Skip to content

Part 1: Provision

What Will You Do

In part 1, you will:

  • Create a Cloud Credential
  • Configure and Provision an Amazon EKS cluster
  • Access the cluster using the integrated "Kubernetes Resources Dashboard"

Step 1: Create Cloud Credential

Cloud credentials provide the controller with the privileges required to programmatically interact with your Amazon AWS account to manage the lifecycle of infrastructure associated with the Amazon EKS cluster.

  • Follow the step-by-step instructions to create an IAM Role based cloud credential.
  • In our example, our cloud credential is named "demo"
  • Click on "Validate" to verify if the newly created cloud credential to ensure it is configured properly.

Validate Cloud Credential


Step 2: Configure EKS Cluster

In this step, you will configure and provision an Amazon EKS Cluster with the following configuration:

  • A private (cloaked) EKS control plane in the "us-west-2" region
  • Auto create new VPCs and subnets
  • A "managed node group" with two worker nodes based on "t3.large" instance type

The following will be automatically selected by default

  • gp3 storage volumes
  • Amazon Linux2 OS for the worker nodes
  • IAM roles for ASG and ECR access enabled
  • Minimal Cluster Blueprint

Note

You can either use the web console OR use a declarative cluster specification and use the RCTL CLI to provision and manage your EKS cluster.

Login into the controller's web console and into your Org.

  • Navigate to the "defaultproject" and click on "New Cluster"
  • Select "Public Cloud -> AWS -> EKS"

New EKS Cluster

In the cluster configuration wizard,

  • Enter the "name" for the EKS cluster (demo-eks-testing in our case)
  • Select the "cloud credential" from the drop down
  • Select "us-west-2" from the region drop down

EKS Cluster-General Settings

In the node group settings,

  • For the node group name, enter "ng-1"
  • Ensure "Managed Node Group" is selected
  • Enter "t3.large" for the instance type after selecting "custom"

EKS Cluster-Node Group Settings

Click on "Save Changes" and Click on "Provision" to start provisioning the EKS Cluster in your AWS account.

EKS Cluster-Provision

You can monitor the progress of your Amazon EKS cluster being provisioned step by step right in the web console.

EKS Cluster-Provision in Progress

Note

It can take 30-40 minutes to fully provision the EKS Control plane, the worker nodes, the cluster blueprint's resources.

Once provisioning is complete, you should see a healthy EKS cluster with a worker node and all the resources associated with the cluster blueprint.

EKS Cluster-Provision Successful

In this step, we will provide the RCTL CLI with a "declarative cluster specification" for our Amazon EKS Cluster. We will then use the RCTL CLI to send a suitable command to the controller to initiate provisioning or future lifecycle operations.

Save the cluster specification file below to your computer as "eks-cluster-basic.yaml"

kind: Cluster
metadata:
  name: demo-eks-testing
  project: defaultproject
spec:
  type: eks
  cloudprovider: demo
  blueprint: minimal
---
apiVersion: rafay.io/v1alpha5
kind: ClusterConfig

metadata:
  name: demo-eks-testing
  region: us-west-2

managedNodeGroups:
  - name: ng-1
    instanceType: t3.large
    desiredCapacity: 1

Update the following sections of the specification file with details to match your environment.

  • Update the "project" with the name of your project (if you are using a different project other than defaultproject)
  • Update the "cloud credentials" name

Execute the following command to provision the cluster from the specification file previously defined

./rctl apply -f eks-cluster-testing.yaml

If there are no obvious issues with the cluster specification file, the RCTL CLI will initiate provisioning and return the user with a "Task ID". The user can then use the CLI and the task id to check and monitor status.

Example Output

Cluster: demo-eks-testing
{
  "taskset_id": "d2wg4k8",
  "operations": [
    {
      "operation": "NodegroupCreation",
      "resource_name": "ng-1",
      "status": "PROVISION_TASK_STATUS_PENDING"
    },
    {
      "operation": "ClusterCreation",
      "resource_name": "demo-eks-testing",
      "status": "PROVISION_TASK_STATUS_PENDING"
    }
  ],
  "comments": "The status of the operations can be fetched using taskset_id",
  "status": "PROVISION_TASKSET_STATUS_PENDING"
}

To retrieve the status of the CLI operation, enter the below command with the generated "task id"

./rctl status apply <d2wg4k8>

This should provide with current status of the operation. An illustrative example is shown below.

{
  "taskset_id": "d2wg4k8",
  "operations": [
    {
      "operation": "NodegroupCreation",
      "resource_name": "ng-1",
      "status": "PROVISION_TASK_STATUS_PENDING"
    },
    {
      "operation": "ClusterCreation",
      "resource_name": "demo-eks-testing",
      "status": "PROVISION_TASK_STATUS_INPROGRESS"
    }
  ],
  "comments": "Configuration is being applied to the cluster",
  "status": "PROVISION_TASKSET_STATUS_INPROGRESS"
}

Step 3: Zero Trust Kubectl

Important

Provisionioning an EKS cluster's control plane, configured nodes and applying the cluster blueprint can take 30-40 mins of time.

In the cluster specification, we specified our Amazon EKS Cluster's API Server to be private and secure (i.e. cloaked and not directly reachable on the Internet).

Once provisioning is complete and the cluster blueprint has been synchronized, we will attempt to perform Kubectl operations against our "cloaked" EKS cluster operating "behind a firewall".

The controller provides a zero trust kubectl channel for authorized users.

  • Navigate to the EKS Cluster Card in the project where you provisioned the EKS Cluster
  • Click on the "Kubectl" link
  • This will launch a web based shell for you to securely interact with the API server over a zero trust channel
  • Type a kubectl command such as "kubectl get po -A" to list the pods in ALL the namespaces in your EKS cluster
  • You should see something like the following example.

ZTKA to EKS Cluster

Note

Learn more about Zero Trust Access.


Step 4: Kubernetes Resource Dashboards

The cluster dashboard also comes with an integrated "Kubernetes Resources" dashboard.

  • Click on "Resources" on the cluster card and in a few seconds, all the Kubernetes resources, their status etc is retrieved in near real time and presented to the user. You should see something like the screenshot below.

k8s Resources Dashboard

Note

Learn more about the Integrated Kubernetes Dashboard.


Recap

Congratulations! At this point, you have

  • Successfully configured and provisioned an Amazon EKS cluster in your AWS account using the controller
  • Used the zero trust kubectl service to securely interact with the EKS cluster's API server
  • Used the integrated Kubernetes resources dashboard to view the resources operational on the cluster.