Next.
Step 5: In the Set Permissions table, click Add User to Group, and in the lower section, select the group that you created previously (ccp-user), and then click Next.
Step 6: In the Add tags page, click Next.
Step 7: Click Download Credentials to download the CSV file that contains the access keys, and save it on your computer.