This how-to guide is an example AWS Kubernetes deployment. This is not the only way to deploy a Kubernetes cluster.
Follow your organization's security requirements for Kubernetes clusters.
The following AWS resources are used in this example deployment.
- AWS CLI
- EKSCTL
- AWS S3 Bucket
The AWS Command-Line Interface (CLI) allows you to interact with AWS resources from a terminal or command prompt.
The following instructions use Brew. Note: Instructions for Windows systems will be available soon.
Install curl using Brew.

```bash
# Install Brew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Curl
brew install curl
```

Install the AWS CLI.

```bash
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
```

Confirm the installation by checking the app version.

```bash
aws --version
```
You must authenticate to your AWS account to access AWS resources using the AWS CLI.
This example uses the us-east-1 region. This is the default region for Model Scanner.
Configure the AWS CLI. (Note: This step has you manually entering your data. Using a configuration file may be more secure.)

```bash
aws configure
```

Enter your:

a. AWS Access Key ID
b. AWS Secret Access Key
c. Default Region
d. Default Output Format
- The default bucket name for Model Scanner is hl-modelscan. To change the default bucket name, set the HL_MODEL_SCAN_BUCKET environment variable in the yaml file.
- This example uses the us-east-1 region. This is the default region for Model Scanner.
Create an S3 bucket for Model Scanner.

```bash
aws s3 mb s3://hl-modelscan
```

Create the IAM user. Save the output for later use.

```bash
aws iam create-user --user-name HLModelScanner
```

Run the following command to write an IAM policy document that allows the Model Scanner to access the S3 bucket. Replace `<bucket>` with the S3 bucket name you created earlier. This outputs a file named `hl-modelscanner-s3-policy.json` to the current folder.

```bash
echo -e '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::<bucket>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<bucket>"
    }
  ]
}' > hl-modelscanner-s3-policy.json
```

Attach the IAM policy for the S3 bucket to the previously created user.

Generate access keys for the user.

```bash
aws iam create-access-key --user-name HLModelScanner
```

Save the `AccessKeyId` and `SecretAccessKey` fields from the `aws iam create-access-key` response. They will be used later as the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` when deploying the Model Scanner.
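As an added example (not part of this guide or the Model Scanner project), the script below generates the same single-bucket policy document in Python and checks that it stays scoped to one bucket with no wildcard actions before writing it; unlike the echo command above it grants `s3:ListBucket` only on the bucket ARN, which is the resource IAM evaluates that action against. `hl-modelscan` is the guide's default bucket name; the function names are assumed.

```python
import json
from pathlib import Path

# Object-level actions belong on the object ARN (arn:aws:s3:::<bucket>/*).
OBJECT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"]
# ListBucket is evaluated against the bucket ARN (arn:aws:s3:::<bucket>), not the objects.
BUCKET_ACTIONS = ["s3:ListBucket"]


def build_s3_policy(bucket: str) -> dict:
    """Return a policy document granting only the listed actions on one bucket."""
    if not bucket or any(ch in bucket for ch in "*?"):
        raise ValueError("bucket must be a concrete bucket name, not a pattern")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def policy_is_scoped(policy: dict, bucket: str) -> bool:
    """True only if every Allow statement names this bucket (or its objects) and no action uses '*'."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any("*" in a for a in actions):
            return False
        allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
        if any(r not in allowed for r in resources):
            return False
    return True


def write_policy(bucket: str, path: str = "hl-modelscanner-s3-policy.json") -> str:
    """Write the policy document to disk and return the path written."""
    policy = build_s3_policy(bucket)
    assert policy_is_scoped(policy, bucket)
    Path(path).write_text(json.dumps(policy, indent=2))
    return path


if __name__ == "__main__":
    # hl-modelscan is the guide's default bucket name; constructed sample run.
    print(json.dumps(build_s3_policy("hl-modelscan"), indent=2))
```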
EKSCTL is a command line tool that helps you create an EKS cluster, including the supporting resources for that cluster. It is used for this demonstration to help simplify the process.
The following instructions use Brew. Note: Instructions for Windows systems will be available soon.

Install the Weaveworks Tap and Weaveworks EKSCTL.

```bash
brew tap weaveworks/tap
brew install weaveworks/tap/eksctl
```
Creating an EKS cluster using EKSCTL only requires one command. Replace `<cluster-name>` with the name you want to give the cluster. Replace `<aws-region>` with the region you want to deploy the cluster in. Creating the cluster can take some time.

```bash
eksctl create cluster --name <cluster-name> --region <aws-region>
```

Use the following command to connect your local kubectl instance to your AWS EKS cluster. Replace `<aws-region>` and `<cluster-name>` with the information you used in the previous step.

```bash
aws eks update-kubeconfig --region <aws-region> --name <cluster-name>
```
A default storage class is needed for some of the Model Scanner pods, like the Redis pods. Setting a default storage class allows persistent volume claims to be created without explicitly specifying a storage class.
When creating an EKS cluster using EKSCTL, a GP2 storage class is also created.
Get a list of the StorageClasses in the cluster.

```bash
kubectl get storageclass
```

Make the GP2 storage class the default. This allows pods to be automatically assigned to the storage resource.

```bash
kubectl patch storageclass gp2 -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
```
To use AWS Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster's OIDC issuer URL.
Create an IAM OIDC identity provider for your cluster with the following command. Replace `<aws-region>` with the region you deployed the cluster in. Replace `<cluster-name>` with the name of the cluster.

```bash
eksctl utils associate-iam-oidc-provider --region=<aws-region> --cluster=<cluster-name> --approve
```
The Amazon EBS CSI driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EBS storage for your cluster.
Use the following command to create an IAM role and attach the managed policy to it. Replace `<aws-region>` with the region you deployed the cluster in. Replace `<cluster-name>` with the name of the cluster.

```bash
eksctl create iamserviceaccount \
  --region <aws-region> \
  --name ebs-csi-controller-sa \
  --namespace kube-system \
  --cluster <cluster-name> \
  --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
  --approve \
  --role-only \
  --role-name AmazonEKS_EBS_CSI_DriverRole
```

Create the AWS EBS CSI driver add-on for your EKS cluster, using the role created above. Replace `<cluster-name>` with the name of the cluster.

```bash
eksctl create addon \
  --name aws-ebs-csi-driver \
  --cluster <cluster-name> \
  --service-account-role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/AmazonEKS_EBS_CSI_DriverRole \
  --force
```