1. ARN

An AWS ARN (Amazon Resource Name) is the identifier Amazon Web Services (AWS) uses to uniquely identify and name a resource. The partition is normally aws; in the China regions it is aws-cn.

    # The partition segment of the ARN depends on the region: China regions use aws-cn.
    if self.region.startswith('cn-'):
        arn = "arn:aws-cn:s3:::xxx"
    else:
        arn = "arn:aws:s3:::xxx"

2. Is an EC2 instance type available in every Availability Zone?

In the AWS global regions, my approach is to create a separate node group in each EKS subnet, mainly so that when nodes (K8s Nodes) are autoscaled, the Availability Zone is chosen automatically (a Pod in AZ A cannot use a PVC in AZ B). When I deployed, CDK reported an error:

    Resource handler returned message: "[Issue(Code=AsgInstanceLaunchFailures, Message=Could not launch On-Demand Instances. Unsupported - Your requested instance type (t3a.small) is
    not supported in your requested Availability Zone (cn-north-1d). Please retry your request by not specifying an Availability Zone or choosing cn-north-1a, cn-north-1b. Launching
    EC2 instance failed.

This means the EC2 instance type I chose, t3a.small, is not supported in Availability Zone cn-north-1d. I never ran into this in AWS Global. Solution: support custom subnets per EKS node group. The code is as follows:

    from aws_cdk import aws_ec2

    def add_node_groups(self):
        for node_group in self.props.node_groups:
            # A node group may list its own subnet ids; otherwise fall back to the cluster subnets.
            if node_group.subnets is None:
                subnets = self.subnets
            else:
                subnets = [aws_ec2.Subnet.from_subnet_id(
                    self,
                    f'ng_{node_group.name}_subnet_{subnet_id}',
                    subnet_id
                ) for subnet_id in node_group.subnets]

            # One managed node group per subnet, so each group is pinned to a single AZ
            # and can be restricted to the AZs where its instance types are actually offered.
            for subnet in subnets:
                subnet_selection = aws_ec2.SubnetSelection(
                    subnets=[subnet, ]
                )
                self.cluster.add_nodegroup_capacity(
                    f'eks_{self.cluster_name}_node_group_{node_group.name}_{subnet.subnet_id}',
                    nodegroup_name=f'{node_group.name}-{subnet.subnet_id}',
                    min_size=node_group.min_size,
                    max_size=node_group.max_size,
                    desired_size=node_group.desired_size,
                    instance_types=node_group.instance_types,
                    disk_size=node_group.disk_size,
                    labels=node_group.labels,
                    taints=node_group.taints,
                    subnets=subnet_selection
                )

There is one more hidden problem: if a PVC has already been created in AZ A and you later want to switch the EC2 instance type, and the new instance type is not supported in AZ A, you cannot switch the instance type without migrating the PVC.
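A pre-flight check for the launch failure above and for the PVC trap just mentioned, added here as an example and not code from the post: it reads the per-AZ instance-type offerings and reports which per-subnet node groups would fail to launch. The subnet map and the offerings response are constructed; fetch_offerings assumes boto3 is installed with credentials for the region.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample: subnet id -> Availability Zone, as the CDK app knows them.
SUBNET_AZS: Dict[str, str] = {
    "subnet-0a": "cn-north-1a",
    "subnet-0b": "cn-north-1b",
    "subnet-0d": "cn-north-1d",
}

# Constructed sample shaped like EC2 DescribeInstanceTypeOfferings output with
# LocationType="availability-zone"; t3a.small is absent from cn-north-1d, as in the error.
OFFERINGS = {"InstanceTypeOfferings": [
    {"InstanceType": "t3a.small", "LocationType": "availability-zone", "Location": "cn-north-1a"},
    {"InstanceType": "t3a.small", "LocationType": "availability-zone", "Location": "cn-north-1b"},
    {"InstanceType": "t3.small", "LocationType": "availability-zone", "Location": "cn-north-1a"},
    {"InstanceType": "t3.small", "LocationType": "availability-zone", "Location": "cn-north-1b"},
    {"InstanceType": "t3.small", "LocationType": "availability-zone", "Location": "cn-north-1d"},
]}

def fetch_offerings(region: str, instance_types: Iterable[str]) -> dict:
    """Live variant (assumes boto3 and credentials); returns the same shape as OFFERINGS."""
    import boto3  # imported lazily so the offline sample above runs without it
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.describe_instance_type_offerings(
        LocationType="availability-zone",
        Filters=[{"Name": "instance-type", "Values": list(instance_types)}],
    )

def supported_azs(offerings: dict, instance_type: str) -> Set[str]:
    """Availability Zones in which the instance type is offered."""
    return {o["Location"] for o in offerings["InstanceTypeOfferings"]
            if o["InstanceType"] == instance_type
            and o["LocationType"] == "availability-zone"}

def check_node_group(offerings: dict, subnet_azs: Dict[str, str],
                     subnet_ids: Iterable[str],
                     instance_types: Iterable[str]) -> Dict[str, List[str]]:
    """Return {subnet_id: [instance types not offered in that subnet's AZ]}.

    Empty means every per-subnet node group can launch; run it before deploying and
    again before switching instance types on a group whose AZ already holds PVCs.
    """
    types = list(instance_types)
    problems: Dict[str, List[str]] = {}
    for subnet_id in subnet_ids:
        az = subnet_azs[subnet_id]
        missing = [t for t in types if az not in supported_azs(offerings, t)]
        if missing:
            problems[subnet_id] = missing
    return problems
```

Feed the result into the node-group loop to skip or fail on subnets that appear in it, instead of discovering the unsupported zone from the CloudFormation error.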

3. AWS Ingress Load Balancer Controller

AWS CDK provides a very simple aws_eks.AlbController() method for installing the ALB Controller, but unfortunately it is also unusable in the China regions, because the image cannot be pulled there:

    Normal  BackOff  112s (x415 over 96m)  kubelet  Back-off 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.6.2

Checking the CDK source, I found no parameter for specifying the image, so the only option is to install it from the Helm chart. Note the following code:

    import json

    from aws_cdk import aws_eks

    def install_lb_controller(self):
        # AWS Load Balancer Controller
        if self.region.startswith('cn-'):
            # Install the ALB Controller from the Helm chart in the China regions,
            # because the image used by aws_eks.AlbController() cannot be pulled there.
            # IAM policy for the China partition:
            # https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy_cn.json
            with open('./bot_cdk/eks/policy/alb_controller_cn.json', 'rt') as f:
                policy_statements = json.load(f)
            self.add_iam_service_account(
                name='aws-load-balancer-controller',
                namespace='kube-system',
                policy_statements=policy_statements
            )
            self.cluster.add_helm_chart(
                f'eks_{self.cluster_name}_alb_controller',
                chart='aws-load-balancer-controller',
                namespace='kube-system',
                release='aws-load-balancer-controller',
                repository='https://aws.github.io/eks-charts',
                version='1.6.2',
                values={
                    # Must match the EKS cluster name or the controller cannot find the cluster.
                    'clusterName': self.cluster_name,
                    'serviceAccount': {
                        # Reuse the IRSA service account created above rather than
                        # letting the chart create one without the IAM role.
                        'create': False,
                        'name': 'aws-load-balancer-controller',
                    },
                },
            )
        else:
            aws_eks.AlbController(
                self,
                f'eks_{self.cluster_name}_alb_ingress_controller',
                cluster=self.cluster,
                version=aws_eks.AlbControllerVersion.V2_6_2
            )