EKS cluster setup
Overview
This section provides instructions for setting up Amazon Elastic Kubernetes Service (EKS) for use with the CAST Imaging helm charts installation scripts described in Installation on Amazon Web Services via EKS.
Setup AWS CLI
- Install the aws CLI, see https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- Configure the CLI with your credentials:
aws configure
You will be prompted for your AWS Access Key ID, Secret Access Key, default region (for example us-east-2) and output format.
Ensure the AWS account (IAM user or role) used to run the commands below has the permissions required to create and manage EKS clusters, EC2 instances, VPC resources, IAM roles and CloudFormation stacks. Insufficient permissions are the most common cause of failures during cluster creation.
Install eksctl
eksctl is the command line tool used to create and manage the EKS cluster.
- Follow the instructions provided here: https://eksctl.io/installation/
- Check that the CLI is working by running:
eksctl version
Create cluster
The script below creates the EKS cluster and configures the components required by CAST Imaging:
- an IAM OIDC provider associated with the cluster,
- the Amazon VPC CNI addon,
- the Amazon EBS CSI driver (block storage) with its dedicated IAM role,
- the Amazon EFS CSI driver (shared file storage) with its dedicated IAM role.
Set the variables at the top of the script (CLUSTER_NAME, AWS_DEFAULT_REGION, NODE_TYPE, K8S_VERSION) to match your environment before running it. The t2.2xlarge node type provides 8 vCPU / 32 GB RAM; use r5.2xlarge if you need 8 vCPU / 64 GB RAM.
The cluster creation scripts below are provided as a suggested starting point - adapt them to your own requirements. It is recommended to keep all nodes in the same Availability Zone to reduce network latency in the communications between CAST Imaging services. This is why the scripts pin the node group to a single AZ (--node-zones) while still creating the cluster across two AZs (--zones), as required by EKS.
The scripts enable SSH access to the cluster nodes (--ssh-access), which requires an SSH key pair. If you do not have SSH keys, you can generate a pair before running the script:
- Linux/macOS:
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa
- Windows (PowerShell):
ssh-keygen -t rsa -b 2048 -f C:\Users\USERNAME\.ssh\id_rsa
Linux / macOS
#!/bin/bash
# Set environment variables
export AWS_DEFAULT_REGION=us-east-2
export CLUSTER_NAME=castimaging
export NODE_TYPE=t2.2xlarge
# Kubernetes version for the cluster (must be a version supported by EKS)
export K8S_VERSION=1.31
# Create the EKS cluster
eksctl create cluster --name "$CLUSTER_NAME" \
--version "$K8S_VERSION" \
--region "$AWS_DEFAULT_REGION" \
--nodegroup-name "${CLUSTER_NAME}-ng" \
--nodes-min 2 --nodes-max 4 \
--node-type "$NODE_TYPE" \
--nodes 2 \
--node-volume-size 100 \
--ssh-access \
--with-oidc \
--zones "${AWS_DEFAULT_REGION}a,${AWS_DEFAULT_REGION}b" \
--node-zones "${AWS_DEFAULT_REGION}b"
# Associate IAM OIDC provider with the cluster
eksctl utils associate-iam-oidc-provider --cluster "$CLUSTER_NAME" --approve
# Update VPC CNI addon
eksctl update addon --name vpc-cni --cluster "$CLUSTER_NAME"
# Create IAM Service Account for EBS CSI Driver
eksctl create iamserviceaccount \
--name ebs-csi-controller-sa \
--namespace kube-system \
--cluster "$CLUSTER_NAME" \
--attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
--approve \
--role-only \
--role-name "AmazonEKS_EBS_CSI_DriverRole-${CLUSTER_NAME}"
# Create EBS CSI Driver addon
EBS_ROLE_ARN=$(aws iam get-role --role-name "AmazonEKS_EBS_CSI_DriverRole-${CLUSTER_NAME}" --query Role.Arn --output text)
eksctl create addon \
--name aws-ebs-csi-driver \
--cluster "$CLUSTER_NAME" \
--service-account-role-arn "$EBS_ROLE_ARN" \
--force
# Create IAM Service Account for EFS CSI Driver
eksctl create iamserviceaccount \
--name efs-csi-controller-sa \
--namespace kube-system \
--cluster "$CLUSTER_NAME" \
--attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \
--approve \
--role-only \
--role-name "AmazonEKS_EFS_CSI_DriverRole-${CLUSTER_NAME}"
# Create EFS CSI Driver addon
EFS_ROLE_ARN=$(aws iam get-role --role-name "AmazonEKS_EFS_CSI_DriverRole-${CLUSTER_NAME}" --query Role.Arn --output text)
eksctl create addon \
--name aws-efs-csi-driver \
--cluster "$CLUSTER_NAME" \
--service-account-role-arn "$EFS_ROLE_ARN" \
--force
Windows
REM Set environment variables
set AWS_DEFAULT_REGION=us-east-2
set CLUSTER_NAME=castimaging
set NODE_TYPE=t2.2xlarge
REM 8 cpu 64GB RAM:
REM set NODE_TYPE=r5.2xlarge
REM Kubernetes version for the cluster (must be a version supported by EKS)
set K8S_VERSION=1.31
REM Create the EKS cluster
eksctl create cluster --name %CLUSTER_NAME% --version %K8S_VERSION% --region %AWS_DEFAULT_REGION% --nodegroup-name %CLUSTER_NAME%-ng --nodes-min 2 --nodes-max 4 --node-type %NODE_TYPE% --nodes 2 --node-volume-size 100 --ssh-access --with-oidc --zones %AWS_DEFAULT_REGION%a,%AWS_DEFAULT_REGION%b --node-zones %AWS_DEFAULT_REGION%b
REM Associate IAM OIDC provider with the cluster
eksctl utils associate-iam-oidc-provider --cluster %CLUSTER_NAME% --approve
REM Update VPC CNI addon
eksctl update addon --name vpc-cni --cluster %CLUSTER_NAME%
REM Create IAM Service Account for EBS CSI Driver
eksctl create iamserviceaccount --name ebs-csi-controller-sa --namespace kube-system --cluster %CLUSTER_NAME% --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy --approve --role-only --role-name AmazonEKS_EBS_CSI_DriverRole-%CLUSTER_NAME%
REM Create EBS CSI Driver addon
for /f "delims=" %%i in ('aws iam get-role --role-name AmazonEKS_EBS_CSI_DriverRole-%CLUSTER_NAME% --query Role.Arn --output text') do set EBS_ROLE_ARN=%%i
eksctl create addon --name aws-ebs-csi-driver --cluster %CLUSTER_NAME% --service-account-role-arn %EBS_ROLE_ARN% --force
REM Create IAM Service Account for EFS CSI Driver
eksctl create iamserviceaccount --name efs-csi-controller-sa --namespace kube-system --cluster %CLUSTER_NAME% --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy --approve --role-only --role-name AmazonEKS_EFS_CSI_DriverRole-%CLUSTER_NAME%
REM Create EFS CSI Driver addon
for /f "delims=" %%i in ('aws iam get-role --role-name AmazonEKS_EFS_CSI_DriverRole-%CLUSTER_NAME% --query Role.Arn --output text') do set EFS_ROLE_ARN=%%i
eksctl create addon --name aws-efs-csi-driver --cluster %CLUSTER_NAME% --service-account-role-arn %EFS_ROLE_ARN% --force
Verify the cluster
# List your clusters
eksctl get cluster --region us-east-2
# Verify the nodes are ready
kubectl get nodes
Delete the cluster
Always delete the cluster with eksctl so that all the associated AWS resources (CloudFormation stacks, IAM roles, node groups) are removed cleanly.
eksctl delete cluster --name <cluster-name> --region us-east-2
If some resources remain after deletion, you can remove the leftover CloudFormation stack manually:
aws cloudformation delete-stack --stack-name <stack-name> --region us-east-2
Install kubectl - command-line K8s tool
- Follow the instructions provided here: https://kubernetes.io/docs/tasks/tools/
- Check that the CLI is working by running:
kubectl version --client
eksctl automatically updates your kubeconfig when the cluster is created. If you need to refresh the credentials later, run:
aws eks update-kubeconfig --name <cluster-name> --region us-east-2
Install Helm
- Follow the instructions provided here: https://helm.sh/docs/intro/quickstart/. The binary download is provided here: https://github.com/helm/helm/releases