```bash
df -hT
lsblk
sudo growpart /dev/xvda 1
lsblk
df -h
sudo xfs_growfs -d /
df -h
```
Also create an IAM role that has the AdministratorAccess policy and attach it to the Cloud9 instance. That is far broader than the lab needs; keep the role only for the lab and delete it together with the Cloud9 environment when you clean up.
```bash
sudo curl --silent --location -o /usr/local/bin/kubectl \
  https://amazon-eks.s3.cn-north-1.amazonaws.com.cn/1.18.8/2020-09-18/bin/linux/amd64/kubectl
sudo chmod +x /usr/local/bin/kubectl
sudo pip install --upgrade awscli && hash -r
sudo curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv -v /tmp/eksctl /usr/local/bin
eksctl version
```
cluster.yml

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: sgp-cluster
  region: us-west-2
  version: "1.18"
iam:
  withOIDC: true
managedNodeGroups:
  - name: nodegroup
    instanceType: m5.large
    desiredCapacity: 1
    privateNetworking: true
```
*For the YAML syntax, see here.
```bash
eksctl create cluster -f cluster.yml
```
Once the cluster is created, confirm that the AmazonEKSVPCResourceController managed policy is attached to the EKS cluster IAM role. It is a prerequisite for security groups for pods: the VPC resource controller that runs on the control plane needs it to create the trunk and branch network interfaces that carry a pod's security groups.
```bash
VPCID=$(aws eks describe-cluster --name sgp-cluster \
  --query "cluster.resourcesVpcConfig.vpcId" \
  --region us-west-2 \
  --output text)
echo $VPCID

RDSSG=$(aws ec2 create-security-group --group-name RDSDbAccessSG \
  --description "Security group to apply to apps that need access to RDS" \
  --vpc-id $VPCID \
  --region us-west-2 \
  --query "GroupId" \
  --output text)
echo $RDSSG
```
```bash
sudo yum -y install postgresql.x86_64
psql \
  -h database-1.xxxxxxxxxx.us-west-2.rds.amazonaws.com \
  -p 5432 \
  -U postgres \
  -d testdb
```

```sql
-- Granting rds_iam switches db_userx to IAM authentication:
-- from now on it can log in only with an IAM auth token, not a password.
CREATE USER db_userx;
GRANT rds_iam TO db_userx;
\q
```
serviceaccount.yaml

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: sgp-cluster
  region: us-west-2
iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: rds-db-access
        namespace: default
        labels: {role: "backend"}
      attachPolicyARNs:
        - "arn:aws:iam::ACCOUNTID:policy/rds-auth-for-pod"
```
```bash
eksctl create iamserviceaccount -f serviceaccount.yaml --approve
```
```
$ kubectl describe sa | grep eksctl -3
Name:                rds-db-access
Namespace:           default
Labels:              role=backend
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNTID>:role/eksctl-sgp-cluster-addon-iamserviceaccount-XXXXXXXXXX
```
```bash
kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true

CLUSTERSG=$(aws eks describe-cluster --name sgp-cluster \
  --query "cluster.resourcesVpcConfig.clusterSecurityGroupId" \
  --region us-west-2 \
  --output text)
# print security group IDs
echo $CLUSTERSG $RDSSG
```
sgp-policy.yaml
```yaml
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: my-sg-policy
spec:
  serviceAccountSelector:
    matchLabels:
      role: backend
  securityGroups:
    groupIds:
      - sg-yyyyyy
      - sg-zzzzzz
```

```bash
kubectl apply -f sgp-policy.yaml
```
postgres_test_iam.py

```python
import os

import boto3
import psycopg2

HOST = os.getenv('HOST')
PORT = "5432"
USER = os.getenv('USER')
REGION = "us-west-2"
DBNAME = os.getenv('DATABASE')

# The pod's IRSA credentials (from the service account's role) sign the token;
# it is a short-lived SigV4-signed string used in place of a password.
client = boto3.client('rds', region_name=REGION)
token = client.generate_db_auth_token(DBHostname=HOST, Port=PORT, DBUsername=USER, Region=REGION)

conn = None
try:
    # IAM auth requires an SSL connection; libpq's default sslmode=prefer negotiates
    # it, pass sslmode='require' if you want plaintext connections refused outright.
    conn = psycopg2.connect(host=HOST, port=PORT, database=DBNAME, user=USER,
                            password=token, connect_timeout=3)
    cur = conn.cursor()
    cur.execute("""SELECT version()""")
    query_results = cur.fetchone()
    print(query_results)
    cur.close()
except Exception as e:
    print("Database connection failed due to {}".format(e))
finally:
    if conn is not None:
        conn.close()
```
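The script above hands the token straight from boto3 to psycopg2, which hides what that "password" actually is. The following is an added example, not code from the original post and not boto3's implementation: it rebuilds the token by hand with the SigV4 query-string presigning procedure that RDS IAM authentication uses, then reads the expiry back out of it and prints the `rds-db:connect` resource ARN that the `rds-auth-for-pod` policy (whose JSON the page does not show) must allow. The hostname, key pair, account ID and DbiResourceId are placeholders.

```python
"""Reconstruct, by hand, the token that generate_db_auth_token returns.

Added example: not code from the original post and not boto3's own
implementation. It follows the SigV4 query-string presigning procedure that
RDS IAM authentication uses; the credentials, hostname and DbiResourceId
below are placeholders, not real values.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

SERVICE = "rds-db"       # signing name for IAM database authentication
TOKEN_LIFETIME = 900     # RDS accepts a token for 15 minutes after X-Amz-Date

# Constructed inputs (placeholders, not a real key pair or endpoint)
EXAMPLE_HOST = "database-1.example.us-west-2.rds.amazonaws.com"
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_NOW = dt.datetime(2020, 10, 1, 12, 0, 0)   # naive UTC


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    """Keys sorted; keys and values percent-encoded with the SigV4 unreserved set."""
    encoded = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~")) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in encoded)


def build_rds_auth_token(hostname, port, db_user, region, access_key, secret_key,
                         now, session_token=None):
    """Presigned 'connect' request for rds-db, with the http:// scheme stripped."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    host = f"{hostname}:{port}"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_LIFETIME),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:   # IRSA gives the pod temporary credentials, so this is normally present
        params["X-Amz-Security-Token"] = session_token
    canonical_request = "\n".join([
        "GET",
        "/",
        _canonical_query(params),
        f"host:{host}\n",                    # canonical headers, each newline-terminated
        "host",                              # signed headers
        hashlib.sha256(b"").hexdigest(),     # the GET carries no body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # This string is what psycopg2 sends as the password (inside the TLS session).
    return f"{host}/?{_canonical_query(params)}&X-Amz-Signature={signature}"


def token_expiry(token: str) -> dt.datetime:
    """X-Amz-Date + X-Amz-Expires: after this instant RDS rejects the token."""
    query = parse_qs(urlsplit("http://" + token).query)
    issued = dt.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    return issued + dt.timedelta(seconds=int(query["X-Amz-Expires"][0]))


def seconds_until_expiry(token: str, now: dt.datetime) -> int:
    return int((token_expiry(token) - now).total_seconds())


def rds_db_connect_resource(region, account_id, dbi_resource_id, db_user) -> str:
    """Resource ARN an rds-db:connect statement must allow for this DBUser."""
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{dbi_resource_id}/{db_user}"


def example_token() -> str:
    return build_rds_auth_token(EXAMPLE_HOST, 5432, "db_userx", "us-west-2",
                                EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, EXAMPLE_NOW)


if __name__ == "__main__":
    token = example_token()
    print(token)
    print("expires at", token_expiry(token), "UTC")
    print("policy resource:", rds_db_connect_resource(
        "us-west-2", "ACCOUNTID", "db-ABCDEFGHIJKL01234", "db_userx"))
```

Two things fall out of this that matter in a pod. The token is only accepted for 15 minutes after `X-Amz-Date`, so generate it immediately before each `connect()` rather than caching it; an established connection stays up after that, but reconnects with a stale token fail. And the `DBUser` in the token is bound into the IAM resource ARN, so the policy attached to the `rds-db-access` service account should name `dbuser:<DbiResourceId>/db_userx` rather than `dbuser:*/*`.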
Dockerfile

```dockerfile
FROM python:3.8.5-slim-buster
ADD postgres_test_iam.py /
RUN pip install psycopg2-binary boto3
CMD [ "python", "-u", "./postgres_test_iam.py" ]
```

```bash
cd <folder name>
docker build -t postgres-test .
aws ecr create-repository --repository-name postgres-test-demo --region us-west-2
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <ACCOUNTID>.dkr.ecr.us-west-2.amazonaws.com
docker tag postgres-test <ACCOUNTID>.dkr.ecr.us-west-2.amazonaws.com/postgres-test-demo:latest
docker push <ACCOUNTID>.dkr.ecr.us-west-2.amazonaws.com/postgres-test-demo:latest
```
postgres-test.yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: postgres-test
spec:
  serviceAccountName: rds-db-access
  containers:
    - name: postgres-test
      image: <copied image URI>
      env:
        - name: HOST
          value: "<RDS endpoint>"
        - name: DATABASE
          value: "testdb"
        - name: USER
          value: "db_userx"
```

```bash
cd ../
kubectl apply -f postgres-test.yaml
```

```
$ kubectl logs postgres-test
('PostgreSQL 12.4 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-11), 64-bit',)
```
postgres-test.yaml (serviceAccountName commented out, so the pod runs as the namespace's default service account)

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: postgres-test
spec:
  # serviceAccountName: rds-db-access
  containers:
    - name: postgres-test
      image: <copied image URI>
      env:
        - name: HOST
          value: "<RDS endpoint>"
        - name: DATABASE
          value: "testdb"
        - name: USER
          value: "db_userx"
```

```bash
kubectl delete -f postgres-test.yaml
kubectl apply -f postgres-test.yaml
```

```
$ kubectl logs postgres-test
Database connection failed due to timeout expired
```
serviceaccount.yaml (labels commented out)

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: sgp-cluster
  region: us-west-2
iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: rds-db-access
        namespace: default
        # labels: {role: "backend"}
      attachPolicyARNs:
        - "arn:aws:iam::775154630116:policy/rds-auth-for-pod"
```

no-iam-sa.yaml

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: no-iam-sa
  namespace: default
  labels:
    app: backend
```
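The three negative runs (the pod with `serviceAccountName` commented out, the service account recreated without labels, and `no-iam-sa` labelled `app: backend` instead of `role: backend`) all fail the same way: the pod does not satisfy `serviceAccountSelector`, so the VPC resource controller never attaches a branch ENI carrying `RDSDbAccessSG`, the pod keeps only the node's security groups, and the connection to RDS times out. The following is an added example, not from the original post and not the controller's own code: it re-implements the documented selector rules (policy is namespaced; Kubernetes label-selector semantics; a pod must satisfy both selectors when `podSelector` and `serviceAccountSelector` are both set; a policy with neither is ignored; `hostNetwork` pods are never eligible; groups from all matching policies are merged) and runs each of the page's pods through them. The manifests are constructed inline to mirror the ones on this page.

```python
"""Which security groups a pod receives under a SecurityGroupPolicy.

Added example: not code from the original post and not the VPC resource
controller's own code. Re-implements the documented selector rules and
evaluates constructed manifests that mirror the experiments on this page.
"""


def selector_matches(selector: dict, labels: dict) -> bool:
    """Kubernetes label selector: matchLabels (all equal) plus matchExpressions.
    An empty selector ({}) matches everything."""
    labels = labels or {}
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def policy_matches(policy: dict, pod: dict, service_accounts: dict) -> bool:
    """service_accounts maps (namespace, name) -> ServiceAccount manifest."""
    namespace = pod["metadata"].get("namespace", "default")
    if policy["metadata"].get("namespace", "default") != namespace:
        return False                                   # SecurityGroupPolicy is namespaced
    if pod["spec"].get("hostNetwork", False):
        return False                                   # hostNetwork pods get no branch ENI
    pod_sel = policy["spec"].get("podSelector")
    sa_sel = policy["spec"].get("serviceAccountSelector")
    if pod_sel is None and sa_sel is None:
        return False                                   # no selector at all: policy ignored
    if pod_sel is not None and not selector_matches(pod_sel, pod["metadata"].get("labels")):
        return False
    if sa_sel is not None:
        # A pod that omits serviceAccountName runs as the namespace's "default" SA,
        # which carries no labels, so it never satisfies a serviceAccountSelector.
        sa_name = pod["spec"].get("serviceAccountName", "default")
        sa = service_accounts.get((namespace, sa_name), {"metadata": {}})
        if not selector_matches(sa_sel, sa["metadata"].get("labels")):
            return False
    return True


def security_groups_for_pod(policies, pod, service_accounts) -> list:
    """Deduplicated union, in policy order, of groupIds from every matching policy."""
    groups = []
    for policy in policies:
        if policy_matches(policy, pod, service_accounts):
            for group_id in policy["spec"]["securityGroups"]["groupIds"]:
                if group_id not in groups:
                    groups.append(group_id)
    return groups


# --- Constructed manifests mirroring the page ---------------------------------
SGP_POLICY = {
    "apiVersion": "vpcresources.k8s.aws/v1beta1",
    "kind": "SecurityGroupPolicy",
    "metadata": {"name": "my-sg-policy", "namespace": "default"},
    "spec": {
        "serviceAccountSelector": {"matchLabels": {"role": "backend"}},
        "securityGroups": {"groupIds": ["sg-yyyyyy", "sg-zzzzzz"]},
    },
}

SERVICE_ACCOUNTS = {
    ("default", "default"): {"metadata": {"name": "default"}},
    ("default", "rds-db-access"): {"metadata": {"name": "rds-db-access",
                                                "labels": {"role": "backend"}}},
    ("default", "rds-db-access-unlabeled"): {"metadata": {"name": "rds-db-access-unlabeled"}},
    ("default", "no-iam-sa"): {"metadata": {"name": "no-iam-sa", "labels": {"app": "backend"}}},
}


def make_pod(name, service_account=None, host_network=False) -> dict:
    spec = {"containers": [{"name": name, "image": "postgres-test"}]}
    if service_account:
        spec["serviceAccountName"] = service_account
    if host_network:
        spec["hostNetwork"] = True
    return {"metadata": {"name": name, "namespace": "default"}, "spec": spec}


def page_scenarios() -> dict:
    """Each experiment on the page, as the security groups its pod would receive."""
    cases = {
        "serviceAccountName: rds-db-access": make_pod("postgres-test", "rds-db-access"),
        "serviceAccountName omitted": make_pod("postgres-test"),
        "service account without labels": make_pod("postgres-test", "rds-db-access-unlabeled"),
        "no-iam-sa (app: backend)": make_pod("postgres-test", "no-iam-sa"),
        "hostNetwork pod with rds-db-access": make_pod("postgres-test", "rds-db-access", True),
    }
    return {name: security_groups_for_pod([SGP_POLICY], pod, SERVICE_ACCOUNTS)
            for name, pod in cases.items()}


if __name__ == "__main__":
    for name, groups in page_scenarios().items():
        print(f"{name:38s} -> {groups or 'none (pod keeps only the node security groups)'}")
```

Only the first scenario yields `["sg-yyyyyy", "sg-zzzzzz"]`; the rest yield nothing, which is the `timeout expired` case above. The practical check on a live cluster is the same one the simulation makes: `kubectl get sa <name> --show-labels` against the policy's `serviceAccountSelector`, and `kubectl describe pod` to see whether the pod got a branch ENI annotation.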
After deleting the RDS instance, the security group that was attached to RDS, the ECR repository, and the security group attached to the pods for RDS access (RDSDbAccessSG), run `eksctl delete cluster -f cluster.yml` from Cloud9 to delete the cluster and its associated resources such as the VPC.

*If the order was wrong and something was left behind, check the stack resources in CloudFormation and delete the leftovers by hand.

Finally, delete the Cloud9 environment.