EKS and ECR VPC endpoints

Question (votes: 0, answers: 1)

I am trying to configure VPC endpoints for ECR from EKS. The EKS cluster has two public subnets. I am using Terraform to provision everything.

# VPC for EKS Cluster
resource "aws_vpc" "primary" {
  cidr_block = "10.0.0.0/16"

  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    environment = var.environment
    Name        = "${var.environment}-eks-vpc"
  }

}


# Primary Subnet for EKS
resource "aws_subnet" "eks_primary" {
  vpc_id                  = var.eks_vpc_id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "eu-central-1a"
  map_public_ip_on_launch = true

  tags = {
    Name = "${var.environment}-eks-primary-subnet"
  }
}

# Secondary Subnet for EKS
resource "aws_subnet" "eks_secondary" {
  vpc_id                  = var.eks_vpc_id
  cidr_block              = "10.0.2.0/24"
  availability_zone       = "eu-central-1b"
  map_public_ip_on_launch = true

  tags = {
    Name = "${var.environment}-eks-secondary-subnet"
  }
}

map_public_ip_on_launch = true is set, so the subnets assign public IPs as expected. Below is my EKS Terraform configuration.

resource "aws_eks_cluster" "main" {
  name     = "hehe-${var.environment}"
  role_arn = var.role_arn_primary

  vpc_config {
    subnet_ids = [var.eks_subnet_id_primary, var.eks_subnet_id_secondary]
  }

  tags = {
    environment = var.environment
  }

}

resource "aws_eks_node_group" "main" {
  cluster_name    = aws_eks_cluster.main.name
  node_group_name = "system"
  node_role_arn   = var.role_arn_secondary
  subnet_ids      = [var.eks_subnet_id_primary, var.eks_subnet_id_secondary]

  tags = {
    environment = var.environment
  }

  scaling_config {
    desired_size = 1
    max_size     = 2
    min_size     = 1
  }

  update_config {
    max_unavailable = 1
  }

}

Below are the VPC endpoints for ECR in the public subnets.

# VPC Endpoint for ECR API in the EKS VPC
resource "aws_vpc_endpoint" "ecr_api" {
  vpc_id             = var.eks_vpc_id
  service_name       = "com.amazonaws.eu-central-1.ecr.api"
  subnet_ids         = [var.eks_primary_subnet_id, var.eks_secondary_subnet_id]
  security_group_ids = [var.eks_security_group_id]
  vpc_endpoint_type  = "Interface"

  private_dns_enabled = true


  tags = {
    environment = var.environment
    Name        = "${var.environment}-vpc-endpoint-api"
  }

}

# VPC Endpoint for ECR DKR API in the EKS VPC
resource "aws_vpc_endpoint" "ecr_dkr" {
  vpc_id             = var.eks_vpc_id
  service_name       = "com.amazonaws.eu-central-1.ecr.dkr"
  subnet_ids         = [var.eks_primary_subnet_id, var.eks_secondary_subnet_id]
  security_group_ids = [var.eks_security_group_id]
  vpc_endpoint_type  = "Interface"

  private_dns_enabled = true

  tags = {
    environment = var.environment
    Name        = "${var.environment}-vpc-endpoint-dkr"
  }

}

# VPC Endpoint for ECR S3 API in the EKS VPC
resource "aws_vpc_endpoint" "s3" {
  vpc_id             = var.eks_vpc_id
  service_name       = "com.amazonaws.eu-central-1.s3"
  security_group_ids = [var.eks_security_group_id]
  vpc_endpoint_type = "Gateway"

  route_table_ids = [var.route_table_id]

  tags = {
    environment = var.environment
    Name        = "${var.environment}-vpc-endpoint-s3"
  }

}

I get the following error:

creating: unexpected state 'CREATE_FAILED', wanted target 'ACTIVE'. last error: NodeCreationFailure: Instances failed to join the kubernetes cluster

The EKS node group cannot join the EKS cluster.

However, if I remove enable_dns_support = true and enable_dns_hostnames = true from the VPC, the node group can join the EKS cluster, but nslookup of the ECR endpoints does not resolve to private IPs. Any idea what is going wrong?

amazon-web-services terraform amazon-vpc vpc-endpoint
1 answer

Answer (votes: 0)

Make sure your VPC's DHCP options have [AmazonProvidedDNS][1] as a value in the DNS server list of the Terraform aws_vpc_dhcp_options resource.

Another point: I think you also need to define an endpoint for EC2, com.amazonaws.region-code.ec2, since it is required for a private EKS configuration. But it is not clear from your post whether you are trying to configure EKS in private or public mode.
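The two points in the answer (Amazon-provided DNS in the VPC's DHCP options, and an EC2 interface endpoint) as one Terraform fragment. This is an added example, not code from the question or the answer; it assumes the aws_vpc.primary and aws_subnet.eks_primary / eks_secondary resources from the question, the variable var.environment, and the region eu-central-1. It also adds a dedicated security group for the endpoint network interfaces, because an interface endpoint only works if its security group allows inbound TCP 443 from the nodes; reusing a cluster security group that lacks that rule is a common reason for image pulls to hang even when DNS resolves correctly.

```hcl
# DHCP options handing out the Amazon-provided resolver (the VPC base
# address + 2). Private DNS on interface endpoints only returns the endpoint
# ENI addresses when the nodes query this resolver, and the VPC must keep
# enable_dns_support and enable_dns_hostnames set to true.
resource "aws_vpc_dhcp_options" "eks" {
  domain_name         = "eu-central-1.compute.internal"
  domain_name_servers = ["AmazonProvidedDNS"]

  tags = {
    environment = var.environment
    Name        = "${var.environment}-eks-dhcp-options"
  }
}

resource "aws_vpc_dhcp_options_association" "eks" {
  vpc_id          = aws_vpc.primary.id
  dhcp_options_id = aws_vpc_dhcp_options.eks.id
}

# Least-privilege security group for the interface endpoint ENIs: only HTTPS
# from inside the VPC, and no egress is needed because endpoints never initiate
# connections.
resource "aws_security_group" "vpc_endpoints" {
  name        = "${var.environment}-vpc-endpoints"
  description = "HTTPS from the VPC to interface endpoints"
  vpc_id      = aws_vpc.primary.id

  ingress {
    description = "HTTPS from nodes in the VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.primary.cidr_block]
  }

  tags = {
    environment = var.environment
    Name        = "${var.environment}-vpc-endpoints-sg"
  }
}

# EC2 API endpoint. The node bootstrap and the in-cluster AWS controllers call
# the EC2 API; without a route to it (public or via this endpoint) the nodes
# never register with the cluster.
resource "aws_vpc_endpoint" "ec2" {
  vpc_id              = aws_vpc.primary.id
  service_name        = "com.amazonaws.eu-central-1.ec2"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.eks_primary.id, aws_subnet.eks_secondary.id]
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true

  tags = {
    environment = var.environment
    Name        = "${var.environment}-vpc-endpoint-ec2"
  }
}
```

After applying, verifying from a node that the ECR hostnames resolve into the VPC CIDR (10.0.0.0/16 in the question) confirms that private DNS is taking effect; if they still resolve to public addresses, the node is not using the VPC resolver or the DHCP option set is not associated with the VPC.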
