EKS Node creation

This section describes the requirements that must be satisfied for an EC2 Nitro-capable host to be added to an EKS cluster.

Overview

In Getting Started with the Anjuna Nitro Kubernetes tools, you learned how to create a simple EKS cluster using the Anjuna Nitro Kubernetes terraform sample script.

If you already have an existing EKS cluster, using the Anjuna Nitro Kubernetes terraform sample script might not be convenient or consistent with your deployment policies.

This section provides the information you need to provision EKS nodes using your tool of choice (Terraform, CloudFormation, etc.).

Supported EC2 instances

Adding a Nitro-capable node to your EKS cluster is similar to adding a regular node to EKS. The main differences are:

  • EC2 instance type: you must select an instance type that is Nitro-capable. See Nitro Instance for an up-to-date list of instances/regions that support AWS Nitro.

  • Amazon Machine Image: It is recommended to use one of the EKS-Optimized Amazon Machine Images (see https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html for a complete list of EKS-ready AMIs), which already contain all the dependencies required for an EC2 node to join your EKS cluster. The Anjuna Nitro Kubernetes Tools have been tested on the Amazon Linux AMI.

Additional Software Packages

In addition to the standard packages needed on an EKS node, you need to install the aws-nitro-enclaves-cli package. If your EC2 host is based on the Amazon Linux AMI, run the following command:

$ sudo amazon-linux-extras install aws-nitro-enclaves-cli

EC2 Host Configuration

The EC2 host should be configured to allow EKS to manage the resources required to create Nitro enclaves:

  • Number of vCPUs reserved for a Nitro Enclave (must be even due to hyperthreading).

  • Memory configuration for the Nitro Enclave Allocator Service.

  • Kernel parameter for Huge Page support.

Here is an example of a UserData script that will set up an EC2 host that can be managed by an EKS cluster and also allow the creation of Nitro enclaves:

#!/bin/bash
# Install the Nitro Enclaves CLI, which also provides the allocator service.
amazon-linux-extras install aws-nitro-enclaves-cli

RES_CPU="${nitro_reserved_cpu}"
RES_MEM_MB="${nitro_reserved_mem_mb}"
# Number of 2 MB huge pages required to back the reserved memory.
RES_PAGES=$(( RES_MEM_MB / 2 ))
# If the requested memory is an odd number of MB, add one more page.
REMAINDER=$(( RES_MEM_MB % 2 ))
if [[ "${REMAINDER}" == "1" ]]; then
  RES_PAGES=$(( RES_PAGES + 1 ))
fi

# Keep a copy of the original allocator configuration, then write the new one.
cp /etc/nitro_enclaves/allocator.yaml /etc/nitro_enclaves/allocator-orig.yaml
echo "---" | tee /etc/nitro_enclaves/allocator.yaml
echo cpu_count: "${RES_CPU}" | tee -a /etc/nitro_enclaves/allocator.yaml
## keep memory_mib < 1GB to force usage of 2MB hugepage
echo memory_mib: 512 | tee -a /etc/nitro_enclaves/allocator.yaml

systemctl start nitro-enclaves-allocator.service
systemctl enable nitro-enclaves-allocator.service

# Reserve the huge pages now and persist the setting across reboots.
sysctl -w vm.nr_hugepages="${RES_PAGES}"
echo vm.nr_hugepages = "${RES_PAGES}" | tee /etc/sysctl.d/99-anjuna.conf

The script above uses Terraform template syntax, which supports passing parameters into the script. The parameters used in the script are:

  • nitro_reserved_cpu: the maximum number of vCPUs that can be assigned to a Nitro Enclave (must be even due to hyperthreading),

  • nitro_reserved_mem_mb: the maximum amount of memory (in MB) that can be assigned to a Nitro enclave.

You must update this script to match the syntax required by your provisioning tool.
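As an added check that is not part of the Anjuna documentation or tooling: a small shell script that verifies, on a provisioned node, that the allocator file and the huge page reservation match the values the UserData script above is meant to write. It assumes the allocator.yaml layout produced by that script; the stand-alone run uses a constructed sample file rather than a real node.

```shell
#!/bin/bash
# Added example (not from the Anjuna docs): verify a node's Nitro enclave
# settings against the reservation the UserData script was given.

# 2 MiB huge pages needed to back a memory size in MB: ceiling division, so an
# odd MB count rounds up (same result as the REMAINDER logic in the UserData).
required_hugepages() {
  echo $(( ($1 + 1) / 2 ))
}

# A Nitro enclave needs an even, non-zero vCPU count (hyperthread pairs).
cpu_count_is_valid() {
  [ "$1" -gt 0 ] && [ $(( $1 % 2 )) -eq 0 ]
}

# Read one key (e.g. cpu_count) from an allocator.yaml of the form "key: value".
allocator_value() {
  awk -v key="$2" '$1 == key ":" { print $2 }' "$1"
}

# Compare the allocator file and the live huge page count with the intended
# reservation. Arguments: allocator.yaml path, expected vCPUs, expected MB,
# HugePages_Total as reported by /proc/meminfo. Returns 0 only if all match.
check_node_config() {
  local file=$1 want_cpu=$2 want_mb=$3 pages_total=$4 rc=0
  local got_cpu
  got_cpu=$(allocator_value "$file" cpu_count)
  if ! cpu_count_is_valid "$want_cpu" || [ "$got_cpu" != "$want_cpu" ]; then
    echo "cpu_count odd or mismatched: want ${want_cpu}, allocator has ${got_cpu:-none}"
    rc=1
  fi
  if [ "$pages_total" -lt "$(required_hugepages "$want_mb")" ]; then
    echo "vm.nr_hugepages too low: ${pages_total} < $(required_hugepages "$want_mb")"
    rc=1
  fi
  return $rc
}

# Constructed sample allocator.yaml (not a real node) for a stand-alone run.
SAMPLE=$(mktemp)
printf -- '---\ncpu_count: 2\nmemory_mib: 512\n' > "$SAMPLE"
check_node_config "$SAMPLE" 2 1025 513 && echo "sample node config OK"
rm -f "$SAMPLE"
# On a real node, feed the live values instead, for example:
#   check_node_config /etc/nitro_enclaves/allocator.yaml 2 1024 \
#     "$(awk '/HugePages_Total/ { print $2 }' /proc/meminfo)"
```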

Other configurations

You must also set up the EC2 instance with an IAM Role that grants the node access to the resources needed to create, configure and run a Nitro Enclave:

  • The S3 bucket that contains the encrypted secrets

  • The AWS KMS key used to decrypt the secrets stored in that S3 bucket