diff --git a/README.md b/README.md
index a29a40fa9..a6270111c 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,7 @@ versions by running `aws s3 ls s3://amazon-eks/cloudformation/`.
 | CloudFormation Version | EKS AMI versions | [amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s/releases) |
 | ---------------------- | ------------------------------------------ | -------------------- |
+| 2019-09-17 | amazon-eks-node-(1.14,1.13,1.12,1.11)-v20190906 | v1.5.3 | 2019-02-11 | amazon-eks-node-(1.12,1.11,1.10)-v20190327 | v1.3.2 (for p3dn.24xlarge instances) |
 | 2019-02-11 | amazon-eks-node-(1.11,1.10)-v20190220 | v1.3.2 (for p3dn.24xlarge instances) |
 | 2019-02-11 | amazon-eks-node-(1.11,1.10)-v20190211 | v1.3.2 (for p3dn.24xlarge instances) |
diff --git a/amazon-eks-nodegroup.yaml b/amazon-eks-nodegroup.yaml
index 140869504..467f0c28c 100644
--- a/amazon-eks-nodegroup.yaml
+++ b/amazon-eks-nodegroup.yaml
@@ -1,22 +1,84 @@ ---- -AWSTemplateFormatVersion: 2010-09-09 +AWSTemplateFormatVersion: "2010-09-09" + Description: Amazon EKS - Node Group +Metadata: + "AWS::CloudFormation::Interface": + ParameterGroups: + - Label: + default: EKS Cluster + Parameters: + - ClusterName + - ClusterControlPlaneSecurityGroup + - Label: + default: Worker Node Configuration + Parameters: + - NodeGroupName + - NodeAutoScalingGroupMinSize + - NodeAutoScalingGroupDesiredCapacity + - NodeAutoScalingGroupMaxSize + - NodeInstanceType + - NodeImageIdSSMParam + - NodeImageId + - NodeVolumeSize + - KeyName + - BootstrapArguments + - Label: + default: Worker Network Configuration + Parameters: + - VpcId + - Subnets + Parameters: + BootstrapArguments: + Type: String + Default: "" + Description: "Arguments to pass to the bootstrap script. See files/bootstrap.sh in https://github.com/awslabs/amazon-eks-ami" + + ClusterControlPlaneSecurityGroup: + Type: "AWS::EC2::SecurityGroup::Id" + Description: The security group of the cluster control plane. + + ClusterName: + Type: String + Description: The cluster name provided when the cluster was created. If it is incorrect, nodes will not be able to join the cluster. KeyName: + Type: "AWS::EC2::KeyPair::KeyName" Description: The EC2 Key Pair to allow SSH access to the instances - Type: AWS::EC2::KeyPair::KeyName + + NodeAutoScalingGroupDesiredCapacity: + Type: Number + Default: 3 + Description: Desired capacity of Node Group ASG. + + NodeAutoScalingGroupMaxSize: + Type: Number + Default: 4 + Description: Maximum size of Node Group ASG. Set to at least 1 greater than NodeAutoScalingGroupDesiredCapacity. + + NodeAutoScalingGroupMinSize: + Type: Number + Default: 1 + Description: Minimum size of Node Group ASG. + + NodeGroupName: + Type: String + Description: Unique identifier for the Node Group. NodeImageId: - Description: AMI id for the node instances. 
- Type: AWS::EC2::Image::Id + Type: String + Default: "" + Description: (Optional) Specify your own custom image ID. This value overrides any AWS Systems Manager Parameter Store value specified above. + + NodeImageIdSSMParam: + Type: "AWS::SSM::Parameter::Value" + Default: /aws/service/eks/optimized-ami/1.14/amazon-linux-2/recommended/image_id + Description: AWS Systems Manager Parameter Store parameter of the AMI ID for the worker node instances. NodeInstanceType: - Description: EC2 instance type for the node instances Type: String Default: t3.medium - ConstraintDescription: Must be a valid EC2 instance type AllowedValues: - a1.medium - a1.large @@ -43,6 +105,7 @@ Parameters: - c5.12xlarge - c5.18xlarge - c5.24xlarge + - c5.metal - c5d.large - c5d.xlarge - c5d.2xlarge @@ -118,6 +181,7 @@ Parameters: - m5.12xlarge - m5.16xlarge - m5.24xlarge + - m5.metal - m5a.large - m5a.xlarge - m5a.2xlarge @@ -140,6 +204,7 @@ Parameters: - m5d.12xlarge - m5d.16xlarge - m5d.24xlarge + - m5d.metal - p2.xlarge - p2.8xlarge - p2.16xlarge @@ -166,6 +231,7 @@ Parameters: - r5.12xlarge - r5.16xlarge - r5.24xlarge + - r5.metal - r5a.large - r5a.xlarge - r5a.2xlarge @@ -188,6 +254,7 @@ Parameters: - r5d.12xlarge - r5d.16xlarge - r5d.24xlarge + - r5d.metal - t1.micro - t2.nano - t2.micro @@ -210,6 +277,9 @@ Parameters: - t3a.large - t3a.xlarge - t3a.2xlarge + - u-6tb1.metal + - u-9tb1.metal + - u-12tb1.metal - x1.16xlarge - x1.32xlarge - x1e.xlarge 
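Review bot: `NodeImageId` is retyped from `AWS::EC2::Image::Id` to a free-form `String` with default `""`, so CloudFormation no longer validates a supplied AMI ID at parameter time and a mistyped value presumably surfaces only as a failed instance launch and a signal timeout on the node group. The empty default is needed for the Parameter Store fallback the description mentions, so keep `Type: String` but constrain it, e.g. `AllowedPattern: "^(ami-[0-9a-f]+)?$"` plus `ConstraintDescription: Must be empty or an AMI ID (ami-...)`. `NodeImageIdSSMParam` defaults to the `1.14` optimized-AMI path regardless of the version of the cluster named in `ClusterName`; a comment next to that `Default` such as `# Tracks Kubernetes 1.14 - pass the path for the cluster's own version when it differs` would make the coupling visible to operators.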
@@ -224,229 +294,181 @@ Parameters: - z1d.3xlarge - z1d.6xlarge - z1d.12xlarge - - NodeAutoScalingGroupMinSize: - Description: Minimum size of Node Group ASG. - Type: Number - Default: 1 - - NodeAutoScalingGroupMaxSize: - Description: Maximum size of Node Group ASG. Set to at least 1 greater than NodeAutoScalingGroupDesiredCapacity. - Type: Number - Default: 4 - - NodeAutoScalingGroupDesiredCapacity: - Description: Desired capacity of Node Group ASG. - Type: Number - Default: 3 + - z1d.metal + ConstraintDescription: Must be a valid EC2 instance type + Description: EC2 instance type for the node instances NodeVolumeSize: - Description: Node volume size Type: Number Default: 20 - - ClusterName: - Description: The cluster name provided when the cluster was created. If it is incorrect, nodes will not be able to join the cluster. - Type: String - - BootstrapArguments: - Description: Arguments to pass to the bootstrap script. See files/bootstrap.sh in https://github.com/awslabs/amazon-eks-ami - Type: String - Default: "" - - NodeGroupName: - Description: Unique identifier for the Node Group. - Type: String - - ClusterControlPlaneSecurityGroup: - Description: The security group of the cluster control plane. - Type: AWS::EC2::SecurityGroup::Id - - VpcId: - Description: The VPC of the worker instances - Type: AWS::EC2::VPC::Id + Description: Node volume size Subnets: + Type: "List" Description: The subnets where workers can be created. 
- Type: List -Metadata: + VpcId: + Type: "AWS::EC2::VPC::Id" + Description: The VPC of the worker instances - AWS::CloudFormation::Interface: - ParameterGroups: - - Label: - default: EKS Cluster - Parameters: - - ClusterName - - ClusterControlPlaneSecurityGroup - - Label: - default: Worker Node Configuration - Parameters: - - NodeGroupName - - NodeAutoScalingGroupMinSize - - NodeAutoScalingGroupDesiredCapacity - - NodeAutoScalingGroupMaxSize - - NodeInstanceType - - NodeImageId - - NodeVolumeSize - - KeyName - - BootstrapArguments - - Label: - default: Worker Network Configuration - Parameters: - - VpcId - - Subnets +Conditions: + HasNodeImageId: !Not + - "Fn::Equals": + - Ref: NodeImageId + - "" Resources: - - NodeInstanceProfile: - Type: AWS::IAM::InstanceProfile - Properties: - Path: "/" - Roles: - - !Ref NodeInstanceRole - NodeInstanceRole: - Type: AWS::IAM::Role + Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: - Version: 2012-10-17 + Version: "2012-10-17" Statement: - Effect: Allow Principal: - Service: ec2.amazonaws.com - Action: sts:AssumeRole - Path: "/" + Service: + - ec2.amazonaws.com + Action: + - "sts:AssumeRole" ManagedPolicyArns: - - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy - - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy - - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly + - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" + - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" + - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" + Path: / + + NodeInstanceProfile: + Type: "AWS::IAM::InstanceProfile" + Properties: + Path: / + Roles: + - Ref: NodeInstanceRole NodeSecurityGroup: - Type: AWS::EC2::SecurityGroup + Type: "AWS::EC2::SecurityGroup" Properties: GroupDescription: Security group for all nodes in the cluster - VpcId: !Ref VpcId Tags: - Key: !Sub kubernetes.io/cluster/${ClusterName} Value: owned + VpcId: !Ref VpcId NodeSecurityGroupIngress: - Type: AWS::EC2::SecurityGroupIngress + Type: 
"AWS::EC2::SecurityGroupIngress" DependsOn: NodeSecurityGroup Properties: Description: Allow node to communicate with each other + FromPort: 0 GroupId: !Ref NodeSecurityGroup + IpProtocol: "-1" SourceSecurityGroupId: !Ref NodeSecurityGroup - IpProtocol: -1 - FromPort: 0 ToPort: 65535 - NodeSecurityGroupFromControlPlaneIngress: - Type: AWS::EC2::SecurityGroupIngress + ClusterControlPlaneSecurityGroupIngress: + Type: "AWS::EC2::SecurityGroupIngress" DependsOn: NodeSecurityGroup Properties: - Description: Allow worker Kubelets and pods to receive communication from the cluster control plane - GroupId: !Ref NodeSecurityGroup - SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup + Description: Allow pods to communicate with the cluster API Server + FromPort: 443 + GroupId: !Ref ClusterControlPlaneSecurityGroup IpProtocol: tcp - FromPort: 1025 - ToPort: 65535 + SourceSecurityGroupId: !Ref NodeSecurityGroup + ToPort: 443 ControlPlaneEgressToNodeSecurityGroup: - Type: AWS::EC2::SecurityGroupEgress + Type: "AWS::EC2::SecurityGroupEgress" DependsOn: NodeSecurityGroup Properties: Description: Allow the cluster control plane to communicate with worker Kubelet and pods - GroupId: !Ref ClusterControlPlaneSecurityGroup DestinationSecurityGroupId: !Ref NodeSecurityGroup - IpProtocol: tcp FromPort: 1025 + GroupId: !Ref ClusterControlPlaneSecurityGroup + IpProtocol: tcp ToPort: 65535 - NodeSecurityGroupFromControlPlaneOn443Ingress: - Type: AWS::EC2::SecurityGroupIngress + ControlPlaneEgressToNodeSecurityGroupOn443: + Type: "AWS::EC2::SecurityGroupEgress" DependsOn: NodeSecurityGroup Properties: - Description: Allow pods running extension API servers on port 443 to receive communication from cluster control plane - GroupId: !Ref NodeSecurityGroup - SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup - IpProtocol: tcp + Description: Allow the cluster control plane to communicate with pods running extension API servers on port 443 + DestinationSecurityGroupId: !Ref 
NodeSecurityGroup FromPort: 443 + GroupId: !Ref ClusterControlPlaneSecurityGroup + IpProtocol: tcp ToPort: 443 - ControlPlaneEgressToNodeSecurityGroupOn443: - Type: AWS::EC2::SecurityGroupEgress + NodeSecurityGroupFromControlPlaneIngress: + Type: "AWS::EC2::SecurityGroupIngress" DependsOn: NodeSecurityGroup Properties: - Description: Allow the cluster control plane to communicate with pods running extension API servers on port 443 - GroupId: !Ref ClusterControlPlaneSecurityGroup - DestinationSecurityGroupId: !Ref NodeSecurityGroup + Description: Allow worker Kubelets and pods to receive communication from the cluster control plane + FromPort: 1025 + GroupId: !Ref NodeSecurityGroup IpProtocol: tcp - FromPort: 443 - ToPort: 443 + SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup + ToPort: 65535 - ClusterControlPlaneSecurityGroupIngress: - Type: AWS::EC2::SecurityGroupIngress + NodeSecurityGroupFromControlPlaneOn443Ingress: + Type: "AWS::EC2::SecurityGroupIngress" DependsOn: NodeSecurityGroup Properties: - Description: Allow pods to communicate with the cluster API Server - GroupId: !Ref ClusterControlPlaneSecurityGroup - SourceSecurityGroupId: !Ref NodeSecurityGroup + Description: Allow pods running extension API servers on port 443 to receive communication from cluster control plane + FromPort: 443 + GroupId: !Ref NodeSecurityGroup IpProtocol: tcp + SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup ToPort: 443 - FromPort: 443 + + NodeLaunchConfig: + Type: "AWS::AutoScaling::LaunchConfiguration" + Properties: + AssociatePublicIpAddress: "true" + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + DeleteOnTermination: true + VolumeSize: !Ref NodeVolumeSize + VolumeType: gp2 + IamInstanceProfile: !Ref NodeInstanceProfile + ImageId: !If + - HasNodeImageId + - Ref: NodeImageId + - Ref: NodeImageIdSSMParam + InstanceType: !Ref NodeInstanceType + KeyName: !Ref KeyName + SecurityGroups: + - Ref: NodeSecurityGroup + UserData: !Base64 + "Fn::Sub": | 
+ #!/bin/bash + set -o xtrace + /etc/eks/bootstrap.sh ${ClusterName} ${BootstrapArguments} + /opt/aws/bin/cfn-signal --exit-code $? \ + --stack ${AWS::StackName} \ + --resource NodeGroup \ + --region ${AWS::Region} NodeGroup: - Type: AWS::AutoScaling::AutoScalingGroup + Type: "AWS::AutoScaling::AutoScalingGroup" Properties: DesiredCapacity: !Ref NodeAutoScalingGroupDesiredCapacity LaunchConfigurationName: !Ref NodeLaunchConfig - MinSize: !Ref NodeAutoScalingGroupMinSize MaxSize: !Ref NodeAutoScalingGroupMaxSize - VPCZoneIdentifier: !Ref Subnets + MinSize: !Ref NodeAutoScalingGroupMinSize Tags: - Key: Name + PropagateAtLaunch: "true" Value: !Sub ${ClusterName}-${NodeGroupName}-Node - PropagateAtLaunch: true - Key: !Sub kubernetes.io/cluster/${ClusterName} + PropagateAtLaunch: "true" Value: owned - PropagateAtLaunch: true + VPCZoneIdentifier: !Ref Subnets UpdatePolicy: AutoScalingRollingUpdate: - MaxBatchSize: 1 + MaxBatchSize: "1" MinInstancesInService: !Ref NodeAutoScalingGroupDesiredCapacity PauseTime: PT5M - NodeLaunchConfig: - Type: AWS::AutoScaling::LaunchConfiguration - Properties: - AssociatePublicIpAddress: true - IamInstanceProfile: !Ref NodeInstanceProfile - ImageId: !Ref NodeImageId - InstanceType: !Ref NodeInstanceType - KeyName: !Ref KeyName - SecurityGroups: - - !Ref NodeSecurityGroup - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - VolumeSize: !Ref NodeVolumeSize - VolumeType: gp2 - DeleteOnTermination: true - UserData: - Fn::Base64: - !Sub | - #!/bin/bash - set -o xtrace - /etc/eks/bootstrap.sh ${ClusterName} ${BootstrapArguments} - /opt/aws/bin/cfn-signal --exit-code $? \ - --stack ${AWS::StackName} \ - --resource NodeGroup \ - --region ${AWS::Region} - Outputs: - NodeInstanceRole: Description: The node instance role Value: !GetAtt NodeInstanceRole.Arn @@ -454,3 +476,4 @@ Outputs: NodeSecurityGroup: Description: The security group for the node group Value: !Ref NodeSecurityGroup +
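Review bot: The `ImageId: !If` in `NodeLaunchConfig` makes the `NodeImageIdSSMParam` lookup the default image source, and an `AWS::SSM::Parameter::Value` parameter is resolved again on each stack update, so an update that changes nothing else can pick up a newer recommended AMI and, through the `AutoScalingRollingUpdate` policy on `NodeGroup`, roll every node; nothing in the template tells an operator this. A comment above `ImageId:` such as `# The SSM lookup is re-resolved on every stack update; set NodeImageId to pin the AMI` would cover it. The rewritten `Ebs` mapping also still carries no `Encrypted` property; adding `Encrypted: true` beneath `DeleteOnTermination: true` encrypts the root volume at launch where account-level EBS default encryption is not already enforced. Finally, the `UserData` script keeps `set -o xtrace`, so the expanded `${BootstrapArguments}` are echoed into the instance's cloud-init output and logs; worth stating in the `BootstrapArguments` description that the value must not carry secrets.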