Integrating AWS EKS with Amazon CNI addon for networking
To integrate AWS Elastic Kubernetes Service (EKS) with the Amazon VPC CNI plugin for Kubernetes, we will use Pulumi to deploy an EKS cluster and then install the Amazon VPC CNI add-on onto it. The Amazon VPC CNI plugin gives Kubernetes pods the same IP address inside the pod as they have on the VPC network. This plugin is the default networking solution for AWS EKS.
Here's a Pulumi program written in TypeScript that creates an EKS cluster and applies the Amazon VPC CNI add-on:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";

// Create an EKS cluster. EKS installs the VPC CNI by default; the add-on
// resource further down puts that install under explicit version and IAM control.
const cluster = new eks.Cluster("my-cluster", {
    // Request an explicit VPC and subnets to ensure the proper networking setup for VPC CNI.
    vpcId: "<Your-VPC-ID>",
    publicSubnetIds: ["<Your-Public-Subnet-Ids>"],
    privateSubnetIds: ["<Your-Private-Subnet-Ids>"],
    // Create the cluster's IAM OIDC provider so pods can assume IAM roles (IRSA).
    createOidcProvider: true,
    // Other EKS cluster configurations...
});

// The cluster's OIDC provider is what the add-on's service account authenticates with.
const oidcProvider = pulumi.output(cluster.core.oidcProvider).apply(p => {
    if (!p) { throw new Error("cluster has no OIDC provider; set createOidcProvider: true"); }
    return p;
});
const oidcProviderArn = oidcProvider.apply(p => p.arn);
// IAM condition keys use the issuer without the "https://" scheme.
const oidcIssuer = oidcProvider.apply(p => p.url.apply(u => u.replace(/^https:\/\//, "")));

// Role that the VPC CNI's aws-node service account assumes via IRSA. The trust
// policy is scoped to that one service account so no other pod in the cluster can use it.
const cniAddonRole = new aws.iam.Role("cniAddonRole", {
    assumeRolePolicy: pulumi.all([oidcProviderArn, oidcIssuer]).apply(([arn, issuer]) =>
        JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: { Federated: arn },
                Action: "sts:AssumeRoleWithWebIdentity",
                Condition: {
                    StringEquals: {
                        [`${issuer}:sub`]: "system:serviceaccount:kube-system:aws-node",
                        [`${issuer}:aud`]: "sts.amazonaws.com",
                    },
                },
            }],
        })),
});

// Attach the Amazon EKS CNI Policy to the role created.
const cniAddonPolicyAttachment = new aws.iam.RolePolicyAttachment("cniAddonPolicyAttachment", {
    role: cniAddonRole,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
});

// Create the VPC CNI add-on for the EKS cluster. Wait for the policy attachment so
// the add-on never starts with a role that has no permissions yet.
const vpcCniAddon = new aws.eks.Addon("vpcCniAddon", {
    clusterName: cluster.eksCluster.name,
    addonName: "vpc-cni",
    addonVersion: "v1.7.5-eksbuild.1", // specify the version or use the latest supported by your EKS cluster version
    serviceAccountRoleArn: cniAddonRole.arn,
    resolveConflicts: "OVERWRITE", // Specifies how to handle add-on updates and conflicts
}, { dependsOn: [cniAddonPolicyAttachment] });

// Export the cluster's kubeconfig.
export const kubeconfig = cluster.kubeconfig;
```
Be sure to replace `<Your-VPC-ID>`, `<Your-Public-Subnet-Ids>`, and `<Your-Private-Subnet-Ids>` with your actual VPC and subnet IDs.

In this program:

- `eks.Cluster`: Creates an EKS cluster. Here you specify your VPC and subnet IDs. This is important for the CNI to properly integrate with your VPC.
- `aws.iam.Role`: Creates the IAM role that the VPC CNI add-on assumes to manage resources on your behalf. Its trust policy names the cluster's OIDC provider and the `kube-system:aws-node` service account, so only the CNI pods can obtain the role's credentials.
- `aws.iam.RolePolicyAttachment`: Attaches the `AmazonEKS_CNI_Policy` to the IAM role. This policy grants the permissions necessary for the CNI plugin to work with networking resources in your VPC.
- `aws.eks.Addon`: Represents the AWS-managed EKS add-on for VPC CNI. It is associated with the EKS cluster created and the IAM role for permissions.
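The trust policy is where the add-on role's scope is decided, so it is worth checking in code rather than by eye. The following is an added example, not part of the program above: it builds the IRSA trust policy for a given service account and audits an arbitrary trust policy for the three things a scoped role needs (a federated OIDC principal, a `:sub` condition naming exactly one service account, and an `:aud` condition). The OIDC ARN and URL are constructed placeholders, not values from a real account.

```typescript
// Added example: builds the IRSA trust policy the add-on role needs and audits a
// trust policy for that scoping. The sample ARN/URL below are constructed placeholders.

// Trust policy that lets only the named Kubernetes service account assume the role.
function irsaTrustPolicy(oidcArn: string, oidcUrl: string, ns: string, sa: string): string {
  const issuer = oidcUrl.replace(/^https:\/\//, ""); // IAM condition keys omit the scheme
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: oidcArn },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: { StringEquals: {
        [`${issuer}:sub`]: `system:serviceaccount:${ns}:${sa}`,
        [`${issuer}:aud`]: "sts.amazonaws.com",
      } },
    }],
  });
}

// Returns the problems found; an empty list means every Allow statement is a
// web-identity grant from the OIDC provider bound to exactly the expected subject.
function auditTrustPolicy(policyJson: string, expectedSub: string): string[] {
  const findings: string[] = [];
  const doc = JSON.parse(policyJson);
  const stmts: any[] = Array.isArray(doc.Statement) ? doc.Statement : doc.Statement ? [doc.Statement] : [];
  for (const s of stmts) {
    if (s.Effect !== "Allow") continue;
    if (!s.Principal?.Federated) {
      findings.push(`principal ${JSON.stringify(s.Principal)} is not the OIDC provider; aws-node cannot assume this role`);
      continue;
    }
    const actions: string[] = Array.isArray(s.Action) ? s.Action : [s.Action];
    if (!actions.includes("sts:AssumeRoleWithWebIdentity")) findings.push("missing sts:AssumeRoleWithWebIdentity");
    const eq: Record<string, string> = s.Condition?.StringEquals ?? {};
    const subKey = Object.keys(eq).find(k => k.endsWith(":sub"));
    const audKey = Object.keys(eq).find(k => k.endsWith(":aud"));
    if (!subKey) findings.push("no :sub condition, so any service account in the cluster could assume the role");
    else if (eq[subKey] !== expectedSub) findings.push(`:sub is ${eq[subKey]}, expected ${expectedSub}`);
    if (!audKey || eq[audKey] !== "sts.amazonaws.com") findings.push("missing or wrong :aud condition");
  }
  return findings;
}

// Constructed sample values (placeholders, not a real account).
const OIDC_ARN = "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE";
const OIDC_URL = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE";
const AWS_NODE_SUB = "system:serviceaccount:kube-system:aws-node";
const cniTrustPolicy = irsaTrustPolicy(OIDC_ARN, OIDC_URL, "kube-system", "aws-node");
const cniFindings = auditTrustPolicy(cniTrustPolicy, AWS_NODE_SUB); // [] when the policy is scoped
```

Running `auditTrustPolicy` against a role whose trust policy names `eks.amazonaws.com` as a service principal reports that the CNI pods cannot assume it at all, which is the failure you would otherwise only see as `aws-node` crash loops after `pulumi up`.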
Please ensure you have the right permissions set in your AWS account for Pulumi to create these resources. Also, ensure you've installed the Pulumi CLI and AWS CLI, and have configured the AWS CLI with the necessary credentials. To apply this configuration, navigate to the directory containing your Pulumi TypeScript code and run `pulumi up`.

Learn more about EKS Cluster and IAM Role in the Pulumi documentation.