walkthrough: echoserver

In this walkthrough, you'll

• Create a cluster with EKS
• Deploy an alb-ingress-controller
• Create deployments and ingress resources in the cluster
• Use external-dns to create a DNS record
  • This assumes you have a route53 hosted zone available. Otherwise you can skip this, but you'll only be able to address the service from the ALB's DNS.

Create the EKS cluster

1. Install eksctl: https://eksctl.io

2. Create EKS cluster via eksctl

   eksctl create cluster
   

   2018-08-14T11:19:09-07:00 [ℹ]  setting availability zones to [us-west-2c us-west-2a us-west-2b]
   2018-08-14T11:19:09-07:00 [ℹ]  importing SSH public key "/Users/kamador/.ssh/id_rsa.pub" as "eksctl-exciting-gopher-1534270749-b7:71:da:f6:f3:63:7a:ee:ad:7a:10:37:28:ff:44:d1"
   2018-08-14T11:19:10-07:00 [ℹ]  creating EKS cluster "exciting-gopher-1534270749" in "us-west-2" region
   2018-08-14T11:19:10-07:00 [ℹ]  creating ServiceRole stack "EKS-exciting-gopher-1534270749-ServiceRole"
   2018-08-14T11:19:10-07:00 [ℹ]  creating VPC stack "EKS-exciting-gopher-1534270749-VPC"
   2018-08-14T11:19:50-07:00 [✔]  created ServiceRole stack "EKS-exciting-gopher-1534270749-ServiceRole"
   2018-08-14T11:20:30-07:00 [✔]  created VPC stack "EKS-exciting-gopher-1534270749-VPC"
   2018-08-14T11:20:30-07:00 [ℹ]  creating control plane "exciting-gopher-1534270749"
   2018-08-14T11:31:52-07:00 [✔]  created control plane "exciting-gopher-1534270749"
   2018-08-14T11:31:52-07:00 [ℹ]  creating DefaultNodeGroup stack "EKS-exciting-gopher-1534270749-DefaultNodeGroup"
   2018-08-14T11:35:33-07:00 [✔]  created DefaultNodeGroup stack "EKS-exciting-gopher-1534270749-DefaultNodeGroup"
   2018-08-14T11:35:33-07:00 [✔]  all EKS cluster "exciting-gopher-1534270749" resources has been created
   2018-08-14T11:35:33-07:00 [✔]  saved kubeconfig as "/Users/kamador/.kube/config"
   2018-08-14T11:35:34-07:00 [ℹ]  the cluster has 0 nodes
   2018-08-14T11:35:34-07:00 [ℹ]  waiting for at least 2 nodes to become ready
   2018-08-14T11:36:05-07:00 [ℹ]  the cluster has 2 nodes
   2018-08-14T11:36:05-07:00 [ℹ]  node "ip-192-168-139-176.us-west-2.compute.internal" is ready
   2018-08-14T11:36:05-07:00 [ℹ]  node "ip-192-168-214-126.us-west-2.compute.internal" is ready
   2018-08-14T11:36:05-07:00 [✔]  EKS cluster "exciting-gopher-1534270749" in "us-west-2" region is ready
   

Deploy the ALB ingress controller

1. Download the example alb-ingress-manifest locally.

   wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.9/docs/examples/alb-ingress-controller.yaml
   wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.9/docs/examples/rbac-role.yaml
   

2. Edit the manifest and set the following parameters and environment variables.

   • cluster-name: name of the cluster.

   • AWS_ACCESS_KEY_ID: access key id that alb controller can use to communicate with AWS. This is only used for convenience of this example. It will keep the credentials in plain text within this manifest. It's recommended a project such as kube2iam is used to resolve access. You will need to uncomment this from the manifest.

     - name: AWS_ACCESS_KEY_ID
       value: KEYVALUE
     

   • AWS_SECRET_ACCESS_KEY: secret access key that alb controller can use to communicate with AWS. This is only used for convenience of this example. It will keep the credentials in plain text within this manifest. It's recommended a project such as kube2iam is used to resolve access. You will need to uncomment this from the manifest.

     - name: AWS_SECRET_ACCESS_KEY
       value: SECRETVALUE
     

3. Deploy the modified alb-ingress-controller.

   kubectl apply -f rbac-role.yaml
   kubectl apply -f alb-ingress-controller.yaml
   

   The manifest above will deploy the controller to the kube-system namespace.

4. Verify the deployment was successful and the controller started.

   kubectl logs -n kube-system $(kubectl get po -n kube-system | egrep -o alb-ingress[a-zA-Z0-9-]+)
   

   Should display output similar to the following.

   -------------------------------------------------------------------------------
   AWS ALB Ingress controller
   Release:    UNKNOWN
   Build:      UNKNOWN
   Repository: UNKNOWN
   -------------------------------------------------------------------------------
   
   I0725 11:22:06.464996   16433 main.go:159] Creating API client for http://localhost:8001
   I0725 11:22:06.563336   16433 main.go:203] Running in Kubernetes cluster version v1.8+ (v1.8.9+coreos.1) - git (clean) commit cd373fe93e046b0a0bc7e4045af1bf4171cea395 - platform linux/amd64
   I0725 11:22:06.566255   16433 alb.go:80] ALB resource names will be prefixed with 2f92da62
   I0725 11:22:06.645910   16433 alb.go:163] Starting AWS ALB Ingress controller
   

Deploy the echoserver resources

1. Deploy all the echoserver resources (namespace, service, deployment)

   kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.9/docs/examples/echoservice/echoserver-namespace.yaml &&\
   kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.9/docs/examples/echoservice/echoserver-service.yaml &&\
   kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.9/docs/examples/echoservice/echoserver-deployment.yaml
   

2. List all the resources to ensure they were created.

   kubectl get -n echoserver deploy,svc
   

   Should resolve similar to the following.

   NAME             CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE
   svc/echoserver   10.3.31.76   <nodes>       80:31027/TCP   4d
   
   NAME                DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
   deploy/echoserver   1         1         1            1           4d
   

Deploy ingress for echoserver

1. Download the echoserver ingress manifest locally.

   wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.9/docs/examples/echoservice/echoserver-ingress.yaml
   

2. Configure the subnets, either by add annotation to the ingress or add tags to subnets.

   Tip

   If you'd like to use external dns, alter the host field to a domain that you own in Route 53. Assuming you managed example.com in Route 53.

   • Edit the alb.ingress.kubernetes.io/subnets annotation to include at least two subnets.

     eksctl get cluster exciting-gopher-1534270749
     

     NAME                        VERSION STATUS         CREATED          VPC                     SUBNETS                             SECURITYGROUPS
     exciting-gopher-1534270749  1.10    ACTIVE  2018-08-14T18:20:32Z    vpc-0aa01b07b3c922c9c   subnet-05e1c98ed0f5b109e,subnet-07f5bb81f661df61b,subnet-0a4e6232630820516  sg-05ceb5eee9fd7cac4
     

     apiVersion: extensions/v1beta1
     kind: Ingress
     metadata:
         name: echoserver
         namespace: echoserver
         annotations:
             alb.ingress.kubernetes.io/scheme: internet-facing
             alb.ingress.kubernetes.io/target-type: ip
             alb.ingress.kubernetes.io/subnets: subnet-05e1c98ed0f5b109e,subnet-07f5bb81f661df61b,subnet-0a4e6232630820516
             alb.ingress.kubernetes.io/tags: Environment=dev,Team=test
     spec:
         rules:
         - host: echoserver.example.com
             http:
             paths:
     

   • Adding tags to subnets for auto-discovery(instead of alb.ingress.kubernetes.io/subnets annotation)

     you must include the following tags on desired subnets.

     • kubernetes.io/cluster/$CLUSTER_NAME where $CLUSTER_NAME is the same CLUSTER_NAME specified in the above step.
     • kubernetes.io/role/internal-elb should be set to 1 or an empty tag value for internal load balancers.
     • kubernetes.io/role/elb should be set to 1 or an empty tag value for internet-facing load balancers.

     An example of a subnet with the correct tags for the cluster joshcalico is as follows.

     

3. Deploy the ingress resource for echoserver

   kubectl apply -f echoserver-ingress.yaml
   

4. Verify the alb-ingress-controller creates the resources

   kubectl logs -n kube-system $(kubectl get po -n kube-system | egrep -o 'alb-ingress[a-zA-Z0-9-]+') | grep 'echoserver\/echoserver'
   

   You should see similar to the following.

   echoserver/echoserver: Start ELBV2 (ALB) creation.
   echoserver/echoserver: Completed ELBV2 (ALB) creation. Name: joshcalico-echoserver-echo-2ad7 | ARN: arn:aws:elasticloadbalancing:us-east-2:432733164488:loadbalancer/app/joshcalico-echoserver-echo-2ad7/4579643c6f757be9
   echoserver/echoserver: Start TargetGroup creation.
   echoserver/echoserver: Succeeded TargetGroup creation. ARN: arn:aws:elasticloadbalancing:us-east-2:432733164488:targetgroup/joshcalico-31027-HTTP-6657576/77ef58891a00263e | Name: joshcalico-31027-HTTP-6657576.
   echoserver/echoserver: Start Listener creation.
   echoserver/echoserver: Completed Listener creation. ARN: arn:aws:elasticloadbalancing:us-east-2:432733164488:listener/app/joshcalico-echoserver-echo-2ad7/4579643c6f757be9/2b2987fa3739c062 | Port: 80 | Proto: HTTP.
   echoserver/echoserver: Start Rule creation.
   echoserver/echoserver: Completed Rule creation. Rule Priority: "1" | Condition: [{    Field: "host-header",    Values: ["echoserver.joshrosso.com"]  },{    Field: "path-pattern",    Values: ["/"]  }]
   

5. Check the events of the ingress to see what has occur.

   kubectl describe ing -n echoserver echoserver
   

   You should see similar to the following.

   Name:                   echoserver
   Namespace:              echoserver
   Address:                joshcalico-echoserver-echo-2ad7-1490890749.us-east-2.elb.amazonaws.com
   Default backend:        default-http-backend:80 (10.2.1.28:8080)
   Rules:
     Host                          Path    Backends
     ----                          ----    --------
     echoserver.joshrosso.com
                                   /       echoserver:80 (<none>)
   Annotations:
   Events:
     FirstSeen     LastSeen        Count   From                    SubObjectPath   Type            Reason  Message
     ---------     --------        -----   ----                    -------------   --------        ------  -------
     3m            3m              1       ingress-controller                      Normal          CREATE  Ingress echoserver/echoserver
     3m            32s             3       ingress-controller                      Normal          UPDATE  Ingress echoserver/echoserver
   

   The address seen above is the ALB's DNS record. This will be referenced via records created by external-dns.

Setup external-DNS to manage DNS automatically

1. Ensure your nodes (on which External DNS runs) have the correct IAM permission required for external-dns. See https://github.com/kubernetes-incubator/external-dns/blob/master/docs/tutorials/aws.md#iam-permissions.

2. Download external-dns to manage Route 53.

   wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.9/docs/examples/external-dns.yaml
   

3. Edit the --domain-filter flag to include your hosted zone(s)

   The following example is for a hosted zone test-dns.com

   args:
   - --source=service
   - --source=ingress
   - --domain-filter=test-dns.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
   - --provider=aws
   - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
   

4. Deploy external-dns

   kubectl apply -f external-dns.yaml
   

5. Verify the DNS has propagated

   dig echoserver.josh-test-dns.com
   

   ;; QUESTION SECTION:
   ;echoserver.josh-test-dns.com.  IN      A
   
   ;; ANSWER SECTION:
   echoserver.josh-test-dns.com. 60 IN     A       13.59.147.105
   echoserver.josh-test-dns.com. 60 IN     A       18.221.65.39
   echoserver.josh-test-dns.com. 60 IN     A       52.15.186.25
   

6. Once it has, you can make a call to echoserver and it should return a response payload.

   curl echoserver.josh-test-dns.com
   

   CLIENT VALUES:
   client_address=10.0.50.185
   command=GET
   real path=/
   query=nil
   request_version=1.1
   request_uri=http://echoserver.josh-test-dns.com:8080/
   
   SERVER VALUES:
   server_version=nginx: 1.10.0 - lua: 10001
   
   HEADERS RECEIVED:
   accept=*/*
   host=echoserver.josh-test-dns.com
   user-agent=curl/7.54.0
   x-amzn-trace-id=Root=1-59c08da5-113347df69640735312371bd
   x-forwarded-for=67.173.237.250
   x-forwarded-port=80
   x-forwarded-proto=http
   BODY:
   

Kube2iam setup

follow below steps if you want to use kube2iam to provide the AWS credentials

1. configure the proper policy The policy to be used can be fetched from https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.9/docs/examples/iam-policy.json

2. configure the proper role and create the trust relationship You have to find which role is associated with your K8S nodes. Once you found take note of the full arn:

   arn:aws:iam::XXXXXXXXXXXX:role/k8scluster-node
   

3. create the role, called k8s-alb-controller, attach the above policy and add a Trust Relationship like:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "",
         "Effect": "Allow",
         "Principal": {
           "Service": "ec2.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       },
       {
         "Sid": "",
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/k8scluster-node"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   

   The new role will have a similar arn:

   arn:aws:iam:::XXXXXXXXXXXX:role/k8s-alb-controller
   

4. update the alb-ingress-controller.yaml

   Add the annotations in the template's metadata point

   spec:
   replicas: 1
   selector:
     matchLabels:
       app: alb-ingress-controller
   strategy:
     rollingUpdate:
       maxSurge: 1
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
         iam.amazonaws.com/role: arn:aws:iam:::XXXXXXXXXXXX:role/k8s-alb-controller