Fully Private Cluster

apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: name: wsi-cluster version: "1.31" region: ap-northeast-2 cloudWatch: clusterLogging: enableTypes: ["*"] iam: withOIDC: true serviceAccounts: - metadata: name: aws-load-balancer-controller namespace: kube-system wellKnownPolicies: awsLoadBalancerController: true - metadata: name: cert-manager namespace: cert-manager wellKnownPolicies: certManager: true privateCluster: enabled: true skipEndpointCreation: true vpc: securityGroup: sg-0c1843d9c76955861 # Ingress 443 Egress All traffic subnets: private: ap-northeast-2a: { id: private_a } ap-northeast-2b: { id: private_b } managedNodeGroups: - name: wsi-app-nodegroup instanceName: wsi-app-node instanceType: c5.large desiredCapacity: 2 minSize: 2 maxSize: 4 privateNetworking: true

eksctl create cluster -f cluster.yaml

apiVersion: apps/v1 kind: Deployment metadata: name: node namespace: default labels: app: node spec: replicas: 2 selector: matchLabels: app: node template: metadata: labels: app: node spec: containers: - name: node image: 362708816803.dkr.ecr.ap-northeast-2.amazonaws.com/app:latest ports: - containerPort: 8080

kubectl apply -f deployment.yaml

apiVersion: v1 kind: Service metadata: name: node namespace: default spec: selector: app: node type: ClusterIP sessionAffinity: None sessionAffinityConfig: clientIP: timeoutSeconds: 10800 ports: - name: node protocol: TCP port: 8080 targetPort: 8080

kubectl apply -f service.yaml

apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: time namespace: default annotations: alb.ingress.kubernetes.io/load-balancer-name: wsi-alb alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/target-type: ip alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]' alb.ingress.kubernetes.io/healthcheck-path: /healthcheck alb.ingress.kubernetes.io/healthcheck-interval-seconds: "5" alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "2" alb.ingress.kubernetes.io/healthy-threshold-count: "2" alb.ingress.kubernetes.io/unhealthy-threshold-count: "2" alb.ingress.kubernetes.io/target-group-attributes: deregistration_delay.timeout_seconds=30 spec: ingressClassName: alb rules: - http: paths: - path: /v1/worldskills pathType: Prefix backend: service: name: node port: number: 8080 - path: /v1/gold pathType: Prefix backend: service: name: node port: number: 8080 - path: /healthcheck pathType: Prefix backend: service: name: node port: number: 8080

kubectl apply -f ingress.yaml

export EKS_CLUSTER_NAME=wsi-cluster

helm repo add eks https://aws.github.io/eks-charts helm repo update eks helm install aws-load-balancer-controller eks/aws-load-balancer-controller \ -n kube-system \ --set clusterName=$EKS_CLUSTER_NAME \ --set serviceAccount.create=false \ --set serviceAccount.name=aws-load-balancer-controller

public_a=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=wsi-public-subnet-a" --query "Subnets[].SubnetId[]" --region ap-northeast-2 --output text) public_b=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=wsi-public-subnet-b" --query "Subnets[].SubnetId[]" --region ap-northeast-2 --output text) private_a=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=wsi-private-subnet-a" --query "Subnets[].SubnetId[]" --region ap-northeast-2 --output text) private_b=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=wsi-private-subnet-b" --query "Subnets[].SubnetId[]" --region ap-northeast-2 --output text) public_subnet_name=("$public_a" "$public_b") private_subnet_name=("$private_a" "$private_b") for name in "${public_subnet_name[@]}" do aws ec2 create-tags --resources $name --tags Key=kubernetes.io/role/elb,Value=1 done for name in "${private_subnet_name[@]}" do aws ec2 create-tags --resources $name --tags Key=kubernetes.io/role/internal-elb,Value=1 done

ping 8.8.8.8 # 실패 해야함