EKS Node creation

This section describes the requirements that must be satisfied for an AWS Nitro-based EC2 instance to be added to an EKS cluster.

Overview

In Getting started with the Anjuna Nitro Kubernetes Toolset, you learned how to create a simple EKS cluster using the Anjuna Nitro Kubernetes terraform sample script.

If you already have an existing EKS cluster, using the Anjuna Nitro Kubernetes terraform sample script might not be convenient or consistent with your deployment policies.

This section provides information to allow you to provision EKS Nodes using your tool of choice (for example, Terraform or CloudFormation).

Supported EC2 instances

Adding an AWS Nitro-based Node to your EKS cluster is similar to adding a regular node to EKS. The main differences are:

  • EC2 instance type: you must select an AWS Nitro-based instance. See Nitro Instance for an up-to-date list of instances/regions that support AWS Nitro.

  • Amazon Machine Image: It is recommended to use one of the EKS-Optimized Amazon Machine Images (see a complete list of EKS-ready AMIs), which already contain all the dependencies required for an EC2 node to join your EKS cluster. The Anjuna Nitro Kubernetes Tools have been tested on the Amazon Linux AMI.

Additional software packages

In addition to the standard packages needed on an EKS Node, you need to install the aws-nitro-enclaves-cli package. If your EC2 host is based on the Amazon Linux AMI, run the following command:

$ sudo amazon-linux-extras install aws-nitro-enclaves-cli

EKS v1.24 and later

For EKS v1.24 and later, Docker is required if you want to build EIFs on-the-fly. If your EC2 host is based on the Amazon Linux AMI, run the following command to install Docker:

$ sudo amazon-linux-extras install docker

EC2 host configuration

The EC2 host should be configured to allow EKS to manage the resources required to create AWS Nitro Enclaves:

  • Number of vCPUs reserved for an AWS Nitro Enclave (must be even due to hyperthreading).

  • Memory configuration for the AWS Nitro Enclave Allocator Service.

  • Kernel parameter for Huge Page support.

Here is an example of a UserData script that will set up an EC2 host that can be managed by an EKS cluster and also allow the creation of AWS Nitro Enclaves:

#!/bin/bash
amazon-linux-extras install aws-nitro-enclaves-cli

# To build EIFs on-the-fly on EKS v1.24 and later, you must ensure that the
# Docker service is installed and running:
INSTALL_DOCKER=true

RES_CPU="${nitro_reserved_cpu}"
RES_MEM_MB="${nitro_reserved_mem_mb}"
# Number of 2MB hugepages required for the reserved memory; when the
# requested amount is an odd number of MB, round up to one more page
RES_PAGES=$(( (RES_MEM_MB + 1) / 2 ))

# Keep a copy of the packaged allocator config, then write the reservation
cp /etc/nitro_enclaves/allocator.yaml /etc/nitro_enclaves/allocator-orig.yaml
echo "---" | tee /etc/nitro_enclaves/allocator.yaml
echo cpu_count: "${RES_CPU}" | tee -a /etc/nitro_enclaves/allocator.yaml
# Keep memory_mib < 1GB to force usage of 2MB hugepages
echo memory_mib: 512 | tee -a /etc/nitro_enclaves/allocator.yaml

systemctl start nitro-enclaves-allocator.service
systemctl enable nitro-enclaves-allocator.service

# Reserve the hugepages now and persist the setting across reboots
sysctl -w vm.nr_hugepages="${RES_PAGES}"
echo vm.nr_hugepages = "${RES_PAGES}" | tee /etc/sysctl.d/99-anjuna.conf

if [[ "$INSTALL_DOCKER" == "true" ]]; then
    sudo amazon-linux-extras install -y docker
    sudo systemctl daemon-reload
    sudo systemctl enable docker.service
    sudo systemctl start docker.service
fi

The script above uses the Terraform template syntax (`${...}`), which lets the provisioning tool pass parameters into the script. The parameters used in the script are:

  • nitro_reserved_cpu: the maximum number of vCPUs that can be assigned to an AWS Nitro Enclave (must be even due to hyperthreading).

  • nitro_reserved_mem_mb: the maximum amount of memory (in MB) that can be assigned to an AWS Nitro Enclave.

You must update this script to match the syntax required by your provisioning tool.
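As an added example (not part of the Anjuna toolset or its documentation), the following bash check verifies that a provisioned host meets the three host-configuration requirements described above: an even enclave vCPU reservation, an allocator memory_mib below 1 GB, and enough 2MB hugepages for the memory you intend to hand to enclaves. It takes a root prefix as its first argument so it can be dry-run against a constructed directory tree; it assumes allocator.yaml is written as simple `key: value` lines (as the UserData script above does) and that an enclave-capable host exposes the /dev/nitro_enclaves device.

```bash
#!/bin/bash
# Added example, not Anjuna's code: check a host against the enclave
# preconditions (even cpu_count, memory_mib < 1024, hugepages, device).

# Ceiling of MB / 2: number of 2MB hugepages needed for the given MB.
pages_for_mb() {
  echo $(( ($1 + 1) / 2 ))
}

# Read the value of a top-level "key: value" line from allocator.yaml.
yaml_value() {
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# check_host ROOT RES_MEM_MB: prints findings, returns 0 if all checks pass.
# ROOT is "/" on a real host; a constructed tree when dry-running.
check_host() {
  local root="$1" want_mb="$2" rc=0
  local alloc="$root/etc/nitro_enclaves/allocator.yaml"
  if [ ! -f "$alloc" ]; then
    echo "FAIL: $alloc missing (aws-nitro-enclaves-cli not installed?)"; return 1
  fi
  local cpus mem pages need
  cpus=$(yaml_value "$alloc" cpu_count)
  mem=$(yaml_value "$alloc" memory_mib)
  # vCPUs reserved for enclaves must be even (hyperthread siblings) and >= 2.
  if [ -z "$cpus" ] || [ $(( cpus % 2 )) -ne 0 ] || [ "$cpus" -lt 2 ]; then
    echo "FAIL: cpu_count=$cpus must be an even number >= 2"; rc=1
  fi
  # The UserData script keeps memory_mib below 1GB so 2MB hugepages are used.
  if [ -z "$mem" ] || [ "$mem" -ge 1024 ]; then
    echo "FAIL: memory_mib=$mem should be < 1024 to use 2MB hugepages"; rc=1
  fi
  # vm.nr_hugepages must cover the memory expected to be given to enclaves.
  pages=$(cat "$root/proc/sys/vm/nr_hugepages" 2>/dev/null || echo 0)
  need=$(pages_for_mb "$want_mb")
  if [ "$pages" -lt "$need" ]; then
    echo "FAIL: vm.nr_hugepages=$pages < $need needed for ${want_mb} MB"; rc=1
  fi
  # The enclave device is only present on Nitro Enclave-capable instances.
  if [ ! -e "$root/dev/nitro_enclaves" ]; then
    echo "FAIL: /dev/nitro_enclaves missing (enclave support not enabled?)"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: host meets the Nitro Enclave preconditions"
  return "$rc"
}
```

Run it on the node as `check_host / "${nitro_reserved_mem_mb}"` after the UserData script has completed, or point ROOT at a staged copy of the files to validate a template before rolling it out.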

Other configurations

You must also set up the EC2 instance with an IAM Role that grants the node access to the resources needed to create, configure, and run an AWS Nitro Enclave:

  • The S3 bucket that contains the encrypted secrets

  • The AWS KMS key used to decrypt the secrets stored in that S3 bucket