AWS EKS: use Fargate nodes as the pod runtime environment

For greater isolation and convenience, we can use Fargate as the runtime environment for EKS pods: each pod runs in its own isolated compute environment and there are no worker nodes to manage.

Create the EKS Fargate pod execution role

  • named: AmazonEKSFargatePodExecutionRole
  • with a trust policy like the following (replace {accountId} and {clusterName}; the aws:SourceArn condition restricts role assumption to Fargate profiles of this one cluster)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ssm.amazonaws.com",
                    "eks-fargate-pods.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:eks:us-east-1:{accountId}:fargateprofile/{clusterName}/*"
                }
            }
        }
    ]
}
  • attach these AWS managed policies to the Fargate pod execution role:
    • AmazonEKSClusterPolicy
    • AmazonEKSFargatePodExecutionRolePolicy
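A quick way to review a pod execution role's trust policy before (or after) creating it is to check it for the two things that matter here: who may assume it and whether the aws:SourceArn condition actually covers the cluster's Fargate profiles. The checker below is an added example, not part of this page or of any AWS tool; the policy document it parses is the one above with the placeholders filled with fake values, and the `minimal_trust_policy` helper, the finding texts and the ArnLike matching are my own.

```python
import json
import re

FARGATE_SERVICE = "eks-fargate-pods.amazonaws.com"

# Constructed sample: the trust policy from this page with the {accountId} and
# {clusterName} placeholders filled in with obviously fake values.
TRUST_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": ["ssm.amazonaws.com", "eks-fargate-pods.amazonaws.com"]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:eks:us-east-1:111122223333:fargateprofile/example-cluster/*"
                }
            }
        }
    ]
}
""")


def minimal_trust_policy(account_id, region, cluster_name):
    """Least-privilege shape: only the Fargate service, only this cluster's profiles."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": FARGATE_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"ArnLike": {
                "aws:SourceArn": f"arn:aws:eks:{region}:{account_id}:fargateprofile/{cluster_name}/*"
            }},
        }],
    }


def _as_list(value):
    # IAM accepts a single string wherever a list is allowed
    return value if isinstance(value, list) else [value]


def arnlike_to_regex(pattern):
    """ArnLike semantics: * matches any run of characters, ? one character, the rest is literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return "^" + "".join(parts) + "$"


def check_pod_execution_trust(policy, account_id, region, cluster_name):
    """Return a list of findings; an empty list means the trust policy is scoped as expected."""
    findings = []
    # any profile of this cluster must be accepted; other clusters/accounts must not be
    probe_arn = f"arn:aws:eks:{region}:{account_id}:fargateprofile/{cluster_name}/probe-profile"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if FARGATE_SERVICE not in services:
            findings.append(f"{FARGATE_SERVICE} is not a trusted principal")
        for svc in services:
            if svc != FARGATE_SERVICE:
                findings.append(f"extra principal {svc} is allowed to assume the pod execution role")
        patterns = _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn", []))
        if not patterns:
            findings.append("no aws:SourceArn condition: Fargate profiles in any cluster or account could assume the role")
        elif not any(re.match(arnlike_to_regex(p), probe_arn) for p in patterns):
            findings.append("aws:SourceArn does not cover this cluster's Fargate profiles")
    return findings


if __name__ == "__main__":
    for finding in check_pod_execution_trust(TRUST_POLICY, "111122223333", "us-east-1", "example-cluster"):
        print("finding:", finding)
```

Run against the page's policy the checker reports one finding, the additional ssm.amazonaws.com principal; whether that principal is needed is a decision for the cluster owner, but it is worth knowing that the role trusts more than the Fargate service. The same function fed the output of `aws iam get-role` (the AssumeRolePolicyDocument field) checks a role that already exists.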

Create an EKS Fargate profile in the EKS console

Select the EKS cluster, open the Compute tab and add a new Fargate profile:

  • select the Fargate pod execution role created above
  • specify the namespace and, preferably, a pod selector label, for example placed: fargate (only pods that carry every label in the selector are scheduled to Fargate)
  • the namespace can be '*' to match all namespaces

Test that a pod is placed on Fargate

Create the test-fargate namespace first (it must be matched by the profile's namespace selector), then apply this manifest:

apiVersion: v1
kind: Pod
metadata:
  name: test-fargate-pod
  namespace: test-fargate
  labels:
    placed: fargate
spec:
  containers:
  - name: nginx
    image: nginx:latest
    ports:
    - name: http-80
      containerPort: 80
      protocol: TCP
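The profile section above and this test pod both rely on the same rule: a pod goes to Fargate only when its namespace matches a selector's namespace and it carries every label that selector lists, with `*` and `?` wildcards allowed in the selector. The following is an added example (not from this page or from AWS) that mirrors that rule so you can predict placement before applying a manifest; the selector and pod dictionaries are constructed to match the profile and manifest above, and the assumption that wildcards apply to label keys as well as values is mine.

```python
from fnmatch import fnmatchcase

# Constructed: the selector this page's Fargate profile uses, in the shape
# returned by `aws eks describe-fargate-profile` (namespace + labels per selector).
PROFILE_SELECTORS = [
    {"namespace": "test-fargate", "labels": {"placed": "fargate"}},
]

# Constructed: the relevant fields of the test pod manifest above.
TEST_POD = {"namespace": "test-fargate", "labels": {"placed": "fargate"}}


def _wild(pattern, value):
    """Fargate profile selectors accept * (any run) and ? (one character) wildcards."""
    return fnmatchcase(value, pattern)


def selector_matches(selector, namespace, labels):
    """A selector matches when the namespace matches AND every selector label matches a pod label."""
    if not _wild(selector["namespace"], namespace):
        return False
    for key_pattern, value_pattern in selector.get("labels", {}).items():
        if not any(_wild(key_pattern, k) and _wild(value_pattern, v) for k, v in labels.items()):
            return False  # a required label is missing or has a different value
    return True


def lands_on_fargate(selectors, namespace, labels):
    """True if any selector of the profile matches; otherwise the pod stays on EC2 nodes (or Pending)."""
    return any(selector_matches(s, namespace, labels) for s in selectors)


if __name__ == "__main__":
    print("test pod on Fargate:", lands_on_fargate(PROFILE_SELECTORS, **TEST_POD))
    # same label but a namespace the profile does not cover: not scheduled to Fargate
    print("default namespace:", lands_on_fargate(PROFILE_SELECTORS, "default", TEST_POD["labels"]))
```

After `kubectl apply`, `kubectl get pod -n test-fargate -o wide` should show the pod on a node named fargate-ip-… rather than on a managed node. Two placement gotchas follow directly from the matching rule: a pod that matches no selector stays Pending in a cluster without EC2 nodes, and system pods such as CoreDNS in kube-system need their own profile (or a '*' namespace selector) to run in a Fargate-only cluster.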

Setting up logging

EKS Fargate pod logs can be shipped to CloudWatch (or other destinations) through the built-in Fluent Bit log router. It is configured with two objects: first create the aws-observability namespace, then apply the aws-logging ConfigMap in it.

  • the namespace config (the aws-observability: enabled label is what turns the log router on)
kind: Namespace
apiVersion: v1
metadata:
  name: aws-observability
  labels:
    aws-observability: enabled
  • the logging ConfigMap (region-code and my-logs are placeholders for your region and log group)
kind: ConfigMap
apiVersion: v1
metadata:
  name: aws-logging
  namespace: aws-observability
data:
  flb_log_cw: "false"  # Set to true to ship Fluent Bit process logs to CloudWatch.
  filters.conf: |
    [FILTER]
        Name parser
        Match *
        Key_name log
        Parser crio
    [FILTER]
        Name kubernetes
        Match kube.*
        Merge_Log On
        Keep_Log Off
        Buffer_Size 0
        Kube_Meta_Cache_TTL 300s
  output.conf: |
    [OUTPUT]
        Name cloudwatch_logs
        Match   kube.*
        region region-code
        log_group_name my-logs
        log_stream_prefix from-fluent-bit-
        log_retention_days 60
        auto_create_group true
  parsers.conf: |
    [PARSER]
        Name crio
        Format Regex
        Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>P|F) (?<log>.*)$
        Time_Key    time
        Time_Format %Y-%m-%dT%H:%M:%S.%L%z
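The crio parser above is the piece most worth understanding: every line Fargate writes for a container is `<rfc3339nano time> <stdout|stderr> <P|F> <log>`, and the `P`/`F` tag marks whether the runtime split a long line into partial chunks. The script below is an added example, not the page's or Fluent Bit's code; it applies the page's regex (translated from Onigmo's `(?<name>)` to Python's `(?P<name>)`) to constructed sample lines, parses the timestamp the way the Time_Format line describes, and reassembles partial chunks, which the single-line `parser` filter in the ConfigMap does not do on its own.

```python
import re
from datetime import datetime

# The Fluent Bit parser regex from the ConfigMap above, verbatim (Onigmo syntax).
FLUENT_BIT_REGEX = r"^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>P|F) (?<log>.*)$"
# Python spells named groups (?P<name>...), so translate before compiling.
CRI_LINE = re.compile(FLUENT_BIT_REGEX.replace("(?<", "(?P<"))

# Constructed sample lines in CRI log format (what the runtime writes for a container).
SAMPLE_LINES = [
    '2024-05-01T10:15:30.123456789Z stdout F 10.0.1.5 - - [01/May/2024:10:15:30 +0000] "GET / HTTP/1.1" 200 615',
    "2024-05-01T10:15:31.000000001Z stderr P first half of a long line ",
    "2024-05-01T10:15:31.000000002Z stderr F second half",
    "this line is not in CRI format and will not parse",
]

_TS = re.compile(r"^(?P<base>[^.]+)(?:\.(?P<frac>\d+))?(?P<tz>Z|[+-]\d\d:?\d\d)$")


def parse_rfc3339nano(ts):
    """Parse the RFC3339Nano timestamp (Fluent Bit's %Y-%m-%dT%H:%M:%S.%L%z); Python keeps microseconds."""
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts}")
    frac = (m.group("frac") or "0")[:6].ljust(6, "0")  # nanoseconds -> microseconds
    return datetime.strptime(f"{m.group('base')}.{frac}{m.group('tz')}", "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_cri_line(line):
    """Apply the crio parser to one raw line; None for lines the parser would leave unparsed."""
    m = CRI_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = parse_rfc3339nano(rec["time"])
    return rec


def reassemble(records):
    """Join partial (P) chunks into one record ending at the final (F) chunk, as a multiline CRI parser would."""
    out, pending = [], None
    for rec in records:
        if pending is None:
            pending = dict(rec)
        else:
            pending["log"] += rec["log"]
            pending["time"] = rec["time"]  # keep the timestamp of the last chunk
            pending["logtag"] = rec["logtag"]
        if rec["logtag"] == "F":
            out.append(pending)
            pending = None
    return out


if __name__ == "__main__":
    parsed = [parse_cri_line(line) for line in SAMPLE_LINES]
    for line, rec in zip(SAMPLE_LINES, parsed):
        print("unparsed:" if rec is None else f"{rec['stream']}/{rec['logtag']}:", line[:60])
    for rec in reassemble([r for r in parsed if r is not None]):
        print("record:", rec["time"].isoformat(), rec["stream"], repr(rec["log"]))
```

Lines that do not match the regex are still forwarded by Fluent Bit, just without the time/stream/logtag fields, so a sudden drop in parsed fields in CloudWatch is a sign the log format changed rather than that logs stopped. One permission caveat for the cloudwatch_logs output: the pod execution role must also be allowed to write to CloudWatch Logs (the AWS Fargate logging guide attaches a policy with logs:CreateLogStream, logs:CreateLogGroup, logs:DescribeLogStreams and logs:PutLogEvents); the managed policies listed earlier on this page do not grant that, and auto_create_group true in particular needs logs:CreateLogGroup.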