EKS Getting Started Guide Configuration

This is the full configuration from

See that guide for additional information.

NOTE: This full configuration utilizes the Terraform http provider to call out to to determine your local workstation external IP for easily configuring EC2 Security Group access to the Kubernetes master servers. Feel free to replace this as necessary.

Create the EKS cluster via Terraform

  1. terraform apply
  2. Run terraform output config_map_aws_auth > config_map_aws_auth.yaml to save the configuration into a file, e.g. config_map_aws_auth.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::131778002569:role/terraform-eks-demo-node
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes

  3. Then apply it to the cluster, which allows worker nodes to join the cluster
➜  aws-eks git:(master) ✗ kubectl apply -f config_map_aws_auth.yaml
configmap "aws-auth" created
  4. Verify nodes are joining to the cluster.
kubectl get nodes --watch

Kubectl setup on osx

  1. Check the version of your kubectl
    kubectl version --short --client
  2. Get the recommended version of kubectl if you have not already. docs
    curl -o kubectl
  3. Get the iam authenticator
    curl -o aws-iam-authenticator
  4. Update the EKS kubeconfig: aws eks update-kubeconfig --name terraform-eks-demo --region=us-west-2
➜  .kube git:(master) aws eks update-kubeconfig --name terraform-eks-demo --region=us-west-2
Added new context arn:aws:eks:us-west-2:131778002569:cluster/terraform-eks-demo to /Users/shaytac/.kube/config

module 'distutils' has no attribute 'spawn'
  5. Check that you can issue commands against the cluster. If you receive a username/password prompt, that is most likely due to an outdated kubectl version.
➜ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   <none>        443/TCP   52m

  1. Managing Users or IAM Roles for your Cluster

  2. Deploy the Kubernetes dashboard to your cluster:

kubectl apply -f
  3. Deploy heapster
kubectl apply -f
  4. Deploy the influxdb backend for heapster to your cluster:
kubectl apply -f
  5. Create the heapster cluster role binding for the dashboard:
kubectl apply -f

  6. Create an eks admin account [file](./eks-admin-account.yml)
kubectl apply -f eks-admin-service-account.yml
  7. Bind the admin role to the eks admin account
kubectl apply -f eks-admin-cluster-role-binding.yml
  8. Now, using the eks-admin account, connect to the dashboard.
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}')
  9. Start the kubectl proxy
➜  aws-eks git:(master) ✗ kubectl proxy
Starting to serve on
  10. Connect to dashboard.
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}')


Name:         eks-admin-token-b5zv4
Namespace:    kube-system
Labels:       <none>


ca.crt:     1025 bytes
namespace:  11 bytes
token:      ------> <authentication_token> <------
➜  ~ kubectl --namespace kube-system get services
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP      <none>        53/UDP,53/TCP   1h
kubernetes-dashboard   ClusterIP   <none>        443/TCP         22m

Installing Helm on Kubernetes cluster

  1. brew install helm
  2. Make sure to have current context set to desired cluster
➜  ~ kubectl config current-context
  3. Execute helm init

In case of following error

➜  ~ helm install --name my-release stable/nginx-ingress
Error: release my-release failed: namespaces "default" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "default"

Installing Nginx ingress

Based on this guide

➜  nginx-ingress git:(master) ✗ cat ns-and-sa.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: nginx-ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress
  namespace: nginx-ingress

➜  aws-eks git:(master) ✗ kubectl apply -f nginx-ingress/ns-and-sa.yaml
namespace "nginx-ingress" created
serviceaccount "nginx-ingress" created
➜  aws-eks git:(master) ✗ kubectl apply -f ./nginx-ingress/default-server-secret.yaml
secret "default-server-secret" created
kubectl apply -f common/nginx-config.yaml
  1. Create an nginx ingress deployment
➜  nginx-ingress git:(master) ✗ kubectl apply -f ./deployments/nginx-ingress.yaml
deployment.extensions "nginx-ingress" created
  2. Create a DaemonSet
➜  nginx-ingress git:(master) ✗ kubectl apply -f daemon-set/nginx-ingress.yaml
daemonset.extensions "nginx-ingress" created

  3. Apply RBAC
➜  nginx-ingress git:(master) ✗ kubectl apply -f rbac.yaml
"nginx-ingress" created
"nginx-ingress" created

If this is not set up correctly, pods will crash with the following error:

➜  nginx-ingress git:(master) ✗ kubectl --namespace=nginx-ingress logs -p nginx-ingress-6gmkp
I0210 03:25:38.390831       1 main.go:118] Starting NGINX Ingress controller Version=edge GitCommit=9a21a40b
F0210 03:25:38.399951       1 main.go:177] Error when getting nginx-ingress/default-server-secret: secrets "default-server-secret" is forbidden: User "system:serviceaccount:nginx-ingress:nginx-ingress" cannot get secrets in the namespace "nginx-ingress"
  4. Create a service with the Type LoadBalancer
➜  nginx-ingress git:(master) ✗ kubectl apply -f service/loadbalancer-aws-elb.yaml
service "nginx-ingress" created
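
The RBAC denial in the pod log earlier in this section names the subject, verb, resource, object and namespace, which is enough to write the narrowest grant that clears it. The script below is an added example, not part of this repository or its rbac.yaml: it parses that log line and emits a Role and RoleBinding scoped to the single denied object. The function names and the generated Role name are hypothetical, and it assumes a ServiceAccount subject and a core-API-group resource.

```shell
#!/bin/sh
# Added example: derive a least-privilege Role from an RBAC "forbidden" log line.
# Assumes a ServiceAccount subject and a core-API-group resource (e.g. secrets).
# Sample input: the fatal line copied from the nginx-ingress pod log on this page.
SAMPLE='F0210 03:25:38.399951       1 main.go:177] Error when getting nginx-ingress/default-server-secret: secrets "default-server-secret" is forbidden: User "system:serviceaccount:nginx-ingress:nginx-ingress" cannot get secrets in the namespace "nginx-ingress"'

# parse_denial LINE
# Prints "sa_namespace sa_name verb resource object namespace"; fails if LINE is not a denial.
parse_denial() {
  printf '%s\n' "$1" | sed -n -E \
    's/.*[a-z]+ "([^"]+)" is forbidden: User "system:serviceaccount:([^:"]+):([^"]+)" cannot ([a-z]+) ([a-z]+) in the namespace "([^"]+)".*/\2 \3 \4 \5 \1 \6/p' \
    | grep .
}

# render_role LINE
# Emits a Role limited to the one verb and the one named object that was denied,
# plus a RoleBinding for the denied ServiceAccount. The Role name is hypothetical.
render_role() {
  fields=$(parse_denial "$1") || return 1
  set -- $fields
  name="$2-$3-$5"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $name
  namespace: $6
rules:
  - apiGroups: [""]
    resources: ["$4"]
    resourceNames: ["$5"]
    verbs: ["$3"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $name
  namespace: $6
subjects:
  - kind: ServiceAccount
    name: $2
    namespace: $1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $name
EOF
}
render_role "$SAMPLE"
```

resourceNames narrows get to the single named object; it cannot constrain create requests, so review any such verbs by hand before applying the output.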

Optional demo app deployment with ingress based on nginx docs

  1. Create coffee and tea services that we will be using to test the ingress controller deployment
kubectl create -f cafe.yaml
  2. Create ingress resource for demo-app
➜  aws-eks git:(master) ✗ kubectl create -f cafe-ingress.yaml
ingress.extensions "cafe-ingress" created
  3. To test, set IC_HTTPS_PORT and IC_IP
➜  demo-app git:(master) ✗ nslookup

Non-authoritative answer:

➜  demo-app git:(master) ✗ export IC_HTTPS_PORT=443

➜  demo-app git:(master) ✗ export IC_IP=
➜  demo-app git:(master) curl --resolve$IC_HTTPS_PORT:$IC_IP$IC_HTTPS_PORT/coffee --insecure

Server address:
Server name: coffee-6c47b9cb9c-z67wc
Date: 10/Feb/2019:18:16:48 +0000
URI: /coffee
Request ID: f11da1407f0567199da637a0db3c9ca8

➜  demo-app git:(master) curl --resolve$IC_HTTPS_PORT:$IC_IP$IC_HTTPS_PORT/tea --insecure

Server address:
Server name: tea-58d4697745-l5xmt
Date: 10/Feb/2019:18:17:16 +0000
URI: /tea
Request ID: f4805c41008b3300c3c78fbcd35bf1e5

