Aws

SAML for using Amazon Managed Grafana Workspace (To-Do)

  • kkumtree

2024-11-02T21:43:00+09:00

Because of an Organization issue, using an Amazon Managed Grafana Workspace requires configuring SAML authentication; I will look into this once SAML authentication control is available.

Naturally, with almost four years gone by, the interface I saw differed from the one in Amazon Managed Grafana – Getting Started.

With my current permissions I cannot create an Organization, so I only created a Workspace.
In other words, this amounts to creating the Workspace with very loose permissions.

1. Getting started with a single click

  • Getting Started with a click

amg-workspace

  • μ΄λ¦„λ§Œ μ§“κ³ , λ„˜μ–΄κ°€ λ³΄κ² μŠ΅λ‹ˆλ‹€.

step1-ws-name

Configuring TFC (Terraform Cloud) drift notifications

  • kkumtree

2023-10-15T00:10:33+09:00

After the CloudNet@ Terraform study ended, I took some time to understand drift,
a situation you inevitably face when bringing Terraform into real operations.

Note) Drift Detection in TFC is currently supported in the TFC Plus edition.

1. Understanding the terminology

Honestly, since I first encountered Terraform last year, I had only been hooked on the concept of IaC,
and I had been dismissing the many trial-and-error problems I faced from an operations standpoint as ordinary user error.
While taking part in the study I often heard the word 'drift', and when I looked it up
I realized that a good portion of those situations fell into this category.

(1) Drift?

Looking up the technical meaning of drift for this post, I found that it does not differ much
from the original meaning in driving.

Understanding terraform module

  • kkumtree

2023-10-04T11:24:13+09:00

This week is the last week of the CloudNet@ group study about Terraform.

In this study, my personal goal is to build an AWS architecture with only Terraform and a single tfstate file.

  • Basic knowledge of AWS resources is required.

1. Terraform without Module

Before this, I had already used Terraform to maintain AWS at a production level.
But at that time, our team maintained it in the folder structure used by terraformer:

# example structure

$ tree
.
├── alb
│   ├── lb.tf
│   ├── lb_listener.tf
│   ├── lb_target_group.tf
│   ├── lb_target_group_attachment.tf
│   ├── outputs.tf
│   ├── provider.tf
│   └── variables.tf
├── auto_scaling
│   ├── autoscaling_group.tf
│   ├── launch_template.tf
│   ├── outputs.tf
│   ├── provider.tf
│   └── variables.tf
├── ec2_instance
│   ├── instance.tf
│   ├── outputs.tf
│   ├── provider.tf
│   └── variables.tf
├── eni
│   ├── network_interface.tf
│   ├── outputs.tf
│   └── provider.tf
├── igw
│   ├── internet_gateway.tf
│   ├── outputs.tf
│   ├── provider.tf
│   └── variables.tf
├── nacl
│   ├── default_network_acl.tf
│   ├── outputs.tf
│   ├── provider.tf
│   └── variables.tf
├── route_table
│   ├── main_route_table_association.tf
│   ├── outputs.tf
│   ├── provider.tf
│   ├── route_table.tf
│   ├── route_table_association.tf
│   └── variables.tf
├── s3
│   ├── outputs.tf
│   ├── provider.tf
│   └── s3_bucket.tf
├── sg
│   ├── outputs.tf
│   ├── provider.tf
│   ├── security_group.tf
│   └── variables.tf
├── subnet
│   ├── outputs.tf
│   ├── provider.tf
│   ├── subnet.tf
│   └── variables.tf
└── vpc
    ├── outputs.tf
    ├── provider.tf
    └── vpc.tf

At a glance, this solution looks cool.
But the problems were critical enough to make us wonder, 'why do we have to use Terraform at all?'.

Granting Terraform Cloud permissions with IAM STS

  • kkumtree

2023-09-13T20:54:28+09:00

μ΄λ²ˆμ—λŠ” Terraform Cloudκ°€ μ–Όλ§ˆλ‚˜ 쒋은지 더 μ•Œμ•„λ³΄κΈ° μœ„ν•΄,
μŠ€ν„°λ””μ—μ„œ μ§€μ†μ μœΌλ‘œ μž₯점이 κ°•μ‘°λ˜μ–΄ μ™”λ˜ Terraform Cloud에
IAM STSλ₯Ό μ΄μš©ν•œ κΆŒν•œ λΆ€μ—¬ 도전 및 적용 성곡에 λŒ€ν•΄ 써보렀고 ν•©λ‹ˆλ‹€.

AWS S3 is usually used to store Terraform state,
but as you know, writing to S3 is free while reading it back costs money.
(The electricity is domestic, but the raw material is imported.)

So for the study, every time I ran Terraform
I stored the state locally instead of in S3.
But since I use a laptop outside and a desktop at home,
I wondered whether to store it in a private GitHub repo,
and then decided to try Terraform Cloud instead. (The beginning of the pain.)

AWS EKS Study Week 7 - Automation

  • kkumtree

2023-06-10T15:13:19+09:00

The EKS study has reached its final week, week 7.

μ΄λ²ˆμ—λŠ” AWS Controller for k8s(ACK)와 fluxλ₯Ό κ°€λ³κ²Œ μ‹€μŠ΅ν•΄λ³΄κ³ 
μžλ™ν™”μ— λŒ€ν•΄ 맛보기λ₯Ό ν•΄λ³΄μ•˜μŠ΅λ‹ˆλ‹€.

In addition to the IRSA concept we studied earlier, this uses CRDs (CustomResourceDefinitions).

1. Deploying the lab environment

Apart from the changed lab YAML file, this is the same as week 6.

curl -O https://s3.ap-northeast-2.amazonaws.com/cloudformation.cloudneta.net/K8S/eks-oneclick6.yaml

# μ΄ν•˜ μ€‘λž΅

# CERT_ARN (ACM) is not saved as an environment variable in /etc/profile,
# so it must be set again once the session expires

CERT_ARN=`aws acm list-certificates --query 'CertificateSummaryList[].CertificateArn[]' --output text`
echo $CERT_ARN

2. ACK(AWS Controller for k8s)

  • AWS service resources can be defined and used directly from k8s, without touching the web console
  • Order: install the ACK controller -> configure IRSA -> control AWS resources
    • Each service follows the same pattern, but since CloudFormation is used there are waits along the way
  • (23/05/29) GA: 17 services, Preview: 10 services

2-1. S3

  • [Installing the ACK S3 Controller]
# set the service name variable
export SERVICE=s3

# download the helm chart
export RELEASE_VERSION=$(curl -sL https://api.github.com/repos/aws-controllers-k8s/$SERVICE-controller/releases/latest | grep '"tag_name":' | cut -d'"' -f4 | cut -c 2-)
helm pull oci://public.ecr.aws/aws-controllers-k8s/$SERVICE-chart --version=$RELEASE_VERSION
tar xzvf $SERVICE-chart-$RELEASE_VERSION.tgz

# inspect the helm chart
tree ~/$SERVICE-chart

# install the ACK S3 Controller
export ACK_SYSTEM_NAMESPACE=ack-system
export AWS_REGION=ap-northeast-2
helm install --create-namespace -n $ACK_SYSTEM_NAMESPACE ack-$SERVICE-controller --set aws.region="$AWS_REGION" ~/$SERVICE-chart

# verify the installation
helm list --namespace $ACK_SYSTEM_NAMESPACE
kubectl -n ack-system get pods
kubectl get crd | grep $SERVICE

kubectl get all -n ack-system
kubectl get-all -n ack-system
kubectl describe sa -n ack-system ack-s3-controller
  • [IRSA setup] AmazonS3FullAccess
    • After configuring, a rollout restart is needed for it to take effect
# Create an iamserviceaccount - AWS IAM role bound to a Kubernetes service account
eksctl create iamserviceaccount \
  --name ack-$SERVICE-controller \
  --namespace ack-system \
  --cluster $CLUSTER_NAME \
  --attach-policy-arn $(aws iam list-policies --query 'Policies[?PolicyName==`AmazonS3FullAccess`].Arn' --output text) \
  --override-existing-serviceaccounts --approve

# verify
eksctl get iamserviceaccount --cluster $CLUSTER_NAME
kubectl get sa -n ack-system
kubectl describe sa ack-$SERVICE-controller -n ack-system

# Restart ACK service controller deployment using the following commands.
kubectl -n ack-system rollout restart deploy ack-$SERVICE-controller-$SERVICE-chart

# confirm that IRSA added the env vars and the projected volume
kubectl describe pod -n ack-system -l k8s-app=$SERVICE-chart

IRSA with override

AWS EKS Study Week 6 - Security

  • kkumtree

2023-06-04T06:56:52+09:00

μ΄λ²ˆμ—λŠ” λ³΄μ•ˆμ„ μœ„ν•œ 인증 및 인가, 그리고 IRSAλ₯Ό μ€‘μ‹¬μœΌλ‘œ EKS의 λ³΄μ•ˆμ— λŒ€ν•΄ ν•™μŠ΅ν•΄λ³΄μ•˜μŠ΅λ‹ˆλ‹€.

I did not really understand this during the kops study, but going back over it, it is not just RBAC…

  • [4-1] projected Volume
  • [4-2] AWS Load Balancer Controller IRSA and LB Pod mutating

I found that these two made up the important parts.
Whereas with Network (week 2) some part was always a bit puzzling,
Security looked simple in theory (really?) on review,
but I could not grasp how it actually works at first, and it took me about three days, which made it harder.

Other notes

  1. When connecting to myeks-bastion-2, I saw it connect fine with ssh {Public IP} during the group session, but when I did it alone it would not connect.
    • On Amazon Linux you must connect with ssh ec2-user@{Public IP}
      (including the ssh key if needed)
    • For the Ubuntu AMI provided as an AWS public AMI,
      connect with ubuntu@{Public IP}
    • Guess: some other setting on the shared machine is presumably the issue. ssh failure 1 ssh failure 2
  2. It is more convenient to delete the IAM user (testuser) from the web console.
    • Otherwise, run the following in order, detaching things first.
      • list-attached-role-policies && detach-role-policy
      • list-access-keys && delete-access-key
      • delete-user delete user with cli
  3. Querying the IAM trust relationship from the CLI
    • I wondered whether I really had to go into the web console, tried it out of curiosity, and lost a lot of time.
    • Conclusion: hardcore parsing..
      • jq -r '.[].status.roleARN' | rev | cut -d '/' -f1 | rev
      • ChatGPT suggested the correction below, but I am not satisfied with it..
        jq -r '.[].status.roleARN' | grep -oE '[^/]+$'
        iam trust relationship with cli

1. Deploying the lab environment

  • Deploy an environment with two bastion servers for a simulated-attack(?) test
  • Prometheus and Grafana are optional, so their deployment is not described here
curl -O https://s3.ap-northeast-2.amazonaws.com/cloudformation.cloudneta.net/K8S/eks-oneclick5.yaml

# μ΄ν•˜ μ€‘λž΅

# CERT_ARN (ACM) is not saved as an environment variable in /etc/profile,
# so it must be set again once the session expires

CERT_ARN=`aws acm list-certificates --query 'CertificateSummaryList[].CertificateArn[]' --output text`
echo $CERT_ARN

2. k8s authentication/authorization

  • Based on the .kube/config file
    • clusters: connection information for the k8s API server
    • users: the list of user credentials used to connect to the API server
    • contexts: mappings (combinations) of a cluster and a user

kubeconfig

AWS EKS Study Week 5 - Autoscaling

  • kkumtree

2023-05-22T19:23:37+09:00

This week focused on autoscaling, covering horizontal and vertical provisioning.
At the end we separately tried Karpenter, a high-performance autoscaler. In particular..

  • Applying HPA custom metrics

  • I also share how I forgot that the YAML settings were tuned for CPU and mispredicted the provisioning.

  • AutoScaling

    • HPA: Horizontal Pod Autoscaler
    • VPA: Vertical Pod Autoscaler
    • CA: Cluster Autoscaler
      • CSP-dependent; autoscaling at the worker node level

1. Deploying the lab environment

  • Deploy week 4's initial setup plus Prometheus and Grafana
    • Enable verticalPodAutoscaler
    • Recommended dashboards: 15757, 17900, 15172
curl -O https://s3.ap-northeast-2.amazonaws.com/cloudformation.cloudneta.net/K8S/eks-oneclick4.yaml

# μ΄ν•˜ μ€‘λž΅

## Install Prometheus & Grafana

# μΈμ¦μ„œ ARN
CERT_ARN=`aws acm list-certificates --query 'CertificateSummaryList[].CertificateArn[]' --output text`
echo $CERT_ARN

# create the values file and deploy
cat <<EOT > monitor-values.yaml
prometheus:
  prometheusSpec:
    podMonitorSelectorNilUsesHelmValues: false
    serviceMonitorSelectorNilUsesHelmValues: false
    retention: 5d
    retentionSize: "10GiB"

  verticalPodAutoscaler:
    enabled: true

  ingress:
    enabled: true
    ingressClassName: alb
    hosts: 
      - prometheus.$MyDomain
    paths: 
      - /*
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
      alb.ingress.kubernetes.io/certificate-arn: $CERT_ARN
      alb.ingress.kubernetes.io/success-codes: 200-399
      alb.ingress.kubernetes.io/load-balancer-name: myeks-ingress-alb
      alb.ingress.kubernetes.io/group.name: study
      alb.ingress.kubernetes.io/ssl-redirect: '443'

grafana:
  defaultDashboardsTimezone: Asia/Seoul
  adminPassword: prom-operator

  ingress:
    enabled: true
    ingressClassName: alb
    hosts: 
      - grafana.$MyDomain
    paths: 
      - /*
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
      alb.ingress.kubernetes.io/certificate-arn: $CERT_ARN
      alb.ingress.kubernetes.io/success-codes: 200-399
      alb.ingress.kubernetes.io/load-balancer-name: myeks-ingress-alb
      alb.ingress.kubernetes.io/group.name: study
      alb.ingress.kubernetes.io/ssl-redirect: '443'

defaultRules:
  create: false
kubeControllerManager:
  enabled: false
kubeEtcd:
  enabled: false
kubeScheduler:
  enabled: false
alertmanager:
  enabled: false
EOT

kubectl create ns monitoring
helm install kube-prometheus-stack prometheus-community/kube-prometheus-stack --version 45.27.2 \
--set prometheus.prometheusSpec.scrapeInterval='15s' --set prometheus.prometheusSpec.evaluationInterval='15s' \
-f monitor-values.yaml --namespace monitoring

# deploy metrics-server
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

1-1. Installing EKS Node Viewer

  • A dashboard that shows the resource requests of pods
    • Visualizes the allocatable capacity of each node
  • It shows requested resources (CPU, memory), not actual usage
  • Installing Go and the viewer on the lab stack takes a while (about 5 minutes)
  • As will also come up in the Karpenter lab, it can only be used after EKS has been built.
# install go and EKS Node Viewer
yum install -y go
go install github.com/awslabs/eks-node-viewer/cmd/eks-node-viewer@latest

# run EKS Node Viewer
tree ~/go/bin
cd ~/go/bin && ./eks-node-viewer

## EKS Node Viewer command samples
# Display both CPU and Memory Usage
./eks-node-viewer --resources cpu,memory

# Karpenter nodes only
./eks-node-viewer --node-selector "karpenter.sh/provisioner-name"

# Display extra labels, i.e. AZ
./eks-node-viewer --extra-labels topology.kubernetes.io/zone

# Specify a particular AWS profile and region
AWS_PROFILE=myprofile AWS_REGION=ap-northeast-2

## default option environment variables
# select only Karpenter managed nodes
node-selector=karpenter.sh/provisioner-name

# display both CPU and memory
resources=cpu,memory

EKS node viewer

AWS EKS Study Week 4 - Observability

  • kkumtree

2023-05-21T06:13:52+09:00

This week's study covered observability.
It centered on applying and using resource monitoring tools.

By the way, I was startled to see some metric names change in k8s 1.26
(etcd_db_total_size_bytes was replaced by apiserver_storage_db_total_size_in_bytes).
Also, with kubecost, volume data remained even after the CloudFormation stack was removed, so it had to be deleted separately.

1. Deploying the lab environment

  • Includes NAT gateway, EBS addon, IAM role, IRSA for LB/EFS, PreCommand
  • Nodes: t3.xlarge
    • t3a.xlarge (AMD) is not supported in Seoul region AZ b (ap-northeast-2b)
  • More values are provided, so creation takes longer (within about 20 minutes)
curl -O https://s3.ap-northeast-2.amazonaws.com/cloudformation.cloudneta.net/K8S/eks-oneclick3.yaml

# μ΄ν•˜ μƒλž΅, 3μ£Όμ°¨ μ°Έκ³ 

cloudformation

Changing the bastion CIDR with aws-cli

  • kkumtree

2023-05-18T21:36:19+09:00

0. Summary

aws ec2 describe-security-groups 
aws ec2 modify-security-group-rules 

1. Background

intro

Two weeks ago I had posted a question like this.
Of course there was no reason not to change it, but I was not confident this was the right way, so I asked for opinions,
and got confirmation that it was.

And today… since I was working from two different cafes it was a bit of a hassle, and I tried to do it from the AWS web console.

But the page load timed out only on the SG page,
so I could not even find the relevant ID, let alone edit it.

AWS EKS Study Week 3 - Storage

  • kkumtree

2023-05-12T05:36:38+09:00

This week we did hands-on work with storage. It was covered in the previous kOps study, but I wrote this while filling in what was lacking.

The main points are…

  • Labeling with NodeAffinity
  • For the AWS EBS controller, use an AWS managed policy
  • Volume backups via the AWS Volume Snapshots Controller
  • Dynamic provisioning with the AWS EFS controller
  • Creating a new AWS EKS node group

Separately, note that kube-ops-view takes some time before it can be viewed in the browser.

1. Deploying the lab environment

  • Pre-deploy what we practiced in week 2
    1. AWS LB
    2. ExternalDNS
    3. kube-ops-view
  • Rename the context
    • Until last time, pkos kept showing up in the context name; a nickname can be set separately
  • CloudFormation for creating EFS has been added
# lab YAML file
curl -O https://s3.ap-northeast-2.amazonaws.com/cloudformation.cloudneta.net/K8S/eks-oneclick2.yaml

# create the CloudFormation stack
aws cloudformation deploy --template-file eks-oneclick2.yaml --stack-name myeks --parameter-overrides KeyName=aews SgIngressSshCidr=$(curl -s ipinfo.io/ip)/32  MyIamUserAccessKeyID=AKIA5... MyIamUserSecretAccessKey=CVNa2... ClusterBaseName=myeks --region ap-northeast-2

ssh -i ~/.ssh/aews.pem ec2-user@$(aws cloudformation describe-stacks --stack-name myeks --query 'Stacks[*].Outputs[0].OutputValue' --output text)

# switch to the default namespace
kubectl ns default

# (optional) rename the context
NICK=kkumtree
kubectl ctx
kubectl config rename-context [email protected] $NICK@myeks

# check EFS: also verify EFS in the AWS management console
EfsFsId=$(aws efs describe-file-systems --query 'FileSystems[*].FileSystemId' --output text)
echo $EfsFsId
mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport $EfsFsId.efs.ap-northeast-2.amazonaws.com:/ /mnt/myefs
df -hT --type nfs4
mount | grep nfs4
echo "Test efs exist with file " > /mnt/myefs/memo.txt
cat /mnt/myefs/memo.txt
rm -f /mnt/myefs/memo.txt

# check storage classes and CSI nodes
kubectl get sc
kubectl get sc gp2 -o yaml | yh
kubectl get csinodes

# check node information
kubectl get node --label-columns=node.kubernetes.io/instance-type,eks.amazonaws.com/capacityType,topology.kubernetes.io/zone
eksctl get iamidentitymapping --cluster myeks

# get node IPs and set the private IP variables
N1=$(kubectl get node --label-columns=topology.kubernetes.io/zone --selector=topology.kubernetes.io/zone=ap-northeast-2a -o jsonpath={.items[0].status.addresses[0].address})
N2=$(kubectl get node --label-columns=topology.kubernetes.io/zone --selector=topology.kubernetes.io/zone=ap-northeast-2b -o jsonpath={.items[0].status.addresses[0].address})
N3=$(kubectl get node --label-columns=topology.kubernetes.io/zone --selector=topology.kubernetes.io/zone=ap-northeast-2c -o jsonpath={.items[0].status.addresses[0].address})
echo "export N1=$N1" >> /etc/profile
echo "export N2=$N2" >> /etc/profile
echo "export N3=$N3" >> /etc/profile
echo $N1, $N2, $N3

# get the node security group ID
NGSGID=$(aws ec2 describe-security-groups --filters Name=group-name,Values=*ng1* --query "SecurityGroups[*].[GroupId]" --output text)
aws ec2 authorize-security-group-ingress --group-id $NGSGID --protocol '-1' --cidr 192.168.1.100/32

# SSH into the worker nodes
ssh ec2-user@$N1 hostname
ssh ec2-user@$N2 hostname
ssh ec2-user@$N3 hostname

# install tools on the nodes
ssh ec2-user@$N1 sudo yum install links tree jq tcpdump sysstat -y
ssh ec2-user@$N2 sudo yum install links tree jq tcpdump sysstat -y
ssh ec2-user@$N3 sudo yum install links tree jq tcpdump sysstat -y

# install the AWS LB controller and ExternalDNS
helm repo add eks https://aws.github.io/eks-charts
helm repo update
helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=$CLUSTER_NAME \
  --set serviceAccount.create=false --set serviceAccount.name=aws-load-balancer-controller

# ExternalDNS
MyDomain=awskops.click
MyDnzHostedZoneId=$(aws route53 list-hosted-zones-by-name --dns-name "${MyDomain}." --query "HostedZones[0].Id" --output text)
echo $MyDomain, $MyDnzHostedZoneId
curl -s -O https://raw.githubusercontent.com/gasida/PKOS/main/aews/externaldns.yaml
MyDomain=$MyDomain MyDnzHostedZoneId=$MyDnzHostedZoneId envsubst < externaldns.yaml | kubectl apply -f -

1-1. kube-ops-view

  • A tool for visually viewing the current state of k8s
  • I thought it was not working, but the viewer simply takes time to come up.

1-kube-ops-view


kkumtree

Source code on GitHub

© 2025 kkumtree and contributors All rights reserved.
Licensed under
CC BY-NC-ND 4.0