AWS Add-On beta

The AWS add-on enables the Kubernetes control plane to be configured to use the Amazon Web Services (AWS) cloud provider integration. For more information about these components, see the Kubernetes cloud-provider-aws repository. For information about the kubeadm add-on, see Kubernetes (kubeadm) Add-On.

This integration, provided by Kubernetes, creates an interface between the Kubernetes cluster and specific AWS APIs. This enables the:

For more information about the AWS cloud provider, see AWS Cloud Provider in the Kubernetes documentation.

Prerequisite

IAM Roles and Policies

The AWS cloud provider performs some tasks on behalf of the operator, such as creating an ELB or an EBS volume. Because of this, you must create identity and access management (IAM) policies in your AWS account that grant only the permissions those tasks need.

For more information about AWS IAM, see AWS Identity and Access Management (IAM) in the AWS documentation.

For more information about the required permissions for Amazon Web Services (AWS) cloud provider integration, see the Prerequisites section in the Kubernetes documentation.

Applying Policies by Tagging AWS Resources

After the prerequisite policies are created, you must assign them to the appropriate resources in your AWS account.

For more information about AWS policies prerequisites, see Prerequisites in the Kubernetes documentation.

For more information about tagging, see AWS Documentation: Tagging your Amazon EC2 Resources in the AWS documentation.

The following resources are discovered and managed only after the tags are assigned:

  • EC2 instances: The Elastic Compute Cloud (EC2) instances used for the kURL cluster. See Elastic Compute Cloud (EC2) in the AWS documentation.
  • Security Groups: The security groups used by the nodes in the kURL cluster.
  • Subnet: The subnets used by the kURL cluster.
  • VPC: The VPC used by the kURL cluster.

These resources must have a tag with the key `kubernetes.io/cluster/<cluster-name>`. By default, the Kubernetes add-on uses the cluster name `kubernetes`. The value for this key is `owned`. Alternatively, if you choose to share resources between clusters, the value `shared` can be used. For more information about the Kubernetes add-on, see Advanced Install Options in Kubernetes add-on.

Requirements and Limitations

Supported Configurations

The AWS add-on is supported only:

  • When the cluster created by kURL is installed on an AWS EC2 instance.
  • With the Kubernetes (kubeadm) add-on. See Kubernetes (kubeadm) add-on.

AWS ELB and Kubernetes LoadBalancer Service Requirements

There are additional requirements when creating a LoadBalancer service:

  • The AWS cloud provider requires that a minimum of two nodes is available in the cluster and that one of the nodes is assigned the worker node role in order to use this integration. See Kubernetes AWS Cloud Provider in the Kubernetes documentation. If two nodes, one of which is a worker node, are not available, an AWS administrator for your account must manually register the ELB in the AWS management console.
  • When creating a LoadBalancer service where there is more than one security group attached to your cluster nodes, you must tag only one of the security groups as owned so that Kubernetes knows which group to add and remove rules from. A single, untagged security group is allowed, however, sharing this untagged security group between clusters is not recommended.
  • Kubernetes uses subnet tagging to attempt to discover the correct subnet for the LoadBalancer service. This requires that these internet-facing and internal AWS ELB resources are properly tagged in your AWS account to operate successfully. For more information about AWS subnet tagging, see AWS Documentation: Subnet tagging for load balancers in the AWS documentation.
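The tagging rules above (every EC2 instance, security group, subnet and VPC carries `kubernetes.io/cluster/<cluster-name>` with the value `owned` or `shared`, and at most one security group is tagged `owned`) are easy to get subtly wrong, and the cloud provider only reports the result as a LoadBalancer that never gets an ELB. The following pre-flight check is an added example written for this page; it is not part of kURL or of the Kubernetes cloud provider. It works on a resource inventory in the shape the AWS `describe-*` APIs return (id, type, tag map), uses a constructed sample inventory with placeholder ids, and only builds `aws ec2 create-tags` commands for review rather than calling AWS itself.

```python
"""Pre-flight check for the kubernetes.io/cluster/<name> tags that the AWS
cloud provider relies on. Added example; not part of kURL or the cloud provider.

Each inventory entry is a dict with "id", "type" and "tags" ({key: value}),
mirroring what the AWS describe-instances / describe-security-groups /
describe-subnets / describe-vpcs calls return. The sample inventory below is
constructed for illustration; the ids are placeholders, not real AWS ids.
"""

CLUSTER_NAME = "kubernetes"  # default cluster name used by the kURL Kubernetes add-on
TAG_KEY = f"kubernetes.io/cluster/{CLUSTER_NAME}"
VALID_VALUES = {"owned", "shared"}
REQUIRED_TYPES = {"instance", "security-group", "subnet", "vpc"}

# Constructed inventory with one instance of each mistake the page warns about.
SAMPLE_INVENTORY = [
    {"id": "i-0aaa", "type": "instance", "tags": {TAG_KEY: "owned"}},
    {"id": "i-0bbb", "type": "instance", "tags": {"Name": "worker-1"}},        # tag missing
    {"id": "sg-0111", "type": "security-group", "tags": {TAG_KEY: "owned"}},
    {"id": "sg-0222", "type": "security-group", "tags": {TAG_KEY: "owned"}},  # second "owned" SG
    {"id": "subnet-0333", "type": "subnet", "tags": {TAG_KEY: "shared"}},
    {"id": "vpc-0444", "type": "vpc", "tags": {TAG_KEY: "Owned"}},             # wrong case
]


def check_cluster_tags(inventory, tag_key=TAG_KEY):
    """Return a list of findings; an empty list means the inventory satisfies
    the tagging rules described on this page."""
    findings = []
    owned_sgs = []
    for res in inventory:
        value = res["tags"].get(tag_key)
        if value is None:
            findings.append(f"{res['type']} {res['id']}: missing tag {tag_key}")
        elif value not in VALID_VALUES:
            findings.append(
                f"{res['type']} {res['id']}: tag value {value!r} must be 'owned' or 'shared'"
            )
        elif res["type"] == "security-group" and value == "owned":
            owned_sgs.append(res["id"])
    # More than one security group tagged "owned" leaves the cloud provider
    # unable to decide which group should receive LoadBalancer rules.
    if len(owned_sgs) > 1:
        findings.append(f"multiple security groups tagged owned: {', '.join(owned_sgs)}")
    # Every resource kind the provider discovers must be represented at all.
    present_types = {r["type"] for r in inventory}
    for missing in sorted(REQUIRED_TYPES - present_types):
        findings.append(f"no {missing} resources found in inventory")
    return findings


def missing_tag_commands(inventory, tag_key=TAG_KEY, value="owned"):
    """Build `aws ec2 create-tags` commands for resources that lack the tag.
    Nothing is executed here; the operator reviews and runs them."""
    ids = [r["id"] for r in inventory if tag_key not in r["tags"]]
    return [
        f"aws ec2 create-tags --resources {rid} --tags Key={tag_key},Value={value}"
        for rid in ids
    ]


if __name__ == "__main__":
    for line in check_cluster_tags(SAMPLE_INVENTORY):
        print("FINDING:", line)
    for cmd in missing_tag_commands(SAMPLE_INVENTORY):
        print("TODO:", cmd)
```

Run the script as-is to see the three findings the constructed inventory produces; to use it against a real account, replace `SAMPLE_INVENTORY` with the tag data of your own instances, security groups, subnets and VPC, and set `CLUSTER_NAME` to the name you configured in the Kubernetes add-on if it is not the default.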

Advanced Install Options

The following example shows the exclusion of the AWS-EBS provisioner storage class provided by the AWS add-on:

```yaml
spec:
  aws:
    version: 0.1.0
    excludeStorageClass: true   # true excludes the AWS-EBS storage class; the default is false
```

| Flag | Usage |
|------|-------|
| `version` | The version of aws to be installed. |
| `excludeStorageClass` | Exclude the AWS-EBS provisioner storage class provided by the AWS add-on. When `true`, another storage provisioner, such as Longhorn, must be used. |

Using a Volume Provisioner with the AWS Add-On

When the AWS add-on is enabled, you do not need to add a volume provisioner add-on to the kURL specification because you can use the default AWS EBS volume provisioner.

For more information about the AWS EBS volume provisioner, see Amazon Elastic Block Store (EBS) in the AWS documentation.