Amazon EKS - User Guide


Amazon EKS: User Guide

Copyright Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is Amazon EKS? . 1
Amazon EKS control plane architecture . 1
How does Amazon EKS work? . 2
Pricing . 2
Deployment options . 2
Getting started with Amazon EKS . 4
Installing kubectl . 4
Installing eksctl . 10
Installing or upgrading eksctl . 11
Using eksctl . 12
Prerequisites . 13
Step 1: Create cluster and nodes . 13
Step 2: View Kubernetes resources . 14
Step 4: Delete cluster and nodes . 15
Next steps . 15
Using the console and AWS CLI . 16
Prerequisites . 16
Step 1: Create cluster . 16
Step 2: Configure cluster communication . 18
Step 3: Create nodes . 18
Step 4: View resources . 22
Step 5: Delete resources . 22
Next steps . 23
Clusters . 24
Creating a cluster . 24
Updating a cluster . 32
Updating Kubernetes version . 32
Kubernetes version 1.22 prerequisites . 32
To update the Kubernetes version for your Amazon EKS cluster . 36
Enabling secret encryption on an existing cluster . 39
Deleting an Amazon EKS cluster . 42
Cluster endpoint access . 45
Modifying cluster endpoint access . 46
Accessing a private only API server . 50
Autoscaling . 50
Cluster Autoscaler . 50
Karpenter . 61
Control plane logging . 62
Enabling and disabling control plane logs . 63
Viewing cluster control plane logs . 64
Kubernetes versions . 65
Available Amazon EKS Kubernetes versions . 65
Kubernetes 1.22 . 65
Kubernetes 1.21 . 67
Kubernetes 1.20 . 68
Kubernetes 1.19 . 69
Kubernetes 1.18 . 71
Kubernetes 1.17 . 71
Amazon EKS Kubernetes release calendar . 72
Amazon EKS version support and FAQ . 73
Platform versions . 74
Kubernetes version 1.22 . 75
Kubernetes version 1.21 . 75
Kubernetes version 1.20 . 78

Kubernetes version 1.19 . 80
Kubernetes version 1.18 . 83
Kubernetes version 1.17 . 87
Windows support . 90
Enabling Windows support . 92
Removing legacy Windows support . 93
Disabling Windows support . 93
Deploying Pods . 94
Enabling legacy Windows support . 94
Viewing API server flags . 99
Private clusters . 100
Requirements . 100
Considerations . 101
Creating local copies of container images . 102
AWS STS endpoints for IAM roles for service accounts . 102
Nodes . 104
View nodes . 107
Managed node groups . 109
Managed node groups concepts . 110
Managed node group capacity types . 111
Creating a managed node group . 113
Updating a managed node group . 119
Node taints on managed node groups . 123
Launch template support . 124
Deleting a managed node group . 130
Self-managed nodes . 131
Amazon Linux . 132
Bottlerocket . 137
Windows . 139
Updates . 145
AWS Fargate . 152
Fargate considerations . 152
Getting started with Fargate . 154
Fargate profile . 157
Fargate pod configuration . 160
Fargate pod patching . 161
Fargate metrics . 163
Fargate logging . 164
Instance types . 171
Maximum pods . 172
Amazon EKS optimized AMIs . 173
Dockershim deprecation . 173
Amazon Linux . 174
Ubuntu Linux . 202
Bottlerocket . 203
Windows . 208
Storage . 223
Storage classes . 223
Amazon EBS CSI driver . 225
Create an IAM policy and role . 225
Manage the Amazon EKS add-on . 231
Deploy a sample application . 236
Amazon EFS CSI driver . 238
Create an IAM policy and role . 238
Install the Amazon EFS driver . 241
Create an Amazon EFS file system . 243
Deploy a sample application . 244

Amazon FSx for Lustre CSI driver
Amazon FSx for NetApp ONTAP CSI driver
Networking
Creating a VPC for Amazon EKS
Creating a VPC for Amazon EKS
VPC considerations
VPC IP addressing
Subnet tagging
Increase available IP addresses
Amazon EKS security group considerations
Cluster security group
Control plane and node security groups
Pod networking (CNI)
Configure plugin for IAM account
Managing VPC CNI add-on
Use cases
CNI metrics helper
Alternate compatible CNI plugins
Installing the AWS Load Balancer Controller add-on
Managing CoreDNS add-on
Adding the Amazon EKS add-on
Updating the Amazon EKS add-on
Removing the Amazon EKS add-on
Updating the self-managed add-on
Managing kube-proxy add-on
Adding the Amazon EKS add-on
Updating the Amazon EKS add-on
Removing the Amazon EKS add-on
Updating the self-managed add-on
Installing the Calico add-on
Install Calico
Stars policy demo
Remove Calico
Workloads
View workloads
Sample application deployment
Vertical Pod Autoscaler
Deploy the Vertical Pod Autoscaler
Test your Vertical Pod Autoscaler installation
Horizontal Pod Autoscaler
Run a Horizontal Pod Autoscaler test application
Network load balancing
Create a network load balancer
(Optional) Deploy a sample application
Application load balancing
(Optional) Deploy a sample application
Restrict service external IP address assignment
Copy an image to a repository
Amazon container image registries
Amazon EKS add-ons
Add-on configuration
Machine learning training
Create node group
(Optional) Deploy a sample EFA compatible application
Machine learning inference
Prerequisites
Create a cluster

(Optional) Deploy a TensorFlow Serving application image
(Optional) Make predictions against your TensorFlow Serving service
Cluster authentication
Enabling user and role access
Add users or roles
Apply the aws-auth ConfigMap to your cluster
OIDC identity provider authentication
Associate an OIDC identity provider
Disassociate an OIDC identity provider from your cluster
Example IAM policy
Create a kubeconfig for Amazon EKS
Create kubeconfig file automatically
Create kubeconfig manually
Installing aws-iam-authenticator
Default Amazon EKS roles and users
Cluster management
Tutorial: Deploy Kubernetes Dashboard
Prerequisites
Step 1: Deploy the Kubernetes dashboard
Step 2: Create an eks-admin service account and cluster role binding
Step 3: Connect to the dashboard
Step 4: Next steps
Metrics server
Prometheus metrics
Viewing the raw metrics
Deploying Prometheus
Store your Prometheus metrics in Amazon Managed Service for Prometheus
Using Helm
Tagging your resources
Tag basics
Tagging your resources
Tag restrictions
Working with tags using the console
Working with tags using the CLI, API, or eksctl
Service quotas
Service quotas
Security
Certificate signing
CSR example
Identity and access management
Audience
Authenticating with identities
Managing access using policies
How Amazon EKS works with IAM
Identity-based policy examples
Using service-linked roles
Cluster IAM role
Node IAM role
Pod execution IAM role
Connector IAM role
IAM roles for service accounts
Cross-service confused deputy prevention
AWS managed policies
Troubleshooting
Logging and monitoring
Compliance validation
Resilience

Infrastructure security
Configuration and vulnerability analysis
Security best practices
Pod security policy
Amazon EKS default pod security policy

What is Amazon EKS?

Amazon Elastic Kubernetes Service (Amazon E