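---
# eksctl ClusterConfig: one EKS cluster ("simple") with three single-AZ
# on-demand node groups that share one configuration through a YAML anchor.
#   eksctl create cluster   --config-file=./simple.yaml
#   eksctl create nodegroup --config-file=./simple.yaml --include "<nodegroup-name>"
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: simple
  region: us-west-2
  # Quoted on purpose: an unquoted 1.23 is parsed as a float, not a version.
  # NOTE(review): confirm this control-plane version is still within EKS
  # support before creating a new cluster; unsupported versions no longer
  # receive security patches.
  version: "1.23"
iam:
  # Creates an IAM OIDC provider for the cluster so workloads can use IAM Roles
  # for Service Accounts (IRSA) instead of inheriting the node instance role.
  withOIDC: true
# Envelope encryption of Kubernetes Secrets with a KMS key is not configured;
# without it Secrets are protected only by the EKS-managed etcd encryption.
# To enable it, supply a customer-managed key:
# secretsEncryption:
#   keyARN: "<kms-key-arn>"
vpc:
  # No subnet data given: eksctl creates a new VPC and subnets automatically.
  clusterEndpoints:
    # Both endpoints are enabled. With publicAccess: true and no
    # publicAccessCIDRs, the API server endpoint accepts connections from any
    # IPv4 address (authentication still applies, but the endpoint is exposed
    # to the whole internet). Restrict it to known source ranges, e.g.:
    # publicAccessCIDRs: ["<office-or-vpn-cidr>"]
    publicAccess: true
    privateAccess: true
nodeGroups:
  # eksctl create nodegroup --config-file=./simple.yaml --include "primary-on-demand-uw2a-v1"
  # eksctl delete nodegroup --config-file=./simple.yaml --include "primary-on-demand-uw2a-v1"
  # The first node group defines the shared settings (anchor); the uw2b and
  # uw2c groups merge them in. Volume encryption and the 100 GB root volume
  # are part of the shared settings.
  - name: primary-on-demand-uw2a-v1
    # Items for this node group only
    availabilityZones: ["us-west-2a"]
    # Shared settings for every primary on-demand node group. The YAML merge
    # key (<<:) is a shallow merge; a key set directly on a node group
    # overrides the merged value.
    <<: &primaryOnDemandInstanceConfiguration
      labels:
        role: primary
      minSize: 1
      desiredCapacity: 1
      maxSize: 8
      # Worker instances get private IPs only (no public IP per node).
      privateNetworking: true
      # disablePodIMDS: true
      # Blocks pod access to the EC2 instance metadata service (IMDS). Without
      # it, any pod on the node can fetch the node instance-role credentials
      # from the metadata endpoint and act with every permission granted under
      # iam: below. With withOIDC enabled, pods should instead get AWS access
      # through IRSA. The file notes this option is incompatible with
      # iam.withAddonPolicies, so the EBS CSI driver and CloudWatch agent need
      # to be moved to IRSA first; far easier to adopt on day one than to
      # retrofit later.
      volumeSize: 100
      # Root volume is encrypted at rest. No volumeKmsKeyID is given, so the
      # AWS-managed EBS key is used; set one to use a customer-managed key.
      volumeEncrypted: true
      asgSuspendProcesses:
        # Stops the ASG from terminating instances to rebalance across AZs,
        # which would evict pods unexpectedly (each group is single-AZ anyway).
        - AZRebalance
      tags:
        # Discovery tags for cluster-autoscaler; quoted so they stay strings.
        k8s.io/cluster-autoscaler/enabled: "true"
        k8s.io/cluster-autoscaler/simple: "true"
        kubernetes.io/cluster/simple: "owned"
      iam:
        # Adds EBS and CloudWatch permissions to the NODE instance role, so
        # every pod that can reach IMDS inherits them. DON'T USE THIS WITH
        # DISABLE POD IMDS; prefer IRSA for these add-ons.
        withAddonPolicies:
          ebs: true
          cloudWatch: true
        attachPolicyARNs:
          # The first two are required and attached by default, but listing
          # attachPolicyARNs explicitly replaces the defaults, so they must be
          # repeated here.
          - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
          - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
          - arn:aws:iam::aws:policy/AmazonEKSVPCResourceController # Pod security groups support
          - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly # Read from Container Registry
  # eksctl create nodegroup --config-file=./simple.yaml --include "primary-on-demand-uw2b-v1"
  # eksctl delete nodegroup --config-file=./simple.yaml --include "primary-on-demand-uw2b-v1"
  - name: primary-on-demand-uw2b-v1
    # Items for this node group only
    availabilityZones: ["us-west-2b"]
    # Import all shared settings from the anchor above
    <<: *primaryOnDemandInstanceConfiguration
  # eksctl create nodegroup --config-file=./simple.yaml --include "primary-on-demand-uw2c-v1"
  # eksctl delete nodegroup --config-file=./simple.yaml --include "primary-on-demand-uw2c-v1"
  - name: primary-on-demand-uw2c-v1
    # Items for this node group only
    availabilityZones: ["us-west-2c"]
    # Import all shared settings from the anchor above
    <<: *primaryOnDemandInstanceConfiguration
# Control-plane log types shipped to CloudWatch Logs.
# Valid entries are: "api", "audit", "authenticator", "controllerManager", "scheduler", "all", "*".
cloudWatch:
  clusterLogging:
    # "audit" is enabled in addition to "api" and "authenticator": the
    # Kubernetes audit log is the per-request record of who did what against
    # the API server, which is what detection rules and incident response
    # depend on; the other two types do not capture that trail.
    enableTypes: ["api", "audit", "authenticator"]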