aws(学习笔记第二十八课) aws eks使用练习(hands on)

aws(学习笔记第二十八课)

使用aws eks

学习内容：

什么是aws eks
aws eks的hands on
aws eks的创建application
eks和kubernetes简介

1. 使用`aws eks`

什么是aws eks
- aws eks的概念
  aws eks是kubernetes在aws上包装出来的新的方式，旨在更加方便结合aws，在aws上使用 kubernetes。实际上aws eks是aws上的managed service。作为执行container的server来说，可以使用EC2或者Fargate都是可以的。
- aws eks和ECS的区别
  区别在于orchestration tool‌的不同，aws eks使用的kubernetes作为orchestration tool‌，如果onpromise上使用的是kubernetes，那么同样的架构能够在aws同样使用。
  ECS使用的orchestration tool‌是aws独自的，智能在aws上使用。
- 什么是orchestration tool‌
  ‌orchestration tool‌是指一种用于协调和管理系统资源、服务和应用程序的工具，以确保它们能够高效、可靠地运行。这种工具通常用于自动化和优化资源的分配和管理，特别是在云计算和容器化环境中。
aws eks的架构
aws上的示例程序
aws上提供了示例程序，能够使用练习eks
eks的示例程序

2. `aws eks`的`hands on`

环境(软件安装)准备

练习用的ec2
这里依然采用方便的cloudshell进行练习
aws cli的版本确认
```
aws --version
```

安装eksctl

curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
eksctl version

安装kubectl
如果使用cloudshell，不用安装kubectl，如果使用的EC2，那么执行下面的命令。

curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.18.8/2020-09-18/bin/linux/amd64/kubectl
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin
kubectl version --client

对于需要的权限设定role进行作成

eksClusterRole的创建
这里的role主要是赋予给eks服务足够的权利。role的名字是eksClusterRole。
保存到文件，之后使用cloudformation进行创建role的操作。

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Amazon EKS Cluster Role'

Resources:
  eksClusterRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - eks.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy

Outputs:
  RoleArn:
    Description: 'The role that Amazon EKS will use to create AWS resources for Kubernetes clusters'
    Value: !GetAtt eksClusterRole.Arn
    Export:
      Name: !Sub '${AWS::StackName}-RoleArn'

eks-nodegroup-role的创建
还需要创建work node的需要的权限role，这个代码由aws提供。
-> aws work node role link

AWSTemplateFormatVersion: "2010-09-09"

Description: Amazon EKS - Node Group Role

Mappings:
  ServicePrincipals:
    aws-cn:
      ec2: ec2.amazonaws.com.cn
    aws-us-gov:
      ec2: ec2.amazonaws.com
    aws:
      ec2: ec2.amazonaws.com

Resources:
  NodeInstanceRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - !FindInMap [ServicePrincipals, !Ref "AWS::Partition", ec2]
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
      Path: /

Outputs:
  NodeInstanceRole:
    Description: The node instance role
    Value: !GetAtt NodeInstanceRole.Arn

创建eks所在的vpc

使用cloudformation来创建vpc
这个vpc的创建json由aws提供示例代码。->eks所在的vpc示例json
这里在subnet指定采用了hardcoding，如果不进行hardcoding发现总是提示错误，暂定对应。

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Amazon EKS Sample VPC - Public subnets only'

Parameters:

  VpcBlock:
    Type: String
    Default: 192.168.0.0/16
    Description: The CIDR range for the VPC. This should be a valid private (RFC 1918) CIDR range.

  Subnet01Block:
    Type: String
    Default: 192.168.64.0/18
    Description: CidrBlock for subnet 01 within the VPC

  Subnet02Block:
    Type: String
    Default: 192.168.128.0/18
    Description: CidrBlock for subnet 02 within the VPC

  Subnet03Block:
    Type: String
    Default: 192.168.192.0/18
    Description: CidrBlock for subnet 03 within the VPC. This is used only if the region has more than 2 AZs.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      -
        Label:
          default: "Worker Network Configuration"
        Parameters:
          - VpcBlock
          - Subnet01Block
          - Subnet02Block
          - Subnet03Block

Conditions:
  Has2Azs:
    Fn::Or:
      - Fn::Equals:
        - {Ref: 'AWS::Region'}
        - ap-south-1
      - Fn::Equals:
        - {Ref: 'AWS::Region'}
        - ap-northeast-2
      - Fn::Equals:
        - {Ref: 'AWS::Region'}
        - ca-central-1
      - Fn::Equals:
        - {Ref: 'AWS::Region'}
        - cn-north-1
      - Fn::Equals:
        - {Ref: 'AWS::Region'}
        - sa-east-1
      - Fn::Equals:
        - {Ref: 'AWS::Region'}
        - us-west-1

  HasMoreThan2Azs:
    Fn::Not:
      - Condition: Has2Azs

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock:  !Ref VpcBlock
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
      - Key: Name
        Value: !Sub '${AWS::StackName}-VPC'

  InternetGateway:
    Type: "AWS::EC2::InternetGateway"

  VPCGatewayAttachment:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
      - Key: Name
        Value: Public Subnets
      - Key: Network
        Value: Public

  Route:
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  Subnet01:
    Type: AWS::EC2::Subnet
    Metadata:
      Comment: Subnet 01
    Properties:
      MapPublicIpOnLaunch: true
      AvailabilityZone:  ap-northeast-1a
      CidrBlock:
        Ref: Subnet01Block
      VpcId:
        Ref: VPC
      Tags:
      - Key: Name
        Value: !Sub "${AWS::StackName}-Subnet01"
      - Key: kubernetes.io/role/elb
        Value: 1

  Subnet02:
    Type: AWS::EC2::Subnet
    Metadata:
      Comment: Subnet 02
    Properties:
      MapPublicIpOnLaunch: true
      AvailabilityZone: ap-northeast-1c
      CidrBlock:
        Ref: Subnet02Block
      VpcId:
        Ref: VPC
      Tags:
      - Key: Name
        Value: !Sub "${AWS::StackName}-Subnet02"
      - Key: kubernetes.io/role/elb
        Value: 1

  Subnet03:
    Condition: HasMoreThan2Azs
    Type: AWS::EC2::Subnet
    Metadata:
      Comment: Subnet 03
    Properties:
      MapPublicIpOnLaunch: true
      AvailabilityZone:  ap-northeast-1d
      CidrBlock:
        Ref: Subnet03Block
      VpcId:
        Ref: VPC
      Tags:
      - Key: Name
        Value: !Sub "${AWS::StackName}-Subnet03"
      - Key: kubernetes.io/role/elb
        Value: 1

  Subnet01RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Subnet01
      RouteTableId: !Ref RouteTable

  Subnet02RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Subnet02
      RouteTableId: !Ref RouteTable

  Subnet03RouteTableAssociation:
    Condition: HasMoreThan2Azs
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Subnet03
      RouteTableId: !Ref RouteTable

  ControlPlaneSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cluster communication with worker nodes
      VpcId: !Ref VPC

Outputs:

  SubnetIds:
    Description: All subnets in the VPC
    Value:
      Fn::If:
      - HasMoreThan2Azs
      - !Join [ ",", [ !Ref Subnet01, !Ref Subnet02, !Ref Subnet03 ] ]
      - !Join [ ",", [ !Ref Subnet01, !Ref Subnet02 ] ]

  SecurityGroups:
    Description: Security group for the cluster control plane communication with worker nodes
    Value: !Join [ ",", [ !Ref ControlPlaneSecurityGroup ] ]

  VpcId:
    Description: The VPC Id
    Value: !Ref VPC

在eks所在的vpc中创建eks cluster
- 选择自定义配置
  注意，这里千万不要选择EKS自治模式-全新，如果选择，后面创建的work node会出现错误！
- 设定cluster名字和role
  这里设定eks-cluster，role选择上面创建的eksClusterRole。
- 设置IAM角色
  这里设置administor的权限，ec-role。
- ec2-role的权限设定
- 设置vpc
  这里设置前面已经创建的vpc。
- 集群端点访问设定
  这里设置成public
- 等待cluster创建
  这里大概要等待10分钟
在eks所在的cluster中创建kubeconfig
- 作成kubeconfig文件
  如果不做成kubeconfig文件，无法访问eks cluster。
```
aws eks --region ap-northeast-1 update-kubeconfig --name eks-cluster
```
尝试链接eks所在的cluster
- 链接测试
```
kubectl get svc
```
作成eks cluster中的work node
- 启动work node group
- 这是work node group的名字和IAM role
  这里设定的role就是前面创建的role。名字设置为work-node-group。
- 设定ec2 type，节点数和磁盘大小
- 等待work node group创建，这里需要5分钟
- 检查ec2
  可以看到这里作成了三个ec2 instances。

3. `aws eks`的创建`application`

部署redis数据库

使用下面的github上的官方sample程序
redis-master-controller

git clone https://github.com/kubernetes/examples.git
cd examples/guestbook-go

之后进入example文件夹，启动redis controller
```
kubectl apply -f redis-master-controller.yaml
```

启动redis service

kubectl apply -f redis-master-service.yaml

部署guest-book服务

启动guest-book

kubectl apply -f guestbook-controller.yaml
kubectl apply -f guestbook-service.yaml

确定external ip

kubectl get pod,svc -o wide

这里看出external ip没有已经成功。

[cloudshell-user@ip-10-132-94-203 guestbook-go]$ kubectl get pod,svc -o wide
NAME                     READY   STATUS    RESTARTS   AGE   IP                NODE                                                 NOMINATED NODE   READINESS GATES
pod/guestbook-fpcrt      1/1     Running   0          36s   192.168.140.31    ip-192-168-187-37.ap-northeast-1.compute.internal    <none>           <none>
pod/guestbook-gm9sh      1/1     Running   0          36s   192.168.115.254   ip-192-168-101-164.ap-northeast-1.compute.internal   <none>           <none>
pod/guestbook-l8hkb      1/1     Running   0          36s   192.168.200.226   ip-192-168-226-52.ap-northeast-1.compute.internal    <none>           <none>
pod/redis-master-tl8wh   1/1     Running   0          70s   192.168.190.37    ip-192-168-187-37.ap-northeast-1.compute.internal    <none>           <none>

NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP                                                                    PORT(S)          AGE    SELECTOR
service/guestbook      LoadBalancer   10.100.160.68    a2a85261d601c46049d98728d4861990-1486435799.ap-northeast-1.elb.amazonaws.com   3000:30560/TCP   26s    app=guestbook
service/kubernetes     ClusterIP      10.100.0.1       <none>                                                                         443/TCP          169m   <none>
service/redis-master   ClusterIP      10.100.153.210   <none>                                                                         6379/TCP         49s    app=redis,role=master

访问guest-book服务

http://a2a85261d601c46049d98728d4861990-1486435799.ap-northeast-1.elb.amazonaws.com:3000

guest-book服务启动成功。在这里插入图片描述

4. `aws eks`和`kubernetes`简介

关于 aws eks和kubernetes
EKS（Elastic Kubernetes Service）就是aws提供的managed Kubenetes服务。通过aws的managed封装，能够便利的管理Kubenetes服务，减轻运用的负担。并且，通过aws的managed服务，更好的利用kubenetes提供的各种resource。
Kubenetes(K8S)是Google公司开发的Borg项目为基础的OSS(Open Source Software)。Kubenetes(K8S)能够对container化的应用程序进行部署(deploy)，自动的scaling，并且进行管理。非常多的云(cloud)提供商的系统本身就是使用的Kubenetes。
以下是Kubenetes的整体架构。
什么是Control Plain(master node)
Control Plain(master node)就是集群cluster内部的work node和container管理的节点node。在eks cluster之后存在着两种节点。
- Control Plain(master node)
- work node
Control Plain(master node)保持着kubernetes中对象的状态，接受从client来的command，进行API Action的执行，进行container部署。或者，schduler在Control Plain(master node)进行动作，通知work node上的kubelet(agent)进行动作。kubelet(agent)，接受Control plain(master)的指示启动container。
什么是work node
work node就是实际上就是接受Control Plain(master node) 的指示，启动container。work node既可以选择ec2，也可以选择fargate。
aws eks的构成