This repository contains playbooks to deploy a minimalistic and lightly opinionated Amazon EKS-D Kubernetes Distribution. Kubernetes is installed in a Highly Available configuration using kubeadm
with at least three control plane nodes, but defaults to automatically generated TLS certificates for control plane authentication as well as self-signed certificates for API.
Also consider that, although the Kubernetes installation is highly available, the NGINX deployment that directs traffic to the Kubernetes API is not highly available and, because the open source version of NGINX is used, no active health checks are in place. These caveats will be addressed in upcoming iterations.
There are certain opinions defined in the playbooks:
nginx
is used for load balancing, and a singlenginx
node has been used by default.docker
is used for container runtime - this will soon be replaced forcontainerd
weave-net
is used for networking plugin, and currently receives a hardcoded value forpod
CIDR.
Note: The hardcoded
pod
CIDR range may collide with existing routes in your system depending on your specific network configuration. If you run into this issue, edit the hardcoded value in the applicable playbook
You will find two versions of the playbooks available, one for Ubuntu
, tested on version 18.04
and another for CentOS
tested on version 7
. The playbooks may result in unexpected behavior if tested on other versions or distributions.
git clone https://github.com/murillodigital/eksd-ansible.git
python3 -m venv ./eksd-ansible
cd eksd-ansible
. bin/activate
pip install -r requirements.txt
Note: If you have
ansible
globally installed you may not have to do this. Commands will vary if you are usingpython2
You will need at least seven hosts, running either CentOS 7
or Ubuntu 18.04
(see note on compatibility). Three of those hosts will be used for control plane
, three for workers
and one for loadbalancer
.
Refer to the README.md in the inventory/
directory for details.
Make sure the user specific in the inventory for access via ssh
can log in using a SSH key, and if necessary add the key to a ssh-agent
. Confirm the user can sudo
without requiring a password specified.
Note: These requirements can be changed by using
ansible_*
variables in the inventory, for example if you must provide a password or if you use something other thansudo
for elevation.
- The
loadbalancer
node should allow traffic fromanywhere
toTCP
port6443
- All
master
nodes should allow traffic fromloadbalancer
onTCP
port6443
- For sake of simplicity, allow all traffic between
master
andworker
nodes.
Note: Open traffic between master and worker nodes may not be ideal in some production scenarios, refer to the official documentation for specifics.
The playbook to run will depend on your Linux Distribution. For CentOS 7 run the following command
ansible-playbook centos.yaml -i inventory/<name of your inventory>
For Ubuntu 18.04 run the following command:
ansible-playbook ubuntu.yaml -i inventory/<name of your inventory>
- Leonardo Murillo (@murillodigital)