https://pr-35.d2bgfookghzifw.amplifyapp.com/v1.4/getting-started/Recent content in Getting Started on KarpenterHugo -- gohugo.ioenhttps://pr-35.d2bgfookghzifw.amplifyapp.com/v1.4/getting-started/getting-started-with-karpenter/Mon, 01 Jan 0001 00:00:00 +0000https://pr-35.d2bgfookghzifw.amplifyapp.com/v1.4/getting-started/getting-started-with-karpenter/ <p>Karpenter automatically provisions new nodes in response to unschedulable pods. Karpenter does this by observing events within the Kubernetes cluster, and then sending commands to the underlying cloud provider.</p> <p>This guide shows how to get started with Karpenter by creating a Kubernetes cluster and installing Karpenter. To use Karpenter, you must be running a supported Kubernetes cluster on a supported cloud provider.</p> <p>The guide below explains how to utilize the <a href="https://github.com/aws/karpenter-provider-aws">Karpenter provider for AWS</a> with EKS.</p> <p>See the <a href="https://learn.microsoft.com/azure/aks/node-autoprovision">AKS Node autoprovisioning article</a> on how to use Karpenter on Azure&rsquo;s AKS or go to the <a href="https://github.com/Azure/karpenter-provider-azure">Karpenter provider for Azure open source repository</a> for self-hosting on Azure and additional information.</p> <h2 id="create-a-cluster-and-add-karpenter">Create a cluster and add Karpenter</h2> <p>This guide uses <code>eksctl</code> to create the cluster. It should take less than 1 hour to complete, and cost less than $0.25. Follow the clean-up instructions to reduce any charges.</p> <h3 id="1-install-utilities">1. Install utilities</h3> <p>Karpenter is installed in clusters with a Helm chart.</p> <p>Karpenter requires cloud provider permissions to provision nodes, for AWS IAM Roles for Service Accounts (IRSA) should be used. IRSA permits Karpenter (within the cluster) to make privileged requests to AWS (as the cloud provider) via a ServiceAccount.</p> <p>Install these tools before proceeding:</p> <ol> <li><a href="https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html">AWS CLI</a></li> <li><code>kubectl</code> - <a href="https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/">the Kubernetes CLI</a></li> <li><code>eksctl</code> (&gt;= v0.202.0) - <a href="https://eksctl.io/installation">the CLI for AWS EKS</a></li> <li><code>helm</code> - <a href="https://helm.sh/docs/intro/install/">the package manager for Kubernetes</a></li> </ol> <p><a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html">Configure the AWS CLI</a> with a user that has sufficient privileges to create an EKS cluster. Verify that the CLI can authenticate properly by running <code>aws sts get-caller-identity</code>.</p> <h3 id="2-set-environment-variables">2. Set environment variables</h3> <p>After setting up the tools, set the Karpenter and Kubernetes version:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;kube-system&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">KARPENTER_VERSION</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;1.4.0&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">K8S_VERSION</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;1.32&#34;</span> </span></span></code></pre></div><p>Then set the following environment variable:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">AWS_PARTITION</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;aws&#34;</span> <span style="color:#8f5902;font-style:italic"># if you are not using standard partitions, you may need to configure to aws-cn / aws-us-gov</span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">CLUSTER_NAME</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">USER</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">-karpenter-demo&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">AWS_DEFAULT_REGION</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;us-west-2&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">AWS_ACCOUNT_ID</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;</span><span style="color:#204a87;font-weight:bold">$(</span>aws sts get-caller-identity --query Account --output text<span style="color:#204a87;font-weight:bold">)</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">TEMPOUT</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;</span><span style="color:#204a87;font-weight:bold">$(</span>mktemp<span style="color:#204a87;font-weight:bold">)</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">ALIAS_VERSION</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;</span><span style="color:#204a87;font-weight:bold">$(</span>aws ssm get-parameter --name <span style="color:#4e9a06">&#34;/aws/service/eks/optimized-ami/</span><span style="color:#4e9a06">${</span><span style="color:#000">K8S_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">/amazon-linux-2023/x86_64/standard/recommended/image_id&#34;</span> --query Parameter.Value <span style="color:#000;font-weight:bold">|</span> xargs aws ec2 describe-images --query <span style="color:#4e9a06">&#39;Images[0].Name&#39;</span> --image-ids <span style="color:#000;font-weight:bold">|</span> sed -r <span style="color:#4e9a06">&#39;s/^.*(v[[:digit:]]+).*$/\1/&#39;</span><span style="color:#204a87;font-weight:bold">)</span><span style="color:#4e9a06">&#34;</span> </span></span></code></pre></div> <div class="alert alert-warning" role="alert"> <h4 class="alert-heading">Warning</h4> <p>If you open a new shell to run steps in this procedure, you need to set some or all of the environment variables again. To remind yourself of these values, type:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#204a87">echo</span> <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">K8S_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_DEFAULT_REGION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_ACCOUNT_ID</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">TEMPOUT</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">ALIAS_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span></code></pre></div> </div> <h3 id="3-create-a-cluster">3. Create a Cluster</h3> <p>Create a basic cluster with <code>eksctl</code>. The following cluster configuration will:</p> <ul> <li>Use CloudFormation to set up the infrastructure needed by the EKS cluster. See <a href="https://pr-35.d2bgfookghzifw.amplifyapp.com/v1.4/reference/cloudformation/">CloudFormation</a> for a complete description of what <code>cloudformation.yaml</code> does for Karpenter.</li> <li>Create a Kubernetes service account and AWS IAM Role, and associate them using IRSA to let Karpenter launch instances.</li> <li>Add the Karpenter node role to the aws-auth configmap to allow nodes to connect.</li> <li>Use <a href="https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html">AWS EKS managed node groups</a> for the kube-system and karpenter namespaces. Uncomment fargateProfiles settings (and comment out managedNodeGroups settings) to use Fargate for both namespaces instead.</li> <li>Set KARPENTER_IAM_ROLE_ARN variables.</li> <li>Create a role to allow spot instances.</li> <li>Run Helm to install Karpenter</li> </ul> <ul class="nav nav-tabs" id="tabs-3" role="tablist"> <li class="nav-item"> <a class="nav-link disabled" id="tabs-03-00-tab" data-toggle="tab" href="#tabs-03-00" role="tab" aria-controls="tabs-03-00" aria-selected="false"> <strong>Create cluster command</strong>: </a> </li><li class="nav-item"> <a class="nav-link active" id="tabs-03-01-tab" data-toggle="tab" href="#tabs-03-01" role="tab" aria-controls="tabs-03-01" aria-selected="false"> Managed NodeGroups </a> </li><li class="nav-item"> <a class="nav-link" id="tabs-03-02-tab" data-toggle="tab" href="#tabs-03-02" role="tab" aria-controls="tabs-03-02" aria-selected="false"> Fargate </a> </li> </ul> <div class="tab-content" id="tabs-3-content"> <div class="tab-body tab-pane fade" id="tabs-03-00" role="tabpanel" aria-labelled-by="tabs-03-00-tab"> </div> <div class="tab-body tab-pane fade show active" id="tabs-03-01" role="tabpanel" aria-labelled-by="tabs-03-01-tab"> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -fsSL https://raw.githubusercontent.com/aws/karpenter-provider-aws/v<span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span>/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml &gt; <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">TEMPOUT</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span><span style="color:#ce5c00;font-weight:bold">&amp;&amp;</span> aws cloudformation deploy <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --stack-name <span style="color:#4e9a06">&#34;Karpenter-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --template-file <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">TEMPOUT</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --capabilities CAPABILITY_NAMED_IAM <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --parameter-overrides <span style="color:#4e9a06">&#34;ClusterName=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>eksctl create cluster -f - <span style="color:#4e9a06">&lt;&lt;EOF </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">--- </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">apiVersion: eksctl.io/v1alpha5 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">kind: ClusterConfig </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: ${CLUSTER_NAME} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> region: ${AWS_DEFAULT_REGION} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> version: &#34;${K8S_VERSION}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> tags: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> karpenter.sh/discovery: ${CLUSTER_NAME} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">iam: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> withOIDC: true </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> podIdentityAssociations: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - namespace: &#34;${KARPENTER_NAMESPACE}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> serviceAccountName: karpenter </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> roleName: ${CLUSTER_NAME}-karpenter </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> permissionPolicyARNs: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:policy/KarpenterControllerPolicy-${CLUSTER_NAME} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">iamIdentityMappings: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">- arn: &#34;arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> username: system:node:{{EC2PrivateDNSName}} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> groups: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - system:bootstrappers </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - system:nodes </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> ## If you intend to run Windows workloads, the kube-proxy group should be specified. </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> # For more information, see https://github.com/aws/karpenter/issues/5099. </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> # - eks:kube-proxy-windows </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">managedNodeGroups: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">- instanceType: m5.large </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> amiFamily: AmazonLinux2023 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: ${CLUSTER_NAME}-ng </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> desiredCapacity: 2 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> minSize: 1 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> maxSize: 10 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">addons: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">- name: eks-pod-identity-agent </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">CLUSTER_ENDPOINT</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;</span><span style="color:#204a87;font-weight:bold">$(</span>aws eks describe-cluster --name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --query <span style="color:#4e9a06">&#34;cluster.endpoint&#34;</span> --output text<span style="color:#204a87;font-weight:bold">)</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">KARPENTER_IAM_ROLE_ARN</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;arn:</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_PARTITION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:iam::</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_ACCOUNT_ID</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:role/</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">-karpenter&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#204a87">echo</span> <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_ENDPOINT</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06"> </span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_IAM_ROLE_ARN</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span></code></pre></div> </div> <div class="tab-body tab-pane fade" id="tabs-03-02" role="tabpanel" aria-labelled-by="tabs-03-02-tab"> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -fsSL https://raw.githubusercontent.com/aws/karpenter-provider-aws/v<span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span>/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml &gt; <span style="color:#000">$TEMPOUT</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span><span style="color:#ce5c00;font-weight:bold">&amp;&amp;</span> aws cloudformation deploy <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --stack-name <span style="color:#4e9a06">&#34;Karpenter-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --template-file <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">TEMPOUT</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --capabilities CAPABILITY_NAMED_IAM <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --parameter-overrides <span style="color:#4e9a06">&#34;ClusterName=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>eksctl create cluster -f - <span style="color:#4e9a06">&lt;&lt;EOF </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">--- </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">apiVersion: eksctl.io/v1alpha5 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">kind: ClusterConfig </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: ${CLUSTER_NAME} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> region: ${AWS_DEFAULT_REGION} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> version: &#34;${K8S_VERSION}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> tags: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> karpenter.sh/discovery: ${CLUSTER_NAME} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">iam: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> withOIDC: true </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> serviceAccounts: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: karpenter </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> namespace: &#34;${KARPENTER_NAMESPACE}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> roleName: ${CLUSTER_NAME}-karpenter </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> attachPolicyARNs: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:policy/KarpenterControllerPolicy-${CLUSTER_NAME} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> roleOnly: true </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">iamIdentityMappings: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">- arn: &#34;arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> username: system:node:{{EC2PrivateDNSName}} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> groups: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - system:bootstrappers </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - system:nodes </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> ## If you intend to run Windows workloads, the kube-proxy group should be specified. </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> # For more information, see https://github.com/aws/karpenter/issues/5099. </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> # - eks:kube-proxy-windows </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">fargateProfiles: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">- name: karpenter </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> selectors: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - namespace: &#34;${KARPENTER_NAMESPACE}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">CLUSTER_ENDPOINT</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;</span><span style="color:#204a87;font-weight:bold">$(</span>aws eks describe-cluster --name <span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span> --query <span style="color:#4e9a06">&#34;cluster.endpoint&#34;</span> --output text<span style="color:#204a87;font-weight:bold">)</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">KARPENTER_IAM_ROLE_ARN</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;arn:</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_PARTITION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:iam::</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_ACCOUNT_ID</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:role/</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">-karpenter&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#204a87">echo</span> <span style="color:#000">$CLUSTER_ENDPOINT</span> <span style="color:#000">$KARPENTER_IAM_ROLE_ARN</span> </span></span></code></pre></div> </div> </div> <p>Unless your AWS account has already onboarded to EC2 Spot, you will need to create the service linked role to avoid the <a href="https://pr-35.d2bgfookghzifw.amplifyapp.com/v1.4/troubleshooting/#missing-service-linked-role"><code>ServiceLinkedRoleCreationNotPermitted</code> error</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws iam create-service-linked-role --aws-service-name spot.amazonaws.com <span style="color:#ce5c00;font-weight:bold">||</span> <span style="color:#204a87">true</span> </span></span><span style="display:flex;"><span><span style="color:#8f5902;font-style:italic"># If the role has already been successfully created, you will see:</span> </span></span><span style="display:flex;"><span><span style="color:#8f5902;font-style:italic"># An error occurred (InvalidInput) when calling the CreateServiceLinkedRole operation: Service role name AWSServiceRoleForEC2Spot has been taken in this account, please try a different suffix.</span> </span></span></code></pre></div> <div class="alert alert-warning" role="alert"> <h4 class="alert-heading">Windows Support Notice</h4> In order to run Windows workloads, Windows support should be enabled in your EKS Cluster. See <a href="https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html#enable-windows-support">Enabling Windows support</a> to learn more. </div> <h3 id="4-install-karpenter">4. Install Karpenter</h3> <ul class="nav nav-tabs" id="tabs-7" role="tablist"> <li class="nav-item"> <a class="nav-link disabled" id="tabs-07-00-tab" data-toggle="tab" href="#tabs-07-00" role="tab" aria-controls="tabs-07-00" aria-selected="false"> <strong>Karpenter installation command</strong>: </a> </li><li class="nav-item"> <a class="nav-link active" id="tabs-07-01-tab" data-toggle="tab" href="#tabs-07-01" role="tab" aria-controls="tabs-07-01" aria-selected="false"> Managed NodeGroups </a> </li><li class="nav-item"> <a class="nav-link" id="tabs-07-02-tab" data-toggle="tab" href="#tabs-07-02" role="tab" aria-controls="tabs-07-02" aria-selected="false"> Fargate </a> </li> </ul> <div class="tab-content" id="tabs-7-content"> <div class="tab-body tab-pane fade" id="tabs-07-00" role="tabpanel" aria-labelled-by="tabs-07-00-tab"> </div> <div class="tab-body tab-pane fade show active" id="tabs-07-01" role="tabpanel" aria-labelled-by="tabs-07-01-tab"> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#8f5902;font-style:italic"># Logout of helm registry to perform an unauthenticated pull against the public ECR</span> </span></span><span style="display:flex;"><span>helm registry <span style="color:#204a87">logout</span> public.ecr.aws </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>helm upgrade --install karpenter oci://public.ecr.aws/karpenter/karpenter --version <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --namespace <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --create-namespace <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set <span style="color:#4e9a06">&#34;settings.clusterName=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set <span style="color:#4e9a06">&#34;settings.interruptionQueue=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.requests.cpu<span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#0000cf;font-weight:bold">1</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.requests.memory<span style="color:#ce5c00;font-weight:bold">=</span>1Gi <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.limits.cpu<span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#0000cf;font-weight:bold">1</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.limits.memory<span style="color:#ce5c00;font-weight:bold">=</span>1Gi <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --wait </span></span></code></pre></div> </div> <div class="tab-body tab-pane fade" id="tabs-07-02" role="tabpanel" aria-labelled-by="tabs-07-02-tab"> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#8f5902;font-style:italic"># Logout of helm registry to perform an unauthenticated pull against the public ECR</span> </span></span><span style="display:flex;"><span>helm registry <span style="color:#204a87">logout</span> public.ecr.aws </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>helm upgrade --install karpenter oci://public.ecr.aws/karpenter/karpenter --version <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --namespace <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --create-namespace <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set <span style="color:#4e9a06">&#34;settings.clusterName=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set <span style="color:#4e9a06">&#34;settings.interruptionQueue=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.requests.cpu<span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#0000cf;font-weight:bold">1</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.requests.memory<span style="color:#ce5c00;font-weight:bold">=</span>1Gi <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.limits.cpu<span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#0000cf;font-weight:bold">1</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.limits.memory<span style="color:#ce5c00;font-weight:bold">=</span>1Gi <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set serviceAccount.annotations.<span style="color:#4e9a06">&#34;eks\.amazonaws\.com/role-arn&#34;</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;arn:</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_PARTITION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:iam::</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_ACCOUNT_ID</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:role/</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">-karpenter&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --wait </span></span></code></pre></div> </div> </div> <p>As the OCI Helm chart is signed by <a href="https://github.com/sigstore/cosign">Cosign</a> as part of the release process you can verify the chart before installing it by running the following command.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cosign verify public.ecr.aws/karpenter/karpenter:1.4.0 <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --certificate-oidc-issuer<span style="color:#ce5c00;font-weight:bold">=</span>https://token.actions.githubusercontent.com <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --certificate-identity-regexp<span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#39;https://github\.com/aws/karpenter-provider-aws/\.github/workflows/release\.yaml@.+&#39;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --certificate-github-workflow-repository<span style="color:#ce5c00;font-weight:bold">=</span>aws/karpenter-provider-aws <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --certificate-github-workflow-name<span style="color:#ce5c00;font-weight:bold">=</span>Release <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --certificate-github-workflow-ref<span style="color:#ce5c00;font-weight:bold">=</span>refs/tags/v1.4.0 <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --annotations <span style="color:#000">version</span><span style="color:#ce5c00;font-weight:bold">=</span>1.4.0 </span></span></code></pre></div> <div class="alert alert-warning" role="alert"> <h4 class="alert-heading">DNS Policy Notice</h4> <p>Karpenter uses the <code>ClusterFirst</code> pod DNS policy by default. This is the Kubernetes cluster default and this ensures that Karpenter can reach-out to internal Kubernetes services during its lifetime. There may be cases where you do not have the DNS service that you are using on your cluster up-and-running before Karpenter starts up. The most common case of this is you want Karpenter to manage the node capacity where your DNS service pods are running.</p> <p>If you need Karpenter to manage the DNS service pods&rsquo; capacity, this means that DNS won&rsquo;t be running when Karpenter starts-up. In this case, you will need to set the pod DNS policy to <code>Default</code> with <code>--set dnsPolicy=Default</code>. This will tell Karpenter to use the host&rsquo;s DNS resolution instead of the internal DNS resolution, ensuring that you don&rsquo;t have a dependency on the DNS service pods to run. More details on this issue can be found in the following Github issues: <a href="https://github.com/aws/karpenter-provider-aws/issues/2186">#2186</a> and <a href="https://github.com/aws/karpenter-provider-aws/issues/4947">#4947</a>.</p> </div> <div class="alert alert-warning" role="alert"> <h4 class="alert-heading">Warning</h4> <p>Karpenter creates a mapping between CloudProvider machines and CustomResources in the cluster for capacity tracking. To ensure this mapping is consistent, Karpenter utilizes the following tag keys:</p> <ul> <li><code>karpenter.sh/managed-by</code></li> <li><code>karpenter.sh/nodepool</code></li> <li><code>kubernetes.io/cluster/${CLUSTER_NAME}</code></li> </ul> <p>Because Karpenter takes this dependency, any user that has the ability to Create/Delete these tags on CloudProvider machines will have the ability to orchestrate Karpenter to Create/Delete CloudProvider machines as a side effect. We recommend that you <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html">enforce tag-based IAM policies</a> on these tags against any EC2 instance resource (<code>i-*</code>) for any users that might have <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html">CreateTags</a>/<a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTags.html">DeleteTags</a> permissions but should not have <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html">RunInstances</a>/<a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TerminateInstances.html">TerminateInstances</a> permissions.</p> </div> <h3 id="5-create-nodepool">5. Create NodePool</h3> <p>A single Karpenter NodePool is capable of handling many different pod shapes. Karpenter makes scheduling and provisioning decisions based on pod attributes such as labels and affinity. In other words, Karpenter eliminates the need to manage many different node groups.</p> <p>Create a default NodePool using the command below. This NodePool uses <code>securityGroupSelectorTerms</code> and <code>subnetSelectorTerms</code> to discover resources used to launch nodes. We applied the tag <code>karpenter.sh/discovery</code> in the <code>eksctl</code> command above. Depending on how these resources are shared between clusters, you may need to use different tagging schemes.</p> <p>The <code>consolidationPolicy</code> set to <code>WhenEmptyOrUnderutilized</code> in the <code>disruption</code> block configures Karpenter to reduce cluster cost by removing and replacing nodes. As a result, consolidation will terminate any empty nodes on the cluster. This behavior can be disabled by setting <code>consolidateAfter</code> to <code>Never</code>, telling Karpenter that it should never consolidate nodes. Review the <a href="https://pr-35.d2bgfookghzifw.amplifyapp.com/v1.4/concepts/nodepools/">NodePool API docs</a> for more information.</p> <p>Note: This NodePool will create capacity as long as the sum of all created capacity is less than the specified limit.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cat <span style="color:#4e9a06">&lt;&lt;EOF | envsubst | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">apiVersion: karpenter.sh/v1 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">kind: NodePool </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: default </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">spec: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> template: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> spec: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> requirements: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - key: kubernetes.io/arch </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> operator: In </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> values: [&#34;amd64&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - key: kubernetes.io/os </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> operator: In </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> values: [&#34;linux&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - key: karpenter.sh/capacity-type </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> operator: In </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> values: [&#34;on-demand&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - key: karpenter.k8s.aws/instance-category </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> operator: In </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> values: [&#34;c&#34;, &#34;m&#34;, &#34;r&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - key: karpenter.k8s.aws/instance-generation </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> operator: Gt </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> values: [&#34;2&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> nodeClassRef: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> group: karpenter.k8s.aws </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> kind: EC2NodeClass </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: default </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> expireAfter: 720h # 30 * 24h = 720h </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> limits: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> cpu: 1000 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> disruption: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> consolidationPolicy: WhenEmptyOrUnderutilized </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> consolidateAfter: 1m </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">--- </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">apiVersion: karpenter.k8s.aws/v1 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">kind: EC2NodeClass </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: default </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">spec: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> role: &#34;KarpenterNodeRole-${CLUSTER_NAME}&#34; # replace with your cluster name </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> amiSelectorTerms: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - alias: &#34;al2023@${ALIAS_VERSION}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> subnetSelectorTerms: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - tags: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> karpenter.sh/discovery: &#34;${CLUSTER_NAME}&#34; # replace with your cluster name </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> securityGroupSelectorTerms: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - tags: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> karpenter.sh/discovery: &#34;${CLUSTER_NAME}&#34; # replace with your cluster name </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">EOF</span> </span></span></code></pre></div><p>Karpenter is now active and ready to begin provisioning nodes.</p> <h3 id="6-scale-up-deployment">6. Scale up deployment</h3> <p>This deployment uses the <a href="https://www.ianlewis.org/en/almighty-pause-container">pause image</a> and starts with zero replicas.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cat <span style="color:#4e9a06">&lt;&lt;EOF | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">apiVersion: apps/v1 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">kind: Deployment </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: inflate </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">spec: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> replicas: 0 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> selector: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> matchLabels: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> app: inflate </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> template: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> labels: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> app: inflate </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> spec: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> terminationGracePeriodSeconds: 0 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> securityContext: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> runAsUser: 1000 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> runAsGroup: 3000 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> fsGroup: 2000 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> containers: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - name: inflate </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> image: public.ecr.aws/eks-distro/kubernetes/pause:3.7 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> resources: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> requests: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> cpu: 1 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> securityContext: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> allowPrivilegeEscalation: false </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>kubectl scale deployment inflate --replicas <span style="color:#0000cf;font-weight:bold">5</span> </span></span><span style="display:flex;"><span>kubectl logs -f -n <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> -l app.kubernetes.io/name<span style="color:#ce5c00;font-weight:bold">=</span>karpenter -c controller </span></span></code></pre></div><h3 id="7-scale-down-deployment">7. Scale down deployment</h3> <p>Now, delete the deployment. After a short amount of time, Karpenter should terminate the empty nodes due to consolidation.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl delete deployment inflate </span></span><span style="display:flex;"><span>kubectl logs -f -n <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> -l app.kubernetes.io/name<span style="color:#ce5c00;font-weight:bold">=</span>karpenter -c controller </span></span></code></pre></div><h3 id="8-delete-karpenter-nodes-manually">8. Delete Karpenter nodes manually</h3> <p>If you delete a node with kubectl, Karpenter will gracefully cordon, drain, and shutdown the corresponding instance. Under the hood, Karpenter adds a finalizer to the node object, which blocks deletion until all pods are drained and the instance is terminated. Keep in mind, this only works for nodes provisioned by Karpenter.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl delete node <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">NODE_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span></code></pre></div><h3 id="9-delete-the-cluster">9. Delete the cluster</h3> <p>To avoid additional charges, remove the demo infrastructure from your AWS account.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>helm uninstall karpenter --namespace <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span>aws cloudformation delete-stack --stack-name <span style="color:#4e9a06">&#34;Karpenter-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span>aws ec2 describe-launch-templates --filters <span style="color:#4e9a06">&#34;Name=tag:karpenter.k8s.aws/cluster,Values=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#000;font-weight:bold">|</span> </span></span><span style="display:flex;"><span> jq -r <span style="color:#4e9a06">&#34;.LaunchTemplates[].LaunchTemplateName&#34;</span> <span style="color:#000;font-weight:bold">|</span> </span></span><span style="display:flex;"><span> xargs -I<span style="color:#ce5c00;font-weight:bold">{}</span> aws ec2 delete-launch-template --launch-template-name <span style="color:#ce5c00;font-weight:bold">{}</span> </span></span><span style="display:flex;"><span>eksctl delete cluster --name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span></code></pre></div><h2 id="monitoring-with-grafana-optional">Monitoring with Grafana (optional)</h2> <p>This section describes optional ways to configure Karpenter to enhance its capabilities. In particular, the following commands deploy a Prometheus and Grafana stack that is suitable for this guide but does not include persistent storage or other configurations that would be necessary for monitoring a production deployment of Karpenter. This deployment includes two Karpenter dashboards that are automatically onboarded to Grafana. They provide a variety of visualization examples on Karpenter metrics.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>helm repo add grafana-charts https://grafana.github.io/helm-charts </span></span><span style="display:flex;"><span>helm repo add prometheus-community https://prometheus-community.github.io/helm-charts </span></span><span style="display:flex;"><span>helm repo update </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>kubectl create namespace monitoring </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>curl -fsSL https://raw.githubusercontent.com/aws/karpenter-provider-aws/v<span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span>/website/content/en/preview/getting-started/getting-started-with-karpenter/prometheus-values.yaml <span style="color:#000;font-weight:bold">|</span> envsubst <span style="color:#000;font-weight:bold">|</span> tee prometheus-values.yaml </span></span><span style="display:flex;"><span>helm install --namespace monitoring prometheus prometheus-community/prometheus --values prometheus-values.yaml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>curl -fsSL https://raw.githubusercontent.com/aws/karpenter-provider-aws/v<span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span>/website/content/en/preview/getting-started/getting-started-with-karpenter/grafana-values.yaml <span style="color:#000;font-weight:bold">|</span> tee grafana-values.yaml </span></span><span style="display:flex;"><span>helm install --namespace monitoring grafana grafana-charts/grafana --values grafana-values.yaml </span></span></code></pre></div><p>The Grafana instance may be accessed using port forwarding.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl port-forward --namespace monitoring svc/grafana 3000:80 </span></span></code></pre></div><p>The new stack has only one user, <code>admin</code>, and the password is stored in a secret. The following command will retrieve the password.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl get secret --namespace monitoring grafana -o <span style="color:#000">jsonpath</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;{.data.admin-password}&#34;</span> <span style="color:#000;font-weight:bold">|</span> base64 --decode </span></span></code></pre></div><h2 id="advanced-installation">Advanced Installation</h2> <p>The section below covers advanced installation techniques for installing Karpenter. This includes things such as running Karpenter on a cluster without public internet access or ensuring that Karpenter avoids getting throttled by other components in your cluster.</p> <h3 id="private-clusters">Private Clusters</h3> <p>You can optionally install Karpenter on a <a href="https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html#private-cluster-requirements">private cluster</a> using the <code>eksctl</code> installation by setting <code>privateCluster.enabled</code> to true in your <a href="https://eksctl.io/usage/eks-private-cluster/#eks-fully-private-cluster">ClusterConfig</a> and by setting <code>--set settings.isolatedVPC=true</code> when installing the <code>karpenter</code> Helm chart.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>privateCluster: </span></span><span style="display:flex;"><span> enabled: <span style="color:#204a87">true</span> </span></span></code></pre></div><p>Private clusters have no outbound access to the internet. This means that in order for Karpenter to reach out to the services that it needs to access, you need to enable specific VPC private endpoints. Below shows the endpoints that you need to enable to successfully run Karpenter in a private cluster:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>com.amazonaws.&lt;region&gt;.ec2 </span></span><span style="display:flex;"><span>com.amazonaws.&lt;region&gt;.ecr.api </span></span><span style="display:flex;"><span>com.amazonaws.&lt;region&gt;.ecr.dkr </span></span><span style="display:flex;"><span>com.amazonaws.&lt;region&gt;.s3 – For pulling container images </span></span><span style="display:flex;"><span>com.amazonaws.&lt;region&gt;.sts – For IAM roles for service accounts </span></span><span style="display:flex;"><span>com.amazonaws.&lt;region&gt;.ssm - For resolving default AMIs </span></span><span style="display:flex;"><span>com.amazonaws.&lt;region&gt;.sqs - For accessing SQS if using interruption handling </span></span><span style="display:flex;"><span>com.amazonaws.&lt;region&gt;.eks - For Karpenter to discover the cluster endpoint </span></span></code></pre></div><p>If you do not currently have these endpoints surfaced in your VPC, you can add the endpoints by running</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws ec2 create-vpc-endpoint --vpc-id <span style="color:#4e9a06">${</span><span style="color:#000">VPC_ID</span><span style="color:#4e9a06">}</span> --service-name <span style="color:#4e9a06">${</span><span style="color:#000">SERVICE_NAME</span><span style="color:#4e9a06">}</span> --vpc-endpoint-type Interface --subnet-ids <span style="color:#4e9a06">${</span><span style="color:#000">SUBNET_IDS</span><span style="color:#4e9a06">}</span> --security-group-ids <span style="color:#4e9a06">${</span><span style="color:#000">SECURITY_GROUP_IDS</span><span style="color:#4e9a06">}</span> </span></span></code></pre></div> <div class="alert alert-primary" role="alert"> <h4 class="alert-heading">Note</h4> Karpenter (controller and webhook deployment) container images must be in or copied to Amazon ECR private or to another private registry accessible from inside the VPC. If these are not available from within the VPC, or from networks peered with the VPC, you will get Image pull errors when Kubernetes tries to pull these images from ECR public. </div> <div class="alert alert-primary" role="alert"> <h4 class="alert-heading">Note</h4> <p>There is currently no VPC private endpoint for the <a href="https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html">IAM API</a>. As a result, you cannot use the default <code>spec.role</code> field in your <code>EC2NodeClass</code>. Instead, you need to provision and manage an instance profile manually and then specify Karpenter to use this instance profile through the <code>spec.instanceProfile</code> field.</p> <p>You can provision an instance profile manually and assign a Node role to it by calling the following command</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws iam create-instance-profile --instance-profile-name <span style="color:#4e9a06">&#34;KarpenterNodeInstanceProfile-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span>aws iam add-role-to-instance-profile --instance-profile-name <span style="color:#4e9a06">&#34;KarpenterNodeInstanceProfile-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --role-name <span style="color:#4e9a06">&#34;KarpenterNodeRole-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span></code></pre></div> </div> <div class="alert alert-primary" role="alert"> <h4 class="alert-heading">Note</h4> <p>There is currently no VPC private endpoint for the <a href="https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/using-price-list-query-api.html">Price List Query API</a>. As a result, pricing data can go stale over time. By default, Karpenter ships a static price list that is updated when each binary is released.</p> <p>Failed requests for pricing data will result in the following error messages</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ERROR controller.aws.pricing updating on-demand pricing, RequestError: send request failed </span></span><span style="display:flex;"><span>caused by: Post <span style="color:#4e9a06">&#34;https://api.pricing.us-east-1.amazonaws.com/&#34;</span>: dial tcp 52.94.231.236:443: i/o timeout<span style="color:#000;font-weight:bold">;</span> RequestError: send request failed </span></span><span style="display:flex;"><span>caused by: Post <span style="color:#4e9a06">&#34;https://api.pricing.us-east-1.amazonaws.com/&#34;</span>: dial tcp 52.94.231.236:443: i/o timeout, using existing pricing data from 2022-08-17T00:19:52Z <span style="color:#ce5c00;font-weight:bold">{</span><span style="color:#4e9a06">&#34;commit&#34;</span>: <span style="color:#4e9a06">&#34;4b5f953&#34;</span><span style="color:#ce5c00;font-weight:bold">}</span> </span></span></code></pre></div> </div> <h3 id="preventing-apiserver-request-throttling">Preventing APIServer Request Throttling</h3> <p>Kubernetes uses <a href="https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#flowschema">FlowSchemas</a> and <a href="https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration">PriorityLevelConfigurations</a> to map calls to the API server into buckets which determine each user agent&rsquo;s throttling limits.</p> <p>By default, Karpenter is installed into the <code>kube-system</code> namespace, which leverages the <code>system-leader-election</code> and <code>kube-system-service-accounts</code> <a href="https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#flowschema">FlowSchemas</a> to map calls from the <code>kube-system</code> namespace to the <code>leader-election</code> and <code>workload-high</code> PriorityLevelConfigurations respectively. By putting Karpenter in these PriorityLevelConfigurations, we ensure that Karpenter and other critical cluster components are able to run even if other components on the cluster are throttled in other PriorityLevelConfigurations.</p> <p>If you install Karpenter in a different namespace than the default <code>kube-system</code> namespace, Karpenter will not be put into these higher-priority FlowSchemas by default. Instead, you will need to create custom FlowSchemas for the namespace and service account where Karpenter is installed to ensure that requests are put into this higher PriorityLevelConfiguration.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cat <span style="color:#4e9a06">&lt;&lt;EOF | envsubst | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">--- </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">apiVersion: flowcontrol.apiserver.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">kind: FlowSchema </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: karpenter-leader-election </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">spec: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> distinguisherMethod: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> type: ByUser </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> matchingPrecedence: 200 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> priorityLevelConfiguration: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: leader-election </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> rules: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - resourceRules: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - apiGroups: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - coordination.k8s.io </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> namespaces: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - &#39;*&#39; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> resources: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - leases </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> verbs: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - get </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - create </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - update </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> subjects: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> serviceAccount: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: karpenter </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> namespace: &#34;${KARPENTER_NAMESPACE}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">--- </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">apiVersion: flowcontrol.apiserver.k8s.io/v1 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">kind: FlowSchema </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: karpenter-workload </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">spec: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> distinguisherMethod: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> type: ByUser </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> matchingPrecedence: 1000 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> priorityLevelConfiguration: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: workload-high </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> rules: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - nonResourceRules: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - nonResourceURLs: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - &#39;*&#39; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> verbs: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - &#39;*&#39; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> resourceRules: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - apiGroups: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - &#39;*&#39; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> clusterScope: true </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> namespaces: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - &#39;*&#39; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> resources: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - &#39;*&#39; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> verbs: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - &#39;*&#39; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> subjects: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - kind: ServiceAccount </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> serviceAccount: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: karpenter </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> namespace: &#34;${KARPENTER_NAMESPACE}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">EOF</span> </span></span></code></pre></div>https://pr-35.d2bgfookghzifw.amplifyapp.com/v1.4/getting-started/migrating-from-cas/Mon, 01 Jan 0001 00:00:00 +0000https://pr-35.d2bgfookghzifw.amplifyapp.com/v1.4/getting-started/migrating-from-cas/ <p>This guide will show you how to switch from the <a href="https://github.com/kubernetes/autoscaler">Kubernetes Cluster Autoscaler</a> to Karpenter for automatic node provisioning. We will make the following assumptions in this guide</p> <ul> <li>You will use an existing EKS cluster</li> <li>You will use existing VPC and subnets</li> <li>You will use existing security groups</li> <li>Your nodes are part of one or more node groups</li> <li>Your workloads have pod disruption budgets that adhere to <a href="https://aws.github.io/aws-eks-best-practices/karpenter/">EKS best practices</a></li> <li>Your cluster has an <a href="https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html">OIDC provider</a> for service accounts</li> </ul> <p>This guide will also assume you have the <code>aws</code> CLI installed. You can also perform many of these steps in the console, but we will use the command line for simplicity.</p> <p>Set a variable for your cluster name.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#ce5c00;font-weight:bold">=</span>kube-system </span></span><span style="display:flex;"><span><span style="color:#000">CLUSTER_NAME</span><span style="color:#ce5c00;font-weight:bold">=</span>&lt;your cluster name&gt; </span></span></code></pre></div><p>Set other variables from your cluster configuration.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000">AWS_PARTITION</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;aws&#34;</span> <span style="color:#8f5902;font-style:italic"># if you are not using standard partitions, you may need to configure to aws-cn / aws-us-gov</span> </span></span><span style="display:flex;"><span><span style="color:#000">AWS_REGION</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;</span><span style="color:#204a87;font-weight:bold">$(</span>aws configure list <span style="color:#000;font-weight:bold">|</span> grep region <span style="color:#000;font-weight:bold">|</span> tr -s <span style="color:#4e9a06">&#34; &#34;</span> <span style="color:#000;font-weight:bold">|</span> cut -d<span style="color:#4e9a06">&#34; &#34;</span> -f3<span style="color:#204a87;font-weight:bold">)</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#000">OIDC_ENDPOINT</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;</span><span style="color:#204a87;font-weight:bold">$(</span>aws eks describe-cluster --name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --query <span style="color:#4e9a06">&#34;cluster.identity.oidc.issuer&#34;</span> --output text<span style="color:#204a87;font-weight:bold">)</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#000">AWS_ACCOUNT_ID</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#204a87;font-weight:bold">$(</span>aws sts get-caller-identity --query <span style="color:#4e9a06">&#39;Account&#39;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --output text<span style="color:#204a87;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#000">K8S_VERSION</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#204a87;font-weight:bold">$(</span>aws eks describe-cluster --name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --query <span style="color:#4e9a06">&#34;cluster.version&#34;</span> --output text<span style="color:#204a87;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#000">ALIAS_VERSION</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;</span><span style="color:#204a87;font-weight:bold">$(</span>aws ssm get-parameter --name <span style="color:#4e9a06">&#34;/aws/service/eks/optimized-ami/</span><span style="color:#4e9a06">${</span><span style="color:#000">K8S_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">/amazon-linux-2023/x86_64/standard/recommended/image_id&#34;</span> --query Parameter.Value <span style="color:#000;font-weight:bold">|</span> xargs aws ec2 describe-images --query <span style="color:#4e9a06">&#39;Images[0].Name&#39;</span> --image-ids <span style="color:#000;font-weight:bold">|</span> sed -r <span style="color:#4e9a06">&#39;s/^.*(v[[:digit:]]+).*$/\1/&#39;</span><span style="color:#204a87;font-weight:bold">)</span><span style="color:#4e9a06">&#34;</span> </span></span></code></pre></div><p>Use that information to create our IAM roles, inline policy, and trust relationship.</p> <h2 id="create-iam-roles">Create IAM roles</h2> <p>To get started with our migration we first need to create two new IAM roles for nodes provisioned with Karpenter and the Karpenter controller.</p> <p>To create the Karpenter node role we will use the following policy and commands.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#204a87">echo</span> <span style="color:#4e9a06">&#39;{ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Version&#34;: &#34;2012-10-17&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Statement&#34;: [ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Effect&#34;: &#34;Allow&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Principal&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Service&#34;: &#34;ec2.amazonaws.com&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Action&#34;: &#34;sts:AssumeRole&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> ] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">}&#39;</span> &gt; node-trust-policy.json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>aws iam create-role --role-name <span style="color:#4e9a06">&#34;KarpenterNodeRole-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --assume-role-policy-document file://node-trust-policy.json </span></span></code></pre></div><p>Now attach the required policies to the role</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws iam attach-role-policy --role-name <span style="color:#4e9a06">&#34;KarpenterNodeRole-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --policy-arn <span style="color:#4e9a06">&#34;arn:</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_PARTITION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:iam::aws:policy/AmazonEKSWorkerNodePolicy&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>aws iam attach-role-policy --role-name <span style="color:#4e9a06">&#34;KarpenterNodeRole-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --policy-arn <span style="color:#4e9a06">&#34;arn:</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_PARTITION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:iam::aws:policy/AmazonEKS_CNI_Policy&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>aws iam attach-role-policy --role-name <span style="color:#4e9a06">&#34;KarpenterNodeRole-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --policy-arn <span style="color:#4e9a06">&#34;arn:</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_PARTITION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>aws iam attach-role-policy --role-name <span style="color:#4e9a06">&#34;KarpenterNodeRole-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --policy-arn <span style="color:#4e9a06">&#34;arn:</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_PARTITION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:iam::aws:policy/AmazonSSMManagedInstanceCore&#34;</span> </span></span></code></pre></div><p>Now we need to create an IAM role that the Karpenter controller will use to provision new instances. The controller will be using <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IAM Roles for Service Accounts (IRSA)</a> which requires an OIDC endpoint.</p> <p>If you have another option for using IAM credentials with workloads (e.g. <a href="https://github.com/jtblin/kube2iam">kube2iam</a>) your steps will be different.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cat <span style="color:#4e9a06">&lt;&lt; EOF &gt; controller-trust-policy.json </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">{ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Version&#34;: &#34;2012-10-17&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Statement&#34;: [ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Effect&#34;: &#34;Allow&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Principal&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Federated&#34;: &#34;arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT#*//}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Action&#34;: &#34;sts:AssumeRoleWithWebIdentity&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Condition&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;StringEquals&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;${OIDC_ENDPOINT#*//}:aud&#34;: &#34;sts.amazonaws.com&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;${OIDC_ENDPOINT#*//}:sub&#34;: &#34;system:serviceaccount:${KARPENTER_NAMESPACE}:karpenter&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> ] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>aws iam create-role --role-name <span style="color:#4e9a06">&#34;KarpenterControllerRole-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --assume-role-policy-document file://controller-trust-policy.json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>cat <span style="color:#4e9a06">&lt;&lt; EOF &gt; controller-policy.json </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">{ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Statement&#34;: [ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Action&#34;: [ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ssm:GetParameter&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:DescribeImages&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:RunInstances&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:DescribeSubnets&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:DescribeSecurityGroups&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:DescribeLaunchTemplates&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:DescribeInstances&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:DescribeInstanceTypes&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:DescribeInstanceTypeOfferings&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:DeleteLaunchTemplate&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:CreateTags&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:CreateLaunchTemplate&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:CreateFleet&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:DescribeSpotPriceHistory&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;pricing:GetProducts&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> ], </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Effect&#34;: &#34;Allow&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Resource&#34;: &#34;*&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Sid&#34;: &#34;Karpenter&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Action&#34;: &#34;ec2:TerminateInstances&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Condition&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;StringLike&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;ec2:ResourceTag/karpenter.sh/nodepool&#34;: &#34;*&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Effect&#34;: &#34;Allow&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Resource&#34;: &#34;*&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Sid&#34;: &#34;ConditionalEC2Termination&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Effect&#34;: &#34;Allow&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Action&#34;: &#34;iam:PassRole&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Resource&#34;: &#34;arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME}&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Sid&#34;: &#34;PassNodeIAMRole&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Effect&#34;: &#34;Allow&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Action&#34;: &#34;eks:DescribeCluster&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Resource&#34;: &#34;arn:${AWS_PARTITION}:eks:${AWS_REGION}:${AWS_ACCOUNT_ID}:cluster/${CLUSTER_NAME}&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Sid&#34;: &#34;EKSClusterEndpointLookup&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Sid&#34;: &#34;AllowScopedInstanceProfileCreationActions&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Effect&#34;: &#34;Allow&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Resource&#34;: &#34;*&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Action&#34;: [ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;iam:CreateInstanceProfile&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> ], </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Condition&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;StringEquals&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}&#34;: &#34;owned&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:RequestTag/topology.kubernetes.io/region&#34;: &#34;${AWS_REGION}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;StringLike&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:RequestTag/karpenter.k8s.aws/ec2nodeclass&#34;: &#34;*&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Sid&#34;: &#34;AllowScopedInstanceProfileTagActions&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Effect&#34;: &#34;Allow&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Resource&#34;: &#34;*&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Action&#34;: [ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;iam:TagInstanceProfile&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> ], </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Condition&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;StringEquals&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}&#34;: &#34;owned&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:ResourceTag/topology.kubernetes.io/region&#34;: &#34;${AWS_REGION}&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}&#34;: &#34;owned&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:RequestTag/topology.kubernetes.io/region&#34;: &#34;${AWS_REGION}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;StringLike&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass&#34;: &#34;*&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:RequestTag/karpenter.k8s.aws/ec2nodeclass&#34;: &#34;*&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Sid&#34;: &#34;AllowScopedInstanceProfileActions&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Effect&#34;: &#34;Allow&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Resource&#34;: &#34;*&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Action&#34;: [ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;iam:AddRoleToInstanceProfile&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;iam:RemoveRoleFromInstanceProfile&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;iam:DeleteInstanceProfile&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> ], </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Condition&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;StringEquals&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}&#34;: &#34;owned&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:ResourceTag/topology.kubernetes.io/region&#34;: &#34;${AWS_REGION}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;StringLike&#34;: { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass&#34;: &#34;*&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> }, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> { </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Sid&#34;: &#34;AllowInstanceProfileReadActions&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Effect&#34;: &#34;Allow&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Resource&#34;: &#34;*&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Action&#34;: &#34;iam:GetInstanceProfile&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> } </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> ], </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> &#34;Version&#34;: &#34;2012-10-17&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">} </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>aws iam put-role-policy --role-name <span style="color:#4e9a06">&#34;KarpenterControllerRole-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --policy-name <span style="color:#4e9a06">&#34;KarpenterControllerPolicy-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --policy-document file://controller-policy.json </span></span></code></pre></div><h2 id="add-tags-to-subnets-and-security-groups">Add tags to subnets and security groups</h2> <p>We need to add tags to our nodegroup subnets so Karpenter will know which subnets to use.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">for</span> NODEGROUP in <span style="color:#204a87;font-weight:bold">$(</span>aws eks list-nodegroups --cluster-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --query <span style="color:#4e9a06">&#39;nodegroups&#39;</span> --output text<span style="color:#204a87;font-weight:bold">)</span><span style="color:#000;font-weight:bold">;</span> <span style="color:#204a87;font-weight:bold">do</span> </span></span><span style="display:flex;"><span> aws ec2 create-tags <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --tags <span style="color:#4e9a06">&#34;Key=karpenter.sh/discovery,Value=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --resources <span style="color:#204a87;font-weight:bold">$(</span>aws eks describe-nodegroup --cluster-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --nodegroup-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">NODEGROUP</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --query <span style="color:#4e9a06">&#39;nodegroup.subnets&#39;</span> --output text <span style="color:#204a87;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">done</span> </span></span></code></pre></div><p>Add tags to our security groups. This command only tags the security groups for the first nodegroup in the cluster. If you have multiple nodegroups or multiple security groups you will need to decide which one Karpenter should use.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000">NODEGROUP</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#204a87;font-weight:bold">$(</span>aws eks list-nodegroups --cluster-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --query <span style="color:#4e9a06">&#39;nodegroups[0]&#39;</span> --output text<span style="color:#204a87;font-weight:bold">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#000">LAUNCH_TEMPLATE</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#204a87;font-weight:bold">$(</span>aws eks describe-nodegroup --cluster-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --nodegroup-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">NODEGROUP</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --query <span style="color:#4e9a06">&#39;nodegroup.launchTemplate.{id:id,version:version}&#39;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --output text <span style="color:#000;font-weight:bold">|</span> tr -s <span style="color:#4e9a06">&#34;\t&#34;</span> <span style="color:#4e9a06">&#34;,&#34;</span><span style="color:#204a87;font-weight:bold">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#8f5902;font-style:italic"># If your EKS setup is configured to use only Cluster security group, then please execute -</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#000">SECURITY_GROUPS</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#204a87;font-weight:bold">$(</span>aws eks describe-cluster <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --query <span style="color:#4e9a06">&#34;cluster.resourcesVpcConfig.clusterSecurityGroupId&#34;</span> --output text<span style="color:#204a87;font-weight:bold">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#8f5902;font-style:italic"># If your setup uses the security groups in the Launch template of a managed node group, then :</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#000">SECURITY_GROUPS</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;</span><span style="color:#204a87;font-weight:bold">$(</span>aws ec2 describe-launch-template-versions <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --launch-template-id <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">LAUNCH_TEMPLATE</span><span style="color:#000;font-weight:bold">%,*</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --versions <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">LAUNCH_TEMPLATE</span><span style="color:#000;font-weight:bold">#*,</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --query <span style="color:#4e9a06">&#39;LaunchTemplateVersions[0].LaunchTemplateData.[NetworkInterfaces[0].Groups||SecurityGroupIds]&#39;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --output text<span style="color:#204a87;font-weight:bold">)</span><span style="color:#4e9a06">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>aws ec2 create-tags <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --tags <span style="color:#4e9a06">&#34;Key=karpenter.sh/discovery,Value=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --resources <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">SECURITY_GROUPS</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> </span></span></code></pre></div><h2 id="update-aws-auth-configmap">Update aws-auth ConfigMap</h2> <p>We need to allow nodes that are using the node IAM role we just created to join the cluster. To do that we have to modify the <code>aws-auth</code> ConfigMap in the cluster.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl edit configmap aws-auth -n kube-system </span></span></code></pre></div><p>You will need to add a section to the mapRoles that looks something like this. Replace the <code>${AWS_PARTITION}</code> variable with the account partition, <code>${AWS_ACCOUNT_ID}</code> variable with your account ID, and <code>${CLUSTER_NAME}</code> variable with the cluster name, but do not replace the <code>{{EC2PrivateDNSName}}</code>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#204a87;font-weight:bold">groups</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#000">system:bootstrappers</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#000">system:nodes</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#8f5902;font-style:italic">## If you intend to run Windows workloads, the kube-proxy group should be specified.</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#8f5902;font-style:italic"># For more information, see https://github.com/aws/karpenter/issues/5099.</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#8f5902;font-style:italic"># - eks:kube-proxy-windows</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">rolearn</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME}</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">username</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">system:node:{{EC2PrivateDNSName}}</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span></code></pre></div><p>The full aws-auth configmap should have two groups. One for your Karpenter node role and one for your existing node group.</p> <h2 id="deploy-karpenter">Deploy Karpenter</h2> <p>First set the Karpenter release you want to deploy.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#204a87">export</span> <span style="color:#000">KARPENTER_VERSION</span><span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#4e9a06">&#34;1.4.0&#34;</span> </span></span></code></pre></div><p>We can now generate a full Karpenter deployment yaml from the Helm chart.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>helm template karpenter oci://public.ecr.aws/karpenter/karpenter --version <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> --namespace <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set <span style="color:#4e9a06">&#34;settings.clusterName=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set <span style="color:#4e9a06">&#34;settings.interruptionQueue=</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set <span style="color:#4e9a06">&#34;serviceAccount.annotations.eks\.amazonaws\.com/role-arn=arn:</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_PARTITION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:iam::</span><span style="color:#4e9a06">${</span><span style="color:#000">AWS_ACCOUNT_ID</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">:role/KarpenterControllerRole-</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.requests.cpu<span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#0000cf;font-weight:bold">1</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.requests.memory<span style="color:#ce5c00;font-weight:bold">=</span>1Gi <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.limits.cpu<span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#0000cf;font-weight:bold">1</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --set controller.resources.limits.memory<span style="color:#ce5c00;font-weight:bold">=</span>1Gi &gt; karpenter.yaml </span></span></code></pre></div><p>Modify the following lines in the karpenter.yaml file.</p> <h3 id="set-node-affinity">Set node affinity</h3> <p>Edit the karpenter.yaml file and find the karpenter deployment affinity rules. Modify the affinity so karpenter will run on one of the existing node group nodes.</p> <p>The rules should look something like this. Modify the value to match your <code>$NODEGROUP</code>, one node group per line.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">affinity</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">nodeAffinity</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">requiredDuringSchedulingIgnoredDuringExecution</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">nodeSelectorTerms</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#204a87;font-weight:bold">matchExpressions</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#204a87;font-weight:bold">key</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">karpenter.sh/nodepool</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">operator</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">DoesNotExist</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#204a87;font-weight:bold">key</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">eks.amazonaws.com/nodegroup</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">operator</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">In</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">values</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#000">${NODEGROUP}</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">podAntiAffinity</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">requiredDuringSchedulingIgnoredDuringExecution</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#204a87;font-weight:bold">topologyKey</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#4e9a06">&#34;kubernetes.io/hostname&#34;</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span></code></pre></div><p>Now that our deployment is ready we can create the karpenter namespace, create the NodePool CRD, and then deploy the rest of the karpenter resources.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl create namespace <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#ce5c00;font-weight:bold">||</span> <span style="color:#204a87">true</span> </span></span><span style="display:flex;"><span>kubectl create -f <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> <span style="color:#4e9a06">&#34;https://raw.githubusercontent.com/aws/karpenter-provider-aws/v</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">/pkg/apis/crds/karpenter.sh_nodepools.yaml&#34;</span> </span></span><span style="display:flex;"><span>kubectl create -f <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> <span style="color:#4e9a06">&#34;https://raw.githubusercontent.com/aws/karpenter-provider-aws/v</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">/pkg/apis/crds/karpenter.k8s.aws_ec2nodeclasses.yaml&#34;</span> </span></span><span style="display:flex;"><span>kubectl create -f <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> <span style="color:#4e9a06">&#34;https://raw.githubusercontent.com/aws/karpenter-provider-aws/v</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_VERSION</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">/pkg/apis/crds/karpenter.sh_nodeclaims.yaml&#34;</span> </span></span><span style="display:flex;"><span>kubectl apply -f karpenter.yaml </span></span></code></pre></div><h2 id="create-default-nodepool">Create default NodePool</h2> <p>We need to create a default NodePool so Karpenter knows what types of nodes we want for unscheduled workloads. You can refer to some of the <a href="https://github.com/aws/karpenter/tree/v1.4.0/examples/v1">example NodePool</a> for specific needs.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cat <span style="color:#4e9a06">&lt;&lt;EOF | envsubst | kubectl apply -f - </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">apiVersion: karpenter.sh/v1 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">kind: NodePool </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: default </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">spec: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> template: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> spec: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> requirements: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - key: kubernetes.io/arch </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> operator: In </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> values: [&#34;amd64&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - key: kubernetes.io/os </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> operator: In </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> values: [&#34;linux&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - key: karpenter.sh/capacity-type </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> operator: In </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> values: [&#34;spot&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - key: karpenter.k8s.aws/instance-category </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> operator: In </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> values: [&#34;c&#34;, &#34;m&#34;, &#34;r&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - key: karpenter.k8s.aws/instance-generation </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> operator: Gt </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> values: [&#34;2&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> nodeClassRef: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> group: karpenter.k8s.aws </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> kind: EC2NodeClass </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: default </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> expireAfter: 720h # 30 * 24h = 720h </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> limits: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> cpu: 1000 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> disruption: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> consolidationPolicy: WhenEmptyOrUnderutilized </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> consolidateAfter: 1m </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">--- </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">apiVersion: karpenter.k8s.aws/v1 </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">kind: EC2NodeClass </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> name: default </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">spec: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> role: &#34;KarpenterNodeRole-${CLUSTER_NAME}&#34; # replace with your cluster name </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> amiSelectorTerms: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - alias: &#34;al2023@${ALIAS_VERSION}&#34; </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> subnetSelectorTerms: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - tags: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> karpenter.sh/discovery: &#34;${CLUSTER_NAME}&#34; # replace with your cluster name </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> securityGroupSelectorTerms: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> - tags: </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"> karpenter.sh/discovery: &#34;${CLUSTER_NAME}&#34; # replace with your cluster name </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06">EOF</span> </span></span></code></pre></div><h2 id="set-nodeaffinity-for-critical-workloads-optional">Set nodeAffinity for critical workloads (optional)</h2> <p>You may also want to set a nodeAffinity for other critical cluster workloads.</p> <p>Some examples are</p> <ul> <li>coredns</li> <li>metric-server</li> </ul> <p>You can edit them with <code>kubectl edit deploy ...</code> and you should add node affinity for your static node group instances. Modify the value to match your <code>$NODEGROUP</code>, one node group per line.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">affinity</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">nodeAffinity</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">requiredDuringSchedulingIgnoredDuringExecution</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">nodeSelectorTerms</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#204a87;font-weight:bold">matchExpressions</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#204a87;font-weight:bold">key</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">eks.amazonaws.com/nodegroup</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">operator</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#000">In</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span><span style="color:#204a87;font-weight:bold">values</span><span style="color:#000;font-weight:bold">:</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span><span style="display:flex;"><span><span style="color:#f8f8f8;text-decoration:underline"> </span>- <span style="color:#000">${NODEGROUP}</span><span style="color:#f8f8f8;text-decoration:underline"> </span></span></span></code></pre></div><h2 id="remove-cas">Remove CAS</h2> <p>Now that karpenter is running we can disable the cluster autoscaler. To do that we will scale the number of replicas to zero.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl scale deploy/cluster-autoscaler -n kube-system --replicas<span style="color:#ce5c00;font-weight:bold">=</span><span style="color:#0000cf;font-weight:bold">0</span> </span></span></code></pre></div><p>To get rid of the instances that were added from the node group we can scale our nodegroup down to a minimum size to support Karpenter and other critical services.</p> <blockquote> <p>Note: If your workloads do not have <a href="https://kubernetes.io/docs/tasks/run-application/configure-pdb/">pod disruption budgets</a> set, the following command <strong>will cause workloads to be unavailable.</strong></p> </blockquote> <p>If you have a single multi-AZ node group, we suggest a minimum of 2 instances.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws eks update-nodegroup-config --cluster-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --nodegroup-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">NODEGROUP</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --scaling-config <span style="color:#4e9a06">&#34;minSize=2,maxSize=2,desiredSize=2&#34;</span> </span></span></code></pre></div><p>Or, if you have multiple single-AZ node groups, we suggest a minimum of 1 instance each.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">for</span> NODEGROUP in <span style="color:#204a87;font-weight:bold">$(</span>aws eks list-nodegroups --cluster-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --query <span style="color:#4e9a06">&#39;nodegroups&#39;</span> --output text<span style="color:#204a87;font-weight:bold">)</span><span style="color:#000;font-weight:bold">;</span> <span style="color:#204a87;font-weight:bold">do</span> aws eks update-nodegroup-config --cluster-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">CLUSTER_NAME</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --nodegroup-name <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">NODEGROUP</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> <span style="color:#4e9a06">\ </span></span></span><span style="display:flex;"><span><span style="color:#4e9a06"></span> --scaling-config <span style="color:#4e9a06">&#34;minSize=1,maxSize=1,desiredSize=1&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#204a87;font-weight:bold">done</span> </span></span></code></pre></div> <div class="alert alert-warning" role="alert"> <h4 class="alert-heading">Note</h4> If you have a lot of nodes or workloads you may want to slowly scale down your node groups by a few instances at a time. It is recommended to watch the transition carefully for workloads that may not have enough replicas running or disruption budgets configured. </div> <h2 id="verify-karpenter">Verify Karpenter</h2> <p>As nodegroup nodes are drained you can verify that Karpenter is creating nodes for your workloads.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl logs -f -n <span style="color:#4e9a06">&#34;</span><span style="color:#4e9a06">${</span><span style="color:#000">KARPENTER_NAMESPACE</span><span style="color:#4e9a06">}</span><span style="color:#4e9a06">&#34;</span> -l app.kubernetes.io/name<span style="color:#ce5c00;font-weight:bold">=</span>karpenter -c controller </span></span></code></pre></div><p>You should also see new nodes created in your cluster as the old nodes are removed</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl get nodes </span></span></code></pre></div>