From 8e40bb5019d317f5ccee0a0d2ee574f0fa0aa4e1 Mon Sep 17 00:00:00 2001
From: Justin Garrison
Date: Tue, 22 Jun 2021 10:46:54 -0700
Subject: [PATCH 1/8] Updates for example deployment

---
 docs/aws/README.md | 75 +++++++++++++++++++++++++++++++++++-----------
 1 file changed, 57 insertions(+), 18 deletions(-)

diff --git a/docs/aws/README.md b/docs/aws/README.md
index 80d4633e15e8..801737e89389 100644
--- a/docs/aws/README.md
+++ b/docs/aws/README.md
@@ -1,6 +1,8 @@
-
 # AWS
-This guide will provide a complete Karpenter installation for AWS. These steps are opinionated and may need to be adapted for your use case.
+
+This guide will provide a complete Karpenter installation for AWS.
+These steps are opinionated and may need to be adapted for your use case.
+
 ## Environment
 ```bash
 CLOUD_PROVIDER=aws
@@ -11,36 +13,61 @@ export AWS_DEFAULT_OUTPUT=json ``` ### Create a Cluster -Note: If you already have a cluster with version 1.19 or above, you may need to manually tag your subnets for Karpenter to work [detailed here](https://github.com/awslabs/karpenter/issues/404#issuecomment-845283904). -If your cluster version is 1.18 or below, you can skip this step. +Create an EKS cluster ```bash eksctl create cluster \ --name ${CLUSTER_NAME} \ ---version 1.18 \ ---region ${AWS_DEFAULT_REGION} \ --node-type m5.large \ --nodes 1 \ --nodes-min 1 \ --nodes-max 10 \ ---managed +--managed \ +--with-oidc ``` -### Setup IRSA, Karpenter Controller Role, and Karpenter Node Role -We recommend using [CloudFormation](https://aws.amazon.com/cloudformation/) and [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) (IRSA) to manage these permissions. For production use, please review and restrict these permissions for your use case. +Tag the cluster subnets with the required tags for Karpenter auto discovery. + +Note: If you already have a cluster with version 1.19 or below you can skip this step. +More [detailed here](https://github.com/awslabs/karpenter/issues/404#issuecomment-845283904). + +```bash +export SUBNET_IDS=$(aws cloudformation describe-stacks \ + --stack-name eksctl-${CLUSTER_NAME}-cluster \ + --query 'Stacks[].Outputs[?OutputKey==`SubnetsPrivate`].OutputValue' \ + --output text) + +aws ec2 create-tags \ + --resources $(echo $SUBNET_IDS | tr ',' '\n') \ + --tags Key="kubernetes.io/cluster/${CLUSTER_NAME}",Value= +``` + +For existing clusters you may need to add an OIDC provider for the cluster. +We already added one with the `eksctl create cluster` command but it is safe to run again. + ```bash -# Enables IRSA for your cluster. This command is idempotent, but only needs to be executed once per cluster. 
 eksctl utils associate-iam-oidc-provider \
---region ${AWS_DEFAULT_REGION} \
 --cluster ${CLUSTER_NAME} \
 --approve
+```
+
+### Setup IRSA, Karpenter Controller Role, and Karpenter Node Role
+We recommend using [CloudFormation](https://aws.amazon.com/cloudformation/) and [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) (IRSA) to manage these permissions.
+For production use, please review and restrict these permissions for your use case.
+
+```bash
+export OIDC_PROVIDER=$(aws eks describe-cluster \
+  --name ${CLUSTER_NAME} \
+  --query 'cluster.identity.oidc.issuer' \
+  --output text \
+  | sed 's,https://,,')
 
 # Creates IAM resources used by Karpenter
 aws cloudformation deploy \
   --stack-name Karpenter-${CLUSTER_NAME} \
-  --template-file ./docs/aws/karpenter.cloudformation.yaml \
+  --template-file $(git rev-parse --show-toplevel)/docs/aws/karpenter.cloudformation.yaml \
   --capabilities CAPABILITY_NAMED_IAM \
-  --parameter-overrides ClusterName=${CLUSTER_NAME} OpenIDConnectIdentityProvider=$(aws eks describe-cluster --name ${CLUSTER_NAME} | jq -r ".cluster.identity.oidc.issuer" | cut -c9-)
+  --parameter-overrides ClusterName=${CLUSTER_NAME} OpenIDConnectIdentityProvider=${OIDC_PROVIDER}
 
 # Adds the karpenter node role to your aws-auth configmap, allowing nodes with this role to connect to the cluster.
 kubectl patch configmap aws-auth -n kube-system --patch "$(cat <<-EOM
@@ -59,6 +86,7 @@ EOM
 ### Install Karpenter
 ```bash
 helm repo add karpenter https://awslabs.github.io/karpenter/charts
+helm repo update
 # For additional values, see https://github.com/awslabs/karpenter/blob/main/charts/karpenter/values.yaml
 helm upgrade --install karpenter charts/karpenter --create-namespace --namespace karpenter \
   --set serviceAccount.annotations.'eks\.amazonaws\.com/role-arn'=arn:aws:iam::${AWS_ACCOUNT_ID}:role/KarpenterControllerRole-${CLUSTER_NAME}
@@ -66,7 +94,9 @@ helm upgrade --install karpenter charts/karpenter --create-namespace --namespace
 
 ### (Optional) Enable Verbose Logging
 ```bash
-kubectl patch deployment karpenter-controller -n karpenter --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/args", "value": ["--verbose"]}]'
+kubectl patch deployment karpenter-controller \
+  -n karpenter --type='json' \
+  -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/args", "value": ["--verbose"]}]'
 ```
 
 ### Create a Provisioner
@@ -80,8 +110,8 @@ metadata:
 spec:
   cluster:
     name: ${CLUSTER_NAME}
-    caBundle: $(aws eks describe-cluster --name ${CLUSTER_NAME} | jq ".cluster.certificateAuthority.data")
-    endpoint: $(aws eks describe-cluster --name ${CLUSTER_NAME} | jq ".cluster.endpoint")
+    caBundle: $(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.certificateAuthority.data")
+    endpoint: $(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.endpoint")
 EOF
 kubectl get provisioner default -oyaml
 ```
@@ -113,13 +143,22 @@ spec:
               cpu: 1
 EOF
 kubectl scale deployment inflate --replicas 5
-kubectl logs -f -n karpenter $(kubectl get pods -n karpenter -l control-plane=karpenter -ojson | jq -r ".items[0].metadata.name")
+kubectl logs -f -n karpenter $(kubectl get pods -n karpenter -l karpenter=controller -o name)
 ```
 
 ### Cleanup
 ```bash
 helm delete karpenter -n karpenter
 aws cloudformation delete-stack --stack-name Karpenter-${CLUSTER_NAME}
-aws ec2 describe-launch-templates | jq -r ".LaunchTemplates[].LaunchTemplateName" | grep Karpenter | xargs -I{} aws ec2 delete-launch-template --launch-template-name {}
+aws ec2 describe-launch-templates \
+  | jq -r ".LaunchTemplates[].LaunchTemplateName" \
+  | grep -i karpenter \
+  | xargs -I{} aws ec2 delete-launch-template --launch-template-name {}
 unset AWS_DEFAULT_OUTPUT
 ```
+
+If you created a cluster during this process you also will need to delete the cluster.
+```bash
+eksctl delete cluster --name ${CLUSTER_NAME}
+```
+

From 420c8006250f7be8f95c3512046c2f6982492999 Mon Sep 17 00:00:00 2001
From: Justin Garrison
Date: Tue, 22 Jun 2021 17:36:10 -0700
Subject: [PATCH 2/8] rm additional OIDC command

---
 docs/aws/README.md | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/docs/aws/README.md b/docs/aws/README.md
index 801737e89389..e1dea7385cbc 100644
--- a/docs/aws/README.md
+++ b/docs/aws/README.md
@@ -28,7 +28,7 @@ eksctl create cluster \
 
 Tag the cluster subnets with the required tags for Karpenter auto discovery.
 
-Note: If you already have a cluster with version 1.19 or below you can skip this step.
+Note: If you have a cluster with version 1.18 or below you can skip this step.
 More [detailed here](https://github.com/awslabs/karpenter/issues/404#issuecomment-845283904).
 
 ```bash
@@ -42,19 +42,12 @@ aws ec2 create-tags \
   --tags Key="kubernetes.io/cluster/${CLUSTER_NAME}",Value=
 ```
 
-For existing clusters you may need to add an OIDC provider for the cluster.
-We already added one with the `eksctl create cluster` command but it is safe to run again.
-
-```bash
-eksctl utils associate-iam-oidc-provider \
---cluster ${CLUSTER_NAME} \
---approve
-```
-
 ### Setup IRSA, Karpenter Controller Role, and Karpenter Node Role
 We recommend using [CloudFormation](https://aws.amazon.com/cloudformation/) and [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) (IRSA) to manage these permissions.
 For production use, please review and restrict these permissions for your use case.
 
+Note: For IRSA to work your [cluster needs an OIDC provider](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)
+
 ```bash
 export OIDC_PROVIDER=$(aws eks describe-cluster \
   --name ${CLUSTER_NAME} \

From 3721f92e80296d678f087eb96565cd938ac5db1d Mon Sep 17 00:00:00 2001
From: Justin Garrison
Date: Wed, 23 Jun 2021 12:26:32 -0700
Subject: [PATCH 3/8] revert cloudformation file path

---
 docs/aws/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/aws/README.md b/docs/aws/README.md
index e1dea7385cbc..24de4d5cddde 100644
--- a/docs/aws/README.md
+++ b/docs/aws/README.md
@@ -58,7 +58,7 @@ export OIDC_PROVIDER=$(aws eks describe-cluster \
 # Creates IAM resources used by Karpenter
 aws cloudformation deploy \
   --stack-name Karpenter-${CLUSTER_NAME} \
-  --template-file $(git rev-parse --show-toplevel)/docs/aws/karpenter.cloudformation.yaml \
+  --template-file ./docs/aws/karpenter.cloudformation.yaml \
   --capabilities CAPABILITY_NAMED_IAM \
   --parameter-overrides ClusterName=${CLUSTER_NAME} OpenIDConnectIdentityProvider=${OIDC_PROVIDER}
 

From bda4c85454073f4edc329f7510b16c7d14f2bece Mon Sep 17 00:00:00 2001
From: Justin Garrison
Date: Wed, 23 Jun 2021 12:57:07 -0700
Subject: [PATCH 4/8] sed "s/sed/cut/g" :)

---
 docs/aws/README.md   | 2 +-
 docs/aws/eksctl.yaml | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 docs/aws/eksctl.yaml

diff --git a/docs/aws/README.md b/docs/aws/README.md
index 24de4d5cddde..977be3ccb89d 100644
--- a/docs/aws/README.md
+++ b/docs/aws/README.md
@@ -53,7 +53,7 @@ export OIDC_PROVIDER=$(aws eks describe-cluster \
   --name ${CLUSTER_NAME} \
   --query 'cluster.identity.oidc.issuer' \
   --output text \
-  | sed 's,https://,,')
+  | cut -d'/' -f3-)
 
 # Creates IAM resources used by Karpenter
 aws cloudformation deploy \
diff --git a/docs/aws/eksctl.yaml b/docs/aws/eksctl.yaml
new file mode 100644
index 000000000000..e69de29bb2d1

From 50af180d1cd69c556d42672d52dc588f72626765 Mon Sep 17 00:00:00 2001
From: Justin Garrison
Date: Wed, 23 Jun 2021 15:07:05 -0700
Subject: [PATCH 5/8] Remove WIP eksctl config

---
 docs/aws/eksctl.yaml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 docs/aws/eksctl.yaml

diff --git a/docs/aws/eksctl.yaml b/docs/aws/eksctl.yaml
deleted file mode 100644
index e69de29bb2d1..000000000000

From 4bfe389fcc0b6a0a15d9065eb8cfcdd442ef30b5 Mon Sep 17 00:00:00 2001
From: Justin Garrison
Date: Wed, 23 Jun 2021 15:20:04 -0700
Subject: [PATCH 6/8] Remove exports and `cut`

---
 docs/aws/README.md | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/docs/aws/README.md b/docs/aws/README.md
index 977be3ccb89d..5fce77eb20fe 100644
--- a/docs/aws/README.md
+++ b/docs/aws/README.md
@@ -32,7 +32,7 @@ Note: If you have a cluster with version 1.18 or below you can skip this step.
 More [detailed here](https://github.com/awslabs/karpenter/issues/404#issuecomment-845283904).
 
 ```bash
-export SUBNET_IDS=$(aws cloudformation describe-stacks \
+SUBNET_IDS=$(aws cloudformation describe-stacks \
   --stack-name eksctl-${CLUSTER_NAME}-cluster \
   --query 'Stacks[].Outputs[?OutputKey==`SubnetsPrivate`].OutputValue' \
   --output text)
@@ -49,18 +49,17 @@ For production use, please review and restrict these permissions for your use ca
 Note: For IRSA to work your [cluster needs an OIDC provider](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)
 
 ```bash
-export OIDC_PROVIDER=$(aws eks describe-cluster \
+OIDC_PROVIDER=$(aws eks describe-cluster \
   --name ${CLUSTER_NAME} \
   --query 'cluster.identity.oidc.issuer' \
-  --output text \
-  | cut -d'/' -f3-)
+  --output text)
 
 # Creates IAM resources used by Karpenter
 aws cloudformation deploy \
   --stack-name Karpenter-${CLUSTER_NAME} \
   --template-file ./docs/aws/karpenter.cloudformation.yaml \
   --capabilities CAPABILITY_NAMED_IAM \
-  --parameter-overrides ClusterName=${CLUSTER_NAME} OpenIDConnectIdentityProvider=${OIDC_PROVIDER}
+  --parameter-overrides ClusterName=${CLUSTER_NAME} OpenIDConnectIdentityProvider=${OIDC_PROVIDER/https:\/\//}
 
 # Adds the karpenter node role to your aws-auth configmap, allowing nodes with this role to connect to the cluster.
 kubectl patch configmap aws-auth -n kube-system --patch "$(cat <<-EOM

From a958ab74e33db3ef48da761b5c0a06db1ab2804a Mon Sep 17 00:00:00 2001
From: Justin Garrison
Date: Wed, 23 Jun 2021 15:40:59 -0700
Subject: [PATCH 7/8] remove default AWS output

---
 docs/aws/README.md | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/docs/aws/README.md b/docs/aws/README.md
index 5fce77eb20fe..a0927d6c9520 100644
--- a/docs/aws/README.md
+++ b/docs/aws/README.md
@@ -9,7 +9,6 @@ CLOUD_PROVIDER=aws
 AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
 CLUSTER_NAME=$USER-karpenter-demo
 AWS_DEFAULT_REGION=us-west-2
-export AWS_DEFAULT_OUTPUT=json
 ```
 
 ### Create a Cluster
@@ -102,8 +101,8 @@ metadata:
 spec:
   cluster:
     name: ${CLUSTER_NAME}
-    caBundle: $(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.certificateAuthority.data")
-    endpoint: $(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.endpoint")
+    caBundle: $(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.certificateAuthority.data" --output json)
+    endpoint: $(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.endpoint" --output json)
 EOF
 kubectl get provisioner default -oyaml
 ```
@@ -146,11 +145,9 @@ aws ec2 describe-launch-templates \
   | jq -r ".LaunchTemplates[].LaunchTemplateName" \
   | grep -i karpenter \
   | xargs -I{} aws ec2 delete-launch-template --launch-template-name {}
-unset AWS_DEFAULT_OUTPUT
 ```
 
 If you created a cluster during this process you also will need to delete the cluster.
 ```bash
 eksctl delete cluster --name ${CLUSTER_NAME}
 ```
-

From c2224f1f0f39cbe209be793c79344d894d169405 Mon Sep 17 00:00:00 2001
From: Justin Garrison
Date: Wed, 23 Jun 2021 16:08:29 -0700
Subject: [PATCH 8/8] Fix chart name for remote helm repo

---
 docs/aws/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/aws/README.md b/docs/aws/README.md
index a0927d6c9520..d75286b62670 100644
--- a/docs/aws/README.md
+++ b/docs/aws/README.md
@@ -79,7 +79,7 @@ EOM
 helm repo add karpenter https://awslabs.github.io/karpenter/charts
 helm repo update
 # For additional values, see https://github.com/awslabs/karpenter/blob/main/charts/karpenter/values.yaml
-helm upgrade --install karpenter charts/karpenter --create-namespace --namespace karpenter \
+helm upgrade --install karpenter karpenter/karpenter --create-namespace --namespace karpenter \
   --set serviceAccount.annotations.'eks\.amazonaws\.com/role-arn'=arn:aws:iam::${AWS_ACCOUNT_ID}:role/KarpenterControllerRole-${CLUSTER_NAME}
 ```
 