Creating an Amazon EC2 Cluster
Use Rancher to create a Kubernetes cluster in Amazon EC2.
Prerequisites
- AWS EC2 Access Key and Secret Key that will be used to create the instances. See Amazon Documentation: Creating Access Keys for how to create an Access Key and Secret Key.
- IAM Policy created to add to the user of the Access Key and Secret Key. See Amazon Documentation: Creating IAM Policies (Console) for how to create an IAM policy. See our two example JSON policies below:
  - Example IAM Policy
  - Example IAM Policy with PassRole (needed if you want to use the Kubernetes Cloud Provider or want to pass an IAM Profile to an instance)
- IAM Policy added as a Permission to the user. See Amazon Documentation: Adding Permissions to a User (Console) for how to attach it to a user.
Create the cluster
- From the Clusters page, click Add Cluster.
- Choose Amazon EC2.
- Enter a Cluster Name.
Use Member Roles to configure user authorization for the cluster.
- Click Add Member to add users that can access the cluster.
- Use the Role drop-down to set permissions for each user.
Use Cluster Options to choose the version of Kubernetes, which network provider will be used, whether you want to enable Pod Security Policies, and whether the nodes added to this cluster need to have a supported Docker version installed. Refer to Selecting Cloud Providers to configure the Kubernetes Cloud Provider.
Add one or more node pools to your cluster.
A node pool is a collection of nodes based on a node template. A node template defines the configuration of a node, such as which operating system to use, the number of CPUs and the amount of memory. Each node pool must have one or more node roles assigned.
Notes:
- Each node role (i.e. etcd, Control Plane, and Worker) should be assigned to a distinct node pool. Although it is possible to assign multiple node roles to a node pool, this should not be done for production clusters.
- The recommended setup is to have a node pool with the etcd node role and a count of three, a node pool with the Control Plane node role and a count of at least two, and a node pool with the Worker node role and a count of at least two. Regarding the etcd node role, refer to the etcd Admin Guide.
- Click Add Node Template.
- Complete each of the following forms using information available from the EC2 Management Console.
  - Account Access is where you configure the region of the nodes and the credentials (Access Key and Secret Key) used to create the machine. See Prerequisites for how to create the Access Key and Secret Key and the needed permissions.
  - Zone and Network configures the availability zone and network settings for your cluster.
  - Security Groups creates or configures the Security Groups applied to your nodes. Refer to Amazon EC2 security group when using Node Driver to see what rules are created in the rancher-nodes Security Group.
  - Instance configures the instances that will be created. Make sure you configure the correct SSH User for the configured AMI.
    If you need to pass an IAM Instance Profile Name (not ARN), for example when you want to use a Kubernetes Cloud Provider, you will need an additional permission in your policy. See Example IAM Policy with PassRole for an example policy.
- Complete the Rancher Template form to configure the Docker daemon on the instances that will be created.
  - Labels can be configured on the Docker daemon.
  - Engine Options customize the configuration of the Docker daemon. Important configuration options include:
    - Docker Engine Install URL: determines which Docker version will be installed on the instance.
    - Registry mirrors: the Docker Registry mirror to be used by the Docker daemon.
- Click Create.
- Optional: Add additional node pools.
Review your cluster settings to confirm they are correct. Then click Create.
Result:
- Your cluster is created and assigned a state of Provisioning. Rancher is standing up your cluster.
- You can access your cluster after its state is updated to Active.
- Active clusters are assigned two Projects, Default (containing the namespace default) and System (containing the namespaces cattle-system, ingress-nginx, kube-public and kube-system, if present).
Example IAM Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:Describe*",
        "ec2:ImportKeyPair",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DeleteKeyPair"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:REGION::image/ami-*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:instance/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:placement-group/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:volume/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:key-pair/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:network-interface/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:security-group/*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:instance/*"
    }
  ]
}
Example IAM Policy with PassRole
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:Describe*",
        "ec2:ImportKeyPair",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DeleteKeyPair"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:REGION::image/ami-*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:instance/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:placement-group/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:volume/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:key-pair/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:network-interface/*",
        "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:security-group/*",
        "arn:aws:iam::AWS_ACCOUNT_ID:role/your-role-name"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:instance/*"
    }
  ]
}
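Before attaching either policy, it is worth checking that the REGION, AWS_ACCOUNT_ID and role-name placeholders were actually replaced and that iam:PassRole (the extra permission the Cloud Provider needs) stays pinned to one concrete role rather than "*". The following linter is an added example, not Rancher's code; the account id, region and role name in the sample policy are constructed values.

```python
import json
import re

# Constructed sample: the page's "Example IAM Policy with PassRole" with the
# REGION, AWS_ACCOUNT_ID and role-name placeholders filled with made-up values.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
   "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:Describe*", "ec2:ImportKeyPair",
              "ec2:CreateKeyPair", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DeleteKeyPair"]},
  {"Sid": "VisualEditor1", "Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"],
   "Resource": ["arn:aws:ec2:us-east-1::image/ami-*",
                "arn:aws:ec2:us-east-1:123456789012:instance/*",
                "arn:aws:iam::123456789012:role/rancher-node-role"]},
  {"Sid": "VisualEditor2", "Effect": "Allow",
   "Action": ["ec2:RebootInstances", "ec2:TerminateInstances", "ec2:StartInstances", "ec2:StopInstances"],
   "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"}]}
""")

PLACEHOLDERS = ("REGION", "AWS_ACCOUNT_ID", "your-role-name")
# One concrete IAM role ARN: a 12-digit account id and a role name without wildcards.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[^*?]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes the checks."""
    findings = []
    raw = json.dumps(policy)
    findings += [f"unreplaced placeholder {p!r}" for p in PLACEHOLDERS if p in raw]
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "ec2:*", "iam:*") for a in actions):
            findings.append(f"{sid}: wildcard action in {actions}")
        if "iam:PassRole" in actions:
            # PassRole must name the exact role Rancher may hand to an instance;
            # a "*" resource would let this key pass any role in the account.
            if "*" in resources or not any(ROLE_ARN.match(r) for r in resources):
                findings.append(f"{sid}: iam:PassRole is not scoped to one concrete role ARN")
        if "ec2:RunInstances" in actions and "*" in resources:
            findings.append(f"{sid}: ec2:RunInstances is allowed on Resource \"*\"")
    return findings
```

Run lint_policy on the JSON you are about to attach; the sample above returns no findings, while the unedited template from this page is flagged for its placeholders.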