
AWS EKS Study Week 7 - Automation

  • kkumtree

2023-06-10T15:13:19+09:00

The EKS study has reached its final, seventh week.

This time we did a light hands-on with AWS Controllers for Kubernetes (ACK) and Flux
to get a taste of automation.

In addition to the IRSA concept covered earlier, this week also makes use of CRDs (CustomResourceDefinition).

1. Deploying the lab environment

Apart from the YAML file used for the lab having changed, this is similar to week 6.

curl -O https://s3.ap-northeast-2.amazonaws.com/cloudformation.cloudneta.net/K8S/eks-oneclick6.yaml

# the rest is omitted

# CERT_ARN (the ACM certificate) is not stored as an environment variable in /etc/profile,
# so it has to be set again once the session expires

CERT_ARN=`aws acm list-certificates --query 'CertificateSummaryList[].CertificateArn[]' --output text`
echo $CERT_ARN

2. ACK (AWS Controllers for Kubernetes)

  • AWS service resources can be defined and used directly from k8s without touching the web console
  • Order: install the ACK controller -> configure IRSA -> control AWS resources
    • Every service follows the same pattern, but because CloudFormation is used there are waits along the way
  • (23/05/29) GA: 17 services, Preview: 10 services

2-1. S3

  • [Installing the ACK S3 Controller]
# set the service name variable
export SERVICE=s3

# download the helm chart
export RELEASE_VERSION=$(curl -sL https://api.github.com/repos/aws-controllers-k8s/$SERVICE-controller/releases/latest | grep '"tag_name":' | cut -d'"' -f4 | cut -c 2-)
helm pull oci://public.ecr.aws/aws-controllers-k8s/$SERVICE-chart --version=$RELEASE_VERSION
tar xzvf $SERVICE-chart-$RELEASE_VERSION.tgz

# inspect the helm chart
tree ~/$SERVICE-chart

# install the ACK S3 Controller
export ACK_SYSTEM_NAMESPACE=ack-system
export AWS_REGION=ap-northeast-2
helm install --create-namespace -n $ACK_SYSTEM_NAMESPACE ack-$SERVICE-controller --set aws.region="$AWS_REGION" ~/$SERVICE-chart

# verify the installation
helm list --namespace $ACK_SYSTEM_NAMESPACE
kubectl -n ack-system get pods
kubectl get crd | grep $SERVICE

kubectl get all -n ack-system
kubectl get-all -n ack-system
kubectl describe sa -n ack-system ack-s3-controller
  • [IRSA configuration] AmazonS3FullAccess
    • After configuring IRSA, the change has to be applied with a rollout restart
# Create an iamserviceaccount - AWS IAM role bound to a Kubernetes service account
eksctl create iamserviceaccount \
  --name ack-$SERVICE-controller \
  --namespace ack-system \
  --cluster $CLUSTER_NAME \
  --attach-policy-arn $(aws iam list-policies --query 'Policies[?PolicyName==`AmazonS3FullAccess`].Arn' --output text) \
  --override-existing-serviceaccounts --approve

# verify
eksctl get iamserviceaccount --cluster $CLUSTER_NAME
kubectl get sa -n ack-system
kubectl describe sa ack-$SERVICE-controller -n ack-system

# Restart ACK service controller deployment using the following commands.
kubectl -n ack-system rollout restart deploy ack-$SERVICE-controller-$SERVICE-chart

# confirm the Env entries and projected Volume that applying IRSA added to the pod
kubectl describe pod -n ack-system -l k8s-app=$SERVICE-chart

IRSA with override
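As an added check (example code, not from the original post): what the `kubectl describe pod` step above should actually show after the rollout restart, verified programmatically from `kubectl get pod/sa ... -o json` output. The pod and service-account JSON below are constructed samples, and the account id and role name are placeholders.

```python
import json

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
STS_AUDIENCE = "sts.amazonaws.com"


def irsa_findings(pod: dict, sa: dict) -> list[str]:
    """Return problems found; an empty list means the pod carries its IRSA identity."""
    findings = []
    sa_role = sa.get("metadata", {}).get("annotations", {}).get(IRSA_ANNOTATION)
    if not sa_role:
        findings.append(f"service account lacks the {IRSA_ANNOTATION} annotation")
    # The EKS pod identity webhook injects both env vars into every container
    for c in pod["spec"].get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        role = env.get("AWS_ROLE_ARN")
        if role is None:
            findings.append(f"{c['name']}: AWS_ROLE_ARN not injected (pod predates the rollout?)")
        elif sa_role and role != sa_role:
            findings.append(f"{c['name']}: AWS_ROLE_ARN {role} differs from SA annotation {sa_role}")
        if "AWS_WEB_IDENTITY_TOKEN_FILE" not in env:
            findings.append(f"{c['name']}: AWS_WEB_IDENTITY_TOKEN_FILE not injected")
    # ...and mounts a projected service-account token scoped to the STS audience
    if not any(s.get("serviceAccountToken", {}).get("audience") == STS_AUDIENCE
               for v in pod["spec"].get("volumes", [])
               for s in v.get("projected", {}).get("sources", [])):
        findings.append(f"no projected serviceAccountToken with audience {STS_AUDIENCE}")
    return findings


def check(pod_json: str, sa_json: str) -> list[str]:
    return irsa_findings(json.loads(pod_json), json.loads(sa_json))


# Constructed samples (not real cluster output); account id and role name are placeholders
ROLE = "arn:aws:iam::111122223333:role/PLACEHOLDER-ack-s3-controller"
SA_JSON = json.dumps({"metadata": {"name": "ack-s3-controller",
                                   "annotations": {IRSA_ANNOTATION: ROLE}}})
POD_BEFORE = json.dumps({"spec": {"containers": [{"name": "controller", "env": [
    {"name": "AWS_REGION", "value": "ap-northeast-2"}]}], "volumes": []}})
POD_AFTER = json.dumps({"spec": {"containers": [{"name": "controller", "env": [
    {"name": "AWS_REGION", "value": "ap-northeast-2"},
    {"name": "AWS_ROLE_ARN", "value": ROLE},
    {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
     "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}]}],
    "volumes": [{"name": "aws-iam-token", "projected": {"sources": [
        {"serviceAccountToken": {"audience": STS_AUDIENCE, "path": "token"}}]}}]}})

if __name__ == "__main__":
    print("before rollout:", check(POD_BEFORE, SA_JSON))
    print("after rollout: ", check(POD_AFTER, SA_JSON))
```

A pod started before `eksctl create iamserviceaccount` ran reports all three markers missing, which is exactly why the rollout restart step is required.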


© 2025 kkumtree and contributors. All rights reserved.
Licensed under CC BY-NC-ND 4.0