In this lab excerise we will create a managed kubernetes cluster along with a Container registry on AWS EKS and ECR
Amazon Elastic Kubernetes Service is a service provided for Kubernetes on AWS infrastructure. The Kubernetes resources will be fully managed by AWS, which offloads the burden on maintaining the infrastructure, and makes sure these resources are highly available and reliable at all times
Amazon Elastic Container Registry managed container registry. Like the popular docker registry Dockerhub, ECR also supports private and public repositories. We can either push or pull images to ECR using AWS CLI.
- Check out the available AWS Regions. Decide on a Datacenter region that is closest to you and meets your needs. Check out the AWS latency test! We will need to choose one and input a region name in the following steps.
- Consider a naming and tagging convention to organize your cloud assets to support user identification of shared subscriptions.
Example:
I am located in Denver, Colorado; I will opt to use the Datacenter region
us-west-2 based in US West (Oregon). I could also use the following naming
convention:
<Asset_type>-<your_id_yourname>-<location>-<###>So for my EKS Cluster I will deploy in US West (Oregon), i.e., us-west-2 , and
will name my Cluster eks-armand-us-west-2 or just aks-armand-uswest2 since I
don't intend to have more than one EKS deployment
I will also use the tag user=armand to further identify my asset on our shared
account
We will need AWS Command Line Interface (CLI) installed on your client machine to manage your AWS services. See Installing, updating, and uninstalling the AWS CLI
- Configure client using
aws configure
# Access your "My Security Credentials" section in your profile.
# Create or Obtain your access key
aws configure
AWS Access Key ID [None]: [YOUR KEY]
AWS Secret Access Key [None]: [YOUR KEY]
Default region name [None]: us-west-2
Default output format [None]: jsonWe can inspect the files generated by the CLI using the aws configure
- Check
~/.aws/credentialssettings
cat ~/.aws/credentials
[default]
aws_access_key_id = [YOUR KEY]
aws_secret_access_key = [YOUR KEY]- Check
~/.aws/configsetting
cat ~/.aws/config
[default]
region = us-west-2
output = jsonNote: For file examples with multiple named profiles, see Named profiles.
- Let try our first aws cli command. Get a list of all of the Regions that are enabled for your account:
aws ec2 describe-regions | grep RegionNameYou can deploy a cluster using multiple ways. Check out the See Getting started
with
eksctl
We will only cover the EKS CLI
Amazon Elastic Kubernetes Service (EKS) Setup using eksctl
eksctl is a simple CLI tool for creating clusters on EKS; eksctl is now the official command line for EKS
Check out Installing or upgrading eksctl and review some standard command-line options in the eksctl introduction
- For this demo, we will be creating an EKS cluster using the
eksctltool. We can test that our installation was successful with the following command.
eksctl version- Use
eksctlto create a production-ready EKS cluster with some options in a single command (This will take a while):
MY_REGION=us-west-2
MY_EKS=eks-armand-uswest2
MY_NAME=armand
eksctl create cluster \
--name=$MY_EKS \
--region=$MY_REGION \
--nodes=3 \
--tags user=$MY_NAME \
--version=1.21 # or leave out to install default version- To create or update the
kubeconfigfile for your cluster, run the following command:
MY_REGION=us-west-2
MY_EKS=eks-armand-uswest2
aws eks --region $MY_REGION update-kubeconfig --name $MY_EKS- If you are managing multiple Kubernetes clusters, you can easily change
between context using the
kubectl config set-contextcommand:
# Get a list of kubernetes clusters in you local kube config
kubectl config get-clusters
NAME
local-k8s-cluster
azure-k8s-cluster
do-sfo2-k8s-1-16-2-do-0-sfo2-1573497597413
arn:aws:eks:us-west-2:664341837355:cluster/eks-armand-uswest2
# Set context
kubectl config set-context eks-armand-uswest2
# Check which context you are currently targeting
kubectl config current-context
# Get Nodes in the target kubernetes cluster
kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-192-168-23-171.us-west-2.compute.internal Ready <none> 3m10s v1.18.9-eks-d1db3c
ip-192-168-48-90.us-west-2.compute.internal Ready <none> 3m6s v1.18.9-eks-d1db3c
ip-192-168-89-32.us-west-2.compute.internal Ready <none> 3m5s v1.18.9-eks-d1db3c
For additional registry authentication methods, including the Amazon ECR credential helper, see Registry Authentication. Also, refer to the AWS ECR user guide for tips and best practices for creating the repository.
On Shared Registry and Repositories : The URL for your default registry is
https://$MY_AWS_ACCOUNT_ID.dkr.ecr.$MY_REGION.amazonaws.com , and by default,
your account has read and write access to the repositories in your default
registry. In the next step we can log the registry using the aws ecr command.
On shared corporate accounts you will be using a shared Container
registry and so you should consider prepending a unique name for the a
namespace to group the repository into a category , i.e. your own group. For
example, the repository name may be specified on its own (such as
nginx-web-app) or it can be prepended with a namespace to group the repository
into a category or user (such as armand/nginx-web-app).
- Retrieve an authentication token and authenticate your Docker client to your
registry using the
aws ecrcommand:
MY_AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
MY_REGION=us-west-2
aws ecr get-login-password --region $MY_REGION | docker login --username AWS --password-stdin $MY_AWS_ACCOUNT_ID.dkr.ecr.$MY_REGION.amazonaws.comAt the end of the output you should see Login Succeeded!
We can quickly test the ability to push images to our Private ECR from our client machine
Take note of the image URIs in your private registry that is created from the following steps. We will need it for when we push container images to the registry
- Create an ECR repository for your container images
MY_REGION=us-west-2
MY_REPO="armand/hello-world"
aws ecr create-repository --repository-name $MY_REPO --region $MY_REGION- If you do not have a test container image to push to ECR, you can download a simple container for testing, e.g. armsultan/hello-world
docker pull armsultan/hello-world- Get the image ID so we can tag it on the next step
docker images | grep hello-world
armsultan/hello-world latest 15d53731c307 6 minutes ago 1.23MB- Tag the image with your registry uri
MY_AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
MY_REGION=us-west-2
MY_REPO="armand/hello-world"
MY_IMAGE_ID=15d53731c307
docker tag $MY_IMAGE_ID $MY_AWS_ACCOUNT_ID.dkr.ecr.$MY_REGION.amazonaws.com/$MY_REPO- Your newly tagged image is now listed under
docker images:
docker images | grep hello-world
664341837355.dkr.ecr.us-west-2.amazonaws.com/armand/hello-world latest 15d53731c307 11 minutes ago 1.23MB
armsultan/hello-world latest 15d53731c307 11 minutes ago 1.23MB- Push your tagged image to ECR
# you can get copy the docker image name from the last step
docker push 664341837355.dkr.ecr.us-west-2.amazonaws.com/armand/hello-world - Check it is up there using the aws cli
MY_REGION=us-west-2
aws ecr describe-repositories --region $MY_REGION | grep hello-world
# example output:
"repositoryArn": "arn:aws:ecr:us-west-2:664341837355:repository/armand/hello-world",
"repositoryName": "armand/hello-world",
"repositoryUri": "664341837355.dkr.ecr.us-west-2.amazonaws.com/armand/hello-world",You can easily delete your EKS cluster using the eksctl tool
- Delete the cluster and its associated nodes with the following command,
replacing
$MYwith your cluster name.
$MY_EKS=eks-armand-uswest2
eksctl delete cluster $MY_EKS