Here is my Go code:
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-awsx/sdk/v2/go/awsx/ec2"
"github.com/pulumi/pulumi-eks/sdk/v2/go/eks"
"github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes"
corev1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/core/v1"
metav1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/meta/v1"
storagev1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/storage/v1"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// ptrTo returns a pointer to a fresh copy of v. It exists so that optional
// *T fields in the awsx argument structs can be set from a literal in place.
func ptrTo[T any](v T) *T {
	p := new(T)
	*p = v
	return p
}
// newVPC provisions the cluster VPC through the awsx component: three
// availability zones in eu-west-1 (matching the region check in main), one
// public and one private subnet per AZ using the awsx Auto allocation
// strategy, and DNS hostnames/resolution enabled.
//
// The "kubernetes.io/cluster/<name>=shared" and "kubernetes.io/role/*" tags
// are the standard EKS subnet-discovery tags: "elb" marks subnets usable for
// internet-facing load balancers, "internal-elb" for internal ones.
func newVPC(ctx *pulumi.Context, clusterName string) (*ec2.Vpc, error) {
	vpcName := fmt.Sprintf("%s-vpc", clusterName)
	clusterTag := "kubernetes.io/cluster/" + clusterName
	shared := pulumi.String("shared")

	publicSubnets := ec2.SubnetSpecArgs{
		Type: ec2.SubnetTypePublic,
		Name: ptrTo("public"),
		Tags: pulumi.StringMap{
			"Name":                   pulumi.String(fmt.Sprintf("%s-public-subnet", clusterName)),
			"kubernetes.io/role/elb": pulumi.String("1"),
			clusterTag:               shared,
		},
	}
	privateSubnets := ec2.SubnetSpecArgs{
		Type: ec2.SubnetTypePrivate,
		Name: ptrTo("private"),
		Tags: pulumi.StringMap{
			"Name":                            pulumi.String(fmt.Sprintf("%s-private-subnet", clusterName)),
			"kubernetes.io/role/internal-elb": pulumi.String("1"),
			clusterTag:                        shared,
		},
	}

	return ec2.NewVpc(ctx, vpcName, &ec2.VpcArgs{
		AvailabilityZoneNames: []string{"eu-west-1a", "eu-west-1b", "eu-west-1c"},
		Tags: pulumi.StringMap{
			"Name":     pulumi.String(vpcName),
			clusterTag: shared,
		},
		EnableDnsHostnames: pulumi.BoolPtr(true),
		EnableDnsSupport:   pulumi.BoolPtr(true),
		SubnetSpecs:        []ec2.SubnetSpecArgs{publicSubnets, privateSubnets},
		SubnetStrategy:     ptrTo(ec2.SubnetAllocationStrategyAuto),
	})
}
// createClusterRole provisions the IAM role that worker nodes assume (trusted
// only by the ec2.amazonaws.com service principal) and the instance profile
// that attaches it to the nodes' EC2 instances.
//
// The role carries the standard AWS-managed worker-node policies plus
// AmazonSSMManagedInstanceCore for Session Manager access.
// NOTE(review): AmazonEKS_CNI_Policy on the node role is reachable by any pod
// that can hit the instance metadata endpoint; AWS's recommended setup is to
// grant it to the VPC CNI's service account instead (IRSA) — confirm the CNI
// configuration before changing this.
func createClusterRole(ctx *pulumi.Context, name string) (*iam.Role, *iam.InstanceProfile, error) {
	const ec2TrustPolicy = `{
"Version": "2012-10-17",
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}]
}`
	managedPolicies := []string{
		"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
		"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
		"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
		"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
	}

	nodeRole, err := iam.NewRole(ctx, fmt.Sprintf("%s-instance-role", name), &iam.RoleArgs{
		AssumeRolePolicy:  pulumi.String(ec2TrustPolicy),
		ManagedPolicyArns: pulumi.ToStringArray(managedPolicies),
	})
	if err != nil {
		return nil, nil, err
	}

	profile, err := iam.NewInstanceProfile(ctx, fmt.Sprintf("%s-instance-profile", name), &iam.InstanceProfileArgs{
		Role: nodeRole,
	})
	if err != nil {
		return nil, nil, err
	}
	return nodeRole, profile, nil
}
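// createCluster provisions the EKS control plane and three self-managed node
// groups ("routers", "daemon", "internal"), each pinned to a different private
// subnet of vpc. imageAmiId is the node AMI; instanceRole/instanceProfile come
// from createClusterRole.
//
// The node groups are created directly rather than inside an ApplyT callback
// on the cluster name: that lets `pulumi preview` show them, and lets a
// failure reach the caller — the previous version assigned into a captured
// outer err from the callback and always returned `cluster, nil`. The
// "cluster-name" label uses clusterName, which is exactly what ClusterArgs.Name
// is set to.
//
// NOTE(review): as discussed on this issue, each self-managed NodeGroupV2 gets
// its own security group carrying only the minimal rules, so pods on one node
// group cannot reach pods on another by default. Cross-group ingress rules (or
// a single node group / a shared node security group) are needed before
// inter-group traffic, including CoreDNS lookups, works.
func createCluster(ctx *pulumi.Context, clusterName, imageAmiId string, vpc *ec2.Vpc, instanceRole iam.RoleInput, instanceProfile *iam.InstanceProfile) (*eks.Cluster, error) {
	cluster, err := eks.NewCluster(ctx, clusterName, &eks.ClusterArgs{
		Name:                         pulumi.String(clusterName),
		VpcId:                        vpc.VpcId,
		PublicSubnetIds:              vpc.PublicSubnetIds,
		PrivateSubnetIds:             vpc.PrivateSubnetIds,
		NodeAssociatePublicIpAddress: pulumi.BoolRef(false),
		SkipDefaultNodeGroup:         pulumi.BoolRef(true),
		CreateOidcProvider:           pulumi.Bool(true),
		InstanceRole:                 instanceRole,
		NodeAmiId:                    pulumi.String(imageAmiId),
	})
	if err != nil {
		return nil, err
	}

	// One group per private subnet, in the same order as before.
	groups := []struct {
		name         string
		instanceType string
		subnetIndex  int
	}{
		{name: "routers", instanceType: "m5.large", subnetIndex: 0},
		{name: "daemon", instanceType: "c5d.large", subnetIndex: 1},
		{name: "internal", instanceType: "m5.large", subnetIndex: 2},
	}
	for _, g := range groups {
		if _, err := newNodeGroup(ctx, cluster, vpc, instanceProfile, clusterName, g.name, g.instanceType, g.subnetIndex); err != nil {
			return nil, fmt.Errorf("creating node group %q: %w", g.name, err)
		}
	}
	return cluster, nil
}

// newNodeGroup creates one self-managed node group named groupName in the
// private subnet at position subnetIndex of vpc.PrivateSubnetIds, with a
// fixed 1/1/10 desired/min/max size. The subnet lookup fails with an error
// instead of panicking when the VPC has fewer private subnets than expected.
func newNodeGroup(ctx *pulumi.Context, cluster *eks.Cluster, vpc *ec2.Vpc, instanceProfile *iam.InstanceProfile, clusterName, groupName, instanceType string, subnetIndex int) (*eks.NodeGroupV2, error) {
	subnetID := vpc.PrivateSubnetIds.ApplyT(func(ids []string) (string, error) {
		if subnetIndex < 0 || subnetIndex >= len(ids) {
			return "", fmt.Errorf("node group %q: private subnet index %d out of range (have %d subnets)", groupName, subnetIndex, len(ids))
		}
		return ids[subnetIndex], nil
	}).(pulumi.StringOutput)

	return eks.NewNodeGroupV2(ctx, groupName, &eks.NodeGroupV2Args{
		Cluster:         cluster,
		InstanceType:    pulumi.String(instanceType),
		DesiredCapacity: pulumi.Int(1),
		MinSize:         pulumi.Int(1),
		MaxSize:         pulumi.Int(10),
		NodeSubnetIds:   pulumi.StringArray{subnetID},
		InstanceProfile: instanceProfile,
		Labels: map[string]string{
			"cluster-name":   clusterName,
			"nodegroup-name": groupName,
		},
	}, pulumi.DependsOn([]pulumi.Resource{cluster}))
}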
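// main is the Pulumi program entry point; the stack is assembled in deploy so
// that every error flows back through pulumi.Run.
func main() {
	pulumi.Run(deploy)
}

// deploy builds the stack in dependency order: VPC, worker IAM role and
// instance profile, EKS cluster with its node groups, then a Kubernetes
// provider bound to the new cluster's kubeconfig and the in-cluster objects
// (the "daemon" and "internal" namespaces and a "local-storage" StorageClass
// with no provisioner). The cluster name and kubeconfig are exported as stack
// outputs.
//
// It refuses to run unless the configured AWS region is eu-west-1, because the
// VPC's availability zones (see newVPC) and the node AMI ID are specific to
// that region.
func deploy(ctx *pulumi.Context) error {
	const region = "eu-west-1"
	clusterName := "my-cluster-aws-" + region
	// NOTE(review): AMI IDs are per-region and go stale; this one has to be
	// refreshed by hand whenever the region or Kubernetes version changes.
	imageAmiId := "ami-0b429fd2c7bbec0d5"

	reg, err := aws.GetRegion(ctx, nil, nil)
	if err != nil {
		return err
	}
	if region != reg.Id {
		return fmt.Errorf("invalid region configured. expected %s, got %s", region, reg.Id)
	}

	vpc, err := newVPC(ctx, clusterName)
	if err != nil {
		return err
	}
	instanceRole, instanceProfile, err := createClusterRole(ctx, clusterName)
	if err != nil {
		return err
	}
	cluster, err := createCluster(ctx, clusterName, imageAmiId, vpc, instanceRole, instanceProfile)
	if err != nil {
		return err
	}

	ctx.Export("clusterName", cluster.Core.Cluster().Name())
	// NOTE(review): the kubeconfig is exported unmarked. That is acceptable
	// while it relies on exec-based AWS authentication with no embedded
	// credentials — confirm; otherwise wrap it in pulumi.ToSecret.
	ctx.Export("kubeconfig", cluster.Kubeconfig)

	// Previously this error was discarded (`k, _ :=`); a failed lookup would
	// have handed the provider an empty kubeconfig and failed much later.
	kubeconfig, err := cluster.GetKubeconfig(ctx, nil)
	if err != nil {
		return fmt.Errorf("getting kubeconfig: %w", err)
	}
	k8sProvider, err := kubernetes.NewProvider(ctx, "k8s-provider", &kubernetes.ProviderArgs{
		Kubeconfig: kubeconfig,
	})
	if err != nil {
		return err
	}

	for _, ns := range []string{"daemon", "internal"} {
		if err := newNamespace(ctx, k8sProvider, ns); err != nil {
			return fmt.Errorf("creating namespace %q: %w", ns, err)
		}
	}

	// WaitForFirstConsumer defers binding until a pod is scheduled, which is
	// what statically provisioned local volumes need.
	_, err = storagev1.NewStorageClass(ctx, "local-storage", &storagev1.StorageClassArgs{
		Metadata: &metav1.ObjectMetaArgs{
			Name: pulumi.String("local-storage"),
		},
		Provisioner:       pulumi.String("kubernetes.io/no-provisioner"),
		VolumeBindingMode: pulumi.String("WaitForFirstConsumer"),
	}, pulumi.Provider(k8sProvider))
	return err
}

// newNamespace creates a Namespace called name, labelled name=<name>, through
// the given Kubernetes provider. The Pulumi resource name equals the
// namespace name, as in the original inline code.
func newNamespace(ctx *pulumi.Context, provider *kubernetes.Provider, name string) error {
	_, err := corev1.NewNamespace(ctx, name, &corev1.NamespaceArgs{
		Metadata: &metav1.ObjectMetaArgs{
			Name: pulumi.String(name),
			Labels: pulumi.StringMap{
				"name": pulumi.String(name),
			},
		},
	}, pulumi.Provider(provider))
	return err
}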
Output of `pulumi about`:
CLI
Version 3.132.0
Go Version go1.23.1
Go Compiler gc
Plugins
KIND NAME VERSION
resource aws 6.51.1
resource awsx 2.14.0
resource docker 4.4.3
resource eks 2.7.9
language go 3.132.0
resource kubernetes 4.18.1
Host
OS darwin
Version 14.5
Arch x86_64
This project is written in go: executable='/usr/local/bin/go' version='go version go1.22.3 darwin/amd64'
Current Stack: organization/pulu/d
TYPE URN
pulumi:providers:aws urn:pulumi:d::pulu::pulumi:providers:aws::default_6_51_1
pulumi:pulumi:Stack urn:pulumi:d::pulu::pulumi:pulumi:Stack::pulu-d
pulumi:providers:awsx urn:pulumi:d::pulu::pulumi:providers:awsx::default_2_14_0
awsx:ec2:Vpc urn:pulumi:d::pulu::awsx:ec2:Vpc::my-cluster-aws-eu-west-1-vpc
aws:iam/role:Role urn:pulumi:d::pulu::aws:iam/role:Role::my-cluster-aws-eu-west-1-instance-role
pulumi:providers:aws urn:pulumi:d::pulu::pulumi:providers:aws::default_6_47_0
aws:iam/instanceProfile:InstanceProfile urn:pulumi:d::pulu::aws:iam/instanceProfile:InstanceProfile::my-cluster-aws-eu-west-1-instance-profile
aws:ec2/vpc:Vpc urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc::my-cluster-aws-eu-west-1-vpc
aws:ec2/internetGateway:InternetGateway urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/internetGateway:InternetGateway::my-cluster-aws-eu-west-1-vpc
aws:ec2/subnet:Subnet urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-private-2
aws:ec2/subnet:Subnet urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-private-3
aws:ec2/subnet:Subnet urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-private-1
aws:ec2/routeTable:RouteTable urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-private-2
aws:ec2/routeTable:RouteTable urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-private-3
aws:ec2/routeTable:RouteTable urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-private-1
aws:ec2/routeTableAssociation:RouteTableAssociation urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-private-2
aws:ec2/routeTableAssociation:RouteTableAssociation urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-private-3
aws:ec2/routeTableAssociation:RouteTableAssociation urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-private-1
aws:ec2/subnet:Subnet urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-public-1
aws:ec2/subnet:Subnet urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-public-2
aws:ec2/subnet:Subnet urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-public-3
aws:ec2/routeTable:RouteTable urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-public-1
aws:ec2/eip:Eip urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::my-cluster-aws-eu-west-1-vpc-1
aws:ec2/eip:Eip urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::my-cluster-aws-eu-west-1-vpc-2
aws:ec2/routeTable:RouteTable urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-public-3
aws:ec2/eip:Eip urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::my-cluster-aws-eu-west-1-vpc-3
aws:ec2/routeTable:RouteTable urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-public-2
aws:ec2/routeTableAssociation:RouteTableAssociation urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-public-1
aws:ec2/routeTableAssociation:RouteTableAssociation urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-public-2
aws:ec2/routeTableAssociation:RouteTableAssociation urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-public-3
aws:ec2/route:Route urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-public-1
aws:ec2/route:Route urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-public-3
aws:ec2/route:Route urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-public-2
aws:ec2/natGateway:NatGateway urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::my-cluster-aws-eu-west-1-vpc-1
aws:ec2/route:Route urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-private-1
aws:ec2/natGateway:NatGateway urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::my-cluster-aws-eu-west-1-vpc-3
aws:ec2/route:Route urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-private-3
aws:ec2/natGateway:NatGateway urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::my-cluster-aws-eu-west-1-vpc-2
aws:ec2/route:Route urn:pulumi:d::pulu::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-private-2
pulumi:providers:pulumi urn:pulumi:d::pulu::pulumi:providers:pulumi::default
pulumi:providers:eks urn:pulumi:d::pulu::pulumi:providers:eks::default_2_7_9
eks:index:Cluster urn:pulumi:d::pulu::eks:index:Cluster::my-cluster-aws-eu-west-1
eks:index:ServiceRole urn:pulumi:d::pulu::eks:index:Cluster$eks:index:ServiceRole::my-cluster-aws-eu-west-1-eksRole
pulumi:providers:aws urn:pulumi:d::pulu::pulumi:providers:aws::default_6_45_0
aws:iam/role:Role urn:pulumi:d::pulu::eks:index:Cluster$eks:index:ServiceRole$aws:iam/role:Role::my-cluster-aws-eu-west-1-eksRole-role
aws:iam/rolePolicyAttachment:RolePolicyAttachment urn:pulumi:d::pulu::eks:index:Cluster$eks:index:ServiceRole$aws:iam/rolePolicyAttachment:RolePolicyAttachment::my-cluster-aws-eu-west-1-eksRole-4b490823
aws:ec2/securityGroup:SecurityGroup urn:pulumi:d::pulu::eks:index:Cluster$aws:ec2/securityGroup:SecurityGroup::my-cluster-aws-eu-west-1-eksClusterSecurityGroup
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksClusterInternetEgressRule
aws:eks/cluster:Cluster urn:pulumi:d::pulu::eks:index:Cluster$aws:eks/cluster:Cluster::my-cluster-aws-eu-west-1-eksCluster
pulumi:providers:kubernetes urn:pulumi:d::pulu::eks:index:Cluster$pulumi:providers:kubernetes::my-cluster-aws-eu-west-1-provider
pulumi:providers:kubernetes urn:pulumi:d::pulu::eks:index:Cluster$pulumi:providers:kubernetes::my-cluster-aws-eu-west-1-eks-k8s
aws:iam/openIdConnectProvider:OpenIdConnectProvider urn:pulumi:d::pulu::eks:index:Cluster$aws:iam/openIdConnectProvider:OpenIdConnectProvider::my-cluster-aws-eu-west-1-oidcProvider
aws:ec2/securityGroup:SecurityGroup urn:pulumi:d::pulu::eks:index:Cluster$aws:ec2/securityGroup:SecurityGroup::my-cluster-aws-eu-west-1-nodeSecurityGroup
kubernetes:core/v1:ConfigMap urn:pulumi:d::pulu::eks:index:Cluster$kubernetes:core/v1:ConfigMap::my-cluster-aws-eu-west-1-nodeAccess
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksExtApiServerClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksNodeIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksNodeClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksNodeInternetEgressRule
eks:index:VpcCni urn:pulumi:d::pulu::eks:index:Cluster$eks:index:VpcCni::my-cluster-aws-eu-west-1-vpc-cni
eks:index:NodeGroupV2 urn:pulumi:d::pulu::eks:index:NodeGroupV2::internal
eks:index:NodeGroupV2 urn:pulumi:d::pulu::eks:index:NodeGroupV2::daemon
eks:index:NodeGroupV2 urn:pulumi:d::pulu::eks:index:NodeGroupV2::routers
pulumi:providers:kubernetes urn:pulumi:d::pulu::pulumi:providers:kubernetes::k8s-provider
aws:ec2/securityGroup:SecurityGroup urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroup:SecurityGroup::internal-nodeSecurityGroup
aws:ec2/securityGroup:SecurityGroup urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroup:SecurityGroup::routers-nodeSecurityGroup
aws:ec2/securityGroup:SecurityGroup urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroup:SecurityGroup::daemon-nodeSecurityGroup
kubernetes:storage.k8s.io/v1:StorageClass urn:pulumi:d::pulu::kubernetes:storage.k8s.io/v1:StorageClass::local-storage
kubernetes:core/v1:Namespace urn:pulumi:d::pulu::kubernetes:core/v1:Namespace::internal
kubernetes:core/v1:Namespace urn:pulumi:d::pulu::kubernetes:core/v1:Namespace::daemon
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::internal-eksExtApiServerClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::internal-eksClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::routers-eksNodeIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::daemon-eksNodeIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::internal-eksNodeInternetEgressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::routers-eksClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::routers-eksNodeClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::daemon-eksNodeInternetEgressRule
aws:ec2/launchTemplate:LaunchTemplate urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/launchTemplate:LaunchTemplate::internal-launchTemplate
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::internal-eksNodeIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::daemon-eksClusterIngressRule
aws:ec2/launchTemplate:LaunchTemplate urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/launchTemplate:LaunchTemplate::routers-launchTemplate
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::routers-eksExtApiServerClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::daemon-eksExtApiServerClusterIngressRule
aws:ec2/launchTemplate:LaunchTemplate urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/launchTemplate:LaunchTemplate::daemon-launchTemplate
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::internal-eksNodeClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::routers-eksNodeInternetEgressRule
aws:ec2/securityGroupRule:SecurityGroupRule urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:ec2/securityGroupRule:SecurityGroupRule::daemon-eksNodeClusterIngressRule
aws:autoscaling/group:Group urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:autoscaling/group:Group::internal
aws:autoscaling/group:Group urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:autoscaling/group:Group::daemon
aws:autoscaling/group:Group urn:pulumi:d::pulu::eks:index:NodeGroupV2$aws:autoscaling/group:Group::routers
Found no pending operations associated with d
Backend
Name v-MacBook-Pro.local
URL file://~
User avi
Organizations
Token type personal
Dependencies:
NAME VERSION
github.com/pulumi/pulumi-aws/sdk/v6 v6.51.1
github.com/pulumi/pulumi-awsx/sdk/v2 v2.14.0
github.com/pulumi/pulumi-eks/sdk/v2 v2.7.9
github.com/pulumi/pulumi-kubernetes/sdk/v4 v4.18.1
github.com/pulumi/pulumi/sdk/v3 v3.132.0
Hey @avinassh, the example you're referencing shows how to set up self-managed node groups in two different ways. What's important to note here is that each self-managed node group gets its own security group. Those security groups are created with only the minimal required rules. This means that by default nodes in one group aren't allowed to communicate with nodes in the other group.
This has the effect that pods on one self managed node group cannot communicate with pods on another self-managed node group by default. Can you please try adding the required ingress rules between the different node groups? Or simpler, just create a single node group.
Generally I'd recommend using EKS managed node groups instead (unless self-managed is a requirement). The managed node groups are generally easier to operate. They also share the same security group as the API server (see https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html), so you do not have to set up additional ingress rules for cross-node-group traffic.
This is how you can create a managed node group: https://github.com/pulumi/pulumi-eks/blob/8bb0b9ee3f8b13b3be6989d7cfe1f8b80e5fba8a/examples/managed-nodegroups/index.ts#L42-L50
Hey @flostadler, it worked! Thank you so much for offering the solution.
Regarding managed vs non managed nodes, I don't have any strong opinions (or requirements), so I will definitely explore managed nodes.
What happened?
I am new to Pulumi and infra things. So I set up an EKS cluster following the documentation and examples. However, I am finding DNS and networking within the pods to be broken. My app is simple: at startup it calls an external API and fatals if that call fails.
What I noticed was, out of 4 pods only two were crashing. The other two were able to make this call and start the pod:
So this ruled out an IAM policy or permissions issue. This also confirms that NAT/IGN have been set up. I ran a test
nicolaka/netshoot
image and checked the DNS configuration. I restarted the CoreDNS pods; this time I was able to ping one of the pod IPs (but the service IP still failed). Upon restarting CoreDNS, one of the
sync-app
pods was also able to connect to the external API and became healthy.
Example
My code is in Go. Since I am new to Pulumi, I assumed I was making some mistake. So I tested with the https://github.com/pulumi/pulumi-eks/tree/204401a/examples/nodegroup example and noticed the same issue. Here is how you can reproduce it:
nodegroup
example
If the above worked, then most likely it was able to connect to a healthy CoreDNS pod. After creating 1-2 more pods, you can run into this issue. I will share my Go version of the code in some time.
Output of
pulumi about
Additional context
No response