Create EKS Self-Managed Node Group¶

This section will guide you through creating a self-managed node group.

Fast Forward

If you already have a node group for your cluster, expand this box to fast-forward.

Proceed to the Verify section.

What You’ll Need¶

A configured management environment.
An existing EKS cluster.
Access to the AWS console, if you are going to create a self-managed node group.

Procedure¶

Download the CloudFormation stack for self-managed node groups below:

amazon-eks-nodegroup.yaml

1AWSTemplateFormatVersion: "2010-09-09"
2
3Description: Amazon EKS - Node Group
4-674
4
5Metadata:
"AWS::CloudFormation::Interface":
  ParameterGroups:
    - Label:
        default: EKS Cluster
      Parameters:
        - ClusterName
        - ClusterControlPlaneSecurityGroup
    - Label:
        default: Worker Node Configuration
      Parameters:
        - NodeGroupName
        - NodeAutoScalingGroupMinSize
        - NodeAutoScalingGroupDesiredCapacity
        - NodeAutoScalingGroupMaxSize
        - NodeInstanceType
        - NodeImageIdSSMParam
        - NodeImageId
        - NodeVolumeSize
        - NodeExtraEBSVolumeSize
        - KeyName
        - BootstrapArguments
        - DisableIMDSv1
    - Label:
        default: Worker Network Configuration
      Parameters:
        - VpcId
        - Subnets
33
34Parameters:
BootstrapArguments:
  Type: String
  Default: ""
  Description: "Arguments to pass to the bootstrap script. See files/bootstrap.sh in https://github.com/awslabs/amazon-eks-ami"
39
ClusterControlPlaneSecurityGroup:
  Type: "AWS::EC2::SecurityGroup::Id"
  Description: The security group of the cluster control plane.
43
ClusterName:
  Type: String
  Description: The cluster name provided when the cluster was created. If it is incorrect, nodes will not be able to join the cluster.
47
KeyName:
  Type: "AWS::EC2::KeyPair::KeyName"
  Description: The EC2 Key Pair to allow SSH access to the instances
51
NodeAutoScalingGroupDesiredCapacity:
  Type: Number
  Default: 3
  Description: Desired capacity of Node Group ASG.
56
NodeAutoScalingGroupMaxSize:
  Type: Number
  Default: 4
  Description: Maximum size of Node Group ASG. Set to at least 1 greater than NodeAutoScalingGroupDesiredCapacity.
61
NodeAutoScalingGroupMinSize:
  Type: Number
  Default: 1
  Description: Minimum size of Node Group ASG.
66
NodeGroupName:
  Type: String
  Description: Unique identifier for the Node Group.
70
NodeImageId:
  Type: String
  Default: ""
  Description: (Optional) Specify your own custom image ID. This value overrides any AWS Systems Manager Parameter Store value specified above.
75
NodeImageIdSSMParam:
  Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
  Default: /aws/service/eks/optimized-ami/1.17/amazon-linux-2/recommended/image_id
  Description: AWS Systems Manager Parameter Store parameter of the AMI ID for the worker node instances. Change this value to match the version of Kubernetes you are using.
80
DisableIMDSv1:
  Type: String
  Default: "true"
  AllowedValues:
    - "false"
    - "true"
87
NodeInstanceType:
  Type: String
  Default: t3.medium
  AllowedValues:
    - a1.2xlarge
    - a1.4xlarge
    - a1.large
    - a1.medium
    - a1.metal
    - a1.xlarge
    - c1.medium
    - c1.xlarge
    - c3.2xlarge
    - c3.4xlarge
    - c3.8xlarge
    - c3.large
    - c3.xlarge
    - c4.2xlarge
    - c4.4xlarge
    - c4.8xlarge
    - c4.large
    - c4.xlarge
    - c5.12xlarge
    - c5.18xlarge
    - c5.24xlarge
    - c5.2xlarge
    - c5.4xlarge
    - c5.9xlarge
    - c5.large
    - c5.metal
    - c5.xlarge
    - c5a.12xlarge
    - c5a.16xlarge
    - c5a.24xlarge
    - c5a.2xlarge
    - c5a.4xlarge
    - c5a.8xlarge
    - c5a.large
    - c5a.metal
    - c5a.xlarge
    - c5ad.12xlarge
    - c5ad.16xlarge
    - c5ad.24xlarge
    - c5ad.2xlarge
    - c5ad.4xlarge
    - c5ad.8xlarge
    - c5ad.large
    - c5ad.metal
    - c5ad.xlarge
    - c5d.12xlarge
    - c5d.18xlarge
    - c5d.24xlarge
    - c5d.2xlarge
    - c5d.4xlarge
    - c5d.9xlarge
    - c5d.large
    - c5d.metal
    - c5d.xlarge
    - c5n.18xlarge
    - c5n.2xlarge
    - c5n.4xlarge
    - c5n.9xlarge
    - c5n.large
    - c5n.metal
    - c5n.xlarge
    - c6g.12xlarge
    - c6g.16xlarge
    - c6g.2xlarge
    - c6g.4xlarge
    - c6g.8xlarge
    - c6g.large
    - c6g.medium
    - c6g.metal
    - c6g.xlarge
    - c6gd.12xlarge
    - c6gd.16xlarge
    - c6gd.2xlarge
    - c6gd.4xlarge
    - c6gd.8xlarge
    - c6gd.large
    - c6gd.medium
    - c6gd.metal
    - c6gd.xlarge
    - cc2.8xlarge
    - cr1.8xlarge
    - d2.2xlarge
    - d2.4xlarge
    - d2.8xlarge
    - d2.xlarge
    - f1.16xlarge
    - f1.2xlarge
    - f1.4xlarge
    - g2.2xlarge
    - g2.8xlarge
    - g3.16xlarge
    - g3.4xlarge
    - g3.8xlarge
    - g3s.xlarge
    - g4dn.12xlarge
    - g4dn.16xlarge
    - g4dn.2xlarge
    - g4dn.4xlarge
    - g4dn.8xlarge
    - g4dn.metal
    - g4dn.xlarge
    - h1.16xlarge
    - h1.2xlarge
    - h1.4xlarge
    - h1.8xlarge
    - hs1.8xlarge
    - i2.2xlarge
    - i2.4xlarge
    - i2.8xlarge
    - i2.xlarge
    - i3.16xlarge
    - i3.2xlarge
    - i3.4xlarge
    - i3.8xlarge
    - i3.large
    - i3.metal
    - i3.xlarge
    - i3en.12xlarge
    - i3en.24xlarge
    - i3en.2xlarge
    - i3en.3xlarge
    - i3en.6xlarge
    - i3en.large
    - i3en.metal
    - i3en.xlarge
    - inf1.24xlarge
    - inf1.2xlarge
    - inf1.6xlarge
    - inf1.xlarge
    - m1.large
    - m1.medium
    - m1.small
    - m1.xlarge
    - m2.2xlarge
    - m2.4xlarge
    - m2.xlarge
    - m3.2xlarge
    - m3.large
    - m3.medium
    - m3.xlarge
    - m4.10xlarge
    - m4.16xlarge
    - m4.2xlarge
    - m4.4xlarge
    - m4.large
    - m4.xlarge
    - m5.12xlarge
    - m5.16xlarge
    - m5.24xlarge
    - m5.2xlarge
    - m5.4xlarge
    - m5.8xlarge
    - m5.large
    - m5.metal
    - m5.xlarge
    - m5a.12xlarge
    - m5a.16xlarge
    - m5a.24xlarge
    - m5a.2xlarge
    - m5a.4xlarge
    - m5a.8xlarge
    - m5a.large
    - m5a.xlarge
    - m5ad.12xlarge
    - m5ad.16xlarge
    - m5ad.24xlarge
    - m5ad.2xlarge
    - m5ad.4xlarge
    - m5ad.8xlarge
    - m5ad.large
    - m5ad.xlarge
    - m5d.12xlarge
    - m5d.16xlarge
    - m5d.24xlarge
    - m5d.2xlarge
    - m5d.4xlarge
    - m5d.8xlarge
    - m5d.large
    - m5d.metal
    - m5d.xlarge
    - m5dn.12xlarge
    - m5dn.16xlarge
    - m5dn.24xlarge
    - m5dn.2xlarge
    - m5dn.4xlarge
    - m5dn.8xlarge
    - m5dn.large
    - m5dn.xlarge
    - m5n.12xlarge
    - m5n.16xlarge
    - m5n.24xlarge
    - m5n.2xlarge
    - m5n.4xlarge
    - m5n.8xlarge
    - m5n.large
    - m5n.xlarge
    - m6g.12xlarge
    - m6g.16xlarge
    - m6g.2xlarge
    - m6g.4xlarge
    - m6g.8xlarge
    - m6g.large
    - m6g.medium
    - m6g.metal
    - m6g.xlarge
    - m6gd.12xlarge
    - m6gd.16xlarge
    - m6gd.2xlarge
    - m6gd.4xlarge
    - m6gd.8xlarge
    - m6gd.large
    - m6gd.medium
    - m6gd.metal
    - m6gd.xlarge
    - p2.16xlarge
    - p2.8xlarge
    - p2.xlarge
    - p3.16xlarge
    - p3.2xlarge
    - p3.8xlarge
    - p3dn.24xlarge
    - p4d.24xlarge
    - r3.2xlarge
    - r3.4xlarge
    - r3.8xlarge
    - r3.large
    - r3.xlarge
    - r4.16xlarge
    - r4.2xlarge
    - r4.4xlarge
    - r4.8xlarge
    - r4.large
    - r4.xlarge
    - r5.12xlarge
    - r5.16xlarge
    - r5.24xlarge
    - r5.2xlarge
    - r5.4xlarge
    - r5.8xlarge
    - r5.large
    - r5.metal
    - r5.xlarge
    - r5a.12xlarge
    - r5a.16xlarge
    - r5a.24xlarge
    - r5a.2xlarge
    - r5a.4xlarge
    - r5a.8xlarge
    - r5a.large
    - r5a.xlarge
    - r5ad.12xlarge
    - r5ad.16xlarge
    - r5ad.24xlarge
    - r5ad.2xlarge
    - r5ad.4xlarge
    - r5ad.8xlarge
    - r5ad.large
    - r5ad.xlarge
    - r5d.12xlarge
    - r5d.16xlarge
    - r5d.24xlarge
    - r5d.2xlarge
    - r5d.4xlarge
    - r5d.8xlarge
    - r5d.large
    - r5d.metal
    - r5d.xlarge
    - r5dn.12xlarge
    - r5dn.16xlarge
    - r5dn.24xlarge
    - r5dn.2xlarge
    - r5dn.4xlarge
    - r5dn.8xlarge
    - r5dn.large
    - r5dn.xlarge
    - r5n.12xlarge
    - r5n.16xlarge
    - r5n.24xlarge
    - r5n.2xlarge
    - r5n.4xlarge
    - r5n.8xlarge
    - r5n.large
    - r5n.xlarge
    - r6g.12xlarge
    - r6g.16xlarge
    - r6g.2xlarge
    - r6g.4xlarge
    - r6g.8xlarge
    - r6g.large
    - r6g.medium
    - r6g.metal
    - r6g.xlarge
    - r6gd.12xlarge
    - r6gd.16xlarge
    - r6gd.2xlarge
    - r6gd.4xlarge
    - r6gd.8xlarge
    - r6gd.large
    - r6gd.medium
    - r6gd.metal
    - r6gd.xlarge
    - t1.micro
    - t2.2xlarge
    - t2.large
    - t2.medium
    - t2.micro
    - t2.nano
    - t2.small
    - t2.xlarge
    - t3.2xlarge
    - t3.large
    - t3.medium
    - t3.micro
    - t3.nano
    - t3.small
    - t3.xlarge
    - t3a.2xlarge
    - t3a.large
    - t3a.medium
    - t3a.micro
    - t3a.nano
    - t3a.small
    - t3a.xlarge
    - t4g.2xlarge
    - t4g.large
    - t4g.medium
    - t4g.micro
    - t4g.nano
    - t4g.small
    - t4g.xlarge
    - u-12tb1.metal
    - u-18tb1.metal
    - u-24tb1.metal
    - u-6tb1.metal
    - u-9tb1.metal
    - x1.16xlarge
    - x1.32xlarge
    - x1e.16xlarge
    - x1e.2xlarge
    - x1e.32xlarge
    - x1e.4xlarge
    - x1e.8xlarge
    - x1e.xlarge
    - z1d.12xlarge
    - z1d.2xlarge
    - z1d.3xlarge
    - z1d.6xlarge
    - z1d.large
    - z1d.metal
    - z1d.xlarge
  ConstraintDescription: Must be a valid EC2 instance type
  Description: EC2 instance type for the node instances
444
NodeVolumeSize:
  Type: Number
  Default: 20
  Description: Node volume size
449
NodeExtraEBSVolumeSize:
  Type: Number
  Default: 0
  Description: Extra EBS volume size
454
Subnets:
  Type: "List<AWS::EC2::Subnet::Id>"
  Description: The subnets where workers can be created.
458
VpcId:
  Type: "AWS::EC2::VPC::Id"
  Description: The VPC of the worker instances
462
463Mappings:
PartitionMap:
  aws:
    EC2ServicePrincipal: "ec2.amazonaws.com"
  aws-us-gov:
    EC2ServicePrincipal: "ec2.amazonaws.com"
  aws-cn:
    EC2ServicePrincipal: "ec2.amazonaws.com.cn"
  aws-iso:
    EC2ServicePrincipal: "ec2.c2s.ic.gov"
  aws-iso-b:
    EC2ServicePrincipal: "ec2.sc2s.sgov.gov"
475
476Conditions:
HasNodeImageId: !Not
  - "Fn::Equals":
    - !Ref NodeImageId
    - ""
481
IMDSv1Disabled:
  "Fn::Equals":
    - !Ref DisableIMDSv1
    - "true"
486
HasNodeExtraDisk: !Not
  - "Fn::Equals":
      - !Ref NodeExtraEBSVolumeSize
      - 0
491
492
493Resources:
NodeInstanceRole:
  Type: "AWS::IAM::Role"
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - !FindInMap [PartitionMap, !Ref "AWS::Partition", EC2ServicePrincipal]
          Action:
            - "sts:AssumeRole"
    ManagedPolicyArns:
      - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
      - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy"
      - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
    Path: /
511
NodeInstanceProfile:
  Type: "AWS::IAM::InstanceProfile"
  Properties:
    Path: /
    Roles:
      - !Ref NodeInstanceRole
518
NodeSecurityGroup:
  Type: "AWS::EC2::SecurityGroup"
  Properties:
    GroupDescription: Security group for all nodes in the cluster
    Tags:
      - Key: !Sub kubernetes.io/cluster/${ClusterName}
        Value: owned
    VpcId: !Ref VpcId
527
NodeSecurityGroupIngress:
  Type: "AWS::EC2::SecurityGroupIngress"
  DependsOn: NodeSecurityGroup
  Properties:
    Description: Allow node to communicate with each other
    FromPort: 0
    GroupId: !Ref NodeSecurityGroup
    IpProtocol: "-1"
    SourceSecurityGroupId: !Ref NodeSecurityGroup
    ToPort: 65535
538
ClusterControlPlaneSecurityGroupIngress:
  Type: "AWS::EC2::SecurityGroupIngress"
  DependsOn: NodeSecurityGroup
  Properties:
    Description: Allow pods to communicate with the cluster API Server
    FromPort: 443
    GroupId: !Ref ClusterControlPlaneSecurityGroup
    IpProtocol: tcp
    SourceSecurityGroupId: !Ref NodeSecurityGroup
    ToPort: 443
549
ControlPlaneEgressToNodeSecurityGroup:
  Type: "AWS::EC2::SecurityGroupEgress"
  DependsOn: NodeSecurityGroup
  Properties:
    Description: Allow the cluster control plane to communicate with worker Kubelet and pods
    DestinationSecurityGroupId: !Ref NodeSecurityGroup
    FromPort: 1025
    GroupId: !Ref ClusterControlPlaneSecurityGroup
    IpProtocol: tcp
    ToPort: 65535
560
ControlPlaneEgressToNodeSecurityGroupOn443:
  Type: "AWS::EC2::SecurityGroupEgress"
  DependsOn: NodeSecurityGroup
  Properties:
    Description: Allow the cluster control plane to communicate with pods running extension API servers on port 443
    DestinationSecurityGroupId: !Ref NodeSecurityGroup
    FromPort: 443
    GroupId: !Ref ClusterControlPlaneSecurityGroup
    IpProtocol: tcp
    ToPort: 443
571
NodeSecurityGroupFromControlPlaneIngress:
  Type: "AWS::EC2::SecurityGroupIngress"
  DependsOn: NodeSecurityGroup
  Properties:
    Description: Allow worker Kubelets and pods to receive communication from the cluster control plane
    FromPort: 1025
    GroupId: !Ref NodeSecurityGroup
    IpProtocol: tcp
    SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup
    ToPort: 65535
582
NodeSecurityGroupFromControlPlaneOn443Ingress:
  Type: "AWS::EC2::SecurityGroupIngress"
  DependsOn: NodeSecurityGroup
  Properties:
    Description: Allow pods running extension API servers on port 443 to receive communication from cluster control plane
    FromPort: 443
    GroupId: !Ref NodeSecurityGroup
    IpProtocol: tcp
    SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup
    ToPort: 443
593
NodeLaunchTemplate:
  Type: "AWS::EC2::LaunchTemplate"
  Properties:
    LaunchTemplateData:
      BlockDeviceMappings: !If
        - HasNodeExtraDisk
        - - DeviceName: /dev/xvda
            Ebs:
              DeleteOnTermination: true
              VolumeSize: !Ref NodeVolumeSize
              VolumeType: gp2
          - DeviceName: /dev/sdf
            Ebs:
              DeleteOnTermination: true
              VolumeSize: !Ref NodeExtraEBSVolumeSize
              VolumeType: gp2
        - - DeviceName: /dev/xvda
            Ebs:
              DeleteOnTermination: true
              VolumeSize: !Ref NodeVolumeSize
              VolumeType: gp2
615
      IamInstanceProfile:
        Arn: !GetAtt NodeInstanceProfile.Arn
      ImageId: !If
        - HasNodeImageId
        - !Ref NodeImageId
        - !Ref NodeImageIdSSMParam
      InstanceType: !Ref NodeInstanceType
      KeyName: !Ref KeyName
      SecurityGroupIds:
      - !Ref NodeSecurityGroup
      UserData: !Base64
        "Fn::Sub": |
          #!/bin/bash
          set -o xtrace
          /etc/eks/bootstrap.sh ${ClusterName} ${BootstrapArguments}
          /opt/aws/bin/cfn-signal --exit-code $? \
                   --stack  ${AWS::StackName} \
                   --resource NodeGroup  \
                   --region ${AWS::Region}
      MetadataOptions:
        HttpPutResponseHopLimit : 1
        HttpEndpoint: enabled
        HttpTokens: !If
          - IMDSv1Disabled
          - required
          - optional
642
NodeGroup:
  Type: "AWS::AutoScaling::AutoScalingGroup"
  Properties:
    DesiredCapacity: !Ref NodeAutoScalingGroupDesiredCapacity
    LaunchTemplate:
      LaunchTemplateId: !Ref NodeLaunchTemplate
      Version: !GetAtt NodeLaunchTemplate.LatestVersionNumber
    MaxSize: !Ref NodeAutoScalingGroupMaxSize
    MinSize: !Ref NodeAutoScalingGroupMinSize
    Tags:
      - Key: Name
        PropagateAtLaunch: true
        Value: !Sub ${ClusterName}-${NodeGroupName}-Node
      - Key: !Sub kubernetes.io/cluster/${ClusterName}
        PropagateAtLaunch: true
        Value: owned
    VPCZoneIdentifier: !Ref Subnets
  UpdatePolicy:
    AutoScalingRollingUpdate:
      MaxBatchSize: 1
      MinInstancesInService: !Ref NodeAutoScalingGroupDesiredCapacity
      PauseTime: PT5M
665
666Outputs:
NodeInstanceRole:
  Description: The node instance role
  Value: !GetAtt NodeInstanceRole.Arn
670
NodeSecurityGroup:
  Description: The security group for the node group
  Value: !Ref NodeSecurityGroup
674
NodeAutoScalingGroup:
  Description: The autoscaling group
  Value: !Ref NodeGroup

Go to AWS CloudFormation Console.
Click the Create stack dropdown menu and select with new resources(standard).
In Specify template choose Upload a template file and upload the amazon-eks-nodegroup.yaml file you downloaded in the first step. Then click Next.
In section Stack name pick a name for the stack, for example, <EKS_CLUSTER>-workers, where <EKS_CLUSTER> is the name of your cluster.
In section Parameters specify the name of the EKS cluster you created previously.
For ClusterControlPlaneSecurityGroup, select the security group created with your VPC CloudFormation stack. To find it, go to AWS CloudFormation Console, select the CF stack of your VPC, go to Outputs, and note down the SecurityGroups value:

This is the security group to allow communication between your worker nodes and the Kubernetes control plane.
Pick a name for the node group, for example, general-workers. The created instances will be named after <EKS_CLUSTER>-<NODEGROUPNAME>-Node.
In NodeInstanceType select your desired instance type. We recommend that you use an instance type that has instance store volumes (local NVMe storage) attached, such as m5d.4xlarge.
Set NodeImageIdSSMParam by choosing one of the following options based on the Kubernetes version of your cluster.

Kubernetes 1.24

Kubernetes 1.23

Kubernetes 1.22

/aws/service/eks/optimized-ami/1.24/amazon-linux-2/amazon-eks-node-1.24-v20230304/image_id

/aws/service/eks/optimized-ami/1.23/amazon-linux-2/amazon-eks-node-1.23-v20221112/image_id

/aws/service/eks/optimized-ami/1.22/amazon-linux-2/amazon-eks-node-1.22-v20221112/image_id
Set a large enough NodeVolumeSize, for example, 200 (GB) since this will hold Docker images and ephemeral storage of Pods.
If the instance type you chose is EBS-only (that is, it doesn’t have ephemeral storage attached), set a large enough NodeExtraEBSVolumeSize, for example, 500 (GB) since this will hold your Rok storage.
Under KeyName, specify an EC2 key pair to allow SSH access to the instances. This option is required by the CloudFormation template that we are using.
Ensure that DisableIMDSv1 is set to true so that worker nodes use IMDSv2 only.
Select the VPC, and the subnets to spawn the workers in. If you use EBS volumes, we highly recommend that the Auto Scaling group (ASG) spans a single Availability zone. Choose them from the given drop down list. Then click Next.
In Configure stack options, add the following Tags that Cluster Autoscaler requires so that it can discover the instances of the ASG automatically. Then click Next.

Key Value

k8s.io/cluster-autoscaler/enabled true

k8s.io/cluster-autoscaler/<EKS_CLUSTER> owned
Review your CloudFormation stack to make sure you have configured it as instructed above. Check the necessary boxes and click Create stack.
Note

CloudFormation will
- Create an IAM role that worker nodes will consume.
- Create an AutoScalingGroup with a new Launch Template.
- Create a security group that the worker nodes will use.
- Modify given cluster security group to allow communication between control plane and worker nodes.
After the stack has finished creating, you need to allow the nodes to join the cluster. Go to your GitOps repository, inside your rok-tools management environment:

root@rok-tools:~# cd ~/ops/deployments
Specify the CloudFormation stack name you used for creating the node group:

root@rok-tools:~/ops/deployments# export CF_STACK_NAME=<CF_STACK_NAME>

Replace <CF_STACK_NAME> with the your node group’s CF stack, for example:

root@rok-tools:~/ops/deployments# export CF_STACK_NAME=arrikto-cluster-workers
Obtain the IAM role that CloudFormation created for the nodes to run with:

root@rok-tools:~/ops/deployments# aws cloudformation describe-stacks \ > --stack-name ${CF_STACK_NAME?} \ > --query 'Stacks[].Outputs[?OutputKey==`NodeInstanceRole`].OutputValue' \ > --output text arn:aws:iam::123456789012:role/arrikto-cluster-workers-NodeInstanceRole-1UR1Z9YTC2TTK
Inspect the aws-auth ConfigMap to get existing entries if any:

root@rok-tools:~/ops/deployments# kubectl get configmap aws-auth \ > -n kube-system -o jsonpath={.data.mapRoles}
Edit rok/eks/aws-auth.yaml and add a new entry under mapRoles, including the entries you found in previous step:

data: mapRoles: | - groups: - system:bootstrappers - system:nodes rolearn: arn:aws:iam::123456789012:role/arrikto-cluster-workers-NodeInstanceRole-1UR1Z9YTC2TTK username: system:node:{{EC2PrivateDNSName}}
Commit your changes:

root@rok-tools:~/ops/deployments# git commit \ > -am "Create EKS Self-managed Node Group: Allow $CF_STACK_NAME to join the cluster"
Apply the manifest:

root@rok-tools:~/ops/deployments# kubectl apply -f rok/eks/aws-auth.yaml

Verify¶

Go to your GitOps repository, inside your rok-tools management environment:

root@rok-tools:~# cd ~/ops/deployments
Restore the required context from previous sections:

root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-cluster)

root@rok-tools:~/ops/deployments# export EKS_CLUSTER
Verify that EC2 instances have been created:

root@rok-tools:~/ops/deployments# aws ec2 describe-instances \ > --filters Name=tag-key,Values=kubernetes.io/cluster/${EKS_CLUSTER?} { "Reservations": [ { "Groups": [], "Instances": [ { "AmiLaunchIndex": 0, "ImageId": "ami-012b81faa674369fc", "InstanceId": "i-0a1795ed2c92c16d5", "InstanceType": "m5.large", "LaunchTime": "2021-07-27T08:39:41+00:00", "Monitoring": { "State": "disabled" }, "Placement": { "AvailabilityZone": "eu-central-1b", "GroupName": "", "Tenancy": "default" }, ...
Verify that all EC2 instances use IMDSv2 only:
1. Retrieve the EC2 instance IDs of your cluster:
  
  root@rok-tools:~/ops/deployments# aws ec2 describe-instances \ > --filters Name=tag:kubernetes.io/cluster/${EKS_CLUSTER?},Values=owned \ > --query "Reservations[*].Instances[*].InstanceId" --output text) i-075363bbf64a60e04 i-06a5ee72c6eed1bad
2. Repeat the steps below for each one of the EC2 instance IDs in the list of the previous step.
  1. Specify the ID of the EC2 instance to operate on:
    
    root@rok-tools:~/ops/deployments# export INSTANCE_ID=<INSTANCE_ID>
    
    Replace <INSTANCE_ID> with one of the IDs you found in the previous step, for example:
    
    root@rok-tools:~/ops/deployments# export INSTANCE_ID=i-075363bbf64a60e04
  2. Verify that the HttpTokens metadata option is set to required:
    
    root@rok-tools:~/ops/deployments# aws ec2 get-launch-template-data \ > --instance-id ${INSTANCE_ID?} \ > --query 'LaunchTemplateData.MetadataOptions.HttpTokens == `required`' true
  3. Verify that the HttpPutResponseHopLimit metadata option is set to 1:
    
    root@rok-tools:~/ops/deployments# aws ec2 get-launch-template-data \ > --instance-id ${INSTANCE_ID?} \ > --query 'LaunchTemplateData.MetadataOptions.HttpPutResponseHopLimit == `1`' true
  4. Go back to step i and repeat steps i-iv for the remaining instance IDs.
Verify that Kubernetes nodes have appeared:

root@rok-tools:~/ops/deployments# kubectl get nodes NAME STATUS ROLES AGE VERSION ip-172-31-0-86.us-west-2.compute.internal Ready <none> 8m2s v1.24.10-eks-ba74326 ip-172-31-24-96.us-west-2.compute.internal Ready <none> 8m4s v1.24.10-eks-ba74326

Summary¶

You have successfully created a self-managed node group.

What’s Next¶

The next step to disable unsafe operations for your EKS cluster.

Disable Unsafe Operations for Your EKS Cluster

Previous Next

Key	Value
k8s.io/cluster-autoscaler/enabled	true
k8s.io/cluster-autoscaler/<EKS_CLUSTER>	owned