🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com
👉 [UPDATED] AWS EKS Kubernetes Tutorial [NEW]: ruclips.net/p/PLiMWaCMwGJXnKY6XmeifEpjIfkWRo9v2l&si=wc6LIC5V2tD-Tzwl
If I want to be honest, I have to say these series are more than exceptional. They are fabulous, and I'm so appreciative of them. Thank you so much
Glad you enjoy it!
@@AntonPutra You are such a wonderful person. Please keep up your good work; I am sure that, like me, there will be more people who admire your work and appreciate your greatness.
Great implementation, Anton. Very clean. After watching your video I refactored a legacy implementation of an EKS that was based on terraform-aws-modules/eks/aws. Your approach is better in several ways.
Thanks Lawrence! I have an updated video - ruclips.net/video/MZyrxzb7yAU/видео.html and the code is available in this repo - github.com/antonputra/tutorials/tree/main/lessons/102
Wow, this is the best tutorial I have seen on Terraform EKS without modules. Love your work 👍 ❤
Thanks Segun!
Very nice explanations and straight to the point! Thank you. I have a doubt: usually systems are accessed by the public through an internet gateway and public-facing load balancers. My doubt is who (which services) will be using internal load balancers. Please give an example.
Usually, in large enterprises, you have multiple workloads running in different places. They can run on Mesos, as standalone services on VMs, as data pipelines, or even in separate k8s clusters. Frequently they all need to communicate; that's where internal load balancers can help you.
Bro! Great project! I am learning DevOps now and this was a great start for one of my pet projects. Your explanations could be a bit more detailed, as this is for beginners if I am not mistaken, but anyway, this series of videos paired with coding along and lots of googling made me learn a lot! Thank you, subscribed! :)
Thanks Gergely for the feedback!
Anton, it's a really superb video.
Thanks!
Anton, could you create a video for Zookeeper + Kafka with an AKS cluster, please?
Hi there big brother, Merry Xmas.
I saw your content on the channel and I am impressed.
I am currently learning the below topics:
Doubling test execution speed every 3 months
Reducing the MTTF for server infrastructure to >= 90 days
Building a multi-tenant infrastructure supporting >=1000 concurrent clients
Reducing server infrastructure needs by 50% every 6 months
Addressing 100% of DevOps provisioning & post production monitoring needs via APIs on AWS.
It would be great if these could be converted into a video.
Thank you Shivam! Currently, trying to deliver on my other promised videos, but I will definitely add it to my list! :)
Anton, you've got one of the best series on Terraform and EKS. Let's say I want to create 3 different infrastructures (dev, QA, prod); how should I go about achieving this? Thank you so much!
The general approach would be to create terraform "modules" based on your terraform code and call those modules from different environments (dev, qa, prod). The project structure may look like this:
environments/
- dev
- qa
- prod
modules/
- vpc
- eks
I'm planning to create a video soon on terraform best practices and project structures. There is no single approach that will fit every team.
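As an added illustration of the layout above (this is not code from the video or the lessons repo), here is what environments/dev/main.tf could look like when it calls the two modules. The module paths, input variable names (vpc_cidr, private_subnet_ids, node_instance_type, ...) and outputs are assumptions about how the tutorial's vpc and eks code might be wrapped; qa and prod would contain the same two module calls with different inputs.

```hcl
# environments/dev/main.tf (added example; module inputs/outputs are assumed names)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  # Each environment keeps its own state, so a dev apply can never touch prod.
  # backend "s3" { ... }   # bucket/key per environment
}

provider "aws" {
  region = "us-east-1"
}

locals {
  env = "dev"
}

# Same module for every environment; only the inputs differ.
module "vpc" {
  source = "../../modules/vpc"   # relative path into modules/vpc

  name     = "${local.env}-vpc"
  vpc_cidr = "10.0.0.0/16"        # assumed module input; prod would use another CIDR
}

module "eks" {
  source = "../../modules/eks"

  cluster_name       = "${local.env}-eks"
  cluster_version    = "1.27"
  private_subnet_ids = module.vpc.private_subnet_ids   # assumed output of the vpc module
  node_instance_type = "t3.small"                      # prod passes a larger type and count
  node_desired_size  = 1
}

output "cluster_name" {
  value = module.eks.cluster_name
}
```

The separate state backend per environment is the part that matters most for safety: with one backend per directory, credentials and state for dev and prod stay apart even though the module code is shared.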
@@AntonPutra Yes, if that's possible based on your timeline. I'm looking forward to it! And thank you. Keep it up!
Also, if you could make a video that covers how to configure the EKS cluster with Ansible, that'd be a huge help! Thank you.
My favourite DevOps guy along with javatechie!
❤
Excellent Explanation, Really great job!
Thank you Kavindu!
Very well explained, I became a big fan of yours! Thank you so much. BTW, a question for you: let's say I want to use a custom image other than AL2_x86_64; how can I do that? How do I pass a custom AMI ID?
You need to use an unmanaged instance group: clone the github.com/awslabs/amazon-eks-ami repo and build an image. Here is a tutorial - aws.amazon.com/premiumsupport/knowledge-center/eks-custom-linux-ami/. Then you would need to create a launch_template and specify your AMI ID there. registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
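An added example (not from the video or the lessons repo) of the launch_template route described in the reply: an aws_launch_template that pins the AMI built from amazon-eks-ami, referenced from an aws_eks_node_group. The AMI ID, cluster name, role ARN and subnet IDs are placeholders. With a custom AMI, EKS does not inject its own bootstrap user data, so the template has to call /etc/eks/bootstrap.sh itself.

```hcl
# Added example: managed node group booting from a custom AMI via a launch template.
# ami-/subnet-/role values are placeholders; the cluster is assumed to exist already.

data "aws_eks_cluster" "this" {
  name = "eks"   # assumed cluster name
}

resource "aws_launch_template" "custom" {
  name_prefix = "eks-custom-"
  image_id    = "ami-0123456789abcdef0"   # placeholder: AMI built from amazon-eks-ami

  # For a custom AMI the user data is a plain script (no MIME multipart needed);
  # bootstrap.sh joins the node to the cluster without extra API lookups when
  # endpoint and CA are passed in.
  user_data = base64encode(<<-EOT
    #!/bin/bash
    set -o xtrace
    /etc/eks/bootstrap.sh ${data.aws_eks_cluster.this.name} \
      --apiserver-endpoint ${data.aws_eks_cluster.this.endpoint} \
      --b64-cluster-ca ${data.aws_eks_cluster.this.certificate_authority[0].data}
  EOT
  )

  metadata_options {
    http_tokens                 = "required"   # IMDSv2 only
    http_put_response_hop_limit = 1            # pods cannot reach the node's instance credentials
  }

  tag_specifications {
    resource_type = "instance"
    tags          = { Name = "eks-custom-node" }
  }
}

resource "aws_eks_node_group" "custom" {
  cluster_name    = data.aws_eks_cluster.this.name
  node_group_name = "nodes-custom"
  node_role_arn   = "arn:aws:iam::123456789012:role/eks-node-group"   # placeholder
  subnet_ids      = ["subnet-0123456789abcdef0"]                      # placeholder private subnets

  # Do not set ami_type, disk_size or remote_access here: with a custom image in
  # the launch template those arguments conflict and the API rejects the request.
  launch_template {
    id      = aws_launch_template.custom.id
    version = aws_launch_template.custom.latest_version
  }

  scaling_config {
    desired_size = 1
    min_size     = 1
    max_size     = 2
  }
}
```

If the nodes never join after this change, the bootstrap call is the first thing to check on the instance (the script logs to the system journal); a missing or mistyped cluster name there produces exactly the NodeCreationFailure reported further down this thread.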
Bless you sir! (Thanks)
thanks Evgeni =)
Any chance you can do a video on security groups and a second video deploying an EC2 instance? I did not notice you creating an SSH key pair anywhere that we can associate with the EKS cluster or with EC2 instances.
Sure, like creating EC2 instances + security groups + key pairs? Without autoscaling groups, I guess.
Excellent videos Anton. you got a new subscriber :-)
Awesome, thank you!
@@AntonPutra Can you do a production-grade video on how to deploy containers in a Kubernetes cluster using the CI/CD tool Jenkins? Thanks
Hi Anton, this is one of the best videos on EKS. Could you please let me know what parameters I need to specify if I wanted to have a mixed instance group, like on-demand and spot instances, under capacity_type?
To be honest, I can't remember off the top of my head. For sure, you can create two instance groups, on-demand and spot, using this parameter - github.com/antonputra/tutorials/blob/main/lessons/038/terraform/eks-node-groups.tf#L95
Great videos !! Are there some good examples of the AWS EKS module for IAM?
Thank you, I'll see if I can find any, but I have a video on how to add IAM roles/users to the EKS cluster if you are interested - ruclips.net/video/aIpHYYcR7oU/видео.html
@@AntonPutra Thanks !!
Hi, awesome video. I have been following you for a long time and really like all the stuff you share. I am just stuck on creating a service account through Terraform for EKS, as I have to manually do kubectl apply -f serviceaccount.yaml for the load balancer (EKS). How can I automate this part? I will appreciate it if you can provide some knowledge.
Please use the kubectl Terraform provider for that.
Playlist: ruclips.net/p/PLiMWaCMwGJXkeBzos8QuUxiYT6j8JYGE5
⏱️TIMESTAMPS⏱️
0:00 Intro
0:47 Create IAM Role for EKS Cluster
2:00 Attach AmazonEKSClusterPolicy to EKS Role
3:08 Create AWS EKS Cluster
5:40 Create IAM Role for EKS Node Group
6:42 Attach AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, and AmazonEC2ContainerRegistryReadOnly to EKS Node Group IAM Role
8:06 Create AWS EKS Node Group
11:08 Run Terraform Commands to Create AWS EKS Cluster
12:26 Connect to EKS Cluster
14:35 Deploy Sample Application to EKS Cluster
15:20 Expose Kubernetes Service with Private Load Balancer
20:35 Expose Kubernetes Service with Public Load Balancer
Hi Anton,
Thanks again for all this valuable information!
I managed to install all resources using Terraform. The only problem is that when launching kubectl apply -f app.yaml the load balancers are not created, and an error shows up:
Warning SyncLoadBalancerFailed 27s service-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::680137726026:assumed-role/eks-cluster/1619638328121329618 is not authorized to perform: ec2:DescribeAccountAttributes
status code: 403, request id: 0dbca513-39ac-4a77-a002-18e16b245375"
Any idea?
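The denied principal in that message is the cluster role (eks-cluster) and the action is ec2:DescribeAccountAttributes, which is part of the AmazonEKSClusterPolicy managed policy that the video attaches at 2:00. The control plane needs it (together with the elasticloadbalancing actions in the same policy) to create the load balancer for a Service of type LoadBalancer, so the first thing to verify is that the attachment really landed on that role. As an added reference (not the video's or the repo's code; the cluster name and subnet IDs are placeholders), this is the role, trust policy and attachment a working setup contains:

```hcl
# Added example: EKS cluster role with AmazonEKSClusterPolicy attached.
# Role name matches the error above; subnet IDs are placeholders.

data "aws_iam_policy_document" "eks_cluster_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["eks.amazonaws.com"]   # only the EKS control plane may assume this role
    }
  }
}

resource "aws_iam_role" "eks_cluster" {
  name               = "eks-cluster"
  assume_role_policy = data.aws_iam_policy_document.eks_cluster_trust.json
}

# AmazonEKSClusterPolicy grants ec2:DescribeAccountAttributes and the
# elasticloadbalancing:* actions used when a Service of type LoadBalancer is
# created. If this attachment is missing, or points at a different role, the
# service-controller fails with the AccessDenied shown above.
resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
  role       = aws_iam_role.eks_cluster.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
}

resource "aws_eks_cluster" "this" {
  name     = "eks"
  role_arn = aws_iam_role.eks_cluster.arn

  vpc_config {
    subnet_ids = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]   # placeholders
  }

  # Ensure the policy is attached before the control plane starts using the role.
  depends_on = [aws_iam_role_policy_attachment.eks_cluster_policy]
}
```

To check the live state rather than the code, `aws iam list-attached-role-policies --role-name eks-cluster` should list AmazonEKSClusterPolicy; if it does and the error persists, look next at service control policies or a permissions boundary on the account, since those can deny an action the managed policy allows.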
Hi, Anton! I've made the EKS cluster with Terraform. What's the common practice about creating internal Kubernetes resources like Deployments, Ingress, etc? Do I have to do it with Terraform, or kubectl would be better choice? Thanks!
We follow the GitOps approach; we keep everything under git. I would suggest taking a look at Flux.
Hey Anton! This video series is excellent and I have one question. How can we set up the AWS Load Balancer Controller for this cluster, enable ALB ingress for the sample application you have deployed, and add path-based routing to it?
Hey, well, you can deploy the nginx ingress controller and use an NLB (network load balancer); you don't need an ALB (application load balancer, L7) for that. Just configure the ingress resource to point to that service.
@@AntonPutra Can you please share a tutorial on setting up path-based ingress with an NLB?
@@ruwanvimukthimettananda7847 I'll make one shortly :)
Thanks!
Thank you so much Ryan!
Hey, Anton, thank you for the amazing video series. I have learned a lot from you :) Hopefully, there will be some videos about bastion hosts, ACM, Route 53, etc., or maybe even more components you can think of for the cluster.
I have a question though. I understand why we need an external load balancer, because when traffic comes in, it will distribute it to different nodes if you have multiple worker nodes. But I don't understand why we need an internal LB. Our worker node(s) are all in a private subnet, and our private subnets only accept traffic from the corresponding public subnets; that should be enough, right?
Am I missing any key points here?
Thank you. Usually, companies don't have a single Kubernetes cluster to serve all their needs. Most likely you would get legacy services deployed on VMs, or even streaming frameworks such as Storm, Flink, etc. may need to access a service in k8s. In that case you would expose it using an internal load balancer. Even if you have multiple k8s clusters, which most companies have, you would again use an internal LB.
@@AntonPutra I see your points. So basically you are saying that all internal services will need to talk to each other for some framework or infrastructure.
If I have multiple k8s clusters, wouldn't it be safer to make another VPC and do VPC peering so each cluster doesn't impact the other? And if that's the case, I don't think an internal LB would be much help, because it can only be used in one cluster.
Another question: based on what I know about k8s, if it's on a public cloud service like AWS, when you spin up a pod with an Ingress resource, AWS will spin up a load balancer for you. In that case, do I still need an external load balancer?
After watching your videos, I will try to spin up some bastion hosts and make the external load balancer route traffic to the bastion hosts first, and then to the worker nodes in the private subnets.
I don't think that VPC peering is a wise solution here; you will be charged for data transfer between VPCs and you would still create an internal load balancer, otherwise what's the point of VPC peering at all?
If you use ingress, you share a single load balancer for k8s.
Instead of a bastion, take a look at AWS Session Manager, which is a better solution; by the way, I have a video :)
@@AntonPutra Right, I understand I will be charged more for data transfer between VPCs. I'm sorry, I might be confused a bit. When you mentioned an internal load balancer, did you mean an LB for 2 or more VPCs? Like if I have 2 VPCs, there will be an LB for these VPCs? If that's the case, wouldn't you have an external LB outside of the 2 VPCs instead of an internal one?
I tried to picture what you mean, and it's a bit hard without seeing a topology :(
I will watch how you handle SSH using Session Manager instead of a bastion host :)
@@chengjohnny5228 An internal load balancer means that it will get only a private IP address and can be accessed only from the VPC. The point of VPC peering is to route traffic between them using private IPv4 addresses. In that case you don't need a public load balancer (with a public IP address).
Hey Anton! The EKS cluster is created, but the problem is that my kubectl is not working. Do I have to install it manually?
Yes, you need to install it separately, you can follow instructions for your OS here - kubernetes.io/docs/tasks/tools/
@@AntonPutra Thanks, my cluster is working. I would like to add an S3 bucket to it; can you guide me on how I can do that?
How do you use this tutorial with an ingress controller? Do you point the external load balancer to an ingress controller?
Yes, when you set up an ingress controller, k8s will provision a load balancer. Then you can create a CNAME record to point to your ingress.
Hello Anton, clean and excellent tutorials, thank you so much for these videos. I have followed your other videos and built an EKS cluster. However, I am unable to execute the command "aws eks update-kubeconfig --region eu-west-1 --name clustername --profile ??" as my Terraform is running in an AWS CodePipeline CI/CD pipeline. Is there any way to find out the profile and execute this command? Your help is much appreciated. Thank you
Thanks Vamsi, the key here is to use the same user that created the EKS cluster. You don't have to use "--profile"; you can just use the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY that belong to that user. The process will be different if you used an IAM role to create the EKS cluster.
@@AntonPutra Thank you for the reply, Anton. Yeah, I am using an IAM role in Account A to create the cluster in Account B, and struggling to create the kubeconfig because of permission issues. If the IAM role which creates the cluster assumes a role in the other account which has the eksadmin policy, would that be sufficient?
@@vamsigomatam4673 If your user can assume that role, or you have access to that instance profile, it should not be an issue. Try to troubleshoot - aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/
@@AntonPutra Thanks much, Anton, will check, and once again thank you for all the videos, they really help a lot.
@@vamsigomatam4673 Let me know what went wrong when you resolve it :)
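The point of this thread is that the identity which ran terraform apply is the one EKS treats as the cluster creator, and it is also the identity that has to be used for update-kubeconfig afterwards. When the pipeline in Account A creates the cluster in Account B through a role, that role is the creator, not the pipeline user. As an added example (not the video's or the repo's code; account ID, role name and region are placeholders), this provider block makes the assumed role explicit and exports the resolved identity so it can be compared with the output of `aws sts get-caller-identity` before running update-kubeconfig:

```hcl
# Added example: create the cluster from Account A by assuming a role in Account B,
# and record which identity EKS will see as the cluster creator. Placeholders only.

provider "aws" {
  region = "eu-west-1"

  # The pipeline's own credentials stay in Account A; every EKS API call below
  # is made as this role in Account B, so this role is the cluster creator.
  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/eks-admin"   # placeholder role in Account B
    session_name = "terraform-eks"
  }
}

# Resolves to the assumed role above; the same role must be assumed when you
# later run `aws eks update-kubeconfig`, otherwise the API server rejects you.
data "aws_caller_identity" "current" {}

output "cluster_creator_arn" {
  value = data.aws_caller_identity.current.arn
}

output "cluster_creator_account" {
  value = data.aws_caller_identity.current.account_id
}
```

Comparing that output with `aws sts get-caller-identity` in the shell that runs update-kubeconfig catches the most common cause of "unauthorized" from the cluster: a different profile, or stray AWS_* environment variables, selecting an identity that never created the cluster.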
🔴UPDATED🔴 How to create EKS Cluster using Terraform MODULES (AWS Load Balancer Controller + Autoscaler + IRSA) - ruclips.net/video/kRKmcYC71J4/видео.html
Excellent tutorial. Did you upload the code to some repo so we can play with it? Thanks
Here is a link 😀
github.com/antonputra/tutorials/tree/main/lessons/038
🔴UPDATED🔴: How to Create EKS Cluster Using Terraform - ruclips.net/video/MZyrxzb7yAU/видео.html
Available on December 27
Anton, could you create one for Zookeeper + Kafka with an AKS cluster, please?
Maybe some day; I will include Azure videos at some point.
While setting up EKS with Terraform, I want to install Ansible Tower (AWX). How can I do it? Please give me some suggestions.
Have you tried awx-operator? github.com/ansible/awx-operator
Very good tutorial, but I have an error, NodeCreationFailure: Instances failed to join the kubernetes cluster, when I apply it. It's in eks-node-group.tf. Any idea how to fix this?
Full error message is: Error: error waiting for EKS Node Group (eks:nodes-general) to create: unexpected state 'CREATE_FAILED', wanted target 'ACTIVE'. last error: 1 error occurred:
│ * i-0752b11761256b6e6: NodeCreationFailure: Instances failed to join the kubernetes cluster
│
│ with aws_eks_node_group.nodes_general,
│ on eks-node-groups.tf line 59, in resource "aws_eks_node_group" "nodes_general":
│ 59: resource "aws_eks_node_group" "nodes_general" {
I had some typo. Forget my comment. It's working now. :)
cool :)
Great video, but I think the worker node is not attached to EKS.
you can check with "kubectl get nodes" =)
@@AntonPutra Thank you... thank you very much for this playlist, it helped me a lot.
👉 How to Manage Secrets in Terraform - ruclips.net/video/3N0tGKwvBdA/видео.html
👉 Terraform Tips & Tricks - ruclips.net/video/7S94oUTy2z4/видео.html
👉 ArgoCD Tutorial - ruclips.net/video/zGndgdGa1Tc/видео.html
I cannot create the aws_iam_role. I get a not authorized error when I try to create the role. I've already given all permissions to the user I'm using and even so I can't create the role.
Check with "aws sts get-caller-identity" that you are using the correct user; sometimes you may have AWS environment variables somewhere in the shell...
How can I access the cluster after cluster creation?
You can run the following command:
aws eks --region <region> update-kubeconfig --name <cluster-name>