이전 글에서 EKS 클러스터를 생성했었다. ➡️ EKS 클러스터 생성
ALB LB Controller 구성
생성할 자원
- OIDC (openID Connect Identify Provider)
→ Terraform EKS 모듈에서enable_irsa = true로 이미 자동생성 - Cert-manager 설치
- Controller 가 사용할 IAM Policy & IAM Role 생성
- Controller 의 ServiceAccount 생성
- Controller 배포 (YAML)
Cert-manager 설치
- 소스 다운로드
$ wget https://github.com/jetstack/cert-manager/releases/download/v1.10.1/cert-manager.yaml
- EKS 클러스터 폴더 modules/yaml/lb-controller/ 에 복사
- kubectl 적용
$ k apply -f cert-manager.yaml
- Cert-manager 확인
$ k get ns $ k get all -n cert-manager
- kubectl 적용
Controller가 사용할 IAM Policy & IAM Role 생성
-
alb-controller-roler.tf
module "iam_assumable_role_alb_controller" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.0.0" create_role = true role_name = "${local.cluster_name}-alb-controller" role_description = "Used by AWS Load Balancer Controller for EKS" provider_url = module.eks.cluster_oidc_issuer_url oidc_fully_qualified_subjects = ["system:941024664395:kube-system:aws-load-balancer-controller"] } data "http" "iam_policy" { url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.1/docs/install/iam_policy.json" } # 인라인으로 정책이 추가 resource "aws_iam_role_policy" "controller" { name_prefix = "AWSLoadBalancerControllerIAMPolicy" policy = data.http.iam_policy.response_body role = module.iam_assumable_role_alb_controller.iam_role_name }➡️ LB Controller가 EKS 클러스터에서 동작하기위해 생성하는 IAM 역할 및 정책
Controller의 Service Account 생성
- serivce-account.yaml
apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: aws-load-balancer-controller name: aws-load-balancer-controller namespace: kube-system annotations: eks.amazonaws.com/role-arn: arn:aws:iam::941024664395:role/my-eks-cluster-alb-controller # kubectl 적용 $ k apply -f serivce-account.yaml
Controller 설치
- 소스 다운로드
$ wget https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.4.4/v2_4_4_full.yaml
샘플 애플리케이션 (2048)
샘플 애플리케이션 코드 ➡️ game-2048
샘플 애플리케이션 로컬 테스트
$ npm install --include=dev
$ npm run build
$ npm start- localhost:8080에서 확인
dockerfile 작성
# node base image 설치
FROM node:16-slim
# 기본 디렉토리 지정
WORKDIR /usr/src/app
# 소스 복사
COPY . .
# 패키지 설치
RUN npm install http-server -g
# Listen 포트 정의
EXPOSE 8080
# 서버 기동
CMD ["http-server", "./dist"]도커 이미지 빌드 및 ECR 푸쉬
빌드된 이미지 테스트
$ docker run --rm -it -p 8080:8080 eks-app
localhost:8080에서 확인manifest 작성
- namespace.yaml
apiVersion: v1 kind: Namespace metadata: name: game2048 - deployment.yaml
apiVersion: apps/v1 kind: Deployment metadata: namespace: game2048 name: game2048 spec: revisionHistoryLimit: 5 replicas: 3 strategy: type: RollingUpdate rollingUpdate: maxSurge: 25% maxUnavailable: 0% selector: matchLabels: app.kubernetes.io/name: game2048 template: metadata: labels: app.kubernetes.io/name: game2048 spec: containers: - name: game2048 image: "941024664395.dkr.ecr.ap-northeast-2.amazonaws.com/eks-app:latest" imagePullPolicy: IfNotPresent ports: - name: http containerPort: 8080 protocol: TCP nodeSelector: nodeType: service-2023 tolerations: - key: service operator: "Equal" value: "true" effect: "NoSchedule" - service.yaml
apiVersion: v1 kind: Service metadata: namespace: game2048 name: game2048 spec: type: ClusterIP ports: - port: 8080 targetPort: 8080 protocol: TCP name: http selector: app.kubernetes.io/name: game2048 - ingress.yaml
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: namespace: game2048 name: game2048 annotations: kubernetes.io/ingress.class: alb alb.ingress.kubernetes.io/load-balancer-name: my-eks-alb alb.ingress.kubernetes.io/target-type: ip alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]' alb.ingress.kubernetes.io/healthcheck-path: / alb.ingress.kubernetes.io/subnets: <Public Subnet 1>, <Public Subnet 2> spec: rules: - http: paths: - path: / pathType: Prefix backend: service: name: game2048 port: number: 8080 - kubectl 적용하기
$ k apply -f .
결과
Cloud Engineer / DevOps Engineer