Skip to main content

AWS Elastic Kubernetes Service EKS (Managed Kubernetes Services): Deploy EKS Cluster via eksctl; Example Deployment with TLS Encryption with AWS Certificate Manager & Load Balancer Service

1284 words·
Kubernetes Kubernetes Cluster AWS EKS Kubectl AWS Certificate Manager (ACM) AWS Elastic Load Balancer (ELB) Route 53
Table of Contents
Kubernetes-Cluster - This article is part of a series.
Part 1: Local Kubernetes Cluster with Minikube and Virtualbox: Example Pod with Port Forwarding, Example Deployment with NodePort Service
Part 2: Local Kubernetes Cluster with Kubernetes in Docker (KIND), Deployment with NodePort Service, Install Kubernetes Dashboard
Part 3: K3s: Single and Multi Node Kubernetes Cluster based on Debian 12 Servers, Traefik & Nginx Ingress Controller, Helm Package Manager, Node Labels, Taint Master Node, Deployment Scaling, TLS Encryption with Certbot
Part 4: This Article
Part 5: Azure Kubernetes Service AKS (Managed Kubernetes Services): Deploy AKS Cluster via AZ CLI; Deploy & Configure Nginx Ingress, Cert Manager, ClusterIssuer; Example Deployment with TLS Encryption
Part 6: Google Kubernetes Engine GKE (Managed Kubernetes Services): Install gcloud, Enable APIs, Deploy Regional & Zonal Cluster via gcloud CLI; Exaple Deployment with TLS Encryption via GKE Ingress and Google-managed Certificate
Part 7: K8s Kubespray: Kubernetes Cluster Deployment, MetalLB Configuration, Add & Remove Nodes from the Cluster, Example Deployment with LoadBalancer and NodePort Services
Part 8: RKE2 - Rancher Kubernetes Engine 2: Deploy a Bare-Metal Kubernetes Cluster based on Ubuntu 24.04 Servers, Add Controller & Worker Nodes, Deploy & Configure MetalLB LoadBalancer, Example Deployment with LoadBalancer Service
Part 9: K0s: Deploy a K0s Cluster with K0sctl, Deploy and Configure MetalLB, Deploy Nginx Ingress Controller; Example Deployment with TLS Encryption
Part 10: K8s Kubeadm - Basic Kubernetes Cluster Deployment with one Controller and two Worker Nodes, Containerd and Kubeadmin Cgroup Driver Configuration, Cilium Network Add-On, MetalLB & Nginx Ingress Controller, Test-Deployment with TLS Encryption
Part 11: K8s Kubeadm - High Availability Kubernetes Cluster Deployment with HAproxy and Keepalived, Pod based stacked etcd Cluster; Cilium Network Add-On, MetalLB & Nginx Ingress Controller, Test-Deployment with TLS Encryption
Part 12: K8s Kubeadm - High Availability Kubernetes Cluster Deployment with HAproxy and Keepalived, External etcd Cluster
Part 13: K8s Kubeadm - Upgrade Kubernetes Version with Kubeadm
Part 14: Cluster API vSphere (CAPV): Deploy a Kubeadm based Kubernetes Cluster on vSphere, with Cluster API from a KIND Management Cluster

Amazon Elastic Kubernetes Service or Amazon Elastic Container Service for Kubernetes.

Prerequisites: Docker image
#

The following Docker container lists the hostname of the container. This is very helpful the test the scaling of a Kubernetes pod, as it lists the different hostnames when it’s curled.

Node.js
#

  • Create the following file: app.js
const http = require('http');
const os = require('os');

console.log("Kubernetes testing");

var handler = function(request, response) {
  console.log("Received request from " + request.connection.remoteAddress);
  response.writeHead(200);
  response.end("Container runs on: " + os.hostname() + "\n");
};

var www = http.createServer(handler);
www.listen(8080);

Dockerfile
# 

FROM node:lts-alpine3.19
Copy app.js /app.js
EXPOSE 8080
ENTRYPOINT ["node", "app.js"]

Build & Push the Docker Image
# 

# Build the image
docker build -t jueklu/container-2 .

# Push the image to the registry
docker push jueklu/container-2

Test the Image
# 

# Run the container
docker run -d --name container-2 -p 8080:8080 jueklu/container-2

# Use curl to check the container host
curl localhost:8080

# Optional: Open container terminal
docker exec -it container-2 /bin/ash

# Verify the container hostname
hostname

Prerequisites: Packages
#

AWS CLIv2
#

Install AWS CLIv2
# 

# Install AWS CLI version 2
sudo apt install curl zip -y &&
cd /tmp &&
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" &&
unzip awscliv2.zip &&
sudo ./aws/install

# Verify / check version
aws --version

IAM User & Policies
#

Create an IAM user, create access keys for the user and add the following managed policy AdministratorAccess. In a production environment only the least necessary permissions should be granted!

Configure AWS CLIv2
# 

# Add the IAM user access key, secret access key & define the default region
aws configure

Install Eksctl
#

Eksctl is a command-line tool for creating and managing Kubernetes clusters on EKS.

curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp &&
sudo mv /tmp/eksctl /usr/local/bin

# Verify / check version
eksctl version

Install Kubectl
# 

# Install Kubectl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" &&
chmod +x kubectl &&
sudo mv kubectl /usr/local/bin/

# Verify installation
kubectl version --client

EKS Cluster
#

Create Cluster
# 

# Create an EKS cluster: Default region
eksctl create cluster \
  --name my-cluster \
  --nodegroup-name linux-nodes \
  --node-type t3.micro \
  --nodes 3

# Create an EKS cluster: Define Kubernetes version & region
eksctl create cluster \
  --name my-cluster \
  --version 1.29 \
  --region us-east-1 \
  --nodegroup-name linux-nodes \
  --node-type t3.micro \
  --nodes 3

More Options:

  • --node-volume-size 20 Define the volume size of the worker nodes

Note: Creating the necessary CloudFormation resources can take up to 10 - 20 minutes.

List Resources in AWS Management Console
# 

# EKS Cluster
https://eu-central-1.console.aws.amazon.com/eks/

# Cloudformation stack
https://eu-central-1.console.aws.amazon.com/cloudformation

List Nodes
# 

# List nodes
kubectl get nodes

# Shell output:
NAME                                              STATUS   ROLES    AGE   VERSION
ip-192-168-17-98.eu-central-1.compute.internal    Ready    <none>   14m   v1.29.0-eks-5e0fdde
ip-192-168-55-216.eu-central-1.compute.internal   Ready    <none>   14m   v1.29.0-eks-5e0fdde
ip-192-168-71-245.eu-central-1.compute.internal   Ready    <none>   14m   v1.29.0-eks-5e0fdde

# List nodes: More details
kubectl get nodes -o wide

# Shell output:
NAME                                              STATUS   ROLES    AGE   VERSION               INTERNAL-IP      EXTERNAL-IP    OS-IMAGE         KERNEL-VERSION                  CONTAINER-RUNTIME
ip-192-168-17-98.eu-central-1.compute.internal    Ready    <none>   14m   v1.29.0-eks-5e0fdde   192.168.17.98    3.72.87.1      Amazon Linux 2   5.10.213-201.855.amzn2.x86_64   containerd://1.7.11
ip-192-168-55-216.eu-central-1.compute.internal   Ready    <none>   14m   v1.29.0-eks-5e0fdde   192.168.55.216   3.75.229.65    Amazon Linux 2   5.10.213-201.855.amzn2.x86_64   containerd://1.7.11
ip-192-168-71-245.eu-central-1.compute.internal   Ready    <none>   13m   v1.29.0-eks-5e0fdde   192.168.71.245   52.28.67.132   Amazon Linux 2   5.10.213-201.855.amzn2.x86_64   containerd://1.7.11

List & Delete Clusters
# 

# List all cluster: Define region
eksctl get cluster --region eu-central-1

# Shell output:
NAME            REGION          EKSCTL CREATED
my-cluster      eu-central-1    True

# Delete Cluster: Define name & region
eksctl delete cluster --name my-cluster --region eu-central-1

Create HTTP Deployment
#

Deploy Pod & Load Balancer
# 

# Create a Deployment
kubectl create deployment my-container --image=jueklu/container-2

# Create a load balancer service for the deployment
kubectl expose deployment my-container --type=LoadBalancer --port=8080 --target-port=8080 --name my-container-http

Scale the Deployment
# 

# Scale the Deployment
kubectl scale deployment my-container --replicas=3

# List the deployed pods
kubectl get pods

# Shell output:
NAME                            READY   STATUS    RESTARTS   AGE
my-container-69f894487d-jfbzn   1/1     Running   0          97s
my-container-69f894487d-rw9xz   1/1     Running   0          115s
my-container-69f894487d-zc86s   1/1     Running   0          97s

List External IP
# 

# List load balancer service details: List external IP
kubectl get svc my-container-http

# Shell output:
NAME                TYPE           CLUSTER-IP       EXTERNAL-IP                                                                  PORT(S)          AGE
my-container-http   LoadBalancer   10.100.145.106   a6f48ac532c55486b88dc421a8671a91-1612496629.eu-central-1.elb.amazonaws.com   8080:32477/TCP   3m29s

Test the Deployment
#

The AWS Elastic Load Balancer (ELB) URL randomly hit different pods and should output the different container hostnames when it’s curled:

# Test the deployment
curl a6f48ac532c55486b88dc421a8671a91-1612496629.eu-central-1.elb.amazonaws.com:8080

# Shell output:
Container runs on: my-container-69f894487d-jfbzn

# Test the deployment
curl a6f48ac532c55486b88dc421a8671a91-1612496629.eu-central-1.elb.amazonaws.com:8080

# Shell output:
Container runs on: my-container-69f894487d-zc86s

# Test the deployment
curl a6f48ac532c55486b88dc421a8671a91-1612496629.eu-central-1.elb.amazonaws.com:8080

# Shell output:
Container runs on: my-container-69f894487d-rw9xz

Delete the Deployment
# 

# Delete the Deployment
kubectl delete deployment my-container

# Delete the load balancer service
kubectl delete svc my-container-http

Create HTTPS Deployment
#

Note: For this deployment I use a wildcard certificate *.jklug.work from the AWS certificate manager.

Deploy Pod: CLI
# 

# Create a Deployment
kubectl create deployment my-container --image=jueklu/container-2

Note: Kubernetes automatically uses the deployment name as a key for a label named “app”.

# Scale the Deployment
kubectl scale deployment my-container --replicas=3

# List the deployed pods
kubectl get pods

# Shell output:
NAME                            READY   STATUS    RESTARTS   AGE
my-container-69f894487d-pcqbj   1/1     Running   0          59m
my-container-69f894487d-w2dsb   1/1     Running   0          2m27s
my-container-69f894487d-wsf7m   1/1     Running   0          2m27s

Deploy Pod: YML
# 

vi my-container.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-container
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-container
  template:
    metadata:
      labels:
        app: my-container
    spec:
      containers:
      - name: container-2
        image: jueklu/container-2
        ports:
        - containerPort: 8080

# Apply the deployment
kubectl apply -f my-container.yml

LoadBalancer Service
# 

# Create yml file
vi loadbalancer.yml

apiVersion: v1
kind: Service
metadata:
  name: my-container-https
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:...
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
spec:
  selector:
    app: my-container
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8080
  type: LoadBalancer
  • service.beta.kubernetes.io/aws-load-balancer-ssl-cert: Define the ARN of the TLS certificate from AWS Certificate Manager (ACM)
# Apply the deployment
kubectl apply -f loadbalancer.yml

List External DNS Name
#

Note: The “EXTERNAL-IP” / DNS name of a load balancer service is listed as “” it’s meaning there is a problem with the configuration. It should only take a view second till the extern IP is shown.

# List load balancer service details: List DNS name
kubectl get svc my-container-https

# Shell output:
NAME                 TYPE           CLUSTER-IP      EXTERNAL-IP                                                              PORT(S)                      AGE
my-container-https   LoadBalancer   10.100.41.226   abcfad6f62e1a42bba95c282eea0c998-672012549.us-east-1.elb.amazonaws.com   80:31022/TCP,443:32030/TCP   37s

Create CNAME DNS Entry
#

Manually
#

Create a Route 53 DNS entry with the following values:

  • Record name: For example eks.jklug.work

  • Record type: CNAME

  • Value: abcfad6f62e1a42bba95c282eea0c998-672012549.us-east-1.elb.amazonaws.com

  • TTL: 300

AWS CLI
# 

# Identify the hosted zone ID
aws route53 list-hosted-zones

# Shell output:
{
    "HostedZones": [
        {
            "Id": "/hostedzone/...",
            "Name": "jklug.work.",
            "CallerReference": "...",
            "Config": {
                "Comment": "",
                "PrivateZone": false
            },
            "ResourceRecordSetCount": 18
        },
    ]
}
  • Create a JSON file for the DNS record
vi cname-record.json

{
  "Comment": "Create CNAME record for custom domain",
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "eks.jklug.work",
        "Type": "CNAME",
        "TTL": 300,
        "ResourceRecords": [
          {
            "Value": "abcfad6f62e1a42bba95c282eea0c998-672012549.us-east-1.elb.amazonaws.com"
          }
        ]
      }
    }
  ]
}
  • Action: "UPSERT" Create the record if it doesn’t exist or update it if it does.
# Create the record
aws route53 change-resource-record-sets --hosted-zone-id /hostedzone/... --change-batch file://cname-record.json

Test the Deployment
#

The AWS Elastic Load Balancer (ELB) URL randomly hit different pods and should output the different container hostnames when it’s curled:

# Test the deployment
curl eks.jklug.work

# Shell output:
Container runs on: my-container-69f894487d-pcqbj

# Test the deployment
curl eks.jklug.work

# Shell output:
Container runs on: my-container-69f894487d-wsf7m

Delete the Deployment
# 

# Delete the Deployment
kubectl delete deployment my-container

# Delete the load balancer service
kubectl delete svc my-container-https

Troubleshooting
# 

# List logs
kubectl get events --sort-by=.metadata.creationTimestamp

# List load balancer details
aws elb describe-load-balancers --region us-east-1

# Retrieves headers / TLS details
curl -Iv https://abcfad6f62e1a42bba95c282eea0c998-672012549.us-east-1.elb.amazonaws.com

Links # 

# Install AWS CLIv2
https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

# Install AWS Eksctl
https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-eksctl.html


# Create Cluster
https://eksctl.io/usage/creating-and-managing-clusters/

# Create Cluster
https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html
Kubernetes-Cluster - This article is part of a series.
Part 1: Local Kubernetes Cluster with Minikube and Virtualbox: Example Pod with Port Forwarding, Example Deployment with NodePort Service
Part 2: Local Kubernetes Cluster with Kubernetes in Docker (KIND), Deployment with NodePort Service, Install Kubernetes Dashboard
Part 3: K3s: Single and Multi Node Kubernetes Cluster based on Debian 12 Servers, Traefik & Nginx Ingress Controller, Helm Package Manager, Node Labels, Taint Master Node, Deployment Scaling, TLS Encryption with Certbot
Part 4: This Article
Part 5: Azure Kubernetes Service AKS (Managed Kubernetes Services): Deploy AKS Cluster via AZ CLI; Deploy & Configure Nginx Ingress, Cert Manager, ClusterIssuer; Example Deployment with TLS Encryption
Part 6: Google Kubernetes Engine GKE (Managed Kubernetes Services): Install gcloud, Enable APIs, Deploy Regional & Zonal Cluster via gcloud CLI; Exaple Deployment with TLS Encryption via GKE Ingress and Google-managed Certificate
Part 7: K8s Kubespray: Kubernetes Cluster Deployment, MetalLB Configuration, Add & Remove Nodes from the Cluster, Example Deployment with LoadBalancer and NodePort Services
Part 8: RKE2 - Rancher Kubernetes Engine 2: Deploy a Bare-Metal Kubernetes Cluster based on Ubuntu 24.04 Servers, Add Controller & Worker Nodes, Deploy & Configure MetalLB LoadBalancer, Example Deployment with LoadBalancer Service
Part 9: K0s: Deploy a K0s Cluster with K0sctl, Deploy and Configure MetalLB, Deploy Nginx Ingress Controller; Example Deployment with TLS Encryption
Part 10: K8s Kubeadm - Basic Kubernetes Cluster Deployment with one Controller and two Worker Nodes, Containerd and Kubeadmin Cgroup Driver Configuration, Cilium Network Add-On, MetalLB & Nginx Ingress Controller, Test-Deployment with TLS Encryption
Part 11: K8s Kubeadm - High Availability Kubernetes Cluster Deployment with HAproxy and Keepalived, Pod based stacked etcd Cluster; Cilium Network Add-On, MetalLB & Nginx Ingress Controller, Test-Deployment with TLS Encryption
Part 12: K8s Kubeadm - High Availability Kubernetes Cluster Deployment with HAproxy and Keepalived, External etcd Cluster
Part 13: K8s Kubeadm - Upgrade Kubernetes Version with Kubeadm
Part 14: Cluster API vSphere (CAPV): Deploy a Kubeadm based Kubernetes Cluster on vSphere, with Cluster API from a KIND Management Cluster