AWS EKS: use Fargate nodes as the pod runtime environment
For stronger isolation (each pod gets its own microVM, no shared worker node) and less node management, we can use Fargate as the runtime environment for EKS pods.
Create the EKS Fargate pod execution role
- name: AmazonEKSFargatePodExecutionRole
- the trust policy statement looks like the following (the `aws:SourceArn` condition limits which Fargate profiles may assume the role, which guards against the confused-deputy problem)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ssm.amazonaws.com",
          "eks-fargate-pods.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:eks:us-east-1:{accountId}:fargateprofile/{clusterName}/*"
        }
      }
    }
  ]
}
```
- attach the AWS managed policies to the Fargate pod execution role
  - AmazonEKSClusterPolicy
  - AmazonEKSFargatePodExecutionRolePolicy
- note that AmazonEKSFargatePodExecutionRolePolicy is the only policy the pod execution role requires; AmazonEKSClusterPolicy is the policy for the cluster's own IAM role, so attach it here only if your setup actually depends on it
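As an added example (not part of this page's setup), a small Python check for the trust policy above: it flags any service principal other than eks-fargate-pods.amazonaws.com, a missing `aws:SourceArn` condition, and a SourceArn that is not scoped to the expected account and cluster. The account id 123456789012 and cluster name demo are constructed values standing in for the `{accountId}` and `{clusterName}` placeholders.

```python
import fnmatch
import json

# Constructed sample: this page's trust policy with the {accountId} and
# {clusterName} placeholders filled in with made-up values.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["ssm.amazonaws.com", "eks-fargate-pods.amazonaws.com"]},
    "Action": "sts:AssumeRole",
    "Condition": {"ArnLike": {
      "aws:SourceArn": "arn:aws:eks:us-east-1:123456789012:fargateprofile/demo/*"}}
  }]
}
""")

FARGATE_PRINCIPAL = "eks-fargate-pods.amazonaws.com"

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, account_id, cluster_name):
    """Return findings for a Fargate pod execution role trust policy.

    Plain string matching on the policy document, not a full IAM evaluation.
    """
    findings = []
    wanted = f"arn:aws:eks:*:{account_id}:fargateprofile/{cluster_name}/*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else [str(principal)]
        for svc in services:
            if svc != FARGATE_PRINCIPAL:
                findings.append(f"unexpected service principal: {svc}")
        arns = _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn"))
        if not arns:
            findings.append("no aws:SourceArn condition (confused-deputy guard missing)")
        for arn in arns:
            if not fnmatch.fnmatchcase(arn, wanted):
                findings.append(f"aws:SourceArn not scoped to {account_id}/{cluster_name}: {arn}")
    return findings
```

Run against the page's policy it reports the extra ssm.amazonaws.com principal, which the Fargate pod execution role does not need; drop it unless something else in your account really assumes this role.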
Create the EKS Fargate profile in the EKS console
Select the EKS cluster, open the Compute tab, and add a new Fargate profile:
- select the Fargate pod execution role
- specify the namespace and, preferably, a label for the pod selector, for example the label `placed: farget`
- the namespace can be `*` to match all namespaces; in that case the label selector is the only thing that keeps the profile from capturing every pod in the cluster, so keep it
Test that a matching pod is placed on Fargate
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-farget-pod
  generateName: test-farget-pod
  namespace: test-farget
  labels:
    placed: farget
spec:
  containers:
    - name: nginx
      image: nginx:latest
      ports:
        - name: http-80
          containerPort: 80
          protocol: TCP
```
Setting up the logs
EKS Fargate pod logs can be shipped to CloudWatch (or other destinations) through the built-in Fluent Bit log router, which reads its configuration from a ConfigMap. First create the `aws-observability` namespace, then apply the `aws-logging` ConfigMap. The pod execution role also needs CloudWatch Logs write permissions (logs:CreateLogGroup, logs:CreateLogStream, logs:DescribeLogStreams, logs:PutLogEvents), otherwise the log router cannot deliver anything.
- the namespace object
```yaml
kind: Namespace
apiVersion: v1
metadata:
  name: aws-observability
  labels:
    aws-observability: enabled
```
- the logging ConfigMap (replace `region-code` and `my-logs` with your region and log group name)
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: aws-logging
  namespace: aws-observability
data:
  flb_log_cw: "false" # Set to true to ship Fluent Bit process logs to CloudWatch.
  filters.conf: |
    [FILTER]
        Name parser
        Match *
        Key_name log
        Parser crio
    [FILTER]
        Name kubernetes
        Match kube.*
        Merge_Log On
        Keep_Log Off
        Buffer_Size 0
        Kube_Meta_Cache_TTL 300s
  output.conf: |
    [OUTPUT]
        Name cloudwatch_logs
        Match kube.*
        region region-code
        log_group_name my-logs
        log_stream_prefix from-fluent-bit-
        log_retention_days 60
        auto_create_group true
  parsers.conf: |
    [PARSER]
        Name crio
        Format Regex
        Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>P|F) (?<log>.*)$
        Time_Key time
        Time_Format %Y-%m-%dT%H:%M:%S.%L%z
```