EKS on Fargateã§ALBã‹ã‚‰ã‚¢ãƒ—ãƒªã«ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹

f:id:husq:20191208153743p:plain

é‡‘é¡çš„ã«è‡ªåˆ†ã®è¶£å‘³ã§EKSã‚„Fargateã‚’ä½¿ã†ã“ã¨ã¯ãªã„ã®ã§ã™ãŒã€èˆˆå‘³ãŒã‚ã£ãŸã®ã§å°‘ã—è§¦ã£ã¦ã¿ã¾ã—ãŸã€‚
ç¾æ™‚ç‚¹ã§ã¯ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆãŒæƒã£ã¦ãŠã‚‰ãšã€è©¦è¡ŒéŒ¯èª¤ãŒå¿…è¦ã ã£ãŸã®ã§è¨˜äº‹ã«æ®‹ã—ã¦ãŠãã¾ã™ã€‚

...ã¨æ€ã£ãŸã®ã§ã™ãŒã€AWS Advent CalendarãŒä»£ã‚ã‚Šã«æŠ•ç¨¿ã§ããã†ã ã£ãŸã®ã§7æ—¥ç›®ã¨ã—ã¦æŠ•ç¨¿ã—ã¾ã™ã€‚
qiita.com

ã“ã®è¨˜äº‹ã§ç´¹ä»‹ã•ã‚Œã¦ã„ã‚‹ã“ã¨ã¯ä»¥ä¸‹ã®ãƒªãƒã‚¸ãƒˆãƒªã§ç°¡æ½”ã«ç¢ºèªã™ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚
GitHub - 8398a7/eks-on-fargate

æ›¸ã„ã¦ã‚ã‚‹ã“ã¨

ä»Šå›žç´¹ä»‹ã™ã‚‹å†…å®¹ã®ã¾ã¨ã‚ã§ã™ã€‚
æ¤œè¨¼ã¯macOSä¸Šã‹ã‚‰è¡Œã£ã¦ã„ã¾ã™ã€‚

ãƒ„ãƒ¼ãƒ«ã®æº–å‚™

ä¸‹è¨˜ã®ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã‚’èªã‚“ã§aws-cli, kubectl, eksctlã‚’åˆ©ç”¨ã§ãã‚‹ã‚ˆã†ã«ã—ã¦ãã ã•ã„ã€‚
eksctl の開始方法 - Amazon EKS

eksctlãŒæ—¢ã«å…¥ã£ã¦ã„ã‚‹å ´åˆã§ã‚‚fargateã‚¯ãƒ©ã‚¹ã‚¿ã‚’ä½œæˆã™ã‚‹ãŸã‚ã«ã¯0.11ä»¥ä¸ŠãŒå¿…è¦ã§ã™ã€‚
å¿…è¦ã«å¿œã˜ã¦brew upgradeã—ã¦ãã ã•ã„ã€‚

$ > eksctl version 
[â„¹]  version.Info{BuiltAt:"", GitCommit:"", GitTag:"0.11.1"}

ã‚¯ãƒ©ã‚¹ã‚¿ã®æº–å‚™

eksctl create cluster poc --fargate

eksctlã§ä½œæˆã™ã‚‹ã¨ãã®ã‚¯ãƒ©ã‚¹ã‚¿ã§åˆ©ç”¨ã™ã‚‹VPCã‚„subnetã®è¨å®šã‚’è¡Œã£ã¦ãã‚Œã¾ã™ã€‚
ä¸‹è¨˜ã§è§¦ã‚Œã‚‹ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã§subnet tagã«annotationã‚’ã™ã‚‹æ‰‹é †ãŒæ›¸ã‹ã‚Œã¦ã„ã¾ã™ãŒã€eksctlçµŒç”±ã§ä½œæˆã—ãŸå ´åˆã¯æ—¢ã«ä»˜ä¸Žã•ã‚Œã¦ã„ã‚‹ãŸã‚ä¸è¦ãªæ‰‹é †ã§ã™ã€‚

å…·ä½“çš„ã«ã¯ä»¥ä¸‹ã®éƒ¨åˆ†ã§ã™ã€‚

Key Value
kubernetes.io/role/elb 1
kubernetes.io/role/internal-elb 1

ã‚¯ãƒ©ã‚¹ã‚¿ã®ä½œæˆã¯å‰²ã¨æ™‚é–“ãŒã‹ã‹ã‚‹ã®ã§ã€ã¨ã‚Šã‚ãˆãšå©ã„ã¦ä»–äº‹ã‚’ã™ã‚‹ã®ãŒãŠå‹§ã‚ã§ã™ã€‚

ã‚¯ãƒ©ã‚¹ã‚¿ãŒä½œæˆã•ã‚ŒãŸç›´å¾Œã¯corednsã®podãŒå‹•ã„ã¦ãŠã‚Šã€ã“ã‚Œã‚‰ã‚‚Fargateã§å‹•ä½œã—ã¦ã„ã¾ã™ã€‚

$ > kubectl get po -A
NAMESPACE     NAME                       READY   STATUS    RESTARTS   AGE
kube-system   coredns-6d75bbbf58-5vhpf   1/1     Running   0          5m18s
kube-system   coredns-6d75bbbf58-zttkt   1/1     Running   0          5m18s
$ > kubectl get node
NAME                                                         STATUS   ROLES    AGE     VERSION
fargate-ip-192-168-175-13.ap-northeast-1.compute.internal    Ready    <none>   5m1s    v1.14.8-eks
fargate-ip-192-168-179-161.ap-northeast-1.compute.internal   Ready    <none>   5m17s   v1.14.8-eks

Fargateã§å‹•ã‹ã™ãŸã‚ã«ã¯namespaceå˜ä½ã§è¨å®šã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ãŒã€eksctlã§ä½œæˆã—ãŸå ´åˆã¯default, kube-systemã®podãŒFargateã§èµ·å‹•ã™ã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚

f:id:husq:20191207171347p:plain

ä¸Šè¨˜ä»¥å¤–ã®namespaceã§podã‚’å‹•ã‹ã™å ´åˆã¯ç¾åœ¨ã¯nodeãŒå˜åœ¨ã—ãªã„ã®ã§pendingã®ã¾ã¾å¾…ãŸã•ã‚Œã‚‹ã€ã¨ã„ã£ãŸæŒ™å‹•ã«ãªã‚Šã¾ã™ã€‚

ALB Ingress Controllerã®ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—

å…¬å¼ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã¯ ALB Ingress Controller on Amazon EKS - Amazon EKS ã§ã™ãŒã€EC2ã§å‹•ã‹ã™å‰æã§æ›¸ã‹ã‚Œã¦ãŠã‚Šã€Fargateã®ã¿ã®æ§‹æˆã§ã¯å‹•ãã¾ã›ã‚“ã€‚
å…·ä½“çš„ã«ã¯Fargateã®podã§IAMã®æ¨©é™ã‚’æ¸¡ã™æ–¹æ³•ãŒEC2ã®å ´åˆã¨Fargateã®å ´åˆã§ç•°ãªã‚‹ã®ãŒåŽŸå› ã§ã™ã€‚

ä¸€æ—¦ç°¡æ˜“çš„ãªæ–¹æ³•ã¨ã—ã¦alb-ingress-controllerã®Deploymentã«ç›´æŽ¥key/secretã‚’æ›¸ãæ–¹æ³•ã‚’ç´¹ä»‹ã—ã¾ã™ã€‚
prodã§ã¯æŽ¨å¥¨ã•ã‚Œã¦ã„ãªã„æ–¹å¼ãªã®ã§ã€ã¡ã‚ƒã‚“ã¨ä½¿ã†å ´åˆã¯iam-for-podsã‚’åˆ©ç”¨ã—ã¾ã—ã‚‡ã†ã€‚
refs: Authentication Issues On EKS Cluster with Fargate Policy · Issue #1092 · kubernetes-sigs/aws-alb-ingress-controller · GitHub
iam-for-podsã‚’åˆ©ç”¨ã™ã‚‹æ–¹å¼ã¯å¾Œè¿°ã—ã¾ã™ãŒã€ä¸€æ—¦key/secretæ–¹å¼ã§ç¶šã‘ã¾ã™ã€‚

ä»¥ä¸‹ã®æ‰‹é †ã§key/secretã‚’å–å¾—ã—ã¾ã™ã€‚
jqã‚’åˆ©ç”¨ã—ã¦ã„ã‚‹ã®ã§ã€äºˆã‚ brew install jq ã‚’æ¸ˆã¾ã›ã¦ãŠã„ã¦ãã ã•ã„ã€‚

# ALBã‚’æ“ä½œã™ã‚‹ãŸã‚ã®policyã‚’ä½œæˆ
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/iam-policy.json
policyArn=$(aws iam create-policy \
  --policy-name ALBIngressControllerIAMPolicy \
  --policy-document file://iam-policy.json | jq -r .Policy.Arn)
rm iam-policy.json

# ALBã‚’æ“ä½œã™ã‚‹ãŸã‚ã®key/secretæ‰•ã„å‡ºã—ãƒ¦ãƒ¼ã‚¶ã®ä½œæˆ
aws iam create-user --user-name pocUser
# å…ˆç¨‹ä½œæˆã—ãŸãƒ¦ãƒ¼ã‚¶ã«ALBã®policyã‚’ç´ä»˜ã‘
aws iam attach-user-policy --user-name pocUser --policy-arn $policyArn
# ãƒ¦ãƒ¼ã‚¶ã®key/secretã‚’æ‰•ã„å‡ºã™
aws iam create-access-key --user-name pocUser

æœ€å¾Œã®ã‚³ãƒžãƒ³ãƒ‰ã§ä»¥ä¸‹ã®ã‚ˆã†ãªå‡ºåŠ›ãŒå¾—ã‚‰ã‚Œã‚‹ã®ã§AccessKeyIdã¨SecretAccessKeyã‚’ãƒ¡ãƒ¢ã—ã¦ãŠã„ã¦ãã ã•ã„ã€‚

{
    "AccessKey": {
        "UserName": "pocUser",
        "AccessKeyId": "key",
        "Status": "Active",
        "SecretAccessKey": "secret",
        "CreateDate": "2019-12-07T08:30:11Z"
    }
}

ã“ã“ã¾ã§æ•´ã£ãŸã‚‰rbac-roleã¨alb-ingress-controllerã‚’deployã—ã¦ã„ãã¾ã™ã€‚
rbac-roleã«é–¢ã—ã¦ã¯ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆé€šã‚Šã®æ‰‹é †ã§deployã—ã¾ã™ã€‚

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/rbac-role.yaml

alb-ingress-controllerã«é–¢ã—ã¦ã¯ä»¥ä¸‹ã®ã‚ˆã†ãªä¿®æ£ã‚’ã—ãŸyamlã‚’æ‰‹å…ƒã«ç”¨æ„ã—deployã—ã¦ãã ã•ã„ã€‚ ä¿®æ£ç‚¹ã¯3ç‚¹ã§ã™ã€‚

vpc_idã®æŒ‡å®š
keyã®æŒ‡å®š
secretã®æŒ‡å®š

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  name: alb-ingress-controller
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: alb-ingress-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: alb-ingress-controller
    spec:
      containers:
        - name: alb-ingress-controller
          image: docker.io/amazon/aws-alb-ingress-controller:v1.1.4
          args:
            - --ingress-class=alb
            - --cluster-name=poc
            - --aws-region=ap-northeast-1
            - --aws-vpc-id=vpc-xxxx # eksctlã§ä½œæˆã•ã‚ŒãŸVPCã®id
          env:
            - name: AWS_ACCESS_KEY_ID
              value: # ã•ã£ããƒ¡ãƒ¢ã—ãŸkey
            - name: AWS_SECRET_ACCESS_KEY
              value: # ã•ã£ããƒ¡ãƒ¢ã—ãŸsecret
          resources: {}
      serviceAccountName: alb-ingress-controller

GitHubä¸Šã§ã¯v1.1.4ã‚¿ã‚°ã§ã‚‚v1.1.3ã®ã‚¤ãƒ¡ãƒ¼ã‚¸ã‚’åˆ©ç”¨ã™ã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã‚‹ã®ã§ã€v1.1.4ã«æ›¸ãæ›ãˆã¦ã‚ã‚Šã¾ã™ã€‚
ä¿®æ£ã§ããŸã‚‰ä»¥ä¸‹ã®ã‚³ãƒžãƒ³ãƒ‰ã§deployã—ã€alb-ingress-controllerãŒRunningã«ãªã‚‹ã¾ã§å¾…ã¡ã¾ã—ã‚‡ã†ã€‚

kubectl apply -f alb-ingress-controller.yaml
watch -n1 kubectl get po -n kube-system

æ¬¡ã«nginxã‚’ALBã‹ã‚‰ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ãŸã‚ã®yamlã‚’è¨˜è¿°ã—ã¾ã™ã€‚

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
  labels:
    app: nginx
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: nginx
              servicePort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - image: nginx
          name: nginx
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: ClusterIP
  selector:
    app: nginx

ãƒã‚¤ãƒ³ãƒˆã¯ alb.ingress.kubernetes.io/target-type: ip ã®annotationsã‚’ã¤ã‘ã‚‹ã“ã¨ã§ã™ã€‚
ingressãƒªã‚½ãƒ¼ã‚¹ãŒä½œã‚‰ã‚Œã‚‹ã¨alb-ingress-controllerã«ä»¥ä¸‹ã®ã‚ˆã†ãªãƒã‚°ãŒå‡ºã¾ã™ã€‚
ãƒã‚°ã¯ kubectl logs -n kube-system $(kubectl get po -n kube-system -o name | grep alb | cut -d/ -f2) -f ã§ç¢ºèªã—ã¦ãã ã•ã„ã€‚

default/nginx: granting inbound permissions to securityGroup sg-0c4ff2ae847363695: [{    FromPort: 80,    IpProtocol: "tcp",    IpRanges: [{        CidrIp: "0.0.0.0/0",        Description: "Allow ingress on port 80 from 0.0.0.0/0"      }],    ToPort: 80  }]
default/nginx: creating LoadBalancer 0d836fa6-default-nginx-ef8b

ingressã®çµæžœã‚’ç¢ºèªã—ã¦ãƒ–ãƒ©ã‚¦ã‚¶ã§ã‚¢ã‚¯ã‚»ã‚¹ã—ã¦ã¿ã¾ã—ã‚‡ã†ã€‚

$ > kubectl get ing
NAME    HOSTS   ADDRESS                                                                 PORTS   AGE
nginx   *       0d836fa6-default-nginx-ef8b-28953798.ap-northeast-1.elb.amazonaws.com   80      4m2s
$ > open http://$(kubectl get ing -o jsonpath='{.items[].status.loadBalancer.ingress[].hostname}')

nginxã®ãƒšãƒ¼ã‚¸ãŒè¡¨ç¤ºã§ããŸã‚‰æˆåŠŸã§ã™ã€‚
ã“ã“ã¾ã§ã§èµ·å‹•ã•ã‚ŒãŸhostæ•°ã¯4å°ã§ã—ãŸã€‚

$ > kubectl get node
NAME                                                         STATUS   ROLES    AGE     VERSION
fargate-ip-192-168-111-46.ap-northeast-1.compute.internal    Ready    <none>   9m26s   v1.14.8-eks
fargate-ip-192-168-126-238.ap-northeast-1.compute.internal   Ready    <none>   8m4s    v1.14.8-eks
fargate-ip-192-168-151-139.ap-northeast-1.compute.internal   Ready    <none>   16m     v1.14.8-eks
fargate-ip-192-168-170-198.ap-northeast-1.compute.internal   Ready    <none>   16m     v1.14.8-eks

ä»¥ä¸‹ã®æ‰‹é †ã§ãƒªã‚½ãƒ¼ã‚¹ã‚’æŽƒé™¤ã—ã¦ãã ã•ã„ã€‚

kubectl delete -f app.yaml # nginxã®ã‚µãƒ³ãƒ—ãƒ«ã‚¢ãƒ—ãƒª
kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/rbac-role.yaml
kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/alb-ingress-controller.yaml
eksctl delete cluster poc
userId=$(aws sts get-caller-identity | jq -r .UserId)
aws iam delete-policy --policy-arn arn:aws:iam::${userId}:policy/ALBIngressControllerIAMPolicy

pocUserã«é–¢ã—ã¦ã¯aws consoleã‹ã‚‰æ‰‹å‹•ã§å‰Šé™¤ã‚’ãŠé¡˜ã„ã—ã¾ã™ã€‚

target-type: ipã®æŒ™å‹•

alb.ingress.kubernetes.io/target-type: ip ã¨ã„ã†annotationãŒåˆè¦‹ã ã£ãŸã®ã§ã€ã©ã†ã„ã†æŒ™å‹•ãªã®ã‹è¦‹ã¦ã¿ã¾ã—ãŸã€‚
LBãŒä½œã‚‰ã‚ŒãŸéš›ã«ã‚¿ãƒ¼ã‚²ãƒƒãƒˆã‚°ãƒ«ãƒ¼ãƒ—ãŒç¨®é¡ž: ipã§ä½œã‚‰ã‚Œã¦Fargate hostã®private ipãŒroutingã•ã‚Œã¦ã„ã¾ã—ãŸã€‚

f:id:husq:20191208145857p:plain

è©¦ã—ã«deploymentã®replicasã‚’1->2ã«æ›´æ–°ã—ã¦ã¿ã‚‹ã¨ä»¥ä¸‹ã®ã‚ˆã†ã«ãƒã‚°ãŒå‡ºã¦ç™»éŒ²æ¸ˆã¿ã‚¿ãƒ¼ã‚²ãƒƒãƒˆãŒè‡ªå‹•çš„ã«æ›´æ–°ã•ã‚Œã¦ã„ã¾ã—ãŸã€‚

Adding targets to arn:aws:elasticloadbalancing:ap-northeast-1:xxx:targetgroup/yyy/zzz
modifying rule 1 on arn:aws:elasticloadbalancing:ap-northeast-1:xxx:listener/app/yyy/zzz
default/nginx: rule 1 modified with conditions [{    Field: "path-pattern",    Values: ["/*"]  }]

replicasã‚’1ã«æˆ»ã™ã¨ã¡ã‚ƒã‚“ã¨å¤–ã—ã¦ãã‚Œã¾ã™ã€‚

default/nginx: Removing targets from arn:aws:elasticloadbalancing:ap-northeast-1:xxx:targetgroup/yyy/zzz: 192.168.147.236:80, 192.168.106.177:80
default/nginx: modifying rule 1 on arn:aws:elasticloadbalancing:ap-northeast-1:xxx:listener/app/yyy/zzz
default/nginx: rule 1 modified with conditions [{    Field: "path-pattern",    Values: ["/*"]  }]

ã“ã®è¾ºã¯å½“ãŸã‚Šå‰ã¨ã¯ã„ãˆã°å½“ãŸã‚Šå‰ã§ã™ãŒã€ã¡ã‚ƒã‚“ã¨integrationã•ã‚Œã¦ã¦è‰¯ã„ã§ã™ãã€‚
å®Ÿè£…ã‚’èªã‚“ã§ã„ãªã„ã§ã™ãŒã€target-type: ipã®annotationãŒã¤ã„ãŸingressã‚’watchã—ã¦svc->deployã¾ã§è¾¿ã£ã¦replicasã‚’ç›£è¦–ã—ã¦ã„ã‚‹ã®ã§ã—ã‚‡ã†ã‹ã€‚

ã‚¿ãƒ¼ã‚²ãƒƒãƒˆã‚°ãƒ«ãƒ¼ãƒ—è¨å®šã‚’è¦‹ã¦ã¿ã‚‹ã¨ã€ç™»éŒ²è§£é™¤ã®é…å»¶ãŒãƒ‡ãƒ•ã‚©ãƒ«ãƒˆ300ç§’ã§ä½œã‚‰ã‚Œã¦ãŠã‚Šã€å¤–ã•ã‚Œã‚‹ã¾ã§ã®æ™‚é–“å·®ãŒå°‘ã—æ°—ã«ãªã‚Šã¾ã—ãŸã€‚
annotationã§æŒ‡å®šã§ãã‚‹ã®ã‹ãªã€ã¨èª¿ã¹ã¦ã¿ãŸã¨ã“ã‚ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã«ã¡ã‚ƒã‚“ã¨è¼‰ã£ã¦ãŠã‚Šã€è©¦ã—ã¦ã¿ã‚‹ã¨åæ˜ ã•ã‚Œã¦ã„ã¾ã—ãŸã€‚

default/nginx: Modifying TargetGroup arn:aws:elasticloadbalancing:ap-northeast-1:xxx:targetgroup/yyy/zzz attributes to [{    Key: "deregistration_delay.timeout_seconds",    Value: "30"  }].
default/nginx: modifying rule 1 on arn:aws:elasticloadbalancing:ap-northeast-1:xxx:listener/app/yyy/zzz
default/nginx: rule 1 modified with conditions [{    Field: "path-pattern",    Values: ["/*"]  }]

alb.ingress.kubernetes.io/target-group-attributes: deregistration_delay.timeout_seconds=30
refs: Annotation - AWS ALB Ingress Controller
300ç§’ã¯é•·ã™ãŽã€çŸã™ãŽã¨ã„ã†å ´åˆã‚‚ã¡ã‚ƒã‚“ã¨è¨å®šã§ãã‚‹ã‚ˆã†ã«ãªã£ã¦ã¦è‰¯ã„ã§ã™ãã€‚

ã“ã“ã§podãŒæ¶ˆãˆã‚‹ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã¨LBã‹ã‚‰å¤–ã•ã‚Œã‚‹ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã¯ã€Œã„ã„æ„Ÿã˜ã€ã«ãªã£ã¦ã„ã‚‹ã®ã‹ã¨æ€ã£ã¦èª¿ã¹ã¦ã¿ã¾ã—ãŸã€‚
ã“ã“ã§è¨€ã†ã€Œã„ã„æ„Ÿã˜ã€ã¨ã¯

ã‚¿ãƒ¼ã‚²ãƒƒãƒˆã‚°ãƒ«ãƒ¼ãƒ—ã‹ã‚‰å¤–ã•ã‚ŒãŸã“ã¨ã‚’ç¢ºèªã—ã¦podã®terminateãŒå®Ÿè¡Œã•ã‚Œã‚‹

ã¨ã„ã†ã“ã¨ã§ã™ã€‚
å®Ÿéš›è©¦ã—ã¦ã¿ã‚‹ã¨ã€podãŒå‰Šé™¤ã¨åŒæ™‚ã«ã‚¿ãƒ¼ã‚²ãƒƒãƒˆã‚°ãƒ«ãƒ¼ãƒ—ã®å‰Šé™¤å‡¦ç†ãŒèµ°ã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã—ãŸã€‚
ã“ã‚Œã§ã¯å¤–ã•ã‚Œã‚‹ã¾ã§ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã®300ç§’delayã®ã¨ãã«æ£å¸¸ã«å‹•ä½œã—ãªã„ã®ã§ã¯ï¼Ÿã¨ç¢ºã‹ã‚ã¦ã¿ãŸã¨ã“ã‚ã€ä¸€çž¬504 gateway timeoutãŒå‡ºã‚‹æŒ™å‹•ã‚’ç¢ºèªã—ã¾ã—ãŸã€‚
ãŸã ã—ä¸€çž¬ã ã‘ã§ã™ãã«200ã—ã‹è¿”ã£ã¦ã“ãªããªã‚Šã¾ã—ãŸã€‚

ã‚¿ãƒ¼ã‚²ãƒƒãƒˆã‚°ãƒ«ãƒ¼ãƒ—ã‚’ã‚ã¾ã‚Šä½¿ã£ãŸã“ã¨ãŒãªã„ã®ã§æŽ¨æ¸¬ã«ãªã‚Šã¾ã™ãŒã€deregistrationãŒèµ°ã‚‹ã¨ã‚¢ã‚¯ã‚»ã‚¹ãŒæ–°è¦ã«æ¥ã‚‹ã“ã¨ã¯ãªã„ã‚‚ã®ã®ã€
podã®å‰Šé™¤ãŒå…ˆè¡Œã—ã¦èµ°ã‚Šã€LBå´ã§å¤–ã™å‰ã«ã‚¢ã‚¯ã‚»ã‚¹ã‚’æµã•ã‚Œã¦ã—ã¾ã†ã¨504ãŒå‡ºã‚‹ã‚±ãƒ¼ã‚¹ãŒã‚ã‚‹ã®ã§ã¯ãªã„ã‹ã¨æ€ã„ã¾ã™ã€‚
HPAã‚’ã—ã£ã‹ã‚Šä½¿ã£ã¦ã„ã‚‹ã‚¢ã‚¯ã‚»ã‚¹ãŒå¤šã„ã‚µãƒ¼ãƒ“ã‚¹ã®ã‚±ãƒ¼ã‚¹ã ã¨504ã¯ãã“ãã“å‡ºã¦ã—ã¾ã†ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚

ã“ã‚Œã¯ã€Œing->svc->deployã®replicasæ•°ãŒå¤‰æ›´ã—ã¦ã„ãŸã‚‰ã‚¿ãƒ¼ã‚²ãƒƒãƒˆã‚°ãƒ«ãƒ¼ãƒ—å¤‰æ›´ã€ã¨ã„ã†æ¤œçŸ¥ãƒ‘ã‚¿ãƒ¼ãƒ³ã¨ç›¸æ€§ãŒæ‚ªãã†ã ã¨æ€ã„ã¾ã™ã€‚
æ¤œçŸ¥ãƒ‘ã‚¿ãƒ¼ãƒ³ã®å‘¨æœŸã®åˆé–“ã«å…¥ã£ã¦podãŒå‰Šé™¤ã•ã‚Œã‚‹æ–¹ãŒå…ˆã«ãªã‚‹ã‚±ãƒ¼ã‚¹ã¯å¤šã€…ã‚ã‚‹ã¨æ€ã†ã®ã§ã€504ã¯é¿ã‘ã«ãã„ã§ã™ã€‚
deploymentå®šç¾©ã® preStop ã§alb-ingress-controllerå´ãŒååˆ†æ¤œçŸ¥ã§ãã‚‹æ™‚é–“ã®sleepã‚’æŒŸã‚“ã§podã‚’æ¢ã‚ã‚‹ã‚ˆã†ã«ã™ã‚‹ã€ãªã©ãŒãƒ¯ãƒ¼ã‚¯ã‚¢ãƒ©ã‚¦ãƒ³ãƒ‰ã«ãªã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚
ååˆ†ã«æ¤œè¨¼ã§ãã¦ã„ãªã„ãƒã‚¤ãƒ³ãƒˆãªã®ã§ã‚‚ã£ã¨è‰¯ã„æ–¹æ³•ãŒã‚ã‚Œã°ã‚³ãƒ¡ãƒ³ãƒˆç‰ã‚’ã‚‚ã‚‰ãˆã‚‹ã¨å¬‰ã—ã„ã§ã™ã€‚

hostã®å‰²å½“æ™‚é–“

å¤§ä½“30ç§’å¼±ã§ã‚¹ãƒ†ãƒ¼ã‚¿ã‚¹ãŒPendingã‹ã‚‰ContainerCreatingã«ãªã‚Šã¾ã™ã€‚
ãã“ã‹ã‚‰ã‚¤ãƒ¡ãƒ¼ã‚¸ã®pullãŒå§‹ã¾ã‚Šã€Runningã«ãªã‚‹ã¾ã§å¤§ä½“1åˆ†å¼±ã¨ã„ã£ãŸæ„Ÿã˜ã§ã—ãŸã€‚
ä»Šå›žã¯nginxã‚¤ãƒ¡ãƒ¼ã‚¸ã§éžå¸¸ã«å°ã•ã„ã‚µã‚¤ã‚ºãªã®ã§pullæ™‚é–“ãŒã‚ã¾ã‚Šå½±éŸ¿ã—ã¾ã›ã‚“ã§ã—ãŸãŒã€1GB+ã®ã‚¤ãƒ¡ãƒ¼ã‚¸pullã¯å°‘ã—æ™‚é–“ãŒã‹ã‹ã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚
ã¨ã¯ã„ã£ã¦ã‚‚ã€EKSã¨ã„ã†ã‚ˆã‚ŠFargateã®ç‰¹æ€§ã«ç”±æ¥ã™ã‚‹ã‚‚ã®ãªã®ã§ECSã‚’ä½¿ã‚ã‚Œã¦ã„ã‚‹å ´åˆã¯æ—¢çŸ¥ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ãŒâ€¦ã€‚

iam-for-pods

å…ˆã«key/secretã‚’ä½¿ã£ãŸæ–¹æ³•ã‚’ç´¹ä»‹ã—ã¾ã—ãŸãŒã€iam-for-podsã‚’ä½¿ã£ãŸæ–¹æ³•ã‚‚ç´¹ä»‹ã—ã¾ã™ã€‚
ã‚‚ã—ã‚‚key/secretã‚’ä½¿ã†æ–¹å¼ã§è©¦ã—ã¦ã„ãŸã‚‰ä¸€æ—¦alb-ingress-controllerã®ãƒªã‚½ãƒ¼ã‚¹ã‚’å¿µã®ç‚ºå‰Šé™¤ã—ã¦ãã ã•ã„ã€‚

kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/rbac-role.yaml
kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/alb-ingress-controller.yaml

ã‚¯ãƒ©ã‚¹ã‚¿ã«å¯¾ã—ã¦oidc providerã‚’ç´ä»˜ã‘ã¦ã‹ã‚‰ALBã®IAMæ¨©é™ã‚’ä»˜ä¸Žã—ã¾ã™ã€‚
policyArnã¯ä¸Šã§ä½œæˆã—ãŸALBIngressControllerIAMPolicyãŒå˜åœ¨ã—ã¦ã„ã‚Œã°ãã‚Œã‚’æµç”¨ã—ã¦ãã ã•ã„ã€‚

eksctl utils associate-iam-oidc-provider --region=ap-northeast-1 --cluster=poc --approve
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/iam-policy.json
policyArn=$(aws iam create-policy \
  --policy-name ALBIngressControllerIAMPolicy \
  --policy-document file://iam-policy.json | jq -r .Policy.Arn)
eksctl create iamserviceaccount --name alb-ingress-controller \
  --namespace kube-system \
  --cluster poc \
  --attach-policy-arn ${policyArn}  \
  --approve --override-existing-serviceaccounts

ä½œæˆã™ã‚‹ã¨ã€ä»¥ä¸‹ã®ã‚ˆã†ãªæƒ…å ±ãŒå–ã‚Œã¾ã™ã€‚

$ > kubectl get sa -n kube-system alb-ingress-controller -o jsonpath="{.metadata.annotations['eks\.amazonaws\.com/role-arn']}"
arn:aws:iam::xxx:role/eksctl-poc-addon-iamserviceaccount-ku-Role1-CBGA2Q1975Q9

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  name: alb-ingress-controller
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: alb-ingress-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: alb-ingress-controller
    spec:
      serviceAccountName: alb-ingress-controller
      containers:
        - name: alb-ingress-controller
          image: docker.io/amazon/aws-alb-ingress-controller:v1.1.4
          args:
            - --ingress-class=alb
            - --cluster-name=poc
            - --aws-region=ap-northeast-1
            - --aws-vpc-id=vpc-xxxx # eksctlã§ä½œæˆã•ã‚ŒãŸVPCã®id
          resources: {}

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.4/docs/examples/rbac-role.yaml
kubectl apply -f alb-ingress-controller.yaml

alb-ingress-controllerã®podãŒä½œæˆã•ã‚ŒãŸã‚‰ä¸Šè¨˜ã§è¨˜è¼‰ã—ãŸnginxã‚’å‹•ã‹ã™ãŸã‚ã®ãƒªã‚½ãƒ¼ã‚¹ã‚’applyã—ã¦ãã ã•ã„ã€‚
envã§key/secretã‚’æŒ‡å®šã—ãªã„å ´åˆã¨åŒæ§˜ã«LBãŒä½œã‚‰ã‚Œã€ã‚¢ã‚¯ã‚»ã‚¹ã§ãã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚

æœ€åˆã¯oidc id providerã®æ¦‚å¿µãŒã‚„ã‚„ã“ã—ãã†ã ã£ãŸã®ã§æ•¬é ã—ã¦ã„ãŸã®ã§ã™ãŒã€ã“ã®ã‚ãŸã‚Šã‚‚å‰²ã¨æ¥½ã«è¨å®šã§ãã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ãã€‚
eksctlã§iamserviceaccountã‚’ä½œã‚‹ã¨è£å´ã§CloudFormationãŒå‹•ã„ã¦ã„ã‚‹ã®ã§ã™ãŒã€ä¸ã§ã¯oidc id providerã¸ã®ç´ä»˜ã‘ã‚’ã‚„ã£ã¦ãã‚Œã¦ã„ã‚‹ã‚ˆã†ã§ã™ã€‚

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "IAM role for serviceaccount \"kube-system/alb-ingress-controller\" [created and managed by eksctl]",
  "Resources": {
    "Role1": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": [
                "sts:AssumeRoleWithWebIdentity"
              ],
              "Condition": {
                "StringEquals": {
                  "oidc.eks.ap-northeast-1.amazonaws.com/id/yyy:aud": "sts.amazonaws.com",
                  "oidc.eks.ap-northeast-1.amazonaws.com/id/yyy:sub": "system:serviceaccount:kube-system:alb-ingress-controller"
                }
              },
              "Effect": "Allow",
              "Principal": {
                "Federated": "arn:aws:iam::xxx:oidc-provider/oidc.eks.ap-northeast-1.amazonaws.com/id/yyy
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::xxx:policy/ALBIngressControllerIAMPolicy"
        ]
      }
    }
  },
  "Outputs": {
    "Role1": {
      "Value": {
        "Fn::GetAtt": "Role1.Arn"
      }
    }
  }
}

eksctlçµŒç”±ã§ä½œæˆã—ãŸSAã¯rbac-role.yamlã‚’applyã™ã‚‹ã“ã¨ã«ã‚ˆã‚ŠannotationãŒæ¶ˆãˆã‚‹ã®ã§ã¯ãªã„ã‹ã€ã¨æ€ã£ã¦ã„ã¾ã—ãŸãŒæ®‹ã£ã¦ã„ã¾ã—ãŸã€‚

ãƒãƒžã£ãŸãƒã‚¤ãƒ³ãƒˆ

v.1.1.4ã®ã‚¿ã‚°ã§alb-ingress-controller.yamlã‚’ãƒ‡ãƒ—ãƒã‚¤ã—ãŸã‚‰v.1.1.3ã®ã‚¤ãƒ¡ãƒ¼ã‚¸ãŒä½¿ã‚ã‚Œã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã‚‹
- update to latest version by 8398a7 · Pull Request #1095 · kubernetes-sigs/aws-alb-ingress-controller · GitHub ã§PRã‚’å‡ºã—ã¾ã—ãŸ
fargate profileã®IAMã«ALBä½œæˆæ¨©é™ãŒã‚ã‚Œã°ALBãŒä½œã‚‰ã‚Œã‚‹ã¨æ€ã£ãŸã‚‰ä½œã‚‰ã‚Œã¦ã„ãªã„
- iam-for-pods or envã«key/secretæŒ‡å®šã™ã‚‹å¿…è¦ãŒã‚ã‚‹ã¨çŸ¥ã‚‹
- Authentication Issues On EKS Cluster with Fargate Policy · Issue #1092 · kubernetes-sigs/aws-alb-ingress-controller · GitHub
eksctl delete clusterã§cfnãŒã‚³ã‚±ã¦å‰Šé™¤ã•ã‚Œãªã„
- æŽ¨æ¸¬ã§ã™ãŒã€è‡ªåˆ†ã§applyã—ãŸãƒªã‚½ãƒ¼ã‚¹ãŒæ®‹ã£ã¦ã„ã‚‹ã¨fargate profileå´ã§podã‚’å‰Šé™¤->deployã§ä½œã‚‰ã‚Œã‚‹ã®ç¹°ã‚Šè¿”ã—ãŒèµ·ãã‚‹ã®ã§ã¯ãªã„ã‹ã¨...
- æ‰‹å‹•ã§é©å½“ã«VPCã¨ã‹ã‚’æ¶ˆã—å§‹ã‚ã¦fargate profileã‚‚ãªã‹ãªã‹å‰Šé™¤ã•ã‚Œãªã„æŒ™å‹•ã«ãªã£ã¦ãŠã‚Šã€é ã‚’æŠ±ãˆã¾ã—ãŸ
  - 20åˆ†ãã‚‰ã„å¾…ã£ãŸã‚‰ã¡ã‚ƒã‚“ã¨å‰Šé™¤ã•ã‚Œã¾ã—ãŸ
- ãƒªã‚½ãƒ¼ã‚¹ã‚’å…¨éƒ¨å‰Šé™¤ã—ã¦eksctl delete clusterã‚’å©ã„ã¦ã‚‚VPCã®å‰Šé™¤ã§ã‚³ã‚±ã¦ã„ã‚‹ã®ã‚’ç¢ºèª
  - ãƒªãƒˆãƒ©ã‚¤ã§ã‚‚æˆåŠŸã—ãªã„ã®ã§VPCã¯æ‰‹å‹•ã§æ¶ˆã—ã¾ã—ãŸ
  - ã“ã‚Œã£ã½ã„=>eksctl resources not really deleted after deleting cluster · Issue #1651 · weaveworks/eksctl · GitHub
  - The vpc 'vpc-xxx' has dependencies and cannot be deleted. (Service: AmazonEC2; Status Code: 400; Error Code: DependencyViolation; Request ID: u-u-i-d-x) ã¨å‡ºã‚‹

æ‰€æ„Ÿ

EC2ã‚’ç®¡ç†ã—ãŸããªã„ã¨ã„ã†è¦³ç‚¹ã§ã¯Fargateã§å®Œçµã§ãã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã‚‹ã®ã§è‰¯ã•ãã†ã§ã™ã€‚
LBã®ã‚¿ãƒ¼ã‚²ãƒƒãƒˆã‚°ãƒ«ãƒ¼ãƒ—ã‹ã‚‰ã®å‰Šé™¤å‡¦ç†ã¨podãŒæ¶ˆãˆã‚‹ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã§ã‚¨ãƒ©ãƒ¼ãŒå‡ºã‚‹ã®ã¯ç¾çŠ¶ãƒ¯ãƒ¼ã‚¯ã‚¢ãƒ©ã‚¦ãƒ³ãƒ‰ãŒå¿…è¦ãã†ã ã¨æ„Ÿã˜ã¾ã—ãŸã€‚

å®Ÿéš›å…¨éƒ¨Fargateã«ã™ã‚‹ã‹ã¨è¨€ã‚ã‚Œã‚‹ã¨ã‚³ã‚¹ãƒ‘ã¯ã‚ã¾ã‚Šè‰¯ããªã„ã‚ˆã†ã«æ„Ÿã˜ã¾ã—ãŸã€‚
alb ingress controllerã‚’å§‹ã‚ã¨ã—ãŸk8sã®ä¸ã‚’æ•´ãˆã‚‹ã‚ˆã†ãªpodã¯1host 1podãŒã‚ªãƒ¼ãƒãƒ¼ã‚¹ãƒšãƒƒã‚¯ãªã®ã§ã€ãã†ã„ã£ãŸpodã¯ã¾ã¨ã‚ã¦1ã¤ã®nodeã§å‹•ã‹ã—ãŸã„ã‚ˆã†ã«æ„Ÿã˜ã¾ã™ã€‚
ä»–ã®è¨˜äº‹ã§ã‚‚è¨€åŠã•ã‚Œã¦ã„ã¾ã™ãŒã€Daemonsetã§fluentdã‚’å‹•ã‹ã—ã¦ãŠãã€ã¿ãŸã„ãªã“ã¨ã‚‚ã§ããªã„ã®ã§ãƒã‚°åŽé›†ã‚’sidecarã§é…ç½®ã™ã‚‹å¿…è¦ãŒã‚ã‚‹ã¨ã„ã†ã®ã‚‚å®Ÿé‹ç”¨ã§ã¯æ‰‹é–“ã«ãªã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚

839ã®æ—¥è¨˜

è¶£å‘³ã®è©±ã‚’æ›¸ããƒ–ãƒã‚°ã§ã™ã€‚

EKS on Fargateã§ALBã‹ã‚‰ã‚¢ãƒ—ãƒªã«ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹

æ›¸ã„ã¦ã‚ã‚‹ã“ã¨

ãƒ„ãƒ¼ãƒ«ã®æº–å‚™

ã‚¯ãƒ©ã‚¹ã‚¿ã®æº–å‚™

ALB Ingress Controllerã®ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—

target-type: ipã®æŒ™å‹•

hostã®å‰²å½“æ™‚é–“

iam-for-pods

ãƒãƒžã£ãŸãƒã‚¤ãƒ³ãƒˆ

æ‰€æ„Ÿ

æ›¸ã„ã¦ã‚ã‚‹ã“ã¨

ãƒ„ãƒ¼ãƒ«ã®æº–å‚™

ã‚¯ãƒ©ã‚¹ã‚¿ã®æº–å‚™

ALB Ingress Controllerã®ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—

target-type: ipã®æŒ™å‹•

hostã®å‰²å½“æ™‚é–“

iam-for-pods

ãƒãƒžã£ãŸãƒã‚¤ãƒ³ãƒˆ

æ‰€æ„Ÿ

æ›¸ã„ã¦ã‚ã‚‹ã“ã¨

ãƒ„ãƒ¼ãƒ«ã®æº–å‚™

ã‚¯ãƒ©ã‚¹ã‚¿ã®æº–å‚™

ALB Ingress Controllerã®ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—

target-type: ipã®æŒ™å‹•

hostã®å‰²å½“æ™‚é–“

ãƒãƒžã£ãŸãƒã‚¤ãƒ³ãƒˆ