├── .gitignore ├── NOTICE ├── CODE_OF_CONDUCT.md ├── preview-programs └── zz_archive │ ├── eks-arm-preview │ ├── aws-auth-cm-arm64.yaml │ ├── cni-metrics-helper-arm64.yaml │ ├── kube-proxy-arm-1.13.yaml │ ├── kube-proxy-arm-1.14.yaml │ ├── kube-proxy-arm-1.15.yaml │ ├── dns-arm-1.14.yaml │ ├── dns-arm-1.15.yaml │ ├── dns-arm-1.13.yaml │ ├── aws-k8s-cni-arm64.yaml │ ├── amazon-eks-arm-nodegroup.yaml │ ├── README.md │ └── calico-arm64.yaml │ ├── eks-windows-preview │ ├── aws-auth-cm-windows.yaml │ ├── webhook-patch-ca-bundle.sh │ ├── webhook-patch-ca-bundle.ps1 │ ├── windows-server-IIS.yaml │ ├── vpc-admission-webhook-deployment.yaml │ ├── eks-clusteraddons-quickstart-windows.yaml │ ├── webhook-create-signed-cert.ps1 │ ├── webhook-create-signed-cert.sh │ └── README.md │ └── firelens │ ├── forward_task_definition.json │ ├── firehose_task_definition.json │ ├── cloudwatch_task_definition.json │ └── README.md ├── .github ├── workflows │ └── stale.yml ├── PULL_REQUEST_TEMPLATE.md └── ISSUE_TEMPLATE │ └── community-request-.md ├── PRINCIPLES.md ├── CONTRIBUTING.md ├── README.md └── LICENSE /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | Containers Roadmap 2 | Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 
5 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/aws-auth-cm-arm64.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: aws-auth 5 | namespace: kube-system 6 | data: 7 | mapRoles: | 8 | - rolearn: 9 | username: system:node:{{EC2PrivateDNSName}} 10 | groups: 11 | - system:bootstrappers 12 | - system:nodes 13 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-windows-preview/aws-auth-cm-windows.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: aws-auth 5 | namespace: kube-system 6 | data: 7 | mapRoles: | 8 | - rolearn: 9 | username: system:node:{{EC2PrivateDNSName}} 10 | groups: 11 | - system:bootstrappers 12 | - system:nodes 13 | - rolearn: 14 | username: system:node:{{EC2PrivateDNSName}} 15 | groups: 16 | - system:bootstrappers 17 | - system:nodes 18 | - eks:kube-proxy-windows -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | name: "Close stale issues" 2 | on: 3 | schedule: 4 | # hourly 5 | - cron: "0 * * * *" 6 | 7 | jobs: 8 | stale: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/stale@v3 12 | with: 13 | repo-token: ${{ secrets.GITHUB_TOKEN }} 14 | 15 | only-labels: "More Info Requested" 16 | stale-issue-message: "Greetings! It looks like this issue hasn't been active for a while. Because it has been some time since the last update on this, and in the absence of more information, we will be closing this issue soon. Please feel free to provide a comment to prevent automatic closure, or if the issue is already closed, please feel free to open a new one." 
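17 | stale-issue-label: "Closing Soon" 18 | 19 | # Issue timing 20 | days-before-stale: 45 21 | days-before-close: 15 22 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/firelens/forward_task_definition.json: -------------------------------------------------------------------------------- 1 | { 2 | "family": "firelens-example-forward", 3 | "taskRoleArn": "arn:aws:iam::XXXXXXXXXXXX:role/ecs_task_iam_role", 4 | "containerDefinitions": [ 5 | { 6 | "essential": true, 7 | "image": "amazon/aws-for-fluent-bit:latest", 8 | "name": "log_router", 9 | "firelensConfiguration": { 10 | "type": "fluentbit" 11 | }, 12 | "logConfiguration": { 13 | "logDriver": "awslogs", 14 | "options": { 15 | "awslogs-group": "firelens-container", 16 | "awslogs-region": "us-west-2", 17 | "awslogs-create-group": "true", 18 | "awslogs-stream-prefix": "firelens" 19 | } 20 | }, 21 | "memoryReservation": 50 22 | }, 23 | { 24 | "essential": true, 25 | "image": "httpd", 26 | "name": "app", 27 | "logConfiguration": { 28 | "logDriver":"awsfirelens", 29 | "options": { 30 | "Name": "forward", 31 | "Host": "fluentdhost", 32 | "Port": "24224" 33 | } 34 | }, 35 | "memoryReservation": 100 36 | } 37 | ] 38 | } 39 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/firelens/firehose_task_definition.json: -------------------------------------------------------------------------------- 1 | { 2 | "family": "firelens-example-firehose", 3 | "taskRoleArn": "arn:aws:iam::XXXXXXXXXXXX:role/ecs_task_iam_role", 4 | "containerDefinitions": [ 5 | { 6 | "essential": true, 7 | "image": "amazon/aws-for-fluent-bit:latest", 8 | "name": "log_router", 9 | "firelensConfiguration": { 10 | "type": "fluentbit" 11 | }, 12 | "logConfiguration": { 13 | "logDriver": "awslogs", 14 | "options": { 15 | "awslogs-group": "firelens-container", 16 | "awslogs-region": "us-west-2", 17 | "awslogs-create-group": "true", 18 | 
"awslogs-stream-prefix": "firelens" 19 | } 20 | }, 21 | "memoryReservation": 50 22 | }, 23 | { 24 | "essential": true, 25 | "image": "httpd", 26 | "name": "app", 27 | "logConfiguration": { 28 | "logDriver":"awsfirelens", 29 | "options": { 30 | "Name": "firehose", 31 | "region": "us-west-2", 32 | "delivery_stream": "my-stream" 33 | } 34 | }, 35 | "memoryReservation": 100 36 | } 37 | ] 38 | } 39 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ### Community Note 4 | 5 | * Please vote on this pull request by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original pull request comment to help the community and maintainers prioritize this request 6 | * Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request 7 | 8 | 9 | 10 | 17 | 18 | *Issue #, if available:* 19 | 20 | *Description of changes:* 21 | 22 | 23 | By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 24 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-windows-preview/webhook-patch-ca-bundle.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You may
# not use this file except in compliance with the License. A copy of the
# License is located at
#
#     http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.

# Reads a manifest template on stdin and writes it to stdout with every
# literal ${CA_BUNDLE} token replaced by the current cluster's CA bundle
# (base64, exactly as stored in kubeconfig). Intended for the caBundle field
# of the MutatingWebhookConfiguration in vpc-admission-webhook-deployment.yaml:
#
#   ./webhook-patch-ca-bundle.sh < vpc-admission-webhook-deployment.yaml > patched.yaml
#
# Requires kubectl and jq on PATH and a kubeconfig whose current context
# points at the target cluster. Exits non-zero if the bundle cannot be read.
# (The former ROOT variable was computed here but never used, so it is gone.)

set -o errexit
set -o nounset
set -o pipefail

# --minify limits the output to the current context, so .clusters[0] is the
# target cluster and not an arbitrary entry of a merged kubeconfig. `jq -r`
# already prints the bare string; no extra quote stripping is needed.
# Assign first and export afterwards: `export VAR=$(cmd)` would hide a failing
# kubectl/jq pipeline behind export's own exit status and defeat errexit.
CA_BUNDLE=$(kubectl config view --raw -o json --minify \
  | jq -r '.clusters[0].cluster."certificate-authority-data"')

# An empty or "null" bundle would be substituted silently and the resulting
# webhook registration could not be verified by the API server. Fail loudly.
if [ -z "${CA_BUNDLE}" ] || [ "${CA_BUNDLE}" = "null" ]; then
  echo "error: could not read certificate-authority-data from the current kubeconfig context" >&2
  exit 1
fi
export CA_BUNDLE

if command -v envsubst >/dev/null 2>&1; then
  # Restrict envsubst to CA_BUNDLE. With no argument it expands every ${VAR}
  # found in the template from the caller's environment, which can blank out
  # or leak unrelated placeholders.
  envsubst '${CA_BUNDLE}'
else
  # The base64 alphabet (A-Z a-z 0-9 + / =) never contains '|', so it is a
  # safe sed delimiter for the substituted value.
  sed -e "s|\${CA_BUNDLE}|${CA_BUNDLE}|g"
fi
-------------------------------------------------------------------------------- /preview-programs/zz_archive/firelens/cloudwatch_task_definition.json: -------------------------------------------------------------------------------- 1 | { 2 | "family": "firelens-example-cloudwatch", 3 | "taskRoleArn": "arn:aws:iam::XXXXXXXXXXXX:role/ecs_task_iam_role", 4 | "containerDefinitions": [ 5 | { 6 | "essential": true, 7 | "image": "906394416424.dkr.ecr.us-east-1.amazonaws.com/aws-for-fluent-bit:latest", 8 | "name": "log_router", 9 | "firelensConfiguration": { 10 | "type": "fluentbit" 11 | }, 12 | "logConfiguration": { 13 | "logDriver": "awslogs", 14 | "options": { 15 | "awslogs-group": "firelens-container", 16 | "awslogs-region": "us-west-2", 17 | "awslogs-create-group": "true", 18 | "awslogs-stream-prefix": "firelens" 19 | } 20 | }, 21 | "memoryReservation": 50 22 | }, 23 | { 24 | "essential": true, 25 | "image": "nginx", 26 | "name": "app", 27 | "logConfiguration": { 28 | "logDriver":"awsfirelens", 29 | "options": { 30 | "Name": "cloudwatch", 31 | "region": "us-west-2", 32 | "log_group_name": "firelens-testing-fluent-bit", 33 | "auto_create_group": "true", 34 | "log_stream_prefix": "from-fluent-bit" 35 | } 36 | }, 37 | "memoryReservation": 100 38 | } 39 | ] 40 | } 41 | -------------------------------------------------------------------------------- 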
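/preview-programs/zz_archive/eks-windows-preview/webhook-patch-ca-bundle.ps1: --------------------------------------------------------------------------------
# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You may
# not use this file except in compliance with the License. A copy of the
# License is located at
#
#     http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.

<#
.SYNOPSIS
    Fills the ${CA_BUNDLE} placeholder of a webhook manifest with the
    current cluster's CA bundle.

.DESCRIPTION
    Reads the cluster CA (base64, as stored in kubeconfig) for the current
    kubectl context, replaces every literal ${CA_BUNDLE} token in the
    template and writes the result to a new file. Intended for the caBundle
    field of the MutatingWebhookConfiguration in
    vpc-admission-webhook-deployment.yaml. Requires kubectl on PATH.
    The script stops with an error instead of writing a manifest with an
    empty caBundle.

.PARAMETER DeploymentTemplateFilePath
    Path of the manifest template containing ${CA_BUNDLE}.

.PARAMETER OutputFilePath
    Path the patched manifest is written to (overwritten if it exists).
#>
[CmdLetBinding()]
param
(
    [Parameter(Mandatory = $True)]
    [ValidateNotNullOrEmpty()]
    [string] $DeploymentTemplateFilePath,

    [Parameter(Mandatory = $True)]
    [ValidateNotNullOrEmpty()]
    [string] $OutputFilePath
)

# Turn cmdlet errors (unreadable template, bad JSON, unwritable output) into
# terminating errors instead of carrying a $null bundle forward.
$ErrorActionPreference = 'Stop'

Write-Verbose 'Getting CA bundle'
# --minify limits the output to the current context, so clusters[0] is the
# target cluster and not an arbitrary entry of a merged kubeconfig.
$CaBundle = (kubectl config view --raw -o json --minify | ConvertFrom-Json).clusters[0].cluster."certificate-authority-data"

# kubectl is a native command, so $ErrorActionPreference does not cover its
# exit code; check it and the value explicitly. Without this an empty value
# would be substituted silently.
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($CaBundle)) {
    throw 'Could not read certificate-authority-data from the current kubeconfig context.'
}

Write-Verbose 'Updating deployment YAML'
# -replace is regex-based: the pattern escapes '$' so it matches the literal
# token ${CA_BUNDLE}; the replacement value is base64 and therefore contains
# no '$' sequences that .NET would interpret as group references.
# NOTE(review): Out-File's default encoding differs between Windows PowerShell
# (UTF-16) and PowerShell 6+ (UTF-8); confirm the consumer accepts the file
# as produced, or pass -Encoding explicitly.
Get-Content -Path $DeploymentTemplateFilePath |
    ForEach-Object { $_ -replace '\${CA_BUNDLE}', $CaBundle } |
    Out-File -FilePath $OutputFilePath
-------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-windows-preview/windows-server-IIS.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: windows-server-iis 5 | spec: 6 | selector: 7 | matchLabels: 8 | app: windows-server-iis 9 | tier: backend 10 | track: stable 11 | replicas: 1 12 | template: 13 | metadata: 14 | labels: 15 | app: windows-server-iis 16 | tier: backend 17 | track: stable 18 | spec: 19 | containers: 20 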
| - name: windows-server-iis 21 | image: mcr.microsoft.com/windows/servercore:1809 22 | ports: 23 | - name: http 24 | containerPort: 80 25 | imagePullPolicy: IfNotPresent 26 | command: 27 | - powershell.exe 28 | - -command 29 | - "Add-WindowsFeature Web-Server; Invoke-WebRequest -UseBasicParsing -Uri 'https://dotnetbinaries.blob.core.windows.net/servicemonitor/2.0.1.6/ServiceMonitor.exe' -OutFile 'C:\\ServiceMonitor.exe'; echo '

Hello EKS!!!

' > C:\\inetpub\\wwwroot\\default.html; C:\\ServiceMonitor.exe 'w3svc'; " 30 | nodeSelector: 31 | beta.kubernetes.io/os: windows 32 | --- 33 | apiVersion: v1 34 | kind: Service 35 | metadata: 36 | name: windows-server-iis-service 37 | namespace: default 38 | spec: 39 | ports: 40 | - port: 80 41 | protocol: TCP 42 | targetPort: 80 43 | selector: 44 | app: windows-server-iis 45 | tier: backend 46 | track: stable 47 | sessionAffinity: None 48 | type: LoadBalancer -------------------------------------------------------------------------------- /PRINCIPLES.md: -------------------------------------------------------------------------------- 1 | # Principles 2 | 3 | These are the principles that embody the culture of the container services organization. They build on the [Amazon Leadership Principles](https://www.amazon.jobs/en/principles). 4 | 5 | ## People 6 | 7 | * we invest in people through a focus on individual development, career progression, mentorship, and active sponsorship; 8 | * we embrace diversity and inclusiveness, recognizing that innovation is fueled by challenging accepted norms, driving for understanding, and broadening perspective; 9 | * we empower the voice of the individual by creating an environment where everyone can speak up, where leaders listen, actively address, and follow through on feedback; 10 | 11 | ## Priorities 12 | 13 | * we emphasize service reliability as the primary mechanism for earning and retaining customer trust, we factor operational sustainability into our development practices; 14 | * we consider user experience to be our top feature, understanding that simplicity is powerful, and we are confident in being opinionated; 15 | * we focus on the long-term, and build a roadmap that blends large and small improvements, preferring steady and consistent releases; 16 | * we deliver on the right priorities because we work backwards from our customers, have the right mechanisms for measuring value, and have the ability to respond quickly 
to shifts in customer expectations. 17 | 18 | ## Product 19 | 20 | * we are open and transparent in sharing the product vision and direction with the team and customers, identifying where we are succeeding and where we can improve, recognizing that sharing this information accurately advises us on how we get better; 21 | * we encourage and enable individuals to interact directly with customers as a means toward building awareness, understanding, and customer empathy; 22 | * we embrace Open Source where possible as a mechanism to build better software, to give our customers insight into our designs, and because we don't assume that we always have the best answers. 23 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/community-request-.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: 'Community request ' 3 | about: Suggest an idea for the roadmap! The team will review. 4 | title: "[service] [request]: describe request here" 5 | labels: Proposed 6 | assignees: '' 7 | 8 | --- 9 | 10 | 11 | 12 | ### Community Note 13 | 14 | * Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request 15 | * Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request 16 | * If you are interested in working on this issue or have submitted a pull request, please leave a comment 17 | 18 | 19 | 20 | 27 | 28 | **Tell us about your request** 29 | What do you want us to build? 30 | 31 | **Which service(s) is this request for?** 32 | This could be Fargate, ECS, EKS, ECR 33 | 34 | **Tell us about the problem you're trying to solve. 
What are you trying to do, and why is it hard?** 35 | What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem. 36 | 37 | **Are you currently working around this issue?** 38 | How are you currently solving this problem? 39 | 40 | **Additional context** 41 | Anything else we should know? 42 | 43 | **Attachments** 44 | If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.) 45 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-windows-preview/vpc-admission-webhook-deployment.yaml: --------------------------------------------------------------------------------
# Windows preview: Service + Deployment for the VPC admission webhook, and the
# MutatingWebhookConfiguration that routes pod CREATE requests to it.
# ${CA_BUNDLE} below is a placeholder that webhook-patch-ca-bundle.sh / .ps1
# fills with the cluster CA from kubeconfig before this file is applied.
1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: vpc-admission-webhook-svc 6 | labels: 7 | app: vpc-admission-webhook 8 | spec: 9 | ports: 10 | - port: 443 11 | targetPort: 443 12 | selector: 13 | app: vpc-admission-webhook 14 | --- 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | name: vpc-admission-webhook-deployment 19 | labels: 20 | app: vpc-admission-webhook 21 | spec: 22 | replicas: 1 23 | selector: 24 | matchLabels: 25 | app: vpc-admission-webhook 26 | template: 27 | metadata: 28 | labels: 29 | app: vpc-admission-webhook 30 | spec: 31 | containers: 32 | - name: vpc-admission-webhook 33 | args: 34 | - -tlsCertFile=/etc/webhook/certs/cert.pem 35 | - -tlsKeyFile=/etc/webhook/certs/key.pem 36 | - -alsologtostderr 37 | - -v=4 38 | 
# NOTE(review): args go straight to the image's entrypoint (no shell is
# configured here), so "2>&1" reaches the binary as a literal argument rather
# than redirecting stderr; -alsologtostderr already covers that intent.
# Confirm with the image's flag parser and drop the entry if it is rejected.
- 2>&1 39 | 
# NOTE(review): ":beta" is a mutable tag pulled with imagePullPolicy: Always,
# so the admission path runs whatever that tag points to at each pod start.
# Pin a digest before using this outside a preview.
image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/vpc-admission-webhook:beta 40 | imagePullPolicy: Always 41 | volumeMounts: 42 | - name: webhook-certs 43 | mountPath: /etc/webhook/certs 44 | readOnly: true 45 | hostNetwork: true 46 | 
nodeSelector: 47 | beta.kubernetes.io/os: linux 48 | beta.kubernetes.io/arch: amd64 49 | volumes: 50 | - name: webhook-certs 51 | 
# Serving cert/key for the webhook. The secret is expected to exist before
# this Deployment starts (the tree lists webhook-create-signed-cert.sh/.ps1,
# not shown here — presumably they create it; verify).
secret: 52 | secretName: vpc-admission-webhook-certs 53 | --- 54 | apiVersion: admissionregistration.k8s.io/v1beta1 55 | kind: MutatingWebhookConfiguration 56 | metadata: 57 | name: vpc-admission-webhook-cfg 58 | labels: 59 | app: vpc-admission-webhook 60 | webhooks: 61 | - name: vpc-admission-webhook.amazonaws.com 62 | clientConfig: 63 | service: 64 | name: vpc-admission-webhook-svc 65 | namespace: default 66 | path: "/mutate" 67 | 
# The API server uses this CA to verify the webhook's serving certificate;
# an empty or wrong value means every call fails TLS verification.
caBundle: ${CA_BUNDLE} 68 | rules: 69 | - operations: [ "CREATE" ] 70 | apiGroups: [""] 71 | apiVersions: ["v1"] 72 | resources: ["pods"] 73 | 
# Fail-open: if the webhook is unreachable or cannot be verified, pods are
# admitted unmodified. No namespaceSelector is set, so this applies to pod
# creation in every namespace. Acceptable for a preview; for anything else
# decide explicitly between Ignore and Fail.
failurePolicy: Ignore 74 | --- 75 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/cni-metrics-helper-arm64.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | # kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1 4 | kind: ClusterRole 5 | metadata: 6 | name: cni-metrics-helper 7 | rules: 8 | - apiGroups: [""] 9 | resources: 10 | - nodes 11 | - pods 12 | 
# NOTE(review): "get" on pods/proxy lets the holder open proxied connections
# to any pod in any namespace, far more than reading metrics needs. Worth
# confirming the helper actually uses it before keeping it in the role.
- pods/proxy 13 | - services 14 | - resourcequotas 15 | - replicationcontrollers 16 | - limitranges 17 | - persistentvolumeclaims 18 | - persistentvolumes 19 | - namespaces 20 | - endpoints 21 | verbs: ["list", "watch", "get"] 22 | - apiGroups: ["extensions"] 23 | resources: 24 | - daemonsets 25 | - deployments 26 | - replicasets 27 | verbs: ["list", "watch"] 28 | - apiGroups: ["apps"] 29 | resources: 30 | - statefulsets 31 | verbs: ["list", "watch"] 32 | - apiGroups: ["batch"] 33 | resources: 34 | - cronjobs 35 | - jobs 36 | verbs: ["list", "watch"] 37 | - apiGroups: ["autoscaling"] 38 | resources: 39 | - horizontalpodautoscalers 40 | verbs: ["list", "watch"] 41 | --- 42 | apiVersion: v1 43 | kind: ServiceAccount 44 | 
metadata: 45 | name: cni-metrics-helper 46 | namespace: kube-system 47 | --- 48 | apiVersion: rbac.authorization.k8s.io/v1 49 | # kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1 50 | kind: ClusterRoleBinding 51 | metadata: 52 | name: cni-metrics-helper 53 | roleRef: 54 | apiGroup: rbac.authorization.k8s.io 55 | kind: ClusterRole 56 | name: cni-metrics-helper 57 | subjects: 58 | - kind: ServiceAccount 59 | name: cni-metrics-helper 60 | namespace: kube-system 61 | --- 62 | kind: Deployment 63 | apiVersion: extensions/v1beta1 64 | metadata: 65 | name: cni-metrics-helper 66 | namespace: kube-system 67 | labels: 68 | k8s-app: cni-metrics-helper 69 | spec: 70 | selector: 71 | matchLabels: 72 | k8s-app: cni-metrics-helper 73 | template: 74 | metadata: 75 | labels: 76 | k8s-app: cni-metrics-helper 77 | spec: 78 | serviceAccountName: cni-metrics-helper 79 | containers: 80 | - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper-arm64:v1.6.2 81 | imagePullPolicy: Always 82 | name: cni-metrics-helper 83 | env: 84 | - name: USE_CLOUDWATCH 85 | value: "true" 86 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-windows-preview/eks-clusteraddons-quickstart-windows.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: vpc-resource-controller 5 | rules: 6 | - apiGroups: 7 | - "" 8 | resources: 9 | - nodes 10 | - nodes/status 11 | - pods 12 | verbs: 13 | - update 14 | - get 15 | - list 16 | - watch 17 | - patch 18 | --- 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRoleBinding 21 | metadata: 22 | name: vpc-resource-controller 23 | roleRef: 24 | apiGroup: rbac.authorization.k8s.io 25 | kind: ClusterRole 26 | name: vpc-resource-controller 27 | subjects: 28 | - kind: ServiceAccount 29 | name: vpc-resource-controller 30 | namespace: 
kube-system 31 | --- 32 | apiVersion: v1 33 | kind: ServiceAccount 34 | metadata: 35 | name: vpc-resource-controller 36 | namespace: kube-system 37 | --- 38 | apiVersion: apps/v1beta1 39 | kind: Deployment 40 | metadata: 41 | name: vpc-resource-controller 42 | namespace: kube-system 43 | spec: 44 | replicas: 1 45 | template: 46 | metadata: 47 | labels: 48 | app: vpc-resource-controller 49 | tier: backend 50 | track: stable 51 | spec: 52 | serviceAccount: vpc-resource-controller 53 | containers: 54 | - command: 55 | - /vpc-resource-controller 56 | args: 57 | - -stderrthreshold=info 58 | image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/vpc-resource-controller:beta 59 | imagePullPolicy: Always 60 | livenessProbe: 61 | failureThreshold: 5 62 | httpGet: 63 | host: 127.0.0.1 64 | path: /healthz 65 | port: 61679 66 | scheme: HTTP 67 | initialDelaySeconds: 30 68 | periodSeconds: 30 69 | timeoutSeconds: 5 70 | name: vpc-resource-controller 71 | securityContext: 72 | privileged: true 73 | hostNetwork: true 74 | nodeSelector: 75 | beta.kubernetes.io/os: linux 76 | --- 77 | kind: ClusterRoleBinding 78 | apiVersion: rbac.authorization.k8s.io/v1beta1 79 | metadata: 80 | name: eks:kube-proxy-windows 81 | labels: 82 | k8s-app: kube-proxy 83 | eks.amazonaws.com/component: kube-proxy 84 | subjects: 85 | - kind: Group 86 | name: "eks:kube-proxy-windows" 87 | roleRef: 88 | kind: ClusterRole 89 | name: system:node-proxier 90 | apiGroup: rbac.authorization.k8s.io 91 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/kube-proxy-arm-1.13.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: extensions/v1beta1 3 | kind: DaemonSet 4 | metadata: 5 | labels: 6 | k8s-app: kube-proxy 7 | eks.amazonaws.com/component: kube-proxy 8 | name: kube-proxy 9 | namespace: kube-system 10 | spec: 11 | selector: 12 | matchLabels: 13 | k8s-app: kube-proxy 14 | 
updateStrategy: 15 | type: RollingUpdate 16 | rollingUpdate: 17 | maxUnavailable: 10% 18 | template: 19 | metadata: 20 | labels: 21 | k8s-app: kube-proxy 22 | spec: 23 | affinity: 24 | nodeAffinity: 25 | requiredDuringSchedulingIgnoredDuringExecution: 26 | nodeSelectorTerms: 27 | - matchExpressions: 28 | - key: "beta.kubernetes.io/os" 29 | operator: In 30 | values: 31 | - linux 32 | - key: "beta.kubernetes.io/arch" 33 | operator: In 34 | values: 35 | - arm64 36 | hostNetwork: true 37 | tolerations: 38 | - operator: "Exists" 39 | priorityClassName: system-node-critical 40 | containers: 41 | - name: kube-proxy 42 | image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/kube-proxy-arm64:v1.13.12 43 | resources: 44 | requests: 45 | cpu: 100m 46 | command: 47 | - /bin/sh 48 | - -c 49 | - kube-proxy --v=2 --config=/var/lib/kube-proxy-config/config 50 | securityContext: 51 | privileged: true 52 | volumeMounts: 53 | - mountPath: /var/log 54 | name: varlog 55 | readOnly: false 56 | - mountPath: /run/xtables.lock 57 | name: xtables-lock 58 | readOnly: false 59 | - mountPath: /lib/modules 60 | name: lib-modules 61 | readOnly: true 62 | - name: kubeconfig 63 | mountPath: /var/lib/kube-proxy/ 64 | - name: config 65 | mountPath: /var/lib/kube-proxy-config/ 66 | volumes: 67 | - name: varlog 68 | hostPath: 69 | path: /var/log 70 | - name: xtables-lock 71 | hostPath: 72 | path: /run/xtables.lock 73 | type: FileOrCreate 74 | - name: lib-modules 75 | hostPath: 76 | path: /lib/modules 77 | - name: kubeconfig 78 | configMap: 79 | name: kube-proxy 80 | - name: config 81 | configMap: 82 | name: kube-proxy-config 83 | serviceAccountName: kube-proxy 84 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/kube-proxy-arm-1.14.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: extensions/v1beta1 3 | kind: DaemonSet 4 | metadata: 5 | labels: 6 | k8s-app: 
kube-proxy 7 | eks.amazonaws.com/component: kube-proxy 8 | name: kube-proxy 9 | namespace: kube-system 10 | spec: 11 | selector: 12 | matchLabels: 13 | k8s-app: kube-proxy 14 | updateStrategy: 15 | type: RollingUpdate 16 | rollingUpdate: 17 | maxUnavailable: 10% 18 | template: 19 | metadata: 20 | labels: 21 | k8s-app: kube-proxy 22 | spec: 23 | affinity: 24 | nodeAffinity: 25 | requiredDuringSchedulingIgnoredDuringExecution: 26 | nodeSelectorTerms: 27 | - matchExpressions: 28 | - key: "beta.kubernetes.io/os" 29 | operator: In 30 | values: 31 | - linux 32 | - key: "beta.kubernetes.io/arch" 33 | operator: In 34 | values: 35 | - arm64 36 | hostNetwork: true 37 | tolerations: 38 | - operator: "Exists" 39 | priorityClassName: system-node-critical 40 | containers: 41 | - name: kube-proxy 42 | image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/kube-proxy-arm64:v1.14.9 43 | resources: 44 | requests: 45 | cpu: 100m 46 | command: 47 | - /bin/sh 48 | - -c 49 | - kube-proxy --v=2 --config=/var/lib/kube-proxy-config/config 50 | securityContext: 51 | privileged: true 52 | volumeMounts: 53 | - mountPath: /var/log 54 | name: varlog 55 | readOnly: false 56 | - mountPath: /run/xtables.lock 57 | name: xtables-lock 58 | readOnly: false 59 | - mountPath: /lib/modules 60 | name: lib-modules 61 | readOnly: true 62 | - name: kubeconfig 63 | mountPath: /var/lib/kube-proxy/ 64 | - name: config 65 | mountPath: /var/lib/kube-proxy-config/ 66 | volumes: 67 | - name: varlog 68 | hostPath: 69 | path: /var/log 70 | - name: xtables-lock 71 | hostPath: 72 | path: /run/xtables.lock 73 | type: FileOrCreate 74 | - name: lib-modules 75 | hostPath: 76 | path: /lib/modules 77 | - name: kubeconfig 78 | configMap: 79 | name: kube-proxy 80 | - name: config 81 | configMap: 82 | name: kube-proxy-config 83 | serviceAccountName: kube-proxy 84 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/kube-proxy-arm-1.15.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: extensions/v1beta1 3 | kind: DaemonSet 4 | metadata: 5 | labels: 6 | k8s-app: kube-proxy 7 | eks.amazonaws.com/component: kube-proxy 8 | name: kube-proxy 9 | namespace: kube-system 10 | spec: 11 | selector: 12 | matchLabels: 13 | k8s-app: kube-proxy 14 | updateStrategy: 15 | type: RollingUpdate 16 | rollingUpdate: 17 | maxUnavailable: 10% 18 | template: 19 | metadata: 20 | labels: 21 | k8s-app: kube-proxy 22 | spec: 23 | affinity: 24 | nodeAffinity: 25 | requiredDuringSchedulingIgnoredDuringExecution: 26 | nodeSelectorTerms: 27 | - matchExpressions: 28 | - key: "beta.kubernetes.io/os" 29 | operator: In 30 | values: 31 | - linux 32 | - key: "beta.kubernetes.io/arch" 33 | operator: In 34 | values: 35 | - arm64 36 | hostNetwork: true 37 | tolerations: 38 | - operator: "Exists" 39 | priorityClassName: system-node-critical 40 | containers: 41 | - name: kube-proxy 42 | image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/kube-proxy-arm64:v1.15.10 43 | resources: 44 | requests: 45 | cpu: 100m 46 | command: 47 | - /bin/sh 48 | - -c 49 | - kube-proxy --v=2 --config=/var/lib/kube-proxy-config/config 50 | securityContext: 51 | privileged: true 52 | volumeMounts: 53 | - mountPath: /var/log 54 | name: varlog 55 | readOnly: false 56 | - mountPath: /run/xtables.lock 57 | name: xtables-lock 58 | readOnly: false 59 | - mountPath: /lib/modules 60 | name: lib-modules 61 | readOnly: true 62 | - name: kubeconfig 63 | mountPath: /var/lib/kube-proxy/ 64 | - name: config 65 | mountPath: /var/lib/kube-proxy-config/ 66 | volumes: 67 | - name: varlog 68 | hostPath: 69 | path: /var/log 70 | - name: xtables-lock 71 | hostPath: 72 | path: /run/xtables.lock 73 | type: FileOrCreate 74 | - name: lib-modules 75 | hostPath: 76 | path: /lib/modules 77 | - name: kubeconfig 78 | configMap: 79 | name: kube-proxy 80 | - name: config 81 | configMap: 82 | name: kube-proxy-config 83 | 
serviceAccountName: kube-proxy 84 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use issues to report bugs or suggest features. 13 | 14 | If you're suggesting a new feature (i.e., functionality that doesn't exist yet), please use our issue template. This will prompt you to answer a few questions that will help us figure out what you're looking for. The template will also tag incoming issues with "Proposed". This gives us a way to filter the community-opened issues quickly so we can review as a team. 15 | 16 | If you want to see the list of proposed features, you can see the view [here](https://github.com/aws/containers-roadmap/labels/Proposed). 17 | 18 | Check for duplicates, though! When filing an issue, please check [existing open](https://github.com/aws/containers-roadmap/issues), or [recently closed](https://github.com/aws/containers-roadmap/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20) issues to make sure somebody else hasn't already reported the issue. 19 | 20 | 21 | If you're reporting what you think is a bug (i.e., something isn't right with an existing feature), please try to include as much information as you can. 
Details like these are incredibly useful: 22 | 23 | * A reproducible test case or series of steps 24 | * The version of our code being used (for something like Fargate or EKS, the platform version. For ECS, the agent version) 25 | * Any modifications you've made relevant to the bug 26 | * Anything unusual about your environment or deployment 27 | 28 | 29 | ## Code of Conduct 30 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 31 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 32 | opensource-codeofconduct@amazon.com with any additional questions or comments. 33 | 34 | 35 | ## Security issue notifications 36 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 37 | 38 | 39 | ## Licensing 40 | 41 | See the [LICENSE](https://github.com/aws/containers-roadmap/blob/master/LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 42 | 43 | We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes. 
44 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/dns-arm-1.14.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: extensions/v1beta1 3 | kind: Deployment 4 | metadata: 5 | name: coredns 6 | namespace: kube-system 7 | labels: 8 | k8s-app: kube-dns 9 | kubernetes.io/name: "CoreDNS" 10 | eks.amazonaws.com/component: coredns 11 | spec: 12 | replicas: 2 13 | strategy: 14 | type: RollingUpdate 15 | rollingUpdate: 16 | maxUnavailable: 1 17 | selector: 18 | matchLabels: 19 | k8s-app: kube-dns 20 | eks.amazonaws.com/component: coredns 21 | template: 22 | metadata: 23 | labels: 24 | k8s-app: kube-dns 25 | eks.amazonaws.com/component: coredns 26 | spec: 27 | serviceAccountName: coredns 28 | priorityClassName: system-cluster-critical 29 | affinity: 30 | nodeAffinity: 31 | requiredDuringSchedulingIgnoredDuringExecution: 32 | nodeSelectorTerms: 33 | - matchExpressions: 34 | - key: "beta.kubernetes.io/os" 35 | operator: In 36 | values: 37 | - linux 38 | - key: "beta.kubernetes.io/arch" 39 | operator: In 40 | values: 41 | - arm64 42 | podAntiAffinity: 43 | preferredDuringSchedulingIgnoredDuringExecution: 44 | - podAffinityTerm: 45 | labelSelector: 46 | matchExpressions: 47 | - key: k8s-app 48 | operator: In 49 | values: 50 | - kube-dns 51 | topologyKey: kubernetes.io/hostname 52 | weight: 100 53 | tolerations: 54 | - key: node-role.kubernetes.io/master 55 | effect: NoSchedule 56 | - key: "CriticalAddonsOnly" 57 | operator: "Exists" 58 | containers: 59 | - name: coredns 60 | image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/coredns-arm64:v1.6.6 61 | imagePullPolicy: IfNotPresent 62 | resources: 63 | limits: 64 | memory: 170Mi 65 | requests: 66 | cpu: 100m 67 | memory: 70Mi 68 | args: [ "-conf", "/etc/coredns/Corefile" ] 69 | volumeMounts: 70 | - name: config-volume 71 | mountPath: /etc/coredns 72 | readOnly: true 73 | ports: 74 | - 
containerPort: 53 75 | name: dns 76 | protocol: UDP 77 | - containerPort: 53 78 | name: dns-tcp 79 | protocol: TCP 80 | - containerPort: 9153 81 | name: metrics 82 | protocol: TCP 83 | livenessProbe: 84 | httpGet: 85 | path: /health 86 | port: 8080 87 | scheme: HTTP 88 | initialDelaySeconds: 60 89 | timeoutSeconds: 5 90 | successThreshold: 1 91 | failureThreshold: 5 92 | securityContext: 93 | allowPrivilegeEscalation: false 94 | capabilities: 95 | add: 96 | - NET_BIND_SERVICE 97 | drop: 98 | - all 99 | readOnlyRootFilesystem: true 100 | dnsPolicy: Default 101 | volumes: 102 | - name: config-volume 103 | configMap: 104 | name: coredns 105 | items: 106 | - key: Corefile 107 | path: Corefile 108 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/dns-arm-1.15.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: extensions/v1beta1 3 | kind: Deployment 4 | metadata: 5 | name: coredns 6 | namespace: kube-system 7 | labels: 8 | k8s-app: kube-dns 9 | kubernetes.io/name: "CoreDNS" 10 | eks.amazonaws.com/component: coredns 11 | spec: 12 | replicas: 2 13 | strategy: 14 | type: RollingUpdate 15 | rollingUpdate: 16 | maxUnavailable: 1 17 | selector: 18 | matchLabels: 19 | k8s-app: kube-dns 20 | eks.amazonaws.com/component: coredns 21 | template: 22 | metadata: 23 | labels: 24 | k8s-app: kube-dns 25 | eks.amazonaws.com/component: coredns 26 | spec: 27 | serviceAccountName: coredns 28 | priorityClassName: system-cluster-critical 29 | affinity: 30 | nodeAffinity: 31 | requiredDuringSchedulingIgnoredDuringExecution: 32 | nodeSelectorTerms: 33 | - matchExpressions: 34 | - key: "beta.kubernetes.io/os" 35 | operator: In 36 | values: 37 | - linux 38 | - key: "beta.kubernetes.io/arch" 39 | operator: In 40 | values: 41 | - arm64 42 | podAntiAffinity: 43 | preferredDuringSchedulingIgnoredDuringExecution: 44 | - podAffinityTerm: 45 | labelSelector: 46 | 
matchExpressions: 47 | - key: k8s-app 48 | operator: In 49 | values: 50 | - kube-dns 51 | topologyKey: kubernetes.io/hostname 52 | weight: 100 53 | tolerations: 54 | - key: node-role.kubernetes.io/master 55 | effect: NoSchedule 56 | - key: "CriticalAddonsOnly" 57 | operator: "Exists" 58 | containers: 59 | - name: coredns 60 | image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/coredns-arm64:v1.6.6 61 | imagePullPolicy: IfNotPresent 62 | resources: 63 | limits: 64 | memory: 170Mi 65 | requests: 66 | cpu: 100m 67 | memory: 70Mi 68 | args: [ "-conf", "/etc/coredns/Corefile" ] 69 | volumeMounts: 70 | - name: config-volume 71 | mountPath: /etc/coredns 72 | readOnly: true 73 | ports: 74 | - containerPort: 53 75 | name: dns 76 | protocol: UDP 77 | - containerPort: 53 78 | name: dns-tcp 79 | protocol: TCP 80 | - containerPort: 9153 81 | name: metrics 82 | protocol: TCP 83 | livenessProbe: 84 | httpGet: 85 | path: /health 86 | port: 8080 87 | scheme: HTTP 88 | initialDelaySeconds: 60 89 | timeoutSeconds: 5 90 | successThreshold: 1 91 | failureThreshold: 5 92 | securityContext: 93 | allowPrivilegeEscalation: false 94 | capabilities: 95 | add: 96 | - NET_BIND_SERVICE 97 | drop: 98 | - all 99 | readOnlyRootFilesystem: true 100 | dnsPolicy: Default 101 | volumes: 102 | - name: config-volume 103 | configMap: 104 | name: coredns 105 | items: 106 | - key: Corefile 107 | path: Corefile 108 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/dns-arm-1.13.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: extensions/v1beta1 3 | kind: Deployment 4 | metadata: 5 | name: coredns 6 | namespace: kube-system 7 | labels: 8 | k8s-app: kube-dns 9 | kubernetes.io/name: "CoreDNS" 10 | eks.amazonaws.com/component: coredns 11 | spec: 12 | replicas: 2 13 | strategy: 14 | type: RollingUpdate 15 | rollingUpdate: 16 | maxUnavailable: 1 17 | selector: 18 | 
matchLabels: 19 | k8s-app: kube-dns 20 | eks.amazonaws.com/component: coredns 21 | template: 22 | metadata: 23 | labels: 24 | k8s-app: kube-dns 25 | eks.amazonaws.com/component: coredns 26 | spec: 27 | serviceAccountName: coredns 28 | priorityClassName: system-cluster-critical 29 | affinity: 30 | nodeAffinity: 31 | requiredDuringSchedulingIgnoredDuringExecution: 32 | nodeSelectorTerms: 33 | - matchExpressions: 34 | - key: "beta.kubernetes.io/os" 35 | operator: In 36 | values: 37 | - linux 38 | - key: "beta.kubernetes.io/arch" 39 | operator: In 40 | values: 41 | - arm64 42 | podAntiAffinity: 43 | preferredDuringSchedulingIgnoredDuringExecution: 44 | - podAffinityTerm: 45 | labelSelector: 46 | matchExpressions: 47 | - key: k8s-app 48 | operator: In 49 | values: 50 | - kube-dns 51 | topologyKey: kubernetes.io/hostname 52 | weight: 100 53 | tolerations: 54 | - key: node-role.kubernetes.io/master 55 | effect: NoSchedule 56 | - key: "CriticalAddonsOnly" 57 | operator: "Exists" 58 | containers: 59 | - name: coredns 60 | image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/coredns-arm64:v1.2.6 61 | imagePullPolicy: IfNotPresent 62 | resources: 63 | limits: 64 | memory: 170Mi 65 | requests: 66 | cpu: 100m 67 | memory: 70Mi 68 | args: [ "-conf", "/etc/coredns/Corefile" ] 69 | volumeMounts: 70 | - name: config-volume 71 | mountPath: /etc/coredns 72 | readOnly: true 73 | ports: 74 | - containerPort: 53 75 | name: dns 76 | protocol: UDP 77 | - containerPort: 53 78 | name: dns-tcp 79 | protocol: TCP 80 | - containerPort: 9153 81 | name: metrics 82 | protocol: TCP 83 | livenessProbe: 84 | httpGet: 85 | path: /health 86 | port: 8080 87 | scheme: HTTP 88 | initialDelaySeconds: 60 89 | timeoutSeconds: 5 90 | successThreshold: 1 91 | failureThreshold: 5 92 | securityContext: 93 | allowPrivilegeEscalation: false 94 | capabilities: 95 | add: 96 | - NET_BIND_SERVICE 97 | drop: 98 | - all 99 | readOnlyRootFilesystem: true 100 | dnsPolicy: Default 101 | volumes: 102 | - name: 
config-volume 103 | configMap: 104 | name: coredns 105 | items: 106 | - key: Corefile 107 | path: Corefile 108 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-windows-preview/webhook-create-signed-cert.ps1: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"). You may 4 | # not use this file except in compliance with the License. A copy of the 5 | # License is located at 6 | # 7 | # http://aws.amazon.com/apache2.0/ 8 | # 9 | # or in the "license" file accompanying this file. This file is distributed 10 | # on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 11 | # express or implied. See the License for the specific language governing 12 | # permissions and limitations under the License. 13 | 14 | [CmdLetBinding()] 15 | param 16 | ( 17 | [ValidateNotNullOrEmpty()] 18 | [string] $ServiceName = 'vpc-admission-webhook-svc', 19 | 20 | [ValidateNotNullOrEmpty()] 21 | [string] $SecretName = 'vpc-admission-webhook-certs', 22 | 23 | [ValidateNotNullOrEmpty()] 24 | [string] $Namespace = 'default' 25 | ) 26 | 27 | if (!(Get-Command -Name openssl -ErrorAction SilentlyContinue)) 28 | { 29 | throw 'OpenSSL not found' 30 | } 31 | 32 | $TempDirectoryPath = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath ([System.IO.Path]::GetRandomFileName()) 33 | New-Item -Type Directory -Path $TempDirectoryPath | Out-Null 34 | Write-Verbose "Creating certificates in path: $TempDirectoryPath" 35 | 36 | $CsrConfFilePath = Join-Path -Path $TempDirectoryPath -ChildPath 'csr.conf' 37 | $CsrName = "$ServiceName`.$Namespace" 38 | $ServiceAddress = "$CsrName`.svc" 39 | @" 40 | [req] 41 | req_extensions = v3_req 42 | distinguished_name = req_distinguished_name 43 | [req_distinguished_name] 44 | [v3_req] 45 | basicConstraints 
= CA:FALSE 46 | keyUsage = nonRepudiation, digitalSignature, keyEncipherment 47 | extendedKeyUsage = serverAuth 48 | subjectAltName = @alt_names 49 | [alt_names] 50 | DNS.1 = $ServiceName 51 | DNS.2 = $CsrName 52 | DNS.3 = $ServiceAddress 53 | "@ | ` 54 | Out-File -FilePath $CsrConfFilePath -Encoding ASCII 55 | 56 | $ServerCertificateKeyFilePath = Join-Path -Path $TempDirectoryPath -ChildPath 'server-key.pem' 57 | $CsrFilePath = Join-Path -Path $TempDirectoryPath -ChildPath 'server.csr' 58 | openssl genrsa -out $ServerCertificateKeyFilePath 2048 59 | openssl req -new -key $ServerCertificateKeyFilePath -subj "/CN=$ServiceAddress" -out $CsrFilePath -config $CsrConfFilePath 60 | 61 | Write-Verbose 'Cleaning up any previously created CSR' 62 | kubectl delete csr $CsrName 2> $Null 63 | 64 | Write-Verbose 'Creating server CSR' 65 | @" 66 | apiVersion: certificates.k8s.io/v1beta1 67 | kind: CertificateSigningRequest 68 | metadata: 69 | name: $CsrName 70 | spec: 71 | groups: 72 | - system:authenticated 73 | request: $([Convert]::ToBase64String([IO.File]::ReadAllBytes($CsrFilePath))) 74 | usages: 75 | - digital signature 76 | - key encipherment 77 | - server auth 78 | "@ | ` 79 | kubectl create -f - 80 | 81 | Write-Verbose 'Verifying CSR has been created' 82 | do 83 | { 84 | kubectl get csr $CsrName 85 | $Succeeded = $LASTEXITCODE -eq 0 86 | if (!$Succeeded) 87 | { 88 | Start-Sleep -Seconds 1 89 | } 90 | } 91 | while (!$Succeeded) 92 | 93 | Write-Verbose 'Approving server CSR' 94 | kubectl certificate approve $CsrName 95 | 96 | Write-Verbose 'Getting signed certificate' 97 | do 98 | { 99 | $ServerCertificate = kubectl get csr $CsrName -o jsonpath='{.status.certificate}' 100 | $Succeeded = $LASTEXITCODE -eq 0 101 | if (!$Succeeded) 102 | { 103 | if (++$Attempts -ge 10) 104 | { 105 | throw 'Unable to get certificate after 10 attempts' 106 | } 107 | 108 | Start-Sleep -Seconds 1 109 | } 110 | } 111 | while (!$Succeeded) 112 | 113 | Write-Verbose 'Writing signed certificate' 114 
| $ServerCertificateFilePath = Join-Path -Path $TempDirectoryPath -ChildPath 'server-cert.pem' 115 | $ServerCertificate | openssl base64 -d -A -out $ServerCertificateFilePath 116 | 117 | Write-Verbose 'Creating secret with CA certificate and server certificate' 118 | kubectl create secret generic $SecretName ` 119 | --from-file=key.pem=$ServerCertificateKeyFilePath ` 120 | --from-file=cert.pem=$ServerCertificateFilePath ` 121 | --dry-run -o yaml | ` 122 | kubectl -n $Namespace apply -f - -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/aws-k8s-cni-arm64.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: aws-node 6 | rules: 7 | - apiGroups: 8 | - crd.k8s.amazonaws.com 9 | resources: 10 | - "*" 11 | verbs: 12 | - "*" 13 | - apiGroups: [""] 14 | resources: 15 | - pods 16 | - nodes 17 | - namespaces 18 | verbs: ["list", "watch", "get"] 19 | - apiGroups: ["extensions"] 20 | resources: 21 | - daemonsets 22 | verbs: ["list", "watch"] 23 | 24 | --- 25 | apiVersion: v1 26 | kind: ServiceAccount 27 | metadata: 28 | name: aws-node 29 | namespace: kube-system 30 | 31 | --- 32 | apiVersion: rbac.authorization.k8s.io/v1 33 | kind: ClusterRoleBinding 34 | metadata: 35 | name: aws-node 36 | roleRef: 37 | apiGroup: rbac.authorization.k8s.io 38 | kind: ClusterRole 39 | name: aws-node 40 | subjects: 41 | - kind: ServiceAccount 42 | name: aws-node 43 | namespace: kube-system 44 | 45 | --- 46 | kind: DaemonSet 47 | apiVersion: apps/v1 48 | metadata: 49 | name: aws-node 50 | namespace: kube-system 51 | labels: 52 | k8s-app: aws-node 53 | spec: 54 | updateStrategy: 55 | type: RollingUpdate 56 | selector: 57 | matchLabels: 58 | k8s-app: aws-node 59 | template: 60 | metadata: 61 | labels: 62 | k8s-app: aws-node 63 | spec: 64 | priorityClassName: system-node-critical 65 | affinity: 
66 | nodeAffinity: 67 | requiredDuringSchedulingIgnoredDuringExecution: 68 | nodeSelectorTerms: 69 | - matchExpressions: 70 | - key: "kubernetes.io/os" 71 | operator: In 72 | values: 73 | - linux 74 | - key: "kubernetes.io/arch" 75 | operator: In 76 | values: 77 | - arm64 78 | - key: "eks.amazonaws.com/compute-type" 79 | operator: NotIn 80 | values: 81 | - fargate 82 | serviceAccountName: aws-node 83 | hostNetwork: true 84 | tolerations: 85 | - operator: Exists 86 | containers: 87 | - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-arm64:v1.6.2 88 | imagePullPolicy: Always 89 | ports: 90 | - containerPort: 61678 91 | name: metrics 92 | name: aws-node 93 | env: 94 | - name: AWS_VPC_K8S_CNI_LOGLEVEL 95 | value: DEBUG 96 | - name: AWS_VPC_K8S_CNI_VETHPREFIX 97 | value: eni 98 | - name: AWS_VPC_ENI_MTU 99 | value: "9001" 100 | - name: MY_NODE_NAME 101 | valueFrom: 102 | fieldRef: 103 | fieldPath: spec.nodeName 104 | resources: 105 | requests: 106 | cpu: 10m 107 | securityContext: 108 | privileged: true 109 | volumeMounts: 110 | - mountPath: /host/opt/cni/bin 111 | name: cni-bin-dir 112 | - mountPath: /host/etc/cni/net.d 113 | name: cni-net-dir 114 | - mountPath: /host/var/log 115 | name: log-dir 116 | - mountPath: /var/run/docker.sock 117 | name: dockersock 118 | - mountPath: /var/run/dockershim.sock 119 | name: dockershim 120 | volumes: 121 | - name: cni-bin-dir 122 | hostPath: 123 | path: /opt/cni/bin 124 | - name: cni-net-dir 125 | hostPath: 126 | path: /etc/cni/net.d 127 | - name: log-dir 128 | hostPath: 129 | path: /var/log 130 | - name: dockersock 131 | hostPath: 132 | path: /var/run/docker.sock 133 | - name: dockershim 134 | hostPath: 135 | path: /var/run/dockershim.sock 136 | 137 | --- 138 | apiVersion: apiextensions.k8s.io/v1beta1 139 | kind: CustomResourceDefinition 140 | metadata: 141 | name: eniconfigs.crd.k8s.amazonaws.com 142 | spec: 143 | scope: Cluster 144 | group: crd.k8s.amazonaws.com 145 | versions: 146 | - name: v1alpha1 147 | 
served: true 148 | storage: true 149 | names: 150 | plural: eniconfigs 151 | singular: eniconfig 152 | kind: ENIConfig 153 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Containers Roadmap 2 | 3 | This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS). 4 | 5 | ## Introduction 6 | This is the public roadmap for AWS Container services. 7 | Knowing about our upcoming products and priorities helps our customers plan. This repository contains information about what we are working on and allows all AWS customers to give direct feedback. 8 | 9 | [See the roadmap »](https://github.com/aws/containers-roadmap/projects/1) 10 | 11 | **Other AWS Public Roadmaps** 12 | * [AWS Proton](https://github.com/aws/aws-proton-public-roadmap) 13 | * [CloudFormation coverage](https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap) 14 | * [AWS Elastic Beanstalk](https://github.com/aws/elastic-beanstalk-roadmap) 15 | * [Amazon EC2 Spot Instances integrations](https://github.com/aws/ec2-spot-instances-integrations-roadmap) 16 | * [AWS Controllers for Kubernetes (ACK)](https://github.com/aws-controllers-k8s/community/projects/1) 17 | * [AWS CDK](https://github.com/orgs/aws/projects/7) 18 | * [AWS App Runner](https://github.com/aws/apprunner-roadmap/projects/1) 19 | 20 | ## Developer Preview Programs 21 | We now have information for developer preview programs within this repository. Issues tagged [Developer Preview](https://github.com/aws/containers-roadmap/labels/Developer%20Preview) on the public roadmap are active preview programs. 22 | 23 | **Current Programs** 24 | * There's more to come! Stay tuned! 
25 | 26 | **Past Programs** 27 | * EKS on ARM - *[EKS on AWS Graviton2 is generally available](https://aws.amazon.com/blogs/containers/eks-on-graviton-generally-available/)* 28 | * ECS Multiple Target Groups - *[Support for multiple target groups on ECS is generally available](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html)* 29 | * Firelens - *[Support for custom log routing is generally available](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html)* 30 | * EKS Windows - *[Support for Windows on EKS is generally available](https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html)* 31 | 32 | ## Security disclosures 33 | 34 | If you think you’ve found a potential security issue, please do not post it in a public GitHub issue or pull request. Instead, follow the instructions on the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/) or [email AWS Security directly](mailto:aws-security@amazon.com). 35 | 36 | 37 | ## FAQs 38 | **Q: Why did you build this?** 39 | 40 | A: We know that our customers are making decisions and plans based on what we are developing, and we want to provide our customers the insights they need to plan. 41 | 42 | **Q: Why are there no dates on your roadmap?** 43 | 44 | A: Because job zero is security and operational stability, we can't provide specific target dates for features. The roadmap is subject to change at any time, and roadmap issues in this repository do not guarantee a feature will be launched as proposed. 45 | 46 | **Q: What do the roadmap categories mean?** 47 | * *Just shipped* - obvious, right? 48 | * *Coming soon* - coming up. Think a couple of months out, give or take. 49 | * *We're working on it* - in progress, but further out. We might still be working through the implementation details, or scoping stuff out. 50 | * *Researching* - We're thinking about it. This might mean we're still designing, or thinking through how this might work. 
This is a great phase to send how you want to see something implemented! We'd love to see your usecase or design ideas here. 51 | 52 | **Q: Is everything on the roadmap?** 53 | 54 | A: The majority of our development work for Amazon ECS, Fargate, ECR, EKS and other AWS-sponsored OSS projects are included on this roadmap. Of course, there will be technologies we are very excited about that we are going to launch without notice to surprise and delight our customers. 55 | 56 | **Q: How can I provide feedback or ask for more information?** 57 | 58 | A: Please open an issue! 59 | 60 | **Q: How can I request a feature be added to the roadmap?** 61 | 62 | A: Please open an issue! You can read about how to contribute [here](/CONTRIBUTING.md). Community submitted issues will be tagged "Proposed" and will be reviewed by the team. 63 | 64 | **Q: Will you accept a pull request?** 65 | 66 | A: We haven't worked out how pull requests should work for a public roadmap page, but we will take all PRs very seriously and review for inclusion. Read about [contributing](/CONTRIBUTING.md). 67 | 68 | ## License 69 | 70 | This library is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. 71 | 72 | To learn more about the services, head here: http://aws.amazon.com/containers 73 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-windows-preview/webhook-create-signed-cert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"). You may 6 | # not use this file except in compliance with the License. A copy of the 7 | # License is located at 8 | # 9 | # http://aws.amazon.com/apache2.0/ 10 | # 11 | # or in the "license" file accompanying this file. 
This file is distributed 12 | # on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 13 | # express or implied. See the License for the specific language governing 14 | # permissions and limitations under the License. 15 | 16 | set -e 17 | 18 | usage() { 19 | cat <> ${tmpdir}/csr.conf 76 | [req] 77 | req_extensions = v3_req 78 | distinguished_name = req_distinguished_name 79 | [req_distinguished_name] 80 | [ v3_req ] 81 | basicConstraints = CA:FALSE 82 | keyUsage = nonRepudiation, digitalSignature, keyEncipherment 83 | extendedKeyUsage = serverAuth 84 | subjectAltName = @alt_names 85 | [alt_names] 86 | DNS.1 = ${service} 87 | DNS.2 = ${service}.${namespace} 88 | DNS.3 = ${service}.${namespace}.svc 89 | EOF 90 | 91 | openssl genrsa -out ${tmpdir}/server-key.pem 2048 92 | openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf 93 | 94 | # clean-up any previously created CSR for our service. Ignore errors if not present. 
95 | kubectl delete csr ${csrName} 2>/dev/null || true 96 | 97 | # create server cert/key CSR and send to k8s API 98 | cat <&2 133 | exit 1 134 | fi 135 | echo ${serverCert} | openssl base64 -d -A -out ${tmpdir}/server-cert.pem 136 | 137 | 138 | # create the secret with CA cert and server cert/key 139 | kubectl create secret generic ${secret} \ 140 | --from-file=key.pem=${tmpdir}/server-key.pem \ 141 | --from-file=cert.pem=${tmpdir}/server-cert.pem \ 142 | --dry-run -o yaml | 143 | kubectl -n ${namespace} apply -f - 144 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/amazon-eks-arm-nodegroup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | AWSTemplateFormatVersion: 2010-09-09 3 | Description: Amazon EKS - Node Group 4 | 5 | Parameters: 6 | 7 | KeyName: 8 | Description: The EC2 Key Pair to allow SSH access to the instances 9 | Type: AWS::EC2::KeyPair::KeyName 10 | 11 | KubernetesVersion: 12 | Type: String 13 | Default: '1.15' 14 | AllowedValues: 15 | - '1.13' 16 | - '1.14' 17 | - '1.15' 18 | 19 | NodeInstanceType: 20 | Description: EC2 instance type for the node instances 21 | Type: String 22 | Default: a1.large 23 | ConstraintDescription: Must be a valid EC2 instance type 24 | AllowedValues: 25 | - a1.medium 26 | - a1.large 27 | - a1.xlarge 28 | - a1.2xlarge 29 | - a1.4xlarge 30 | - m6g.medium 31 | - m6g.large 32 | - m6g.xlarge 33 | - m6g.2xlarge 34 | - m6g.4xlarge 35 | - m6g.8xlarge 36 | - m6g.12xlarge 37 | - m6g.16xlarge 38 | 39 | NodeAutoScalingGroupMinSize: 40 | Description: Minimum size of Node Group ASG. 41 | Type: Number 42 | Default: 1 43 | 44 | NodeAutoScalingGroupMaxSize: 45 | Description: Maximum size of Node Group ASG. Set to at least 1 greater than NodeAutoScalingGroupDesiredCapacity. 46 | Type: Number 47 | Default: 4 48 | 49 | NodeAutoScalingGroupDesiredCapacity: 50 | Description: Desired capacity of Node Group ASG. 
51 | Type: Number 52 | Default: 3 53 | 54 | NodeVolumeSize: 55 | Description: Node volume size 56 | Type: Number 57 | Default: 20 58 | 59 | ClusterName: 60 | Description: The cluster name provided when the cluster was created. If it is incorrect, nodes will not be able to join the cluster. 61 | Type: String 62 | 63 | BootstrapArguments: 64 | Description: Arguments to pass to the bootstrap script. See files/bootstrap.sh in https://github.com/awslabs/amazon-eks-ami 65 | Type: String 66 | Default: "--pause-container-account 602401143452" 67 | 68 | NodeGroupName: 69 | Description: Unique identifier for the Node Group. 70 | Type: String 71 | 72 | ClusterControlPlaneSecurityGroup: 73 | Description: The security group of the cluster control plane. 74 | Type: AWS::EC2::SecurityGroup::Id 75 | 76 | VpcId: 77 | Description: The VPC of the worker instances 78 | Type: AWS::EC2::VPC::Id 79 | 80 | Subnets: 81 | Description: The subnets where workers can be created. 82 | Type: List 83 | 84 | NodeImageAMI113: 85 | Description: The SSM parameter that contains the Amazon Machine Image (AMI) ID for Kubernetes 1.13 nodes. 86 | Type : 'AWS::SSM::Parameter::Value' 87 | Default: /aws/service/eks/optimized-ami/1.13/amazon-linux-2-arm64/recommended/image_id 88 | 89 | NodeImageAMI114: 90 | Description: The SSM parameter that contains the Amazon Machine Image (AMI) ID for Kubernetes 1.14 nodes. 91 | Type : 'AWS::SSM::Parameter::Value' 92 | Default: /aws/service/eks/optimized-ami/1.14/amazon-linux-2-arm64/recommended/image_id 93 | 94 | NodeImageAMI115: 95 | Description: The SSM parameter that contains the Amazon Machine Image (AMI) ID for Kubernetes 1.15 nodes. 
96 | Type : 'AWS::SSM::Parameter::Value' 97 | Default: /aws/service/eks/optimized-ami/1.15/amazon-linux-2-arm64/recommended/image_id 98 | 99 | Mappings: 100 | PartitionMap: 101 | aws: 102 | EC2ServicePrincipal: "ec2.amazonaws.com" 103 | aws-cn: 104 | EC2ServicePrincipal: "ec2.amazonaws.com.cn" 105 | 106 | Metadata: 107 | 108 | AWS::CloudFormation::Interface: 109 | ParameterGroups: 110 | - Label: 111 | default: EKS Cluster 112 | Parameters: 113 | - KubernetesVersion 114 | - ClusterName 115 | - ClusterControlPlaneSecurityGroup 116 | - Label: 117 | default: Worker Node Configuration 118 | Parameters: 119 | - NodeGroupName 120 | - NodeAutoScalingGroupMinSize 121 | - NodeAutoScalingGroupDesiredCapacity 122 | - NodeAutoScalingGroupMaxSize 123 | - NodeInstanceType 124 | - NodeImageAMI 125 | - NodeVolumeSize 126 | - KeyName 127 | - BootstrapArguments 128 | - Label: 129 | default: Worker Network Configuration 130 | Parameters: 131 | - VpcId 132 | - Subnets 133 | - Label: 134 | default: Amazon Machine Image information 135 | Parameters: 136 | - NodeImageAMI113 137 | - NodeImageAMI114 138 | - NodeImageAMI115 139 | 140 | Conditions: 141 | Kubernetes113: !Equals [!Ref KubernetesVersion, '1.13'] 142 | Kubernetes114: !Equals [!Ref KubernetesVersion, '1.14'] 143 | Kubernetes115: !Equals [!Ref KubernetesVersion, '1.15'] 144 | 145 | Resources: 146 | 147 | NodeInstanceProfile: 148 | Type: AWS::IAM::InstanceProfile 149 | Properties: 150 | Path: "/" 151 | Roles: 152 | - !Ref NodeInstanceRole 153 | 154 | NodeInstanceRole: 155 | Type: AWS::IAM::Role 156 | Properties: 157 | AssumeRolePolicyDocument: 158 | Version: 2012-10-17 159 | Statement: 160 | - Effect: Allow 161 | Principal: 162 | Service: 163 | - !FindInMap [PartitionMap, !Ref "AWS::Partition", EC2ServicePrincipal] 164 | Action: sts:AssumeRole 165 | Path: "/" 166 | ManagedPolicyArns: 167 | - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy" 168 | - !Sub 
"arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy" 169 | - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" 170 | 171 | NodeSecurityGroup: 172 | Type: AWS::EC2::SecurityGroup 173 | Properties: 174 | GroupDescription: Security group for all nodes in the cluster 175 | VpcId: !Ref VpcId 176 | Tags: 177 | - Key: !Sub kubernetes.io/cluster/${ClusterName} 178 | Value: owned 179 | 180 | NodeSecurityGroupIngress: 181 | Type: AWS::EC2::SecurityGroupIngress 182 | DependsOn: NodeSecurityGroup 183 | Properties: 184 | Description: Allow node to communicate with each other 185 | GroupId: !Ref NodeSecurityGroup 186 | SourceSecurityGroupId: !Ref NodeSecurityGroup 187 | IpProtocol: -1 188 | FromPort: 0 189 | ToPort: 65535 190 | 191 | NodeSecurityGroupFromControlPlaneIngress: 192 | Type: AWS::EC2::SecurityGroupIngress 193 | DependsOn: NodeSecurityGroup 194 | Properties: 195 | Description: Allow worker Kubelets and pods to receive communication from the cluster control plane 196 | GroupId: !Ref NodeSecurityGroup 197 | SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup 198 | IpProtocol: tcp 199 | FromPort: 1025 200 | ToPort: 65535 201 | 202 | ControlPlaneEgressToNodeSecurityGroup: 203 | Type: AWS::EC2::SecurityGroupEgress 204 | DependsOn: NodeSecurityGroup 205 | Properties: 206 | Description: Allow the cluster control plane to communicate with worker Kubelet and pods 207 | GroupId: !Ref ClusterControlPlaneSecurityGroup 208 | DestinationSecurityGroupId: !Ref NodeSecurityGroup 209 | IpProtocol: tcp 210 | FromPort: 1025 211 | ToPort: 65535 212 | 213 | NodeSecurityGroupFromControlPlaneOn443Ingress: 214 | Type: AWS::EC2::SecurityGroupIngress 215 | DependsOn: NodeSecurityGroup 216 | Properties: 217 | Description: Allow pods running extension API servers on port 443 to receive communication from cluster control plane 218 | GroupId: !Ref NodeSecurityGroup 219 | SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup 220 | IpProtocol: tcp 
221 | FromPort: 443 222 | ToPort: 443 223 | 224 | ControlPlaneEgressToNodeSecurityGroupOn443: 225 | Type: AWS::EC2::SecurityGroupEgress 226 | DependsOn: NodeSecurityGroup 227 | Properties: 228 | Description: Allow the cluster control plane to communicate with pods running extension API servers on port 443 229 | GroupId: !Ref ClusterControlPlaneSecurityGroup 230 | DestinationSecurityGroupId: !Ref NodeSecurityGroup 231 | IpProtocol: tcp 232 | FromPort: 443 233 | ToPort: 443 234 | 235 | ClusterControlPlaneSecurityGroupIngress: 236 | Type: AWS::EC2::SecurityGroupIngress 237 | DependsOn: NodeSecurityGroup 238 | Properties: 239 | Description: Allow pods to communicate with the cluster API Server 240 | GroupId: !Ref ClusterControlPlaneSecurityGroup 241 | SourceSecurityGroupId: !Ref NodeSecurityGroup 242 | IpProtocol: tcp 243 | ToPort: 443 244 | FromPort: 443 245 | 246 | NodeGroup: 247 | Type: AWS::AutoScaling::AutoScalingGroup 248 | Properties: 249 | DesiredCapacity: !Ref NodeAutoScalingGroupDesiredCapacity 250 | LaunchConfigurationName: !Ref NodeLaunchConfig 251 | MinSize: !Ref NodeAutoScalingGroupMinSize 252 | MaxSize: !Ref NodeAutoScalingGroupMaxSize 253 | VPCZoneIdentifier: !Ref Subnets 254 | Tags: 255 | - Key: Name 256 | Value: !Sub ${ClusterName}-${NodeGroupName}-Node 257 | PropagateAtLaunch: true 258 | - Key: !Sub kubernetes.io/cluster/${ClusterName} 259 | Value: owned 260 | PropagateAtLaunch: true 261 | UpdatePolicy: 262 | AutoScalingRollingUpdate: 263 | MaxBatchSize: 1 264 | MinInstancesInService: !Ref NodeAutoScalingGroupDesiredCapacity 265 | PauseTime: PT5M 266 | 267 | NodeLaunchConfig: 268 | Type: AWS::AutoScaling::LaunchConfiguration 269 | Properties: 270 | IamInstanceProfile: !Ref NodeInstanceProfile 271 | ImageId: 272 | Fn::Join: 273 | - '' 274 | - - !If [ Kubernetes114, !Ref NodeImageAMI114, '' ] 275 | - !If [ Kubernetes113, !Ref NodeImageAMI113, '' ] 276 | - !If [ Kubernetes115, !Ref NodeImageAMI115, '' ] 277 | InstanceType: !Ref NodeInstanceType 278 | 
KeyName: !Ref KeyName 279 | SecurityGroups: 280 | - !Ref NodeSecurityGroup 281 | BlockDeviceMappings: 282 | - DeviceName: /dev/xvda 283 | Ebs: 284 | VolumeSize: !Ref NodeVolumeSize 285 | VolumeType: gp2 286 | DeleteOnTermination: true 287 | UserData: 288 | Fn::Base64: 289 | !Sub | 290 | #!/bin/bash 291 | set -o xtrace 292 | /etc/eks/bootstrap.sh ${ClusterName} ${BootstrapArguments} 293 | /opt/aws/bin/cfn-signal --exit-code $? \ 294 | --stack ${AWS::StackName} \ 295 | --resource NodeGroup \ 296 | --region ${AWS::Region} 297 | 298 | Outputs: 299 | 300 | NodeInstanceRole: 301 | Description: The node instance role 302 | Value: !GetAtt NodeInstanceRole.Arn 303 | 304 | NodeSecurityGroup: 305 | Description: The security group for the node group 306 | Value: !Ref NodeSecurityGroup 307 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Creative Commons Attribution-ShareAlike 4.0 International Public License 2 | 3 | By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. 4 | 5 | Section 1 – Definitions. 6 | 7 | a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. 
For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image. 8 | 9 | b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License. 10 | 11 | c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License. 12 | 13 | d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. 14 | 15 | e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. 16 | 17 | f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. 18 | 19 | g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike. 20 | 21 | h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License. 22 | 23 | i. 
Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license. 24 | 25 | j. Licensor means the individual(s) or entity(ies) granting rights under this Public License. 26 | 27 | k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. 28 | 29 | l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. 30 | 31 | m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning. 32 | 33 | Section 2 – Scope. 34 | 35 | a. License grant. 36 | 37 | 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: 38 | 39 | A. reproduce and Share the Licensed Material, in whole or in part; and 40 | 41 | B. produce, reproduce, and Share Adapted Material. 42 | 43 | 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. 44 | 45 | 3. Term. The term of this Public License is specified in Section 6(a). 46 | 47 | 4. 
Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. 48 | 49 | 5. Downstream recipients. 50 | 51 | A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. 52 | 53 | B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply. 54 | 55 | C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. 56 | 57 | 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). 58 | 59 | b. Other rights. 60 | 61 | 1. 
Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. 62 | 63 | 2. Patent and trademark rights are not licensed under this Public License. 64 | 65 | 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties. 66 | 67 | Section 3 – License Conditions. 68 | 69 | Your exercise of the Licensed Rights is expressly made subject to the following conditions. 70 | 71 | a. Attribution. 72 | 73 | 1. If You Share the Licensed Material (including in modified form), You must: 74 | 75 | A. retain the following if it is supplied by the Licensor with the Licensed Material: 76 | 77 | i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); 78 | 79 | ii. a copyright notice; 80 | 81 | iii. a notice that refers to this Public License; 82 | 83 | iv. a notice that refers to the disclaimer of warranties; 84 | 85 | v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable; 86 | 87 | B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and 88 | 89 | C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. 90 | 91 | 2. 
You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. 92 | 93 | 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. 94 | 95 | b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply. 96 | 97 | 1. The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License. 98 | 99 | 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material. 100 | 101 | 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply. 102 | 103 | Section 4 – Sui Generis Database Rights. 104 | 105 | Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: 106 | 107 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database; 108 | 109 | b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and 110 | 111 | c. 
You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. 112 | For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. 113 | 114 | Section 5 – Disclaimer of Warranties and Limitation of Liability. 115 | 116 | a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You. 117 | 118 | b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You. 119 | 120 | c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. 121 | 122 | Section 6 – Term and Termination. 123 | 124 | a. This Public License applies for the term of the Copyright and Similar Rights licensed here. 
However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. 125 | 126 | b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: 127 | 128 | 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or 129 | 130 | 2. upon express reinstatement by the Licensor. 131 | 132 | c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. 133 | 134 | d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. 135 | 136 | e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License. 137 | 138 | Section 7 – Other Terms and Conditions. 139 | 140 | a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. 141 | 142 | b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. 143 | 144 | Section 8 – Interpretation. 145 | 146 | a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. 147 | 148 | b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. 149 | 150 | c. 
No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. 151 | 152 | d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority. 153 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/README.md: -------------------------------------------------------------------------------- 1 | # Amazon EKS ARM Instances Preview Program 2 | 3 | # Note, this preview program is now deprecated, as EKS support for Arm-based instances is generally available. See the launch [blog](https://aws.amazon.com/blogs/containers/eks-on-graviton-generally-available/) for more details. 4 | 5 | Start here to participate in the [Amazon EKS](https://aws.amazon.com/eks) preview program for EC2 ARM instances. Using the instructions and code in this repository you can run containers using EC2 [A1](https://aws.amazon.com/ec2/instance-types/a1) or [M6](https://aws.amazon.com/ec2/instance-types/m6/) instances as part of a Kubernetes cluster that is managed by Amazon EKS. 6 | 7 | EC2 ARM instances deliver significant cost savings for scale-out and Arm-based applications such as web servers, containerized microservices, caching fleets, and distributed data stores. 8 | 9 | ### Supported Instance Types 10 | * [A1 instances](https://aws.amazon.com/ec2/instance-types/a1/) deliver significant cost savings for scale-out and Arm-based applications. These are the first EC2 instances powered by AWS Graviton Processors that feature 64-bit Arm Neoverse cores and custom silicon designed by AWS. 11 | * [M6g instances](https://aws.amazon.com/ec2/instance-types/m6/) are powered by Arm-based AWS Graviton2 processors. 
They deliver up to 40% better price performance over current generation M5 instances and offer a balance of compute, memory, and networking resources for a broad set of workloads. 12 | 13 | **Note:** The assets and instructions in this repository folder are offered as part of a _public preview_ program administered by AWS. 14 | 15 | Using the instructions and assets in this repository folder is governed as a preview program under the [AWS Service Terms](https://aws.amazon.com/service-terms/). 16 | 17 | #### Contents 18 | * [Before you begin](#before-you-begin) 19 | * [Key resources](#key-resources) 20 | * [Instructions](#instructions) 21 | 22 | #### Leaving feedback and getting help 23 | * The assets and instructions in this repository are offered on an _as-is_ basis as part of a public preview program for new AWS service functionality. 24 | * Please [open an issue](https://github.com/aws/containers-roadmap/issues/new?assignees=&labels=Developer+Preview%2C+EKS+ARM&template=eks-arm-preview-feedback.md&title=%5BEKS+ARM%5D+Issue) for comments, questions, or to report a bug. 25 | * For issues with the Amazon EKS service (creating, modifying, deleting a cluster) or with your AWS account, please contact AWS support using the AWS console. 26 | * As always, if you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions [here](https://aws.amazon.com/security/vulnerability-reporting/) or [email AWS security directly](mailto:aws-security@amazon.com). 27 | 28 | ## Before you begin 29 | * Make sure you have an active and valid AWS account. If you don't, you can create one [here](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html). 
30 | * If you haven't used Kubernetes before, familiarize yourself with the [basics of Kubernetes](https://kubernetes.io/docs/concepts/) 31 | * If you haven't used Amazon EKS before, familiarize yourself with the [EKS user guide](https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html). We also have a [tutorial](https://eksworkshop.com) that is a good starting point for new users. 32 | 33 | #### Key Resources 34 | The specific resources you need to run containers on EC2 ARM instances with Amazon EKS are within this repository folder. All other resources needed to successfully start and manage an EKS cluster can be found within the [EKS user guide](https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html). 35 | 36 | #### Important Considerations 37 | * EKS currently supports the ability to run all nodes on ARM instances with Kubernetes version 1.15 (the default), 1.14 and 1.13. 38 | 39 | ## Instructions 40 | Follow these instructions to create a Kubernetes cluster with Amazon EKS and start a service on EC2 ARM nodes. 41 | 42 | **Note**: This guide requires that you create a new EKS cluster. Please ensure you complete all steps to avoid issues. 43 | 44 | ### **Step 1.** Install eksctl, the EKS command line tool 45 | To create our cluster, we will use [eksctl](https://eksctl.io/), the command line tool for EKS. 46 | 47 | 1. Ensure you have the latest version of [Homebrew](https://brew.sh/) installed. 48 | If you don't have Homebrew, you can install it with the command: `/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"` 49 | 2. Install the Weaveworks Homebrew tap: `brew tap weaveworks/tap` 50 | 3. Install ekstctl: `brew install weaveworks/tap/eksctl` 51 | 4. 
Test that your installation was successful: `eksctl --help` 52 | 53 | ### **Step 2.** Install kubectl and AWS IAM authenticator 54 | If you used the Homebrew instructions above to install eksctl on macOS, then kubectl and the aws-iam-authenticator have already been installed on your system. Otherwise, you can refer to the Amazon EKS [getting started guide prerequisites](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html#eks-prereqs). 55 | 56 | ### **Step 3.** Create Your VPC, IAM role, and Amazon EKS Cluster without worker nodes 57 | Create an EKS cluster without provisioning worker nodes using the following eksctl command (change the `--version` if you don't want Kubernetes 1.15): 58 | 59 | ``` 60 | eksctl create cluster \ 61 | --name arm-preview \ 62 | --version 1.15 \ 63 | --region us-west-2 \ 64 | --without-nodegroup 65 | ``` 66 | 67 | Launching an EKS cluster using eksctl creates a CloudFormation stack. The launch process for this stack typically takes 10-15 minutes. You can monitor the progress in the [EKS console](https://console.aws.amazon.com/eks). 68 | 69 | Once the launch process has completed, we will want to review the CloudFormation stack to record the IDs of the Control Plane security group as well as the VPC ID. Navigate to the [CloudFormation console](https://console.aws.amazon.com/cloudformation). You will see a stack named `eksctl-<cluster-name>-cluster`. Select this stack, and on the right-hand side panel, click the tab for `Outputs`. Record the values of the items for `SecurityGroup` and `VPC`. 70 | 71 | Test that your cluster is running using `kubectl get svc`. It should return information such as the following: 72 | 73 | ``` 74 | NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE 75 | kubernetes ClusterIP ww.xx.yy.zz 443/TCP 20m 76 | ``` 77 | 78 | In order to support having only ARM nodes on our EKS cluster, we need to update some of the Kubernetes components. 
Follow the steps below to update CoreDNS, Kube-Proxy, and install the AWS ARM64 CNI plugin. 79 | 80 | ### **Step 4.** Update the image ID used for CoreDNS 81 | Run one of the below commands based upon the version of Kubernetes you are using to install an updated version of `CoreDNS`: 82 | 83 | **Kubernetes 1.15** 84 | ```shell 85 | kubectl apply -f https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-arm-preview/dns-arm-1.15.yaml 86 | ``` 87 | 88 | **Kubernetes 1.14** 89 | ```shell 90 | kubectl apply -f https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-arm-preview/dns-arm-1.14.yaml 91 | ``` 92 | 93 | **Kubernetes 1.13** 94 | ```shell 95 | kubectl apply -f https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-arm-preview/dns-arm-1.13.yaml 96 | ``` 97 | 98 | ### **Step 5.** Update the image ID used for kube-proxy 99 | Run the below command based upon the version of Kubernetes you are using to install an updated version of `kube-proxy`: 100 | 101 | **Kubernetes 1.15** 102 | ```shell 103 | kubectl apply -f https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-arm-preview/kube-proxy-arm-1.15.yaml 104 | ``` 105 | 106 | **Kubernetes 1.14** 107 | ```shell 108 | kubectl apply -f https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-arm-preview/kube-proxy-arm-1.14.yaml 109 | ``` 110 | 111 | **Kubernetes 1.13** 112 | ```shell 113 | kubectl apply -f https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-arm-preview/kube-proxy-arm-1.13.yaml 114 | ``` 115 | 116 | ### **Step 6.** Deploy the ARM CNI Plugin 117 | Run the below command to install the AWS ARM64 CNI Plugin (this config works on all Kubernetes versions): 118 | 119 | ```shell 120 | kubectl apply -f https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-arm-preview/aws-k8s-cni-arm64.yaml 121 | ``` 122 | 
123 | ### **Step 7.** Launch and Configure Amazon EKS ARM Worker Nodes 124 | 1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation. Ensure that you are in the AWS 125 | region that you created your EKS cluster in. 126 | 2. Choose **Create stack**. 127 | 3. For **Choose a template**, select **Specify an Amazon S3 template URL**. 128 | 4. Paste the following URL into the text area and choose **Next**. 129 | `https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2019-11-15/amazon-eks-arm-nodegroup.yaml` 130 | 5. On the Specify Details page, fill out the following parameters accordingly, and choose **Next**. 131 | * **Stack name**: Choose a stack name for your AWS CloudFormation stack. For example, you can call it `<cluster-name>-worker-nodes`. 132 | * **KubernetesVersion**: Select the version of Kubernetes you chose when launching your EKS cluster. 133 | **Important** 134 | This version must match the version you used in Step 1: Create Your Amazon EKS Cluster; otherwise, your worker nodes cannot join the cluster. 135 | * **ClusterName**: Enter the name that you used when you created your Amazon EKS cluster. 136 | **Important** 137 | This name must exactly match the name you used in Step 1: Create Your Amazon EKS Cluster; otherwise, your worker nodes cannot join the cluster. 138 | * **ClusterControlPlaneSecurityGroup**: You will be presented with a drop-down list of security groups. Choose the value from the AWS CloudFormation 139 | output that you captured in the Create your Amazon EKS Cluster VPC step. (e.g. `eksctl-<cluster-name>-cluster-ControlPlaneSecurityGroup-XXXXXXXXXXXXX`) 140 | * **NodeGroupName**: Enter a name for your node group. This name can be used later to identify the Auto Scaling node group that is created for your worker nodes. 141 | * **NodeAutoScalingGroupMinSize**: Enter the minimum number of nodes that your worker node Auto Scaling group can scale in to. 
142 | * **NodeAutoScalingGroupDesiredCapacity**: Enter the desired number of nodes to scale to when your stack is created. 143 | * **NodeAutoScalingGroupMaxSize**: Enter the maximum number of nodes that your worker node Auto Scaling group can scale out to. 144 | * **NodeInstanceType**: Choose one of the ARM instance types for your worker nodes (e.g.: `a1.large`). 145 | * **NodeVolumeSize**: Enter the node volume size. The default of 20 is fine. 146 | * **KeyName**: Enter the name of an Amazon EC2 key pair that you can use to connect to your worker nodes with SSH after they 147 | launch. If you don't already have an Amazon EC2 key pair, you can create one in the AWS Management Console. 148 | For more information, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances. 149 | 150 | **Note**: If you do not provide a key pair here, the AWS CloudFormation stack creation will fail. 151 | 152 | * **VpcId**: Choose the value from the AWS CloudFormation output that you captured in the Create your Amazon EKS 153 | Cluster VPC step. (e.g. `eksctl-<cluster-name>-cluster/VPC`) 154 | * **Subnets**: Choose the subnets that you created in Create your Amazon EKS Cluster VPC. 155 | 156 | * **NodeImageAMI11X**: The Amazon EC2 Systems Manager parameter for the AMI image ID. You should not make any changes to this parameter. 157 | 158 | 6. On the **Options** page, you can choose to tag your stack resources. Choose **Next**. 159 | 7. On the **Review** page, review your information, acknowledge that the stack might create IAM resources, and then choose **Create**. 160 | 161 | ### **Step 8.** Record the ARM64 instance role ARN. 162 | 1. After the ARM worker nodes stack has finished creating, select it in the console and choose the **Outputs** tab. 163 | 2. Record the value of **NodeInstanceRole** for the node group that was created. You need this when you configure the AWS authenticator configuration map in step 9. 
164 | 165 | ### **Step 9.** Configure the AWS authenticator configuration map to enable worker nodes to join your cluster 166 | 1. Download the configuration map 167 | `wget https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-arm-preview/aws-auth-cm-arm64.yaml` 168 | 169 | 2. Open the file with your favorite text editor. Replace the `<NodeInstanceRole ARN>` placeholder on the `rolearn:` line with the **NodeInstanceRole** value that you recorded in step 8 above, and save the file. Use the role ARN (not the instance profile ARN); this entry is what grants that role the `system:bootstrappers` and `system:nodes` groups, so map only the node role from the stack output. 170 | 171 | **Important**: Do not modify any other lines in this file. 172 | 173 | ``` 174 | apiVersion: v1 175 | kind: ConfigMap 176 | metadata: 177 | name: aws-auth 178 | namespace: kube-system 179 | data: 180 | mapRoles: | 181 | - rolearn: <NodeInstanceRole ARN> 182 | username: system:node:{{EC2PrivateDNSName}} 183 | groups: 184 | - system:bootstrappers 185 | - system:nodes 186 | ``` 187 | 188 | 3. Apply the configuration. This command may take a few minutes to finish: `kubectl apply -f aws-auth-cm-arm64.yaml` 189 | 190 | **Note**: If you receive the error `"aws-iam-authenticator": executable file not found in PATH`, then **kubectl** on your machine is not configured correctly for Amazon EKS. For more information, see [Installing aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html). 191 | 192 | If you receive any other authorization or resource type errors, see [Unauthorized or Access Denied (kubectl)](https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html#unauthorized). 193 | 194 | 4. Watch the status of your nodes and wait for them to reach the **Ready** status: `kubectl get nodes --watch` 195 | 196 | ### **Step 10.** Launch an app 197 | Launch the metrics server to test that you can schedule pods. 
198 | 199 | ``` 200 | kubectl apply -f https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-arm-preview/cni-metrics-helper-arm64.yaml 201 | ``` 202 | * Output: 203 | ``` 204 | clusterrole.rbac.authorization.k8s.io/cni-metrics-helper created 205 | serviceaccount/cni-metrics-helper created 206 | clusterrolebinding.rbac.authorization.k8s.io/cni-metrics-helper created 207 | deployment.extensions/cni-metrics-helper created 208 | ``` 209 | 210 | Check the scheduled pods: 211 | 212 | * `kubectl -n kube-system get pods -o wide` 213 | 214 | 215 | ## Next steps 216 | 217 | * Run your own containers on your new EKS cluster. 218 | 219 | * Leave comments or questions on our [GitHub issue](https://github.com/aws/containers-roadmap/issues/264). 220 | 221 | * This is an evolving project. As we roll out new features and functionality, we will update this repository and the roadmap issue. 222 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-windows-preview/README.md: -------------------------------------------------------------------------------- 1 | # WARNING: This preview program is deprecated and no longer maintained. 2 | 3 | ## Windows worker nodes are now fully supported by Amazon Elastic Kubernetes Service (EKS). See the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html) for instructions on getting started with launching Windows worker nodes and containers in your cluster. 4 | 5 | # Amazon EKS Windows Preview Program 6 | Start here to participate in the Windows node preview program for [Amazon Elastic Container Service for Kubernetes (EKS)](https://aws.amazon.com/eks). Using the instructions and code in this repository you can run Windows server docker containers on a Kubernetes cluster that is managed by Amazon EKS. 
7 | 8 | **Note:** The assets and instructions in this repository folder are offered as part of a _public preview_ program administered by AWS. 9 | 10 | Using the instructions and assets in this repository folder as well as running Windows Server EC2 instances (worker nodes) with Amazon EKS is governed as a preview program under the [AWS Service Terms](https://aws.amazon.com/service-terms/). 11 | 12 | #### Contents 13 | * [Before you begin](#before-you-begin) 14 | * [Key resources](#key-resources) 15 | * [Instructions](#instructions) 16 | 17 | #### Leaving feedback and getting help 18 | * The assets and instructions in this repository are offered on an _as-is_ basis as part of a public preview program for new AWS service functionality. 19 | * Leave comments or questions on our [GitHub issue](https://github.com/aws/containers-roadmap/issues/69). 20 | * To send more detailed problem information or feedback directly to the EKS Windows preview team, email [eks-windows-preview@amazon.com](mailto:eks-windows-preview@amazon.com). _(Please give 24-48 hours for a reply.)_ 21 | * For issues with the Amazon EKS service (creating, modifying, deleting a cluster) or with your AWS account, please contact AWS support using the AWS console. 22 | 23 | ## Before you begin 24 | * Make sure you have an active and valid AWS account. If you don't, you can create one [here](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html). 25 | * If you haven't used Kubernetes before, familiarize yourself with the [basics of Kubernetes](https://kubernetes.io/docs/concepts/) 26 | * If you haven't used Amazon EKS before, familiarize yourself with the [EKS user guide](https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html). We also have a [tutorial](https://eksworkshop.com) that is a good starting point for new users. 27 | 28 | **Important Considerations for Windows nodes** 29 | * EKS Windows nodes are only supported by Kubernetes version 1.11 (1.10 is not supported). 
30 | * Windows EC2 instance types C3, C4, D2, I2, M4 (excluding m4.16xlarge), and R3 instances are **not supported**. 31 | * Microsoft doesn't support hostnetworking mode in Windows yet. Hence an EKS Windows cluster will be a mixed mode cluster (1 Linux node and 3+ Windows nodes). 32 | * The VPC resource controller and coredns will be running in linux node. 33 | * Kubelet and kube-proxy event logs are redirected to Windows Event log (Log : EKS) and is set to 200 MB limit. 34 | * There is no support for secondary CIDR blocks with Windows nodes. 35 | * Workloads must have valid node selectors: 36 | 37 | ``` 38 | # Windows specific targeting 39 | nodeSelector: 40 | beta.kubernetes.io/os: windows 41 | beta.kubernetes.io/arch: amd64 42 | 43 | # Linux specific targeting 44 | nodeSelector: 45 | beta.kubernetes.io/os: linux 46 | beta.kubernetes.io/arch: amd64 47 | ``` 48 | 49 | Occasionally, when a node leaves and rejoins the cluster, the vpc-resource-controller is not notified. This results in the node not advertising the correct capacity. To workaround this issue, simply delete the "vpc-resource-controller" pod. 50 | 51 | ## Key Resources 52 | The specific resources you need to run Windows containers with Amazon EKS are within this repository folder. All other resources needed to successfully start and manage an EKS cluster can be found within the [EKS user guide](https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html). 53 | 54 | ### Latest EKS Windows AMIs 55 | 56 | **Kubernetes 1.11** 57 | 58 | *AMI Name: Windows_Server-2019-English-{Full / Core}-Containers-EKS* 59 | 60 | **Note**: Windows Full AMI is the full Windows Server. Windows Core AMI is the smaller AMI that only includes components necessary to run containers. You can use either version as part of this guide. 
61 | 62 | | Region | Server-2019-English-Full-Container-EKS AMI ID | Server-2019-English-Core-Container-EKS AMI ID | 63 | | --------------- | --------------------------------------------- | ---------------------------------------------- | 64 | | us-west-2 | ami-0d8fe37c57ffcb1cb | ami-070545a832d840b39 | 65 | | us-west-1 | ami-045f7d2976827c603 | ami-0b6365aeb3a4c7bed | 66 | | us-east-2 | ami-0ea4b11850e39ea45 | ami-087f4399676501cc5 | 67 | | us-east-1 | ami-0d50009cca6b3931a | ami-09469be1febc3ccaa | 68 | | sa-east-1 | ami-056ee2bfe11770e0b | ami-09a98faec87472a01 | 69 | | eu-west-3 | ami-0ba98761c56cbbde4 | ami-0bd875fb0dfbdfde9 | 70 | | eu-west-2 | ami-04679d5532fcb80a1 | ami-076e3a7505911ebbe | 71 | | eu-west-1 | ami-0251127b78f4417d0 | ami-00f116bc27664b5ca | 72 | | eu-north-1 | ami-0ce584f71aecdcbbb | ami-014da0d238c71afc2 | 73 | | eu-central-1 | ami-052759c2c4cfcc018 | ami-0b34353e0be33b6cc | 74 | | ca-central-1 | ami-0c4cf918855bab556 | ami-0406cee5903b280c4 | 75 | | ap-southeast-2 | ami-078946ad0e72394aa | ami-08d971022fd230af2 | 76 | | ap-southeast-1 | ami-0171c286f494f6eee | ami-08595c683d421d64a | 77 | | ap-south-1 | ami-08a4d85769014678c | ami-0112fbd4a4e198f3e | 78 | | ap-northeast-2 | ami-0bdc11c7431ad3359 | ami-07bc6510a032017e4 | 79 | | ap-northeast-1 | ami-0c7d532e61ed68389 | ami-0785aee1ddf5ebf5e | 80 | 81 | 82 | ## Instructions 83 | Follow these instructions to create a Kubernetes cluster with Amazon EKS and start a service using Windows server Docker containers. 84 | 85 | **Note**: This guide requires that you create a new EKS cluster. Please ensure you complete all steps to avoid issues. 86 | 87 | ### Step 1. Install and Configure kubectl for Amazon EKS 88 | Refer to the Amazon EKS [getting started guide prerequisites](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html#eks-prereqs). 89 | 90 | ### Step 2. Create Your VPC, IAM Role, Amazon EKS Cluster & Worker nodes 91 | 1. 
Open the AWS CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/home). 92 | 2. From the navigation bar, select an AWS region where Amazon EKS is available. 93 | 94 | **Note** 95 | The Amazon EKS Windows preview works in [all regions where Amazon EKS is available](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/). 96 | 97 | 3. Choose Create stack. 98 | 4. For Choose a template, select use an Amazon S3 URL and add the QuickStart YAML file: `https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/windows-public-preview/amazon-eks-cfn-quickstart-windows.yaml`. 99 | 11. On the **Specify Details** page, fill out the parameters accordingly, and then choose **Next**. 100 | 101 | * **Stack name**: Choose a stack name for your AWS CloudFormation stack. For example, you can call it `eks-vpc`. 102 | * **ClusterName**: Enter the name that you want to use for your Amazon EKS cluster. 103 | * **KeyName**: Enter the name of an Amazon EC2 SSH key pair that you can use to connect using SSH / RDP into your worker nodes with after they launch. If you don't already have an Amazon EC2 keypair, you can create one in the AWS Management Console. For more information, see [Amazon EC2 Key Pairs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html). 104 | 105 | **Note** 106 | If you do not provide a keypair, the AWS CloudFormation stack creation will fail. 107 | 108 | * **LinuxNodeImageId**: Enter the current Amazon EKS Linux worker node AMI ID for your Region. The AMI IDs for the latest Amazon EKS-optimized AMI are shown [here](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) (Refer to Kubernetes version 1.11). 109 | * **WindowsNodeAutoScalingGroupDesiredCapacity**: Enter the desired number of nodes to scale to when your stack is created. 
110 | * **WindowsNodeAutoScalingGroupMaxSize**: Enter the maximum number of nodes that your worker node Auto Scaling group can scale out to. 111 | * **WindowsNodeAutoScalingGroupMinSize**: Enter the minimum number of nodes that your worker node Auto Scaling group can scale in to. 112 | * **WindowsNodeImageId**: Enter the latest [Amazon EKS Windows worker node AMI ID](#latest-eks-windows-amis) for your Region. 113 | * **WindowsNodeInstanceType**: Choose an instance type for your worker nodes (see [Before you begin](#before-you-begin)). 114 | 115 | 12. (Optional) On the **Options** page, tag your stack resources. Choose **Next**. 116 | 13. On the **Review** page, choose **Create**. 117 | 14. When your stack is created, select it in the console and choose **Outputs**. 118 | 15. Record the `LinuxNodeInstanceRole` and `WindowsNodeInstanceRole` values for the node instance roles that were created. You need this when you configure your Amazon EKS worker nodes. 119 | 120 | ### Step 3. Deploy VPC Resource controller & kube-proxy-windows-cluster-role-binding 121 | 1. Download cluster addons file locally 122 | 123 | `curl -o eks-clusteraddons-quickstart-windows.yaml https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-windows-preview/eks-clusteraddons-quickstart-windows.yaml` 124 | 125 | 2. Deploy the cluster addons 126 | 127 | `kubectl apply -f eks-clusteraddons-quickstart-windows.yaml` 128 | 129 | ### Step 4. Deploy the VPC admission webhook 130 | 1. Install **openssl** and **jq** 131 | * openssl (https://github.com/openssl/openssl/releases) 132 | * jq (https://github.com/stedolan/jq/wiki/Installation) 133 | 2. 
Setup the vpc admission webhook 134 | * Download the required scripts and deployment files 135 | ``` 136 | curl -o webhook-create-signed-cert.sh https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-windows-preview/webhook-create-signed-cert.sh 137 | curl -o webhook-patch-ca-bundle.sh https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-windows-preview/webhook-patch-ca-bundle.sh 138 | curl -o vpc-admission-webhook-deployment.yaml https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-windows-preview/vpc-admission-webhook-deployment.yaml 139 | 140 | chmod +x webhook-create-signed-cert.sh 141 | chmod +x webhook-patch-ca-bundle.sh 142 | ``` 143 | 144 | * Setup secret for secure communication 145 | 146 | `./webhook-create-signed-cert.sh` 147 | 148 | * Verify secret 149 | 150 | `kubectl get secret vpc-admission-webhook-certs` 151 | 152 | * Configure webhook and create deployment file 153 | 154 | `cat ./vpc-admission-webhook-deployment.yaml| ./webhook-patch-ca-bundle.sh > vpc-admission-webhook.yaml` 155 | 156 | 3. Deploy the vpc-admission-webhook 157 | 158 | `kubectl apply -f vpc-admission-webhook.yaml` 159 | 160 | ### 5. Enable worker nodes to join the cluster 161 | 1. Download, edit, and apply the AWS authenticator configuration map 162 | * Download the configuration map 163 | 164 | `curl -o aws-auth-cm-windows.yaml https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-windows-preview/aws-auth-cm-windows.yaml` 165 | 166 | * Open the file with your favorite text editor. Replace the snippet with the **NodeInstanceRole** value that you recorded in the previous procedure, and save the file. 167 | 168 | **Important:** Do not modify any other lines in this file. 
169 | 170 | ``` 171 | apiVersion: v1 172 | kind: ConfigMap 173 | metadata: 174 | name: aws-auth 175 | namespace: kube-system 176 | data: 177 | mapRoles: | 178 | - rolearn: 179 | username: system:node:{{EC2PrivateDNSName}} 180 | groups: 181 | - system:bootstrappers 182 | - system:nodes 183 | - rolearn: 184 | username: system:node:{{EC2PrivateDNSName}} 185 | groups: 186 | - system:bootstrappers 187 | - system:nodes 188 | - eks:kube-proxy-windows 189 | ``` 190 | 191 | * Apply the configuration. This command may take a few minutes to finish. 192 | 193 | `kubectl apply -f aws-auth-cm-windows.yaml` 194 | 195 | **Note:** If you receive the error "aws-iam-authenticator": executable file not found in PATH, then **kubectl** is not configured for your Amazon EKS cluster. For more information, see [Installing aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html). 196 | 197 | 2. Watch the status of your nodes and wait for them to reach the Ready status 198 | 199 | `kubectl get nodes --watch` 200 | 201 | Your cluster and workers are ready. You can launch a Windows webserver application to test your setup. 202 | 203 | ### 6. Launch a Windows webserver application 204 | 205 | Watch the status of your nodes and wait for them to reach the Ready status. Then download the sample application from this GitHub repository. 206 | 207 | `curl -o windows-server-iis.yaml https://raw.githubusercontent.com/aws/containers-roadmap/master/preview-programs/eks-windows-preview/windows-server-IIS.yaml` 208 | 209 | `kubectl apply -f windows-server-iis.yaml` 210 | 211 | `kubectl get pods -w` 212 | 213 | Watch for the pod to transition to "RUNNING" state. Then check pod details. 214 | 215 | `kubectl get services` 216 | 217 | Note down the External-IP and wait for few min. to propagate DNS record. 218 | 219 | In browser, access `http://<>/default.html` 220 | 221 | ## Next steps 222 | 223 | * Run your own Windows containers on your new EKS cluster. 
224 | 225 | * Leave comments or questions on our [GitHub issue](https://github.com/aws/containers-roadmap/issues/69). 226 | 227 | * To send more detailed problem information or feedback directly to the EKS Windows preview team, email [eks-windows-preview@amazon.com](mailto:eks-windows-preview@amazon.com). _(Please give 24-48 hours for a reply.)_ 228 | 229 | * This is an evolving project. As we roll out new features and functionality, we will update this repository and the roadmap issue. 230 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/firelens/README.md: -------------------------------------------------------------------------------- 1 | # Amazon ECS and AWS Fargate FireLens Preview Program 2 | 3 | Start here to participate in the FireLens preview program for [Amazon Elastic Container Service (ECS)](https://aws.amazon.com/ecs). FireLens is available for ECS tasks using the EC2 and Fargate launch types. 4 | 5 | FireLens works with [Fluentd](https://www.fluentd.org/) and [Fluent Bit](https://fluentbit.io/). With FireLens, you can route your logs to a large number of AWS and partner destinations using simple configuration in your ECS Task Definition. 6 | 7 | We are providing FireLens with a basic set of functionality as a public preview to allow you to test it out, and give us feedback. Once we announce the general availability of FireLens it will be ready for production workloads, and will support more uses cases. 8 | 9 | **Note:** FireLens is no longer under public preview. The feature is generally available. Please see the [official AWS Documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html). 
10 | 11 | #### Contents 12 | * [Leaving feedback and getting help](#leaving-feedback-and-getting-help) 13 | * [Before you begin](#before-you-begin) 14 | * [Availability](#availability) 15 | * [Use Cases](#use-cases) 16 | * [Using the aws-for-fluent-bit image](#using-the-aws-for-fluent-bit-image) 17 | * [FireLens Task Definitions](#firelens-task-definitions) 18 | * [Permissions](#permissions) 19 | * [Supported Fluentd and Fluent Bit Docker Images](#supported-fluentd-and-fluent-bit-docker-images) 20 | * [Examples](#examples) 21 | * [Troubleshooting](#troubleshooting) 22 | 23 | #### Leaving feedback and getting help 24 | * The assets and instructions in this repository are offered on an _as-is_ basis as part of a public preview program for new AWS service functionality. 25 | * Leave comments or questions on our [GitHub issue](https://github.com/aws/containers-roadmap/issues/10). 26 | * For issues with the Amazon ECS or AWS Fargate service or with your AWS account, please contact AWS support using the AWS console. 27 | 28 | ## Before you begin 29 | * Make sure you have an active and valid AWS account. If you don't, you can create one [here](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html). 30 | * If you haven't used Amazon ECS before, familiarize yourself with the [AWS Documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) 31 | 32 | ## Availability 33 | 34 | FireLens is supported in all regions where Amazon ECS is supported. FireLens for ECS Tasks using the Fargate Launch Type is supported in all AWS Fargate regions. 35 | 36 | During the public preview, creating FireLens Task Definitions is only supported via the AWS SDKs, and AWS CLI. 37 | 38 | FireLens is supported in the bridge, host, and awsvpc network modes. 39 | 40 | ## Use Cases 41 | 42 | The Firelens Public Preview is intended to serve three key use cases. 43 | 44 | ### 1. 
Provide a simple method of sending container standard out logs to almost any destination 45 | 46 | FireLens allows you to configure Fluentd or Fluent Bit outputs in your Task Definition. Fluentd supports a number of log destinations in its with its built-in plugins; see its [official documentation for a list](https://docs.fluentd.org/output). Support for more destinations can be obtained by [installing plugins](https://www.fluentd.org/plugins/all). 47 | 48 | We recommend that you use Fluent Bit as your log router because its resource utilization is significantly lower than Fluentd. If you use the [AWS Fluent Bit Image](#using-the-aws-for-fluent-bit-image), you have access to all of its [built-in outputs](https://fluentbit.io/documentation/0.14/output/) and [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) and [Amazon Kinesis Data Firehose](https://aws.amazon.com/kinesis/data-firehose/). 49 | 50 | Note that you can forward from Fluent Bit to Fluentd, and vice versa. So for example, you could use FireLens to forward logs from a Fargate task to a [Centralized Fluentd Aggregator](https://aws.amazon.com/blogs/compute/building-a-scalable-log-solution-aggregator-with-aws-fargate-fluentd-and-amazon-kinesis-data-firehose/). 51 | 52 | ### 2. Filter Logs at Source 53 | 54 | Not all logs are of equal importance. Some may be unneeded; you can save on log storage costs by only sending the logs that you need. Fluentd and Fluent Bit both support filtering of logs via regular expressions. You can drop all logs that match a pattern, or only send logs that match a pattern. FireLens allows you to easily configure this via the Task Definition. 55 | 56 | ### 3. Decorate Logs with ECS Metadata 57 | 58 | By default, FireLens will add useful metadata to each log message. This can be disabled. 
59 | 60 | When enabled, a log event will look like the following: 61 | 62 | ``` 63 | { 64 | "source": "stdout", 65 | "log": "116.82.105.169 - Homenick7462 197 [2018-11-27T21:53:38Z] \"HEAD /enable/relationships/cross-platform/partnerships\" 501 13886", 66 | "container_id": "e54cccfac2b87417f71877907f67879068420042828067ae0867e60a63529d35", 67 | "container_name": "/ecs-demo-6-container2-a4eafbb3d4c7f1e16e00" 68 | "ecs_cluster": "mycluster", 69 | "ecs_task_arn": "arn:aws:ecs:us-east-2:01234567891011:task/mycluster/3de392df-6bfa-470b-97ed-aa6f482cd7a6", 70 | "ecs_task_definition": "demo:7" 71 | "ec2_instance_id": "i-06bc83dbc2ac2fdf8" 72 | } 73 | ``` 74 | 75 | ## Using the aws-for-fluent-bit image 76 | 77 | We recommend that you use Fluent Bit as your log router because its resource utilization is significantly lower than Fluentd. AWS provides a Fluent Bit image with plugins for [CloudWatch Logs](https://github.com/aws/amazon-cloudwatch-logs-for-fluent-bit) and [Kinesis Firehose](https://github.com/aws/amazon-kinesis-firehose-for-fluent-bit). 78 | 79 | This image is available on [Docker Hub](https://hub.docker.com/r/amazon/aws-for-fluent-bit), however, we recommend that you use the regionalized [Amazon ECR](https://aws.amazon.com/ecr/) image repositories because they provide higher availability. 
80 | 81 | 82 | | Region | Registry ID | Full Image Names | 83 | |----------------|--------------|-------------------------------------------------------------------------| 84 | | us-east-1 | 906394416424 | 906394416424.dkr.ecr.us-east-1.amazonaws.com/aws-for-fluent-bit:latest | 85 | | eu-west-1 | 906394416424 | 906394416424.dkr.ecr.eu-west-1.amazonaws.com/aws-for-fluent-bit:latest | 86 | | us-west-1 | 906394416424 | 906394416424.dkr.ecr.us-west-1.amazonaws.com/aws-for-fluent-bit:latest | 87 | | ap-southeast-1 | 906394416424 | 906394416424.dkr.ecr.ap-southeast-1.amazonaws.com/aws-for-fluent-bit:latest | 88 | | ap-northeast-1 | 906394416424 | 906394416424.dkr.ecr.ap-northeast-1.amazonaws.com/aws-for-fluent-bit:latest | 89 | | us-west-2 | 906394416424 | 906394416424.dkr.ecr.us-west-2.amazonaws.com/aws-for-fluent-bit:latest | 90 | | sa-east-1 | 906394416424 | 906394416424.dkr.ecr.sa-east-1.amazonaws.com/aws-for-fluent-bit:latest | 91 | | ap-southeast-2 | 906394416424 | 906394416424.dkr.ecr.ap-southeast-2.amazonaws.com/aws-for-fluent-bit:latest | 92 | | eu-central-1 | 906394416424 | 906394416424.dkr.ecr.eu-central-1.amazonaws.com/aws-for-fluent-bit:latest | 93 | | ap-northeast-2 | 906394416424 | 906394416424.dkr.ecr.ap-northeast-2.amazonaws.com/aws-for-fluent-bit:latest | 94 | | ap-south-1 | 906394416424 | 906394416424.dkr.ecr.ap-south-1.amazonaws.com/aws-for-fluent-bit:latest | 95 | | us-east-2 | 906394416424 | 906394416424.dkr.ecr.us-east-2.amazonaws.com/aws-for-fluent-bit:latest | 96 | | ca-central-1 | 906394416424 | 906394416424.dkr.ecr.ca-central-1.amazonaws.com/aws-for-fluent-bit:latest | 97 | | eu-west-2 | 906394416424 | 906394416424.dkr.ecr.eu-west-2.amazonaws.com/aws-for-fluent-bit:latest | 98 | | eu-west-3 | 906394416424 | 906394416424.dkr.ecr.eu-west-3.amazonaws.com/aws-for-fluent-bit:latest | 99 | | ap-northeast-3 | 906394416424 | 906394416424.dkr.ecr.ap-northeast-3.amazonaws.com/aws-for-fluent-bit:latest | 100 | | eu-north-1 | 906394416424 | 
906394416424.dkr.ecr.eu-north-1.amazonaws.com/aws-for-fluent-bit:latest | 101 | | ap-east-1 | 449074385750 | 449074385750.dkr.ecr.ap-east-1.amazonaws.com/aws-for-fluent-bit:latest | 102 | | me-south-1 | 741863432321 | 741863432321.dkr.ecr.me-south-1.amazonaws.com/aws-for-fluent-bit:latest | 103 | | cn-north-1 | 128054284489 | 128054284489.dkr.ecr.cn-north-1.amazonaws.com.cn/aws-for-fluent-bit:latest | 104 | | cn-northwest-1 | 128054284489 | 128054284489.dkr.ecr.cn-northwest-1.amazonaws.com.cn/aws-for-fluent-bit:latest | 105 | | us-gov-east-1 | 161423150738 | 161423150738.dkr.ecr.us-gov-east-1.amazonaws.com/aws-for-fluent-bit:latest | 106 | | us-gov-west-1 | 161423150738 | 161423150738.dkr.ecr.us-gov-west-1.amazonaws.com/aws-for-fluent-bit:latest | 107 | 108 | 109 | ## FireLens Task Definitions 110 | 111 | A Task Definition that uses FireLens has two parts; the log router container definition and the log configuration for application containers. 112 | 113 | ### 1. FireLens Log Router Container Definition 114 | 115 | Create a container definition with either Fluentd or Fluent Bit, and mark it as the FireLens container: 116 | 117 | ``` 118 | { 119 | "essential": true, 120 | "image": "amazon/aws-for-fluent-bit:latest", 121 | "name": "log_router", 122 | "firelensConfiguration": { 123 | "type": "fluentbit", 124 | "options": { 125 | "enable-ecs-log-metadata": "true" 126 | } 127 | } 128 | } 129 | ``` 130 | 131 | The option `enable-ecs-log-metadata` toggles the metadata fields described in the Use Cases section. It can be either `true` or `false`. It is enabled by default- not specifying this key is equivalent to setting it to `true`. 132 | 133 | The container with `firelensConfiguration` must be marked as essential. 134 | 135 | ### 2. 
Application Containers that use FireLens for Logs 136 | 137 | You configure an application container to use FireLens for logs the same way you would configure it to use a [Docker Log Driver](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html). Use the pseudo-driver `awsfirelens` and specify the key value pairs present in a Fluentd or Fluent Bit output section as the log driver options. 138 | 139 | For example, a Fluent Bit output definition looks like the following: 140 | 141 | ``` 142 | [OUTPUT] 143 | Name firehose 144 | Match * 145 | region us-west-2 146 | delivery_stream my-stream 147 | ``` 148 | 149 | If you want your application container to use that configuration for its container standard out logs, specify the following as its [logConfiguration]((https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html)): 150 | 151 | ``` 152 | "logConfiguration": { 153 | "logDriver": "awsfirelens", 154 | "options": { 155 | "Name": "firehose", 156 | "region": "us-west-2", 157 | "delivery_stream": "my-stream" 158 | } 159 | } 160 | ``` 161 | 162 | The Fluent Bit `Match` field is not needed; that configuration is managed by FireLens. 163 | 164 | **Note**: The FireLens container must start before any application containers that use it. Normally, ECS will handle this for you. However, you can control the start ordering of containers using [Container Dependencies](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDependency.html) in your Task Definition. If you use this field on containers which use FireLens for logs, ensure that each container has a `START` or `HEALTHY` (if you have configured a health check for Fluentd or Fluent Bit) dependency on the FireLens container. 165 | 166 | #### Filtering Logs Using Regular Expressions 167 | 168 | Fluentd and Fluent Bit both support filtering of logs based on their content. FireLens provides a simple short hand for enabling this. 
The options section of a container's logConfiguration can contain the special keys `exclude-pattern` and `include-pattern` that take regular expressions as their values. The `exclude-pattern` key will cause all logs that match its regular expression to be dropped. With `include-pattern`, only logs which match its regular expression will be sent. These keys can be used together. 169 | 170 | Here is an example usage that also contains a Fluentd output definition for CloudWatch Logs: 171 | ``` 172 | "logConfiguration": { 173 | "logDriver":"awsfirelens", 174 | "options": { 175 | "@type": "cloudwatch_logs", 176 | "log_group_name": "firelens-testing", 177 | "auto_create_stream": "true", 178 | "use_tag_as_stream": "true", 179 | "region": "us-west-2", 180 | "exclude-pattern": "^[a-z][aeiou].*$", 181 | "include-pattern": "^.*[aeiou]$" 182 | } 183 | } 184 | ``` 185 | 186 | Fluentd and Fluent Bit use Ruby Regular expressions; you can use the [Rubular](https://rubular.com/) website to test expressions. 187 | 188 | ## Permissions 189 | 190 | Fluentd/Fluent Bit runs as a side-car in your task. Thus, it uses the [ECS Task IAM Role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) for access to AWS Services. Ensure that you have given your task the necessary permissions. 191 | 192 | ## Supported Fluentd and Fluent Bit Docker Images 193 | 194 | FireLens support Fluentd versions `v1.0` and greater, and Fluent Bit versions `v1.0.0` and greater. 195 | 196 | Your Fluent Bit image must be configured to use a configuration file at `/fluent-bit/etc/fluent-bit.conf`. The [aws-for-fluent-bit](https://hub.docker.com/r/amazon/aws-for-fluent-bit) image and the [fluent/fluent-bit](https://hub.docker.com/r/fluent/fluent-bit/) images all use this default path. 
The command in the Dockerfile for your Fluent Bit image should look something like the following: 197 | 198 | ``` 199 | CMD ["/fluent-bit/bin/fluent-bit", "-c", "/fluent-bit/etc/fluent-bit.conf"] 200 | ``` 201 | 202 | Your Fluentd image must be configured to use a configuration file at `/fluentd/etc/fluent.conf`. The [fluent/fluentd](https://hub.docker.com/r/fluent/fluentd) images all use this default path. See the official [fluentd-docker-image](https://github.com/fluent/fluentd-docker-image) repo for examples. 203 | 204 | ## Examples 205 | 206 | We have provided example Task Definitions for the preview program. Use these as a starting point and customize them for your own needs: 207 | * [Fluent Bit CloudWatch Logs Example](cloudwatch_task_definition.json) 208 | * [Fluent Bit Kinesis Firehose Example](firehose_task_definition.json) 209 | * [Forward to external Fluentd/Fluent Bit Example](forward_task_definition.json) 210 | 211 | ## Troubleshooting 212 | 213 | Here are common problems that you may encounter when configuring FireLens: 214 | 215 | #### 1. No logs are present at your log destination 216 | 217 | Likely Causes: 218 | * Incorrect network configuration. Make sure that you have configured the networking in your VPC so that your task can access your log destination. 219 | * Incorrect permissions. Make sure that you have given your Task all needed permissions in its [Task IAM Role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html). 220 | * Incorrect configuration of your Fluentd/Fluent Bit output. 221 | 222 | To help debug these problems, we recommend enabling logs for your Fluentd/Fluent Bit container using the [`awslogs` Docker Log Driver](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html). Any errors or warnings produced by your log router will be sent to CloudWatch. 223 | 224 | #### 2. 
Incorrectly specifying the Fluentd/Fluent Bit Plugin options 225 | 226 | Carefully consult the documentation for the output plugin you are using. 227 | 228 | ##### Fluentd Errors 229 | 230 | ``` 231 | 2019-08-29 18:07:07 +0000 [error]: config error file="/fluentd/etc/fluent.conf" error_class=Fluent::ConfigError error="Unknown output plugin 'firehouse'. 232 | ``` 233 | 234 | Make sure you have correctly specified the plugin name with `@type` in your logConfiguration options: 235 | 236 | ``` 237 | { 238 | "@type": "kinesis_firehose" 239 | } 240 | ``` 241 | 242 | Furthermore, most Fluentd plugins have to be installed. In many cases, you need to create a custom docker image with Fluentd and the plugin(s) that you want to use. 243 | 244 | ``` 245 | gem install fluent-plugin-kinesis 246 | ``` 247 | 248 | The [Fluentd Docker Hub page](https://hub.docker.com/r/fluent/fluentd/) has instructions on building a custom images. 249 | 250 | 251 | ##### Fluent Bit Errors 252 | 253 | ``` 254 | Output plugin 'foward' cannot be loaded 255 | Error: You must specify an output target. Aborting 256 | ``` 257 | 258 | Make sure you have correctly specified the plugin `Name` in your logConfiguration options: 259 | 260 | ``` 261 | { 262 | "Name": "forward" 263 | } 264 | ``` 265 | 266 | We recommend using the [aws-for-fluent-bit](https://hub.docker.com/r/amazon/aws-for-fluent-bit) Docker image with FireLens. 267 | 268 | 269 | #### 3. Specifying your own configuration 270 | 271 | This is not supported in the FireLens preview. If you specify your own configuration file for Fluentd or Fluent Bit at the default path, it will be overridden by ECS. 272 | 273 | Specifying custom configuration will be supported after the FireLens preview. 
274 | -------------------------------------------------------------------------------- /preview-programs/zz_archive/eks-arm-preview/calico-arm64.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: DaemonSet 3 | apiVersion: apps/v1 4 | metadata: 5 | name: calico-node 6 | namespace: kube-system 7 | labels: 8 | k8s-app: calico-node 9 | spec: 10 | selector: 11 | matchLabels: 12 | k8s-app: calico-node 13 | updateStrategy: 14 | type: RollingUpdate 15 | rollingUpdate: 16 | maxUnavailable: 1 17 | template: 18 | metadata: 19 | labels: 20 | k8s-app: calico-node 21 | spec: 22 | priorityClassName: system-node-critical 23 | nodeSelector: 24 | kubernetes.io/os: linux 25 | hostNetwork: true 26 | serviceAccountName: calico-node 27 | # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force 28 | # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. 29 | terminationGracePeriodSeconds: 0 30 | containers: 31 | # Runs calico/node container on each Kubernetes node. This 32 | # container programs network policy and routes on each 33 | # host. 34 | - name: calico-node 35 | image: calico/node:v3.13.4 36 | env: 37 | # Use Kubernetes API as the backing datastore. 38 | - name: DATASTORE_TYPE 39 | value: "kubernetes" 40 | # Use eni not cali for interface prefix 41 | - name: FELIX_INTERFACEPREFIX 42 | value: "eni" 43 | # Enable felix info logging. 44 | - name: FELIX_LOGSEVERITYSCREEN 45 | value: "info" 46 | # Don't enable BGP. 47 | - name: CALICO_NETWORKING_BACKEND 48 | value: "none" 49 | # Cluster type to identify the deployment type 50 | - name: CLUSTER_TYPE 51 | value: "k8s,ecs" 52 | # Disable file logging so `kubectl logs` works. 53 | - name: CALICO_DISABLE_FILE_LOGGING 54 | value: "true" 55 | - name: FELIX_TYPHAK8SSERVICENAME 56 | value: "calico-typha" 57 | # Set Felix endpoint to host default action to ACCEPT. 
58 | - name: FELIX_DEFAULTENDPOINTTOHOSTACTION 59 | value: "ACCEPT" 60 | # This will make Felix honor AWS VPC CNI's mangle table 61 | # rules. 62 | - name: FELIX_IPTABLESMANGLEALLOWACTION 63 | value: Return 64 | # Disable IPV6 on Kubernetes. 65 | - name: FELIX_IPV6SUPPORT 66 | value: "false" 67 | # Wait for the datastore. 68 | - name: WAIT_FOR_DATASTORE 69 | value: "true" 70 | - name: FELIX_LOGSEVERITYSYS 71 | value: "none" 72 | - name: FELIX_PROMETHEUSMETRICSENABLED 73 | value: "true" 74 | - name: NO_DEFAULT_POOLS 75 | value: "true" 76 | # Set based on the k8s node name. 77 | - name: NODENAME 78 | valueFrom: 79 | fieldRef: 80 | fieldPath: spec.nodeName 81 | # No IP address needed. 82 | - name: IP 83 | value: "" 84 | - name: FELIX_HEALTHENABLED 85 | value: "true" 86 | securityContext: 87 | privileged: true 88 | livenessProbe: 89 | exec: 90 | command: 91 | - /bin/calico-node 92 | - -felix-live 93 | periodSeconds: 10 94 | initialDelaySeconds: 10 95 | failureThreshold: 6 96 | readinessProbe: 97 | exec: 98 | command: 99 | - /bin/calico-node 100 | - -felix-ready 101 | periodSeconds: 10 102 | volumeMounts: 103 | - mountPath: /lib/modules 104 | name: lib-modules 105 | readOnly: true 106 | - mountPath: /run/xtables.lock 107 | name: xtables-lock 108 | readOnly: false 109 | - mountPath: /var/run/calico 110 | name: var-run-calico 111 | readOnly: false 112 | - mountPath: /var/lib/calico 113 | name: var-lib-calico 114 | readOnly: false 115 | volumes: 116 | # Used to ensure proper kmods are installed. 117 | - name: lib-modules 118 | hostPath: 119 | path: /lib/modules 120 | - name: var-run-calico 121 | hostPath: 122 | path: /var/run/calico 123 | - name: var-lib-calico 124 | hostPath: 125 | path: /var/lib/calico 126 | - name: xtables-lock 127 | hostPath: 128 | path: /run/xtables.lock 129 | type: FileOrCreate 130 | tolerations: 131 | # Make sure calico/node gets scheduled on all nodes. 
132 | - effect: NoSchedule 133 | operator: Exists 134 | # Mark the pod as a critical add-on for rescheduling. 135 | - key: CriticalAddonsOnly 136 | operator: Exists 137 | - effect: NoExecute 138 | operator: Exists 139 | 140 | --- 141 | 142 | # Create all the CustomResourceDefinitions needed for 143 | # Calico policy-only mode. 144 | 145 | apiVersion: apiextensions.k8s.io/v1beta1 146 | kind: CustomResourceDefinition 147 | metadata: 148 | name: felixconfigurations.crd.projectcalico.org 149 | spec: 150 | scope: Cluster 151 | group: crd.projectcalico.org 152 | versions: 153 | - name: v1 154 | served: true 155 | storage: true 156 | names: 157 | kind: FelixConfiguration 158 | plural: felixconfigurations 159 | singular: felixconfiguration 160 | 161 | --- 162 | 163 | apiVersion: apiextensions.k8s.io/v1beta1 164 | kind: CustomResourceDefinition 165 | metadata: 166 | name: ipamblocks.crd.projectcalico.org 167 | spec: 168 | scope: Cluster 169 | group: crd.projectcalico.org 170 | versions: 171 | - name: v1 172 | served: true 173 | storage: true 174 | names: 175 | kind: IPAMBlock 176 | plural: ipamblocks 177 | singular: ipamblock 178 | 179 | --- 180 | 181 | apiVersion: apiextensions.k8s.io/v1beta1 182 | kind: CustomResourceDefinition 183 | metadata: 184 | name: blockaffinities.crd.projectcalico.org 185 | spec: 186 | scope: Cluster 187 | group: crd.projectcalico.org 188 | versions: 189 | - name: v1 190 | served: true 191 | storage: true 192 | names: 193 | kind: BlockAffinity 194 | plural: blockaffinities 195 | singular: blockaffinity 196 | 197 | --- 198 | 199 | apiVersion: apiextensions.k8s.io/v1beta1 200 | kind: CustomResourceDefinition 201 | metadata: 202 | name: bgpconfigurations.crd.projectcalico.org 203 | spec: 204 | scope: Cluster 205 | group: crd.projectcalico.org 206 | versions: 207 | - name: v1 208 | served: true 209 | storage: true 210 | names: 211 | kind: BGPConfiguration 212 | plural: bgpconfigurations 213 | singular: bgpconfiguration 214 | 215 | --- 216 | 
apiVersion: apiextensions.k8s.io/v1beta1 217 | kind: CustomResourceDefinition 218 | metadata: 219 | name: bgppeers.crd.projectcalico.org 220 | spec: 221 | scope: Cluster 222 | group: crd.projectcalico.org 223 | versions: 224 | - name: v1 225 | served: true 226 | storage: true 227 | names: 228 | kind: BGPPeer 229 | plural: bgppeers 230 | singular: bgppeer 231 | --- 232 | 233 | apiVersion: apiextensions.k8s.io/v1beta1 234 | kind: CustomResourceDefinition 235 | metadata: 236 | name: ippools.crd.projectcalico.org 237 | spec: 238 | scope: Cluster 239 | group: crd.projectcalico.org 240 | versions: 241 | - name: v1 242 | served: true 243 | storage: true 244 | names: 245 | kind: IPPool 246 | plural: ippools 247 | singular: ippool 248 | 249 | --- 250 | 251 | apiVersion: apiextensions.k8s.io/v1beta1 252 | kind: CustomResourceDefinition 253 | metadata: 254 | name: hostendpoints.crd.projectcalico.org 255 | spec: 256 | scope: Cluster 257 | group: crd.projectcalico.org 258 | versions: 259 | - name: v1 260 | served: true 261 | storage: true 262 | names: 263 | kind: HostEndpoint 264 | plural: hostendpoints 265 | singular: hostendpoint 266 | 267 | --- 268 | 269 | apiVersion: apiextensions.k8s.io/v1beta1 270 | kind: CustomResourceDefinition 271 | metadata: 272 | name: clusterinformations.crd.projectcalico.org 273 | spec: 274 | scope: Cluster 275 | group: crd.projectcalico.org 276 | versions: 277 | - name: v1 278 | served: true 279 | storage: true 280 | names: 281 | kind: ClusterInformation 282 | plural: clusterinformations 283 | singular: clusterinformation 284 | 285 | --- 286 | 287 | apiVersion: apiextensions.k8s.io/v1beta1 288 | kind: CustomResourceDefinition 289 | metadata: 290 | name: globalnetworkpolicies.crd.projectcalico.org 291 | spec: 292 | scope: Cluster 293 | group: crd.projectcalico.org 294 | versions: 295 | - name: v1 296 | served: true 297 | storage: true 298 | names: 299 | kind: GlobalNetworkPolicy 300 | plural: globalnetworkpolicies 301 | singular: 
globalnetworkpolicy 302 | 303 | --- 304 | 305 | apiVersion: apiextensions.k8s.io/v1beta1 306 | kind: CustomResourceDefinition 307 | metadata: 308 | name: globalnetworksets.crd.projectcalico.org 309 | spec: 310 | scope: Cluster 311 | group: crd.projectcalico.org 312 | versions: 313 | - name: v1 314 | served: true 315 | storage: true 316 | names: 317 | kind: GlobalNetworkSet 318 | plural: globalnetworksets 319 | singular: globalnetworkset 320 | 321 | --- 322 | 323 | apiVersion: apiextensions.k8s.io/v1beta1 324 | kind: CustomResourceDefinition 325 | metadata: 326 | name: networkpolicies.crd.projectcalico.org 327 | spec: 328 | scope: Namespaced 329 | group: crd.projectcalico.org 330 | versions: 331 | - name: v1 332 | served: true 333 | storage: true 334 | names: 335 | kind: NetworkPolicy 336 | plural: networkpolicies 337 | singular: networkpolicy 338 | 339 | --- 340 | 341 | apiVersion: apiextensions.k8s.io/v1beta1 342 | kind: CustomResourceDefinition 343 | metadata: 344 | name: networksets.crd.projectcalico.org 345 | spec: 346 | scope: Namespaced 347 | group: crd.projectcalico.org 348 | versions: 349 | - name: v1 350 | served: true 351 | storage: true 352 | names: 353 | kind: NetworkSet 354 | plural: networksets 355 | singular: networkset 356 | 357 | --- 358 | 359 | # Create the ServiceAccount and roles necessary for Calico. 360 | 361 | apiVersion: v1 362 | kind: ServiceAccount 363 | metadata: 364 | name: calico-node 365 | namespace: kube-system 366 | 367 | --- 368 | 369 | kind: ClusterRole 370 | apiVersion: rbac.authorization.k8s.io/v1 371 | metadata: 372 | name: calico-node 373 | rules: 374 | # The CNI plugin needs to get pods, nodes, configmaps and namespaces. 375 | - apiGroups: [""] 376 | resources: 377 | - pods 378 | - nodes 379 | - configmaps 380 | - namespaces 381 | verbs: 382 | - get 383 | - apiGroups: [""] 384 | resources: 385 | - endpoints 386 | - services 387 | verbs: 388 | # Used to discover service IPs for advertisement. 
389 | - watch 390 | - list 391 | # Used to discover Typhas. 392 | - get 393 | - apiGroups: [""] 394 | resources: 395 | - nodes/status 396 | verbs: 397 | # Needed for clearing NodeNetworkUnavailable flag. 398 | - patch 399 | # Calico stores some configuration information in node annotations. 400 | - update 401 | # Watch for changes to Kubernetes NetworkPolicies. 402 | - apiGroups: ["networking.k8s.io"] 403 | resources: 404 | - networkpolicies 405 | verbs: 406 | - watch 407 | - list 408 | # Used by Calico for policy information. 409 | - apiGroups: [""] 410 | resources: 411 | - pods 412 | - namespaces 413 | - serviceaccounts 414 | verbs: 415 | - list 416 | - watch 417 | # The CNI plugin patches pods/status. 418 | - apiGroups: [""] 419 | resources: 420 | - pods/status 421 | verbs: 422 | - patch 423 | # Calico monitors various CRDs for config. 424 | - apiGroups: ["crd.projectcalico.org"] 425 | resources: 426 | - globalfelixconfigs 427 | - felixconfigurations 428 | - bgppeers 429 | - globalbgpconfigs 430 | - bgpconfigurations 431 | - ippools 432 | - ipamblocks 433 | - globalnetworkpolicies 434 | - globalnetworksets 435 | - networkpolicies 436 | - networksets 437 | - clusterinformations 438 | - hostendpoints 439 | - blockaffinities 440 | verbs: 441 | - get 442 | - list 443 | - watch 444 | # Calico must create and update some CRDs on startup. 445 | - apiGroups: ["crd.projectcalico.org"] 446 | resources: 447 | - ippools 448 | - felixconfigurations 449 | - clusterinformations 450 | verbs: 451 | - create 452 | - update 453 | # Calico stores some configuration information on the node. 454 | - apiGroups: [""] 455 | resources: 456 | - nodes 457 | verbs: 458 | - get 459 | - list 460 | - watch 461 | # These permissions are only required for upgrade from v2.6, and can 462 | # be removed after upgrade or on fresh installations. 
463 | - apiGroups: ["crd.projectcalico.org"] 464 | resources: 465 | - bgpconfigurations 466 | - bgppeers 467 | verbs: 468 | - create 469 | - update 470 | # These permissions are required for Calico CNI to perform IPAM allocations. 471 | - apiGroups: ["crd.projectcalico.org"] 472 | resources: 473 | - blockaffinities 474 | - ipamblocks 475 | - ipamhandles 476 | verbs: 477 | - get 478 | - list 479 | - create 480 | - update 481 | - delete 482 | - apiGroups: ["crd.projectcalico.org"] 483 | resources: 484 | - ipamconfigs 485 | verbs: 486 | - get 487 | # Block affinities must also be watchable by confd for route aggregation. 488 | - apiGroups: ["crd.projectcalico.org"] 489 | resources: 490 | - blockaffinities 491 | verbs: 492 | - watch 493 | # The Calico IPAM migration needs to get daemonsets. These permissions can be 494 | # removed if not upgrading from an installation using host-local IPAM. 495 | - apiGroups: ["apps"] 496 | resources: 497 | - daemonsets 498 | verbs: 499 | - get 500 | 501 | --- 502 | 503 | apiVersion: rbac.authorization.k8s.io/v1 504 | kind: ClusterRoleBinding 505 | metadata: 506 | name: calico-node 507 | roleRef: 508 | apiGroup: rbac.authorization.k8s.io 509 | kind: ClusterRole 510 | name: calico-node 511 | subjects: 512 | - kind: ServiceAccount 513 | name: calico-node 514 | namespace: kube-system 515 | 516 | --- 517 | 518 | apiVersion: apps/v1 519 | kind: Deployment 520 | metadata: 521 | name: calico-typha 522 | namespace: kube-system 523 | labels: 524 | k8s-app: calico-typha 525 | spec: 526 | revisionHistoryLimit: 2 527 | selector: 528 | matchLabels: 529 | k8s-app: calico-typha 530 | template: 531 | metadata: 532 | labels: 533 | k8s-app: calico-typha 534 | annotations: 535 | cluster-autoscaler.kubernetes.io/safe-to-evict: 'true' 536 | spec: 537 | priorityClassName: system-cluster-critical 538 | nodeSelector: 539 | kubernetes.io/os: linux 540 | tolerations: 541 | # Mark the pod as a critical add-on for rescheduling. 
542 | - key: CriticalAddonsOnly 543 | operator: Exists 544 | hostNetwork: true 545 | serviceAccountName: calico-node 546 | # fsGroup allows using projected serviceaccount tokens as described here kubernetes/kubernetes#82573 547 | securityContext: 548 | fsGroup: 65534 549 | containers: 550 | - image: calico/typha:v3.13.4 551 | name: calico-typha 552 | ports: 553 | - containerPort: 5473 554 | name: calico-typha 555 | protocol: TCP 556 | env: 557 | # Use eni not cali for interface prefix 558 | - name: FELIX_INTERFACEPREFIX 559 | value: "eni" 560 | - name: TYPHA_LOGFILEPATH 561 | value: "none" 562 | - name: TYPHA_LOGSEVERITYSYS 563 | value: "none" 564 | - name: TYPHA_LOGSEVERITYSCREEN 565 | value: "info" 566 | - name: TYPHA_PROMETHEUSMETRICSENABLED 567 | value: "true" 568 | - name: TYPHA_CONNECTIONREBALANCINGMODE 569 | value: "kubernetes" 570 | - name: TYPHA_PROMETHEUSMETRICSPORT 571 | value: "9093" 572 | - name: TYPHA_DATASTORETYPE 573 | value: "kubernetes" 574 | - name: TYPHA_MAXCONNECTIONSLOWERLIMIT 575 | value: "1" 576 | - name: TYPHA_HEALTHENABLED 577 | value: "true" 578 | # This will make Felix honor AWS VPC CNI's mangle table 579 | # rules. 
580 | - name: FELIX_IPTABLESMANGLEALLOWACTION 581 | value: Return 582 | livenessProbe: 583 | httpGet: 584 | path: /liveness 585 | port: 9098 586 | host: localhost 587 | periodSeconds: 30 588 | initialDelaySeconds: 30 589 | securityContext: 590 | runAsNonRoot: true 591 | allowPrivilegeEscalation: false 592 | readinessProbe: 593 | httpGet: 594 | path: /readiness 595 | port: 9098 596 | host: localhost 597 | periodSeconds: 10 598 | 599 | --- 600 | 601 | # This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict 602 | apiVersion: policy/v1beta1 603 | kind: PodDisruptionBudget 604 | metadata: 605 | name: calico-typha 606 | namespace: kube-system 607 | labels: 608 | k8s-app: calico-typha 609 | spec: 610 | maxUnavailable: 1 611 | selector: 612 | matchLabels: 613 | k8s-app: calico-typha 614 | 615 | --- 616 | apiVersion: rbac.authorization.k8s.io/v1 617 | kind: ClusterRoleBinding 618 | metadata: 619 | name: typha-cpha 620 | roleRef: 621 | apiGroup: rbac.authorization.k8s.io 622 | kind: ClusterRole 623 | name: typha-cpha 624 | subjects: 625 | - kind: ServiceAccount 626 | name: typha-cpha 627 | namespace: kube-system 628 | 629 | --- 630 | 631 | apiVersion: rbac.authorization.k8s.io/v1 632 | kind: ClusterRole 633 | metadata: 634 | name: typha-cpha 635 | rules: 636 | - apiGroups: [""] 637 | resources: ["nodes"] 638 | verbs: ["watch", "list"] 639 | 640 | --- 641 | 642 | kind: ConfigMap 643 | apiVersion: v1 644 | metadata: 645 | name: calico-typha-horizontal-autoscaler 646 | namespace: kube-system 647 | data: 648 | ladder: |- 649 | { 650 | "coresToReplicas": [], 651 | "nodesToReplicas": 652 | [ 653 | [1, 1], 654 | [10, 2], 655 | [100, 3], 656 | [250, 4], 657 | [500, 5], 658 | [1000, 6], 659 | [1500, 7], 660 | [2000, 8] 661 | ] 662 | } 663 | 664 | --- 665 | 666 | apiVersion: apps/v1 667 | kind: Deployment 668 | metadata: 669 | name: calico-typha-horizontal-autoscaler 670 | namespace: kube-system 671 | labels: 672 | k8s-app: 
calico-typha-autoscaler 673 | spec: 674 | selector: 675 | matchLabels: 676 | k8s-app: calico-typha-autoscaler 677 | replicas: 1 678 | template: 679 | metadata: 680 | labels: 681 | k8s-app: calico-typha-autoscaler 682 | spec: 683 | priorityClassName: system-cluster-critical 684 | nodeSelector: 685 | kubernetes.io/os: linux 686 | containers: 687 | - image: k8s.gcr.io/cluster-proportional-autoscaler-arm64:1.7.1 688 | name: autoscaler 689 | command: 690 | - /cluster-proportional-autoscaler 691 | - --namespace=kube-system 692 | - --configmap=calico-typha-horizontal-autoscaler 693 | - --target=deployment/calico-typha 694 | - --logtostderr=true 695 | - --v=2 696 | resources: 697 | requests: 698 | cpu: 10m 699 | limits: 700 | cpu: 10m 701 | serviceAccountName: typha-cpha 702 | 703 | --- 704 | 705 | apiVersion: rbac.authorization.k8s.io/v1 706 | kind: Role 707 | metadata: 708 | name: typha-cpha 709 | namespace: kube-system 710 | rules: 711 | - apiGroups: [""] 712 | resources: ["configmaps"] 713 | verbs: ["get"] 714 | - apiGroups: ["extensions", "apps"] 715 | resources: ["deployments/scale"] 716 | verbs: ["get", "update"] 717 | 718 | --- 719 | 720 | apiVersion: v1 721 | kind: ServiceAccount 722 | metadata: 723 | name: typha-cpha 724 | namespace: kube-system 725 | 726 | --- 727 | 728 | apiVersion: rbac.authorization.k8s.io/v1 729 | kind: RoleBinding 730 | metadata: 731 | name: typha-cpha 732 | namespace: kube-system 733 | roleRef: 734 | apiGroup: rbac.authorization.k8s.io 735 | kind: Role 736 | name: typha-cpha 737 | subjects: 738 | - kind: ServiceAccount 739 | name: typha-cpha 740 | namespace: kube-system 741 | 742 | --- 743 | 744 | apiVersion: v1 745 | kind: Service 746 | metadata: 747 | name: calico-typha 748 | namespace: kube-system 749 | labels: 750 | k8s-app: calico-typha 751 | spec: 752 | ports: 753 | - port: 5473 754 | protocol: TCP 755 | targetPort: calico-typha 756 | name: calico-typha 757 | selector: 758 | k8s-app: calico-typha 759 | 
--------------------------------------------------------------------------------