import cdk = require("aws-cdk-lib");
import { Construct } from 'constructs';
import * as eks from 'aws-cdk-lib/aws-eks';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import { VpcProvider } from '../vpc';
/**
 * Inputs for {@link EksWithWorkerNodeStack}.
 *
 * All values are passed straight through to the cluster, the two
 * self-managed worker-node groups and the managed addons; none of them
 * are validated here, so version strings must be ones EKS accepts.
 */
export interface EksWithWorkerNodeStackProps extends cdk.StackProps {
  /** Kubernetes control-plane version, e.g. a value accepted by `eks.KubernetesVersion.of`. */
  readonly cluster_version: string;
  /** EC2 instance type of the on-demand worker-node group. */
  readonly cluster_instance_type: string;
  /** EC2 instance type of the spot worker-node group. */
  readonly cluster_spot_instance_type: string;
  /** Maximum spot bid, passed as `spotPrice` to the spot group's Auto Scaling group. */
  readonly cluster_spot_price: string;
  /**
   * Minimum size of the spot worker-node group. NOTE(review): the stack
   * currently applies this value to the on-demand group as well.
   */
  readonly cluster_spot_instance_min_capacity: number;
  /** Version of the `vpc-cni` managed addon. */
  readonly addon_vpc_cni_version: string;
  /** Version of the `kube-proxy` managed addon. */
  readonly addon_kube_proxy_version: string;
  /** Version of the `coredns` managed addon. */
  readonly addon_core_dns_version: string;
}
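/**
 * EKS cluster with a private API endpoint, a spot and an on-demand
 * self-managed worker-node group, IRSA for the `aws-node` (VPC CNI)
 * daemonset and the `vpc-cni` / `kube-proxy` / `coredns` managed addons.
 */
export class EksWithWorkerNodeStack extends cdk.Stack {
  /**
   * @param scope Parent construct.
   * @param id    Stack id.
   * @param props Cluster version, instance types, spot settings and addon versions.
   */
  constructor(scope: Construct, id: string, props: EksWithWorkerNodeStackProps) {
    super(scope, id, props);

    // `fromLookup` resolves the VPC from CDK context at synth time and is typed
    // as always returning an IVpc, so the `||` fallback cannot be reached.
    // Kept unchanged here; NOTE(review): either drop the fallback or make the
    // lookup conditional if a freshly created VPC is really intended.
    const vpc = ec2.Vpc.fromLookup(this, 'ExistingVPC', { vpcName: 'vpcSample/Vpc' }) || VpcProvider.createSimple(this);

    // This role is mapped to `system:masters` by the cluster. With
    // AccountRootPrincipal, any IAM identity in the account that is allowed to
    // call sts:AssumeRole on it becomes cluster-admin; consider narrowing
    // `assumedBy` to the specific operator principals.
    const mastersRole = new iam.Role(this, 'AdminRole', {
      assumedBy: new iam.AccountRootPrincipal(),
    });

    const cluster = new eks.Cluster(this, 'Cluster', {
      vpc,
      vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }],
      // Creates one managed nodegroup (CDK default instance type) in addition
      // to the two self-managed groups below.
      defaultCapacity: 1,
      mastersRole,
      version: eks.KubernetesVersion.of(props.cluster_version),
      endpointAccess: eks.EndpointAccess.PRIVATE, // No access outside of your VPC.
    });

    // Worker nodes are rotated at most every 7 days via maxInstanceLifetime.
    // Isolated subnets have no NAT route, so these nodes can only bootstrap
    // (EKS, ECR, STS, S3, ...) through VPC endpoints — presumably provided by
    // the looked-up VPC; verify against the VPC definition.
    const spotNodes = cluster.addAutoScalingGroupCapacity('spot-worker-node', {
      vpcSubnets: { subnets: vpc.isolatedSubnets },
      instanceType: new ec2.InstanceType(props.cluster_spot_instance_type),
      maxInstanceLifetime: cdk.Duration.days(7),
      spotPrice: props.cluster_spot_price,
      minCapacity: props.cluster_spot_instance_min_capacity,
    });
    const demandNodes = cluster.addAutoScalingGroupCapacity('demand-worker-node', {
      instanceType: new ec2.InstanceType(props.cluster_instance_type),
      maxInstanceLifetime: cdk.Duration.days(7),
      // NOTE(review): the on-demand group reuses the spot min-capacity prop;
      // add a dedicated optional prop if the two groups should size differently.
      minCapacity: props.cluster_spot_instance_min_capacity,
    });

    // Patch aws-node daemonset to use IRSA via EKS Addons, do before nodes are created
    // https://aws.github.io/aws-eks-best-practices/security/docs/iam/#update-the-aws-node-daemonset-to-use-irsa
    // The condition keys embed the OIDC issuer, which is only known at deploy
    // time, so the trust policy is built through CfnJson.
    const oidcIssuer = cluster.openIdConnectProvider.openIdConnectProviderIssuer;
    const awsNodeTrustPolicy = new cdk.CfnJson(this, 'aws-node-trust-policy', {
      value: {
        [`${oidcIssuer}:aud`]: 'sts.amazonaws.com',
        // Restricts the role to the single aws-node service account.
        [`${oidcIssuer}:sub`]: 'system:serviceaccount:kube-system:aws-node',
      },
    });
    const awsNodePrincipal = new iam.OpenIdConnectPrincipal(cluster.openIdConnectProvider).withConditions({
      StringEquals: awsNodeTrustPolicy,
    });
    const awsNodeRole = new iam.Role(this, 'aws-node-role', {
      assumedBy: awsNodePrincipal,
    });
    awsNodeRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKS_CNI_Policy'));

    // Addons
    const vpcCniAddon = new eks.CfnAddon(this, 'vpc-cni', {
      addonName: 'vpc-cni',
      resolveConflicts: 'OVERWRITE',
      clusterName: cluster.clusterName,
      addonVersion: props.addon_vpc_cni_version,
      serviceAccountRoleArn: awsNodeRole.roleArn,
    });
    new eks.CfnAddon(this, 'kube-proxy', {
      addonName: 'kube-proxy',
      resolveConflicts: 'OVERWRITE',
      clusterName: cluster.clusterName,
      addonVersion: props.addon_kube_proxy_version,
    });
    new eks.CfnAddon(this, 'core-dns', {
      addonName: 'coredns',
      resolveConflicts: 'OVERWRITE',
      clusterName: cluster.clusterName,
      addonVersion: props.addon_core_dns_version,
    });

    // Declaration order alone does not order deployment: make the
    // "do before nodes are created" requirement above explicit so aws-node
    // starts with the IRSA role instead of the node instance role.
    spotNodes.node.addDependency(vpcCniAddon);
    demandNodes.node.addDependency(vpcCniAddon);
    cluster.defaultNodegroup?.node.addDependency(vpcCniAddon);

    new cdk.CfnOutput(this, 'Region', { value: cdk.Stack.of(this).region });
    new cdk.CfnOutput(this, 'ClusterVersion', { value: props.cluster_version });
  }
}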