Amazon cloudformation Cloudformation使用加密卷创建EKS受管节点组
我有一个创建托管节点组的CloudFormation模板:Amazon cloudformation Cloudformation使用加密卷创建EKS受管节点组,amazon-cloudformation,amazon-eks,Amazon Cloudformation,Amazon Eks,我有一个创建托管节点组的CloudFormation模板: NodeGroup: Type: AWS::EKS::Nodegroup Properties: ClusterName: !Ref Cluster InstanceTypes: - !Ref NodeInstanceClass NodegroupName: ng-0 NodeRole: !GetAtt NodeInstanceRole.Arn
NodeGroup:
Type: AWS::EKS::Nodegroup
Properties:
ClusterName: !Ref Cluster
InstanceTypes:
- !Ref NodeInstanceClass
NodegroupName: ng-0
NodeRole: !GetAtt NodeInstanceRole.Arn
ScalingConfig:
MinSize: !Ref ClusterMinSize
DesiredSize: !Ref ClusterDesiredSize
MaxSize: !Ref ClusterMaxSize
Subnets:
- !Ref AppSubnetID1
- !Ref AppSubnetID2
可能有加密的AMI吗 基于EKS,我们需要为k8s集群制作加密的PV/PVC 本在线教程包含以下步骤: 不过,这只会向您展示如何在k8s中执行此操作 我们需要使其适应EKS Cloudformation模板 我们可以在此处使用EKS群集加密提供程序的相关CloudFormation标记来实现这一点: 您需要设置以下参数:
Type: AWS::EKS::Cluster
Properties:
EncryptionConfig:
Provider:
Provider
Resources:
- String
Name: String
ResourcesVpcConfig:
ResourcesVpcConfig
RoleArn: String
Version: String
使用普通节点,在works上切换帐户的默认加密。。。我还没有尝试过托管节点组(我们需要soms sysctl设置),它只会在etcd中加密机密。它不会影响EBS卷。。。
NodeGroup:
Type: AWS::EKS::Nodegroup
Properties:
ClusterName: !Ref Cluster
InstanceTypes:
- !Ref NodeInstanceClass
NodegroupName: ng-0
LaunchTemplate:
Version: !GetAtt NodeLaunchTemplate.LatestVersionNumber
Id: !Ref NodeLaunchTemplate
NodeRole: !GetAtt NodeInstanceRole.Arn
ScalingConfig:
MinSize: !Ref ClusterMinSize
DesiredSize: !Ref ClusterDesiredSize
MaxSize: !Ref ClusterMaxSize
Subnets:
- !Ref AppSubnetID1
- !Ref AppSubnetID2
NodeLaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateData:
BlockDeviceMappings:
- DeviceName: /dev/xvda
Ebs:
VolumeSize: !Ref NodeVolumeSize
VolumeType: gp3
Encrypted: true
DeleteOnTermination: true
KeyName: !Ref KeyName
NetworkInterfaces:
- DeviceIndex: 0
Groups:
- !Ref NodeSecurityGroup
LaunchTemplateName: !Sub ${Cluster}-${NodeGroupName}-template