# EKS Workshop

https://hackmd.io/@allamand/EKSDAY

## Registration page for AWS France events

https://aws-experience.com/emea/france/events

## Generative AI on EKS

[WORKSHOP LINK](https://catalog.workshops.aws/genai-on-eks/en-US)

## Accelerate Platform Engineering on Amazon EKS

[WORKSHOP LINK](https://catalog.us-east-1.prod.workshops.aws/workshops/95007d58-823f-4cc7-a259-78f05ac86cf8/en-US)

## AI On EKS Website

https://awslabs.github.io/ai-on-eks/

## EKS Best Practice Guide - AI/ML

https://docs.aws.amazon.com/eks/latest/best-practices/aiml.html

## Install k9s

```bash
curl -sS https://webinstall.dev/k9s | bash
```

## Install eks-node-viewer

```bash
sudo curl -L https://github.com/awslabs/eks-node-viewer/releases/download/v0.7.1/eks-node-viewer_Linux_x86_64 -o /usr/local/bin/eks-node-viewer && sudo chmod +x $_
alias eks-node-viewer='eks-node-viewer -extra-labels=karpenter.sh/nodepool,kubernetes.io/hostname,beta.kubernetes.io/arch,topology.kubernetes.io/zone'
eks-node-viewer
```

## Install Q-Chat

```bash
curl --proto '=https' --tlsv1.2 -sSf "https://desktop-release.q.us-east-1.amazonaws.com/latest/q-x86_64-linux.zip" -o "/tmp/q.zip"
unzip /tmp/q.zip -d /tmp
/tmp/q/install.sh --no-confirm
```

![image](https://hackmd.io/_uploads/rylZ-2ZTkg.png)

## Accessing the app

> If you're experiencing a 500 HTTP error from the UI app, this might be because the catalog component didn't bootstrap properly (it uses local data, not an actual EBS volume, which you'll get to experiment with in the next section). To fix it, simply restart the deployment of the catalog app by running the following command:

```bash
kubectl rollout restart deployment retail-store-app-catalog
```

<!--
# WorkShop Security

Wifi password: BrokenWires@@2019

**Survey: https://pulse.aws/survey/1UUON9PN**

> Log in to this page: https://hackmd.io/@allamand/EKSDAY

Poll: https://ahaslides.com/EKSSECU

We will use it to share information / URLs / codes.

[Lab access link](https://catalog.us-east-1.prod.workshops.aws/join?access-code=2a01-0a32b6-33)

**Some useful resources**:

- https://aws.github.io/aws-eks-best-practices/security/docs/
- https://kubernetes.io/docs/concepts/security/security-checklist/
- https://catalog.workshops.aws/eks-security-immersionday
- https://aws.amazon.com/blogs/containers/blue-green-or-canary-amazon-eks-clusters-migration-for-stateless-argocd-workloads/

## LLama-Farmer: Add nodegroups with console

- Install eksdemo and deploy the load balancer controller
- Tag the VPC public subnets to support the load balancer controller

```bash
aws ec2 create-tags \
  --resources subnet-05bb354ee8f014953 subnet-00b770d58c1258642 subnet-0feb6d1d8862bcccf \
  --tags Key=kubernetes.io/cluster/llama-farm,Value=shared Key=kubernetes.io/role/elb,Value=1
```

- Update the Karpenter ec2nc (EC2NodeClass) with the subnet selector `LlamaFarmerVPC-Private*`

```bash
eksctl utils associate-iam-oidc-provider --cluster llama-farm --approve
eksdemo install aws-lb-controller --cluster llama-farm
eksdemo install karpenter --cluster llama-farm
```

Install eks-node-viewer:

```bash
wget https://github.com/awslabs/eks-node-viewer/releases/download/v0.6.0/eks-node-viewer_Linux_x86_64
sudo mv eks-node-viewer_Linux_x86_64 /usr/local/bin/eks-node-viewer
sudo chmod +x /usr/local/bin/eks-node-viewer
eks-node-viewer -extra-labels karpenter.sh/provisioner-name,topology.kubernetes.io/zone,eks.amazonaws.com/nodegroup
```

Deploy penpatroller:

```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: penpatroller
  namespace: penpatroller
spec:
  selector:
    matchLabels:
      app: penpatroller
  replicas: 8
  template:
    metadata:
      labels:
        app: penpatroller
    spec:
      containers:
        - image: 759909076932.dkr.ecr.us-east-1.amazonaws.com/penpatroller:latest
          name: penpatroller
          ports:
            - containerPort: 8000
          resources:
            requests:
              memory: 128Mi
              cpu: 256m
---
apiVersion: v1
kind: Service
metadata:
  name: penpatroller-service
  namespace: penpatroller
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  type: ClusterIP
  selector:
    app: penpatroller
  ports:
    - port: 80
      targetPort: 8000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: penpatroller-ingress
  namespace: penpatroller
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
spec:
  defaultBackend:
    service:
      name: penpatroller-service
      port:
        number: 80
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes",
        "sqs:DeleteMessage"
      ],
      "Resource": [
        "arn:aws:sqs:us-east-1:759909076932:LlamaConveyorBeltSource"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "sqs:SendMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "arn:aws:sqs:us-east-1:759909076932:LlamaConveyorBeltDestination"
      ],
      "Effect": "Allow"
    }
  ]
}
```
-->

<!--
# Workshop EKS Blueprint

```bash
terraform output -raw configure_kubectl | bash
```

# EKS Security Workshop

Install yq from the binary:

```bash
sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq
```

AWS console access to the EKS cluster: show that we can't see resources before adding the role.

- https://catalog.workshops.aws/eks-security-immersionday/en-US/2-identity-and-access-management/1-iam-groups-roles-to-manage-eks-access/8-console-credentials
- https://us-west-2.console.aws.amazon.com/eks/home?region=us-west-2#/clusters/eksworkshop-eksctl?selectedTab=cluster-resources-tab&selectedResourceId=replicasets

![](https://hackmd.io/_uploads/SJ5zug2gT.png)

IRSA: the link to CFN is not working: https://console.aws.amazon.com/cloudformation/

Fix the page: https://catalog.workshops.aws/eks-security-immersionday/en-US/6-network-security/1-network-policies

**For more details, check out the GitHub page for aws-network-policy-agent**

Programmability?

**vpc-cni**

If you have already installed the managed add-on, you can just update its configuration:

```bash
aws eks update-addon --cluster-name eksworkshop-eksctl --addon-name vpc-cni --addon-version v1.14.1-eksbuild.1 --resolve-conflicts OVERWRITE --configuration-values '{"enableNetworkPolicy": "true", "nodeAgent": {"enableCloudWatchLogs": "true"}}'
```

> Use a dynamic VPA to scale down the specs of a Java pod that is very CPU-hungry at startup.

**Use case #1: Restrict privileged containers in the cluster**

When using this rule, we can't create pods like the vpc-cni aws-node DaemonSet because it breaks the rule. We should add some exceptions to the default rule to allow them.

Fix: `kubectl get pod -n amazon-guardduty`

Fix: requires

Fix: GuardDuty Agent pod for the assigned account does not have any annotation with an IAM Role.

---

This page: https://hackmd.io/@allamand/EKSDAY

Survey: https://www.pulse.aws/survey/HKZHCM6G

https://immersiondaysfrance.splashthat.com/

Event: https://catalog.us-east-1.prod.workshops.aws/join?access-code=f965-0a54b9-9b

In `.terraform/modules/eks_cluster.kubernetes_addons/modules/kubernetes-addons/aws-load-balancer-controller/data.tf`, change line 254:

```hcl
statement {
  sid       = ""
  effect    = "Allow"
  resources = ["*"]

  actions = [
    "elasticloadbalancing:AddTags",
    "elasticloadbalancing:RemoveTags",
  ]
}
```

Survey: https://aws.amazon.com/blogs/containers/blue-green-or-canary-amazon-eks-clusters-migration-for-stateless-argocd-workloads/

## Poll link

- https://ahaslides.com/EKSPOLL

## Workshop Link

<!--
- Accessing the lab:
  - https://catalog.us-east-1.prod.workshops.aws/join?access-code=06e0-059b94-69
- Accessing the Instructions:
  - https://eksworkshop.com/docs/introduction/ide/
  - https://eksworkshop.com
  - https://catalog.us-east-1.prod.workshops.aws/join?access-code=cfc2-040422-3d
- Pod Readiness Gate
  - https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.1/deploy/pod_readiness_gate/
-->

<!--
## Agenda

* 9H30 - 10H00: Welcome
* 10H00 - 10H45: Presentation: EKS Introduction and Deepdive
* 10H45 - 12H15: Lab: Introduction / Lab fundamentals:
  * Setup
  * Accessing IDE
  * Getting Started
  * Managed Node Group
  * Pod Affinity
  * Taints
  * Exposing Applications
  * Ingress
* 12H15 - 12H45: Presentation: AutoScaling
  * Cluster Autoscaler
  * Karpenter
* 12H45 - 13H45: Lunch
* 13H45 - 14H30: Lab: Autoscaling
  * Autoscaling
  * HPA
  * Karpenter
* 14H30 - 14H45: Presentation: Security & Networking
* 14H45 - 15H15: Networking
  * Security
    * IRSA
  * Networking
    * Security Group for Pods
* 15H15 - 15H30: Break
* 15H30 - 15H45: Presentation: GitOps
* 15H45 - 16H30: Lab: Automation
  * Automation
  * Flux or Argo
* 16H30 - 17H00: Observability
  * Cost visibility with Kubecost
* 17H00 - 17H30: Summary and conclusion
-->

<!--
| Module | Link | Time |
| -------- | -------- | -- |
| Introduction | https://build-ee0efb6.eksworkshop.com/docs/introduction | 30mn |
| Fundamentals | https://build-ee0efb6.eksworkshop.com/docs/fundamentals/ | 1h |
| Autoscaling | https://build-ee0efb6.eksworkshop.com/docs/autoscaling/ | 1h |
<!--
| Observability | https://build-ee0efb6.eksworkshop.com/docs/observability/ | |
| Security | https://build-ee0efb6.eksworkshop.com/docs/security/ | |
| Networking | https://build-ee0efb6.eksworkshop.com/docs/networking/ | |
| Automation | https://build-ee0efb6.eksworkshop.com/docs/automation/ | |
-->

<!--
| Helm | https://catalog.workshops.aws/eks-immersionday/en-US/helm |
-->

<!--
# Additional commands

You can install additional tools ([k9s](https://k9scli.io/), [eks-nodeviewer](https://github.com/awslabs/eks-node-viewer)):

```bash
# install k9s
curl -sS https://webinstall.dev/k9s | bash
```

Example: k9s filter to see our applications only:

```
assets|carts|catalog|checkout|orders|other|rabbitmq|ui
```

Visualise the nodes:

```bash
# go install github.com/awslabs/eks-node-viewer/cmd/eks-node-viewer@latest
# https://github.com/awslabs/eks-node-viewer/releases/download/v0.6.0/eks-node-viewer_Linux_x86_64
# wget https://github.com/awslabs/eks-node-viewer/releases/download/v0.6.0/eks-node-viewer_Linux_x86_64
# sudo mv eks-node-viewer_Linux_x86_64 /usr/local/bin/eks-node-viewer
# sudo chmod +x /usr/local/bin/eks-node-viewer
eks-node-viewer -extra-labels karpenter.sh/provisioner-name,topology.kubernetes.io/zone,eks.amazonaws.com/nodegroup
```

Or use this setup script:

```bash
aws s3 cp s3://ee-assets-prod-us-east-1/modules/3f05fe2b344a49cda0eb4c465c609b58/v3/eksinit.sh .
chmod 755 eksinit.sh
./eksinit.sh
source ~/.bashrc
```

or

```bash
curl -sSLO https://gist.githubusercontent.com/allamand/2c40b51c4cf24bd370ba51b826752b9e/raw/0e0a1d415d81265ca723291be48ae03cd537249e/eksinit.sh
```

# Next events

- [23/06/2023] [Immersion Day EKS Blueprint Terraform](https://immersionday-cont-eks-juin23.splashthat.com/)

# Survey CSAT

Please take the survey to tell us how we did today.

https://pulse.buildon.aws/survey/U1XFRJ4Z
-->