ACK EC2 Chart

The ACK EC2 Chart is a Kubernetes chart designed to deploy the Amazon Elastic Kubernetes Service (EKS) Controller for Amazon EC2 (ACK EC2 Controller) within an EKS cluster. This controller is responsible for managing Amazon EC2 resources as Kubernetes custom resources, allowing Kubernetes users to interact with Amazon EC2 resources using Kubernetes manifests.

The ACK EC2 Chart is used to extend the capabilities of Kubernetes running on Amazon EKS, enabling the management of Amazon EC2 resources directly from Kubernetes. This includes the ability to create, update, and delete EC2 instances, security groups, and other related resources as part of Kubernetes deployments. This is particularly useful for applications that require direct interaction with EC2 resources or for managing infrastructure as code within a Kubernetes environment.

OBLV Deploy

The ACK EC2 Chart is a prerequisite to use OBLV Deploy. For additional information, refer to the Prerequisites page.

Configuration

The configuration of the ACK EC2 Chart involves creating an IAM service account with the necessary permissions to manage EC2 resources. This is achieved using the eksctl command-line tool. The following code block presents an example of a command used to create an IAM service account for the ACK EC2 Controller.

eksctl create iamserviceaccount \
--cluster=${CLUSTER_NAME} \
--namespace=kube-system \
--name=ack-ec2-controller \
--role-name AmazonACKec2ControllerRolePrivateTest \
--attach-policy-arn=arn:aws:iam::aws:policy/AmazonEC2FullAccess \
--approve

The above command line is described in the table below:

| Parameter | Description |
| --- | --- |
| --cluster=${CLUSTER_NAME} | Specifies the name of the EKS cluster where the service account will be created. Replace ${CLUSTER_NAME} with the actual name of your EKS cluster. |
| --namespace=kube-system | Specifies the Kubernetes namespace where the service account will be created. In this case, it is created in the kube-system namespace. |
| --name=ack-ec2-controller | Specifies the name of the service account. This name is used to identify the service account within the Kubernetes cluster. |
| --role-name AmazonACKec2ControllerRolePrivateTest | Specifies the name of the IAM role that will be associated with the service account. This role should have the necessary permissions to manage EC2 resources. |
| --attach-policy-arn=arn:aws:iam::aws:policy/AmazonEC2FullAccess | Attaches the specified IAM policy to the role. In this case, the AmazonEC2FullAccess policy is attached, granting full access to Amazon EC2 resources. |
| --approve | Automatically approves the creation of the service account and the associated IAM role. |

When using the above command, keep the following considerations in mind:

  • Security: The AmazonEC2FullAccess policy grants broad permissions to manage EC2 resources. Ensure that this level of access is appropriate for your use case and consider using more restrictive policies if possible.
  • Namespace: The service account is created in the kube-system namespace. This is a common practice for system-level resources, but you may choose to create the service account in a different namespace if your organization's policies dictate so.
  • Role Name: The role name AmazonACKec2ControllerRolePrivateTest is used in this example. In a production environment, you should use a role name that reflects the purpose and environment of the service account.
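
The Security consideration above, worked through as an added example (not code from this page or from the ACK or OBLV projects): it creates a customer-managed policy limited to security-group actions in a single region and attaches it in place of AmazonEC2FullAccess. It assumes the controller only manages security groups; the policy name, role name, region and action list are assumptions to adjust.

```shell
#!/usr/bin/env bash
# Added example. Assumptions (not from the page): the controller only
# reconciles security groups in one region; all names are hypothetical.
POLICY_NAME="ack-ec2-security-groups"     # hypothetical policy name
ROLE_NAME="ack-ec2-controller-sg-prod"    # hypothetical role name
REGION="${AWS_REGION:-eu-west-1}"         # sample region

# Print the scoped policy: explicit actions only, pinned to one region.
scoped_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "SecurityGroupsInOneRegion",
    "Effect": "Allow",
    "Action": [
      "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
      "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules",
      "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
      "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress",
      "ec2:CreateTags", "ec2:DeleteTags"
    ],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "${REGION}"}}
  }]
}
EOF
}

# Exit 0 when stdin holds a wildcard action such as "ec2:*" or
# "ec2:Describe*", or a bare "Action": "*". Used as a guard below.
has_wildcard_action() {
  grep -Eq '"[a-z0-9-]+:[A-Za-z]*\*"|"Action"[[:space:]]*:[[:space:]]*"\*"'
}

# Create the policy, then run the page's eksctl command with the scoped
# policy ARN instead of AmazonEC2FullAccess. Requires CLUSTER_NAME.
create_scoped_service_account() {
  if scoped_policy_json | has_wildcard_action; then
    echo "refusing: policy contains a wildcard action" >&2; return 1
  fi
  doc=$(mktemp) && scoped_policy_json > "$doc" || return 1
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "file://$doc" --query Policy.Arn --output text) || return 1
  eksctl create iamserviceaccount \
    --cluster="${CLUSTER_NAME}" --namespace=kube-system \
    --name=ack-ec2-controller --role-name "$ROLE_NAME" \
    --attach-policy-arn="$policy_arn" --approve
}
```

Nothing is created until `create_scoped_service_account` is called with `CLUSTER_NAME` set. Extend the action list for each additional EC2 resource kind the controller is expected to manage.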

What's next?

For additional information about how OBLV Deploy uses ACK EC2 Chart, access the Prerequisites page.