Created
June 21, 2019 23:28
-
-
Save daxmc99/c1cfe1ba612a1b9602f9ada942394a66 to your computer and use it in GitHub Desktop.
EKS cloudformation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
AWSTemplateFormatVersion: '2010-09-09' | |
Description: 'Amazon EKS - Node Group' | |
Parameters: | |
KeyName: | |
Description: The EC2 Key Pair to allow SSH access to the instances | |
Type: AWS::EC2::KeyPair::KeyName | |
NodeImageId: | |
Type: AWS::EC2::Image::Id | |
Description: AMI id for the node instances. | |
NodeInstanceType: | |
Description: EC2 instance type for the node instances | |
Type: String | |
Default: t3.medium | |
AllowedValues: | |
- t2.small | |
- t2.medium | |
- t2.large | |
- t2.xlarge | |
- t2.2xlarge | |
- t3.nano | |
- t3.micro | |
- t3.small | |
- t3.medium | |
- t3.large | |
- t3.xlarge | |
- t3.2xlarge | |
- m3.medium | |
- m3.large | |
- m3.xlarge | |
- m3.2xlarge | |
- m4.large | |
- m4.xlarge | |
- m4.2xlarge | |
- m4.4xlarge | |
- m4.10xlarge | |
- m5.large | |
- m5.xlarge | |
- m5.2xlarge | |
- m5.4xlarge | |
- m5.12xlarge | |
- m5.24xlarge | |
- c4.large | |
- c4.xlarge | |
- c4.2xlarge | |
- c4.4xlarge | |
- c4.8xlarge | |
- c5.large | |
- c5.xlarge | |
- c5.2xlarge | |
- c5.4xlarge | |
- c5.9xlarge | |
- c5.18xlarge | |
- i3.large | |
- i3.xlarge | |
- i3.2xlarge | |
- i3.4xlarge | |
- i3.8xlarge | |
- i3.16xlarge | |
- r3.xlarge | |
- r3.2xlarge | |
- r3.4xlarge | |
- r3.8xlarge | |
- r4.large | |
- r4.xlarge | |
- r4.2xlarge | |
- r4.4xlarge | |
- r4.8xlarge | |
- r4.16xlarge | |
- x1.16xlarge | |
- x1.32xlarge | |
- p2.xlarge | |
- p2.8xlarge | |
- p2.16xlarge | |
- p3.2xlarge | |
- p3.8xlarge | |
- p3.16xlarge | |
- r5.large | |
- r5.xlarge | |
- r5.2xlarge | |
- r5.4xlarge | |
- r5.12xlarge | |
- r5.24xlarge | |
- r5d.large | |
- r5d.xlarge | |
- r5d.2xlarge | |
- r5d.4xlarge | |
- r5d.12xlarge | |
- r5d.24xlarge | |
- z1d.large | |
- z1d.xlarge | |
- z1d.2xlarge | |
- z1d.3xlarge | |
- z1d.6xlarge | |
- z1d.12xlarge | |
ConstraintDescription: Must be a valid EC2 instance type | |
NodeAutoScalingGroupMinSize: | |
Type: Number | |
Description: Minimum size of Node Group ASG. | |
Default: 1 | |
NodeAutoScalingGroupMaxSize: | |
Type: Number | |
Description: Maximum size of Node Group ASG. Set to at least 1 greater than NodeAutoScalingGroupDesiredCapacity. | |
Default: 4 | |
NodeAutoScalingGroupDesiredCapacity: | |
Type: Number | |
Description: Desired capacity of Node Group ASG. | |
Default: 3 | |
NodeVolumeSize: | |
Type: Number | |
Description: Node volume size | |
Default: 20 | |
ClusterName: | |
Description: The cluster name provided when the cluster was created. If it is incorrect, nodes will not be able to join the cluster. | |
Type: String | |
BootstrapArguments: | |
Description: Arguments to pass to the bootstrap script. See files/bootstrap.sh in https://github.com/awslabs/amazon-eks-ami | |
Default: "" | |
Type: String | |
NodeGroupName: | |
Description: Unique identifier for the Node Group. | |
Type: String | |
ClusterControlPlaneSecurityGroup: | |
Description: The security group of the cluster control plane. | |
Type: AWS::EC2::SecurityGroup::Id | |
VpcId: | |
Description: The VPC of the worker instances | |
Type: AWS::EC2::VPC::Id | |
Subnets: | |
Description: The subnets where workers can be created. | |
Type: List<AWS::EC2::Subnet::Id> | |
PublicIp: | |
Description: Associate the public IP addresses of the worker nodes | |
Type: String | |
Default: "true" | |
Metadata: | |
AWS::CloudFormation::Interface: | |
ParameterGroups: | |
- | |
Label: | |
default: "EKS Cluster" | |
Parameters: | |
- ClusterName | |
- ClusterControlPlaneSecurityGroup | |
- | |
Label: | |
default: "Worker Node Configuration" | |
Parameters: | |
- NodeGroupName | |
- NodeAutoScalingGroupMinSize | |
- NodeAutoScalingGroupDesiredCapacity | |
- NodeAutoScalingGroupMaxSize | |
- NodeInstanceType | |
- NodeImageId | |
- NodeVolumeSize | |
- KeyName | |
- BootstrapArguments | |
- | |
Label: | |
default: "Worker Network Configuration" | |
Parameters: | |
- VpcId | |
- Subnets | |
Resources: | |
NodeInstanceProfile: | |
Type: AWS::IAM::InstanceProfile | |
Properties: | |
Path: "/" | |
Roles: | |
- !Ref NodeInstanceRole | |
NodeInstanceRole: | |
Type: AWS::IAM::Role | |
Properties: | |
AssumeRolePolicyDocument: | |
Version: '2012-10-17' | |
Statement: | |
- Effect: Allow | |
Principal: | |
Service: | |
- ec2.amazonaws.com | |
Action: | |
- sts:AssumeRole | |
Path: "/" | |
ManagedPolicyArns: | |
- arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy | |
- arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy | |
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly | |
NodeSecurityGroup: | |
Type: AWS::EC2::SecurityGroup | |
Properties: | |
GroupDescription: Security group for all nodes in the cluster | |
VpcId: | |
!Ref VpcId | |
Tags: | |
- Key: !Sub "kubernetes.io/cluster/${ClusterName}" | |
Value: 'owned' | |
NodeSecurityGroupIngress: | |
Type: AWS::EC2::SecurityGroupIngress | |
DependsOn: NodeSecurityGroup | |
Properties: | |
Description: Allow node to communicate with each other | |
GroupId: !Ref NodeSecurityGroup | |
SourceSecurityGroupId: !Ref NodeSecurityGroup | |
IpProtocol: '-1' | |
FromPort: 0 | |
ToPort: 65535 | |
NodeSecurityGroupFromControlPlaneIngress: | |
Type: AWS::EC2::SecurityGroupIngress | |
DependsOn: NodeSecurityGroup | |
Properties: | |
Description: Allow worker Kubelets and pods to receive communication from the cluster control plane | |
GroupId: !Ref NodeSecurityGroup | |
SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup | |
IpProtocol: tcp | |
FromPort: 1025 | |
ToPort: 65535 | |
ControlPlaneEgressToNodeSecurityGroup: | |
Type: AWS::EC2::SecurityGroupEgress | |
DependsOn: NodeSecurityGroup | |
Properties: | |
Description: Allow the cluster control plane to communicate with worker Kubelet and pods | |
GroupId: !Ref ClusterControlPlaneSecurityGroup | |
DestinationSecurityGroupId: !Ref NodeSecurityGroup | |
IpProtocol: tcp | |
FromPort: 1025 | |
ToPort: 65535 | |
NodeSecurityGroupFromControlPlaneOn443Ingress: | |
Type: AWS::EC2::SecurityGroupIngress | |
DependsOn: NodeSecurityGroup | |
Properties: | |
Description: Allow pods running extension API servers on port 443 to receive communication from cluster control plane | |
GroupId: !Ref NodeSecurityGroup | |
SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup | |
IpProtocol: tcp | |
FromPort: 443 | |
ToPort: 443 | |
ControlPlaneEgressToNodeSecurityGroupOn443: | |
Type: AWS::EC2::SecurityGroupEgress | |
DependsOn: NodeSecurityGroup | |
Properties: | |
Description: Allow the cluster control plane to communicate with pods running extension API servers on port 443 | |
GroupId: !Ref ClusterControlPlaneSecurityGroup | |
DestinationSecurityGroupId: !Ref NodeSecurityGroup | |
IpProtocol: tcp | |
FromPort: 443 | |
ToPort: 443 | |
ClusterControlPlaneSecurityGroupIngress: | |
Type: AWS::EC2::SecurityGroupIngress | |
DependsOn: NodeSecurityGroup | |
Properties: | |
Description: Allow pods to communicate with the cluster API Server | |
GroupId: !Ref ClusterControlPlaneSecurityGroup | |
SourceSecurityGroupId: !Ref NodeSecurityGroup | |
IpProtocol: tcp | |
ToPort: 443 | |
FromPort: 443 | |
NodeGroup: | |
Type: AWS::AutoScaling::AutoScalingGroup | |
Properties: | |
DesiredCapacity: !Ref NodeAutoScalingGroupDesiredCapacity | |
LaunchConfigurationName: !Ref NodeLaunchConfig | |
MinSize: !Ref NodeAutoScalingGroupMinSize | |
MaxSize: !Ref NodeAutoScalingGroupMaxSize | |
VPCZoneIdentifier: | |
!Ref Subnets | |
Tags: | |
- Key: Name | |
Value: !Sub "${ClusterName}-${NodeGroupName}-Node" | |
PropagateAtLaunch: 'true' | |
- Key: !Sub 'kubernetes.io/cluster/${ClusterName}' | |
Value: 'owned' | |
PropagateAtLaunch: 'true' | |
UpdatePolicy: | |
AutoScalingRollingUpdate: | |
MaxBatchSize: '1' | |
MinInstancesInService: !Ref NodeAutoScalingGroupDesiredCapacity | |
PauseTime: 'PT5M' | |
NodeLaunchConfig: | |
Type: AWS::AutoScaling::LaunchConfiguration | |
Properties: | |
AssociatePublicIpAddress: !Ref PublicIp | |
IamInstanceProfile: !Ref NodeInstanceProfile | |
ImageId: !Ref NodeImageId | |
InstanceType: !Ref NodeInstanceType | |
KeyName: !Ref KeyName | |
SecurityGroups: | |
- !Ref NodeSecurityGroup | |
BlockDeviceMappings: | |
- DeviceName: /dev/xvda | |
Ebs: | |
VolumeSize: !Ref NodeVolumeSize | |
VolumeType: gp2 | |
DeleteOnTermination: true | |
Outputs: | |
NodeInstanceRole: | |
Description: The node instance role | |
Value: !GetAtt | |
- NodeInstanceRole | |
- Arn |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment