AWS Infrastructure Setup - Manual
Overview
This document covers the steps required to deploy a new Kubernetes cluster to your existing AWS account, including the creation of all required resources. This process will be completed through the AWS CLI as well as the web interface.
Assumptions/Prerequisites
By default, Snorkel Flow is deployed into an existing AWS VPC and subnets, and configures new infrastructure in your AWS account. We start off with a couple assumptions:
- You have access to an AWS account
- You have access to a VPC, along with 3 or more subnets within that VPC
- You have a domain that you own, as well as a certificate for TLS
- The domain is configured in Route53
- The certificate is configured in AWS Certificate Manager
- The individual executing these setup tasks has admin access to the VPC
Part 1: Subnet Tagging
To ensure the kubernetes cluster created later in this document recognizes the 3 or more subnets provided, we need to tag them each with 2 tags:
- Navigate to subnets in the AWS Console
- VPC -> Subnets
- For each of the 3 subnets, add a tag for elb (for the aws-load-balancer-controller later in this document) and for the cluster
- Subnet -> Manage tags
- Add an elb tag
- For private subnets
- Key: kubernetes.io/role/internal-elb
- Value: 1
- For public subnets
- Key: kubernetes.io/role/elb
- Value: 1
- For private subnets
- Add a cluster tag
- Key: kubernetes.io/cluster/snorkel-flow-aws
note
snorkel-flow-awsis the default eks cluster name. If you use a different cluster name during EKS setup, replacesnorkel-flow-awswith your cluster name. - Value: shared
- Key: kubernetes.io/cluster/snorkel-flow-aws
Part 2: Security Group Setup
Create a security group for Snorkel Flow inside of your existing VPC:
- Navigate to Security Groups in the AWS Console
- EC2 -> Network and Security -> Security Groups
- Create a new Security Group with name `snorkel-flow-aws` in the existing VPC, allowing all outbound traffic and TCP inbound traffic
- Create security group
- Security group name: snorkel-flow-aws
- Description: snorkel-flow-aws
- VPC: Existing VPC ID
- Inbound traffic -> Add rule
- Type: All traffic
- Source: Anywhere-IPV4
- Outbound traffic -> Add rule
- Type: All traffic
- Source: Anywhere-IPV4
- Outbound traffic -> Add rule
- Type: All traffic
- Source: Anywhere-IPV6
- Create security group
Part 3: Create an EFS Instance
Create an EFS instance for Snorkel Flow inside of your existing VPC:
- Navigate to EFS in the AWS Console
- Create a new EFS instance with name `snorkel-flow-aws` in the existing VPC, with existing subnets as the mount points
- Create file system -> Customize
- File system settings
- Name: snorkel-flow-aws
- Storage class: standard
- Enable automated backups
- Enable encryption at rest
- Throughput mode: Bursting
- Network access
- VPC: your existing VPC
- Mount targets
- Your 3 or more subnets, along with their associated availability zone
- Security group: add `snorkel-flow-aws` created in Part 2
- Create
- File system settings
- Create file system -> Customize
Create an access point at the root directory of your EFS volume, with POSIX and creation permissions for user 99:
- Navigate to the new EFS in the AWS Console
- EFS -> snorkel-flow-aws -> Access points
- Create a new access point
- Create access point
- Name: snorkel-flow-aws
- Root directory path: /snorkel-flow/data
- POSIX User ID: 99
- POSIX Group ID: 99
- POSIX Secondary group IDs: 99
- Root directory owner user ID: 99
- Root directory owner group ID: 99
- Root directory access point permissions: 775
- Create access point
- Create access point
Part 4: Create an EKS cluster
Create an IAM role for the EKS cluster backplane:
- Navigate to IAM roles in the AWS Console
- IAM -> Roles
- Create a new role snorkel-flow-aws-cluster with AmazonEKSClusterPolicy and AmazonEKSVPCResourceController attached
- Create role
- Select trusted entity
- Custom trust policy
- Select trusted entity
- Create role
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EKSClusterAssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
- Add permissions
- Add the `AmazonEKSClusterPolicy` and `AmazonEKSVPCResourceController` policies
- Name, review, and create
- Role name: snorkel-flow-aws-cluster
- Create Role
Create an EKS cluster for Snorkel Flow inside of your existing VPC:
- Navigate to EKS (Elastic Kubernetes Service) in the AWS Console
- Create a new EKS cluster with name `snorkel-flow-aws` in the existing VPC
- Add cluster -> Create
- Configure cluster
- Name: snorkel-flow-aws
- Kubernetes version: default
- Cluster service role: snorkel-flow-aws-cluster
- Specify networking
- VPC: your existing VPC
- Subnets: your existing 3 or more subnets
- Security Groups: snorkel-flow-aws
- Select addons
- Amazon VPC CNI
- Kube-proxy
- CoreDNS
- Create
- Configure cluster
- Add cluster -> Create
Part 5: Add a node group to the EKS cluster
Create an IAM role for the EKS node group:
- Navigate to IAM roles in the AWS Console
- IAM -> Roles
- Create a new role snorkel-flow-aws-cluster-node with AmazonEC2ContainerRegistryReadOnly, AmazonEKS_CNI_Policy, and AmazonEKSWorkerNodePolicy attached
- Create role
- Select trusted entity
- Custom trust policy
- Select trusted entity
- Create role
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EKSNodeAssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
- Add permissions
- Add the `AmazonEC2ContainerRegistryReadOnly`, `AmazonEKS_CNI_Policy`, and `AmazonEKSWorkerNodePolicy` policies
- Name, review, and create
- Role name: snorkel-flow-aws-cluster-node
- Create Role
Create a node group for the EKS cluster:
- Navigate to the EKS cluster created in Part 4 in the AWS Console
- EKS (Elastic Kubernetes Service) -> Clusters -> snorkel-flow-aws -> Compute
- Add a new node group
- Add node group
- Configure node group
- Name: snorkel-flow-aws
- Node IAM role: snorkel-flow-aws-cluster-node
- Set compute and scaling configuration
- Node group compute configuration
- AMI type: Amazon Linux 2 (AL_x86_64)
- Capacity type: On-Demand
- Instance Types: m5.8xlarge
- Disk Size: 1024GiB
- Node group scaling configuration
- Desired size: 2 nodes
- Minimum size: 2 nodes
- Maximum size: 2 nodes
- Node group compute configuration
- Specify Networking
- Subnets: your 3 or more existing subnets
- Create
- Configure node group
- Add node group
Part 6: Create aws-efs-csi-driver, aws-load-balancer-controller, external-dns, and aws-ebs-csi-driver operators via helm
Create IAM policies for aws-efs-csi-driver, aws-load-balancer-controller, external-dns, and aws-ebs-csi-driver operators.
- Navigate to IAM policies in the AWS Console
- IAM -> Policies
- Create a new policy lb-controller-irsa-aws-load-balancer-controller
- Create policy
- Policy editor -> JSON
- Create policy
{
"Statement": [
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"ec2:GetCoipPoolUsage",
"ec2:DescribeVpcs",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeTags",
� "ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInternetGateways",
"ec2:DescribeInstances",
"ec2:DescribeCoipPools",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeAddresses",
"ec2:DescribeAccountAttributes"
],
"Effect": "Allow",
"Resource": "*"
},
� {
"Action": [
"wafv2:GetWebACLForResource",
"wafv2:GetWebACL",
"wafv2:DisassociateWebACL",
"wafv2:AssociateWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:GetWebACL",
"waf-regional:DisassociateWebACL",
"waf-regional:AssociateWebACL",
"shield:GetSubscriptionState",
"shield:DescribeProtection",
"shield:DeleteProtection",
"shield:CreateProtection",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"cognito-idp:DescribeUserPoolClient",
"acm:ListCertificates",
"acm:DescribeCertificate"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateSecurityGroup",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
},
"StringEquals": {
"ec2:CreateAction": "CreateSecurityGroup"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:security-group/*"
},
{
"Action": [
"ec2:DeleteTags",
"ec2:CreateTags"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:security-group/*"
},
{
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress"
],
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:CreateLoadBalancer"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateListener"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:AddTags"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
]
},
{
"Action": [
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:AddTags"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
]
},
{
"Action": "elasticloadbalancing:AddTags",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
},
"StringEquals": {
"elasticloadbalancing:CreateAction": [
"CreateTargetGroup",
"CreateLoadBalancer"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
]
},
{
"Action": [
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeleteLoadBalancer"
],
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Effect": "Allow",
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
},
{
"Action": [
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
-
Policy name: lb-controller-irsa-aws-load-balancer-controller
-
Create policy
-
Create a new policy external-dns-irsa-external-dns
- Create policy
- Policy editor -> JSON
- Create policy
{
"Statement": [
{
"Action": "route53:ChangeResourceRecordSets",
"Effect": "Allow",
"Resource": "arn:aws:route53:::hostedzone/*",
"Sid": "ChangeResourceRecordSets"
},
{
"Action": [
"route53:ListTagsForResource",
"route53:ListResourceRecordSets",
"route53:ListHostedZones"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ListResourceRecordSets"
}
],
"Version": "2012-10-17"
}
-
Policy name: external-dns-irsa-external-dns
-
Create policy
-
Create a new policy efs-csi-controller-aws-efs-csi-driver
- Create policy
- Policy editor -> JSON
- Create policy
{
"Statement": [
{
"Action": [
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeAccessPoints",
"ec2:DescribeAvailabilityZones"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "elasticfilesystem:CreateAccessPoint",
"Condition": {
"StringLike": {
"aws:RequestTag/efs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "elasticfilesystem:TagResource",
"Condition": {
"StringLike": {
"aws:ResourceTag/efs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "elasticfilesystem:DeleteAccessPoint",
"Condition": {
"StringEquals": {
"aws:ResourceTag/efs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
-
Policy name: efs-csi-controller-aws-efs-csi-driver
-
Create policy
-
Create a new policy ebs-csi-controller-aws-ebs-csi-driver
- Create policy
- Policy editor -> JSON
- Create policy
{
"Statement": [
{
"Action": [
"ec2:ModifyVolume",
"ec2:DetachVolume",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVolumes",
� "ec2:DescribeTags",
"ec2:DescribeSnapshots",
"ec2:DescribeInstances",
"ec2:DescribeAvailabilityZones",
"ec2:CreateSnapshot",
"ec2:AttachVolume"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"ec2:CreateAction": [
"CreateVolume",
"CreateSnapshot"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*"
]
},
{
"Action": "ec2:DeleteTags",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*"
]
},
{
"Action": "ec2:CreateVolume",
"Condition": {
"StringLike": {
"aws:RequestTag/ebs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateVolume",
"Condition": {
"StringLike": {
"aws:RequestTag/CSIVolumeName": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateVolume",
"Condition": {
"StringLike": {
"aws:RequestTag/kubernetes.io/cluster/*": "owned"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeName": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeSnapshotName": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
-
Policy name: ebs-csi-controller-aws-ebs-csi-driver - Create policy
Create associated IAM roles for aws-efs-csi-driver, aws-load-balancer-controller, external-dns, and aws-ebs-csi-driver operators.
- Navigate to IAM roles in the AWS Console
- IAM -> Roles
- Create a new role lb-controller-irsa-aws-load-balancer-controller that refers to the lb-controller-irsa-aws-load-balancer-controller policy
- Create role
- Select trusted entity
- Custom trust policy
- Note: ${OIDC_URL} is `OpenID Connect provider URL` of the EKS cluster created in Part 4 without the `https://` and can be found on the EKS cluster’s page (e.g. https://oidc.eks.us-west-2.amazonaws.com/id/64A3B40CAAD5443BD95F6A8B7889F272)
- Custom trust policy
- Select trusted entity
- Create role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_URL}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_URL}:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"
}
}
}
]
}
-
Add permissions
- Add the `lb-controller-irsa-aws-load-balancer-controller` policy created in the prior steps
-
Name, review, and create
- Role name: lb-controller-irsa-aws-load-balancer-controller
- Create Role
-
Create a new role external-dns-irsa-external-dns that refers to the external-dns-irsa-external-dns policy
- Create role
- Select trusted entity
- Custom trust policy
- Note: ${OIDC_URL} is `OpenID Connect provider URL` of the EKS cluster created in Part 4 without the `https://` and can be found on the EKS cluster’s page (e.g. https://oidc.eks.us-west-2.amazonaws.com/id/64A3B40CAAD5443BD95F6A8B7889F272)
- Custom trust policy
- Select trusted entity
- Create role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_URL}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_URL}:sub": "system:serviceaccount:kube-system:external-dns"
}
}
}
]
}
-
Add permissions
- Add the `external-dns-irsa-external-dns` policy created in the prior steps
-
Name, review, and create
- Role name: external-dns-irsa-external-dns
- Create Role
-
Create a new role efs-csi-controller-aws-efs-csi-driver that refers to the efs-csi-controller-aws-efs-csi-driver policy
- Create role
- Select trusted entity
- Custom trust policy
- Note: ${OIDC_URL} is `OpenID Connect provider URL` of the EKS cluster created in Part 4 without the `https://` and can be found on the EKS cluster’s page (e.g. https://oidc.eks.us-west-2.amazonaws.com/id/64A3B40CAAD5443BD95F6A8B7889F272)
- Custom trust policy
- Select trusted entity
- Create role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_URL}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_URL}:sub": "system:serviceaccount:kube-system:efs-csi-controller-sa"
}
}
}
]
}
-
Add permissions
- Add the `efs-csi-controller-aws-efs-csi-driver` policy created in the prior steps
-
Name, review, and create
- Role name: efs-csi-controller-aws-efs-csi-driver
- Create Role
-
Create a new role ebs-csi-controller-aws-ebs-csi-driver that refers to the ebs-csi-controller-aws-ebs-csi-driver policy
- Create role
- Select trusted entity
- Custom trust policy
- Note: ${OIDC_URL} is `OpenID Connect provider URL` of the EKS cluster created in Part 4 without the `https://` and can be found on the EKS cluster’s page (e.g. https://oidc.eks.us-west-2.amazonaws.com/id/64A3B40CAAD5443BD95F6A8B7889F272)
- Custom trust policy
- Select trusted entity
- Create role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_URL}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_URL}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
}
}
}
]
}
- Add permissions
- Add the `ebs-csi-controller-aws-ebs-csi-driver` policy created in the prior steps
- Name, review, and create
- Role name: ebs-csi-controller-aws-ebs-csi-driver
- Create Role
Create aws-efs-csi-driver, aws-load-balancer-controller, external-dns, and aws-ebs-csi-driver operators via helm charts.
- Connect to your cluster via kubectl
-
aws eks --region us-west-2 update-kubeconfig --name snorkel-flow-aws -
kubectl get pods --all-namespaces - Should return coredns, aws-node, and kube-proxy pods
-
- Deploy aws-efs-csi-driver
-
helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/ -
helm repo update aws-efs-csi-driver -
helm install aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver -n kube-system --set controller.serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::${ACCOUNT_ID}:role/efs-csi-controller-aws-efs-csi-driver" --version 2.4.7 -
kubectl get pods -n kube-system - Confirm that this now has the new efs-csi pods
-
- Deploy aws-load-balancer-controller
-
helm repo add eks [https://aws.github.io/eks-charts](https://aws.github.io/eks-charts) -
helm repo update eks -
helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=snorkel-flow-aws --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::${ACCOUNT_ID}:role/lb-controller-irsa-aws-load-balancer-controller" --version 1.5.5
-
- Deploy external-dns
- create an OIDC provider for the cluster first (follow instructions in https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)
-
helm repo add external-dns [https://kubernetes-sigs.github.io/external-dns/](https://kubernetes-sigs.github.io/external-dns/) -
helm repo update external-dns -
helm install external-dns external-dns/external-dns -n kube-system --set provider=aws --set txtOwnerId=snorkel-flow-aws --set txtPrefix=txt- --set domainFilters={$DOMAIN} --set extraArgs={--aws-prefer-cname} --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::${ACCOUNT_ID}:role/external-dns-irsa-external-dns" --version 1.13.0 - Note: $DOMAIN is the domain that you own
- Deploy aws-ebs-csi-driver
-
helm repo add aws-ebs-csi-driver [https://kubernetes-sigs.github.io/aws-ebs-csi-driver](https://kubernetes-sigs.github.io/aws-ebs-csi-driver) -
helm repo update aws-ebs-csi-driver -
helm install aws-ebs-csi-driver aws-ebs-csi-driver/aws-ebs-csi-driver -n kube-system --set controller.serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::${ACCOUNT_ID}:role/ebs-csi-controller-aws-ebs-csi-driver" --version 2.21.0
-
Part 7: AWS-Specific Configurations for Snorkel Flow
While deploying Snorkel Flow in AWS (link), there are a couple specific configurations that are needed to be set for helm to work with the infrastructure set up above:
- For annotations on the UI ingress, we’ll need the following:
alb.ingress.kubernetes.io/scheme: internal
external-dns.alpha.kubernetes.io/ttl: "60"
alb.ingress.kubernetes.io/certificate-arn: $AWS_CERTIFICATE_ARN
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/ssl-redirect: "443"
alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=600
alb.ingress.kubernetes.io/success-codes: 200-302
alb.ingress.kubernetes.io/target-type: "ip"
external-dns.alpha.kubernetes.io/hostname: $SUBDOMAIN.$DOMAIN
alb.ingress.kubernetes.io/group.name: $SUBDOMAIN.$DOMAIN
alb.ingress.kubernetes.io/healthcheck-path: /health
- $AWS_CERTIFICATE_ARN is the certificate configured for your domain in AWS Certificate Manager
- $SUBDOMAIN is the subdomain chosen for Snorkel Flow’s url
- $DOMAIN is a domain configured in route53
- Note: a similar set of annotations are required for each ingress Snorkel Flow uses
- For the data volume driver, we’ll need the following:
csi:
driver: efs.csi.aws.com
volumeHandle: $EFS_ID::$ACCESS_POINT_ID
- $EFS_ID is the id of the EFS created earlier for Snorkel Flow
- $ACCESS_POI