Created
December 3, 2019 03:08
-
-
Save inductor/83b2b14fdf0893cfd417ab66b951f199 to your computer and use it in GitHub Desktop.
昔のノードグループ
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| AWSTemplateFormatVersion: '2010-09-09' | |
| Description: 'EKS nodes' | |
| Resources: | |
| EgressInterCluster: | |
| Type: AWS::EC2::SecurityGroupEgress | |
| Properties: | |
| Description: Allow control plane to communicate with worker nodes in group ng-1 | |
| (kubelet and workload TCP ports) | |
| DestinationSecurityGroupId: | |
| Ref: SG | |
| FromPort: 1025 | |
| GroupId: | |
| Fn::ImportValue: eksctl-foo-2-cluster::SecurityGroup | |
| IpProtocol: tcp | |
| ToPort: 65535 | |
| EgressInterClusterAPI: | |
| Type: AWS::EC2::SecurityGroupEgress | |
| Properties: | |
| Description: Allow control plane to communicate with worker nodes in group ng-1 | |
| (workloads using HTTPS port, commonly used with extension API servers) | |
| DestinationSecurityGroupId: | |
| Ref: SG | |
| FromPort: 443 | |
| GroupId: | |
| Fn::ImportValue: eksctl-foo-2-cluster::SecurityGroup | |
| IpProtocol: tcp | |
| ToPort: 443 | |
| IngressInterCluster: | |
| Type: AWS::EC2::SecurityGroupIngress | |
| Properties: | |
| Description: Allow worker nodes in group ng-1 to communicate with control plane | |
| (kubelet and workload TCP ports) | |
| FromPort: 1025 | |
| GroupId: | |
| Ref: SG | |
| IpProtocol: tcp | |
| SourceSecurityGroupId: | |
| Fn::ImportValue: eksctl-foo-2-cluster::SecurityGroup | |
| ToPort: 65535 | |
| IngressInterClusterAPI: | |
| Type: AWS::EC2::SecurityGroupIngress | |
| Properties: | |
| Description: Allow worker nodes in group ng-1 to communicate with control plane | |
| (workloads using HTTPS port, commonly used with extension API servers) | |
| FromPort: 443 | |
| GroupId: | |
| Ref: SG | |
| IpProtocol: tcp | |
| SourceSecurityGroupId: | |
| Fn::ImportValue: eksctl-foo-2-cluster::SecurityGroup | |
| ToPort: 443 | |
| IngressInterClusterCP: | |
| Type: AWS::EC2::SecurityGroupIngress | |
| Properties: | |
| Description: Allow control plane to receive API requests from worker nodes in | |
| group ng-1 | |
| FromPort: 443 | |
| GroupId: | |
| Fn::ImportValue: eksctl-foo-2-cluster::SecurityGroup | |
| IpProtocol: tcp | |
| SourceSecurityGroupId: | |
| Ref: SG | |
| ToPort: 443 | |
| NodeGroup: | |
| Type: AWS::AutoScaling::AutoScalingGroup | |
| Properties: | |
| DesiredCapacity: '3' | |
| LaunchTemplate: | |
| LaunchTemplateName: | |
| Fn::Sub: "${AWS::StackName}" | |
| Version: | |
| Fn::GetAtt: NodeGroupLaunchTemplate.LatestVersionNumber | |
| MaxSize: '4' | |
| MinSize: '1' | |
| Tags: | |
| - Key: Name | |
| PropagateAtLaunch: 'true' | |
| Value: foo-2-ng-1-Node | |
| - Key: kubernetes.io/cluster/foo-2 | |
| PropagateAtLaunch: 'true' | |
| Value: owned | |
| - Key: k8s.io/cluster-autoscaler/enabled | |
| PropagateAtLaunch: 'true' | |
| Value: 'true' | |
| - Key: k8s.io/cluster-autoscaler/foo-2 | |
| PropagateAtLaunch: 'true' | |
| Value: owned | |
| VPCZoneIdentifier: | |
| Fn::Split: | |
| - "," | |
| - Fn::ImportValue: eksctl-foo-2-cluster::SubnetsPublic | |
| UpdatePolicy: | |
| AutoScalingRollingUpdate: | |
| MaxBatchSize: '1' | |
| MinInstancesInService: '0' | |
| NodeGroupLaunchTemplate: | |
| Type: AWS::EC2::LaunchTemplate | |
| Properties: | |
| LaunchTemplateData: | |
| IamInstanceProfile: | |
| Arn: | |
| Fn::GetAtt: NodeInstanceProfile.Arn | |
| ImageId: ami-0361e14efd56a71c7 | |
| InstanceType: t3.medium | |
| NetworkInterfaces: | |
| - AssociatePublicIpAddress: true | |
| DeviceIndex: 0 | |
| Groups: | |
| - Fn::ImportValue: eksctl-foo-2-cluster::SharedNodeSecurityGroup | |
| - Ref: SG | |
| UserData: H4sIAAAAAAAA/6xae3PiuJb/P59Cm+m6NV1pGxvzSLjD1howhDQQCIQ8ZmdTwhZGwbbcsoyB3t7PviWbh2157mS6brqqKR+dc3SevyMjfjEdElqSSbwlti98aK6hjYIG8ELHuaChZ7pW40ICEihtIC05eFGKBUqBSbHPgpKPqIS9gEHPRKUFISxgFPoydMpysLqIKGbobYkdFHAtJvEY8lgD/O8FAAD8AtA6MJkjBT4y8RKbINgFDLkWsCjxJeyB0MMMLAkF63CBHMS+xA+6C/fEAwPshVtQBr/qg/Lni1jj71NEN9hEfxz0D4gJHeAiBi3IIPAhhS5iiAYN8GD0+vejL0B/mr51jK7+OJi9JbRY1vA2mBLPRR7rYgc1S4iZpcTc0lGfjLzNYaOeQxbQAdCzQMAgw2Zmr/bgcTozHt46o+kXMLrvGG8DvWUMjg8zvT+aTf9y20MMUrsm7nnEkwo2jVX3x19AfzSd6aO28dbvfHgPh2uOd0pEtsicMkhZM/dYCgNaWmDvKAj+O2YAQJI8YiEJ+81P3w+W/MgvOnCBnODIkITkxxfo+CsoJ/bImJSO1SVhq/npe8qZtD4XbiWfWFzZUH9+G993pullimwcMETjfZuMhihNjDBbSQxij52MSVKSVgEdh0SST/EGO8hGVqLlvJ70kU/JBluINmEUpBeJx/UjKtHQY9hFTYuYa0TTEUEsInQt+U5oY69pejgt72FpgT3JwrRZIj4rmR7mYc+x8C5OeHhKOY+HmGyluHxiSdhbUpgyCbvQRs1P33knGF+nb0b74U1vt+8fR7MfsrWmMjKpnCxnG+WHDONOhFEgm8TlNVTyYRggCbpWrdLQZDW1Na+QBGaEikvI8g66TjZoRcy8PDnnBQAk8hBtAEoIa/D/LgDwIVs1QCxzAJPD50k2SCBCtkqqInG9Dovhim/HFSDq4iDAxAsa4FKpVSqXGeSSYvvEYDShLwUkZCsEAyapJy4e0WP/j/Sh0dyTPZGwJVloI5UzbMaoM77vj2bNFWN+0CiV1KrSKlcN9bqrtlRVUbXrtq62K91OWW2XKxVN3jkVObsvb5xsWrJbnHPbrCnliqKqFa1SLf9lMIuh72PBSrV3M9/dphMmjQldlA2NAAS8d21KQj9h9uxDlFMN2/yoH1ks/Ss34m2gZVEUBA2gyPG/hOjjOaJcsnGcUfKhmtfXAbd6oy4Qg4mlkKfJY9iEjEscKh16xNu5JAyOBACQBxcOshpgCZ0AHcgRWqwIWZ+5TGiu0Gw2aICyqwSiMEeoA3VbVW5Sgg5GHmvrHP6zcTGhbFJ2MpZQvM/Y6hILNcBTYsm/tEs/iCMrtrCatjBmePRglkU7cJhxkjsUb3gek6flYSmpls5omuwmAVWRVYXnQ1UyHMSF2GscH5N5FjMsEWQhRT3I0CngD4RBhr4m+eNHCETbiDJ+JIEMpQK5xp7VAAfGdpznkMYBipeDWHQ2mLaOB6GT7N+qygO8fagsJf7XMnr9EWgbD7N+t9/WZ0ZMjdeH/X5712m39UXb1qN+S7f7Lb2jj1r2+ttqjXs3kdLSJ0FX7+jz4cMwMiYvnflk0jEin1pPd0nQTLfqWL35ftiqPHdmRnXYsXfDjl4ZdfrRsEueO7M+p21H+xMt6s6M2bBl9HT10UgwaDv8CrU5fn2+C1+fHxxz327r037UmbzcfSWv/dXGHOkTo9Wa6B3bNsY6t3pC2rZttPQBm8dKuuMa6UbavjaabZG5m991gpLdUvpPrzNztXFvLEfZ9GotF/ZUPNBqry8zZavMvW3dXbvfyMiKlbTrT7etq8rVrj3Dvckr7o8HWrhaDZT1rlshxrS8RtMRVcs1GxKq3+77j/t3LSRP2h2lpZEfxkpWvfXD9G509fqCK3e3Uc379oz8YauDZ+v+t6vn0t3k/dlQb8ebx1qrty/TwXrwUGL7cTDv2tWa04qV9OH7/V0PRiXFcbfO8838MTQddxy0zPu6Sdqw9/gSPsL9/NbczswNI9toPh0Y5l0wVl/flyUzVtLaVAfznr7eXONJNFfs5a63Grdq5tYKHerapG3f9/XBslcPcTR4eg/V4ctmstrs9q/hO7u5Smp3Y/d66/ZL13aXba07vqr1zbYeGboOh+/DthF17JfO/EEZ65PbUkufdHT763qoX/P0WkZkJO6Uokl3qA9b+vI6n9bBIa0t3ai+XHvXdcd+dr7No+fVVaXivM4G7xslOQM/bx7p7nnh1dF4983oTl6Wut2nWt8M3nftyZUxdq7Vd223X73YKLp61166U92tliynVVveVKZ3sZLJgvTvJjAYt6z19c2+tnOi2f1S2bTr5n1Nq6BBbW4EvvoyfnjYfB28P8In1DLM8a1Tp1/D+vwhseReCztKT7tBi7qypM/bsvNQqWFr2lb2zqvt6gG7UVC0e6wuR8q8vLGunmrPt5POLXyaXA2nvViJSttP38L326+EDL/d7LvjBSQPzhVWd7rXem23mB48ThYrZRXtv26rPdi6n8G9dq9cRebsrkaeYiWVK2MU3JRMxZi+4s5mrNSnerm+618/1O/qrv5y/9IN3VdzodUfn5kXvte0JQtgZMyW180zTBijThFIfAibTpPhY8MyNRc3ahqZgyNyH55TY+MMudJhNLDdn46nM942wL//vAQAP2M0QOZEUiCaHE0S/3gEtuzsX/KcnrqJw39HKf8LAy50mA3/9beEEyd+QtQMKUUek45O/IyOZFgmUzIm+BQtEUWeiYIG+P7j4ujcKWQ/be4hSOcj0BaZ56dsOSaHHzl7Fjuf1uJTp5qWpXaQ1iUBRtbIy1AknHkUj/iHCiCuC3lQYBRIGLpSyghCU4zI2xy+gvkbJ4fUW9RH29StyJWtA6mNQFmrJKQqlNVyjkhFPqbJR67qdcJUtQQus5LnMqt5Ci4LYliTrwUS8uQD6SaxVJSjVTm3m5YnVGX1qLqu1Q80K89llgUDfM3y5HIlJ8udzljFynLgQscBqnqMQN4CS4hcRdiN5sX2qiXX8tEVcsCV3wgZLTC7IqtHbcnrHwBbFZ0CmlKX8c7WAjmfdbFcmJaLgSq7yMKhC9TyOZmCmFs+uaOq1wfbxWBVoegP0047HHPqiYnGmljuWs40psouNikBR1dg3gC7nKe4aq4y1VyQ3FS4042WkaIFeWLlvF+iC9zVIpoQtoJQWkWhhGITZQy1xMazRbN4OQlOc2K+ZMXiN6uCtpUqIkI5H+XYRbFDoYhLvJtO9XfCAVq4iZjspLhPvZvtfw3KHvTS9ZPpBUtQaItYw2ujAJhzzcibQ+y9U1QqZwvSFc1TcJ21AKpCZQjIwiNWUD1CpeRdsQq8q8iqIoJU0SQqSLA4nMSJwuFFy8kK1ZJHWLea60ct358Fm/NobjNsUC2aghkWDqsCOC1FuVUBKRBrlINfKsFufgi6RR3ga2J3snK6dG0xmW5+nNKCQsW5uGEOsQw6J0/dUziUM8iLbSseOc6tk67tDD6yvIVQzcc++7xUU3GolI8Giv0gnjUE/M53CC8OTZhyAhvMjwuO3vkpzmm5USyO8JUq0uJmyGOYJkxaKmabCohjFhzxcIEdrpZHKmGK0sJe3qpiVXLk0XK0pYBYsZtZkl8WlfkiHHH9OWXsaL9WPWboUGbXxzgL2xfMiezJIm7DfGcWNqZwqBMSmCQ13zNu0dGIFh3oWTnrID9npCCEhySb+HyJUrFF8vD5JzkXDDTFlwuzWlD/OQusPKDjwjkq5NYverfIq+LhFQ9sQoqFw78Gs3HdqkUAIObDzztDi5C2IJpC3Z4A/GP3OXD75hMrkF3of/Sl8Zf/iG98FzBYJbfDAWJAIgBRiraYpUk+9tESYidN80joBYglosvQM/n7N7ARezsa8+tn8D1eBSBaYQcBiqAFjvfAb2znI8D5/gms87ckeAnA77+Dy0/fM4w/LkGzyanqj0vwxx/gH/84cHEFfPH/wP/8rkg3f1x94sv/BPyF/KQUAGSuCDhwp8gUsZCe+ZbH93+LeAj89q9CDMCPxPXDrXjz8tOvZkgdIEkBdpDH4m+zGqWSWruRy1X+4hB/lhzIUMDiGzjJggyW4jsNCfubyufLWGPqbvzntaau2/NqZy9j49+gmKfl8+WhdEhITfRnV3PgF8BWOAAm9ADZIEqxhcDxfj9RYEIG/rNQ/vQTBvDbb8Z9NxPz828ShMBlf2JQEIAUA39OWI5GpX5/0JA+/Zqual50WcnLz4kwty6JRnxTbTIHWBC5xJMocgi0cmvJ/d7xa7LcYsAgZam1P0eBn/k9j4AQ9Wr18uL/AwAA//9UUesKRCQAAA== | |
| LaunchTemplateName: | |
| Fn::Sub: "${AWS::StackName}" | |
| NodeInstanceProfile: | |
| Type: AWS::IAM::InstanceProfile | |
| Properties: | |
| Path: "/" | |
| Roles: | |
| - Ref: NodeInstanceRole | |
| NodeInstanceRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Statement: | |
| - Action: | |
| - sts:AssumeRole | |
| Effect: Allow | |
| Principal: | |
| Service: | |
| - ec2.amazonaws.com | |
| Version: '2012-10-17' | |
| ManagedPolicyArns: | |
| - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy | |
| - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy | |
| - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly | |
| - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy | |
| Path: "/" | |
| PolicyALBIngress: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyDocument: | |
| Statement: | |
| - Action: | |
| - acm:DescribeCertificate | |
| - acm:ListCertificates | |
| - acm:GetCertificate | |
| - ec2:AuthorizeSecurityGroupIngress | |
| - ec2:CreateSecurityGroup | |
| - ec2:CreateTags | |
| - ec2:DeleteTags | |
| - ec2:DeleteSecurityGroup | |
| - ec2:DescribeAccountAttributes | |
| - ec2:DescribeAddresses | |
| - ec2:DescribeInstances | |
| - ec2:DescribeInstanceStatus | |
| - ec2:DescribeInternetGateways | |
| - ec2:DescribeNetworkInterfaces | |
| - ec2:DescribeSecurityGroups | |
| - ec2:DescribeSubnets | |
| - ec2:DescribeTags | |
| - ec2:DescribeVpcs | |
| - ec2:ModifyInstanceAttribute | |
| - ec2:ModifyNetworkInterfaceAttribute | |
| - ec2:RevokeSecurityGroupIngress | |
| - elasticloadbalancing:AddListenerCertificates | |
| - elasticloadbalancing:AddTags | |
| - elasticloadbalancing:CreateListener | |
| - elasticloadbalancing:CreateLoadBalancer | |
| - elasticloadbalancing:CreateRule | |
| - elasticloadbalancing:CreateTargetGroup | |
| - elasticloadbalancing:DeleteListener | |
| - elasticloadbalancing:DeleteLoadBalancer | |
| - elasticloadbalancing:DeleteRule | |
| - elasticloadbalancing:DeleteTargetGroup | |
| - elasticloadbalancing:DeregisterTargets | |
| - elasticloadbalancing:DescribeListenerCertificates | |
| - elasticloadbalancing:DescribeListeners | |
| - elasticloadbalancing:DescribeLoadBalancers | |
| - elasticloadbalancing:DescribeLoadBalancerAttributes | |
| - elasticloadbalancing:DescribeRules | |
| - elasticloadbalancing:DescribeSSLPolicies | |
| - elasticloadbalancing:DescribeTags | |
| - elasticloadbalancing:DescribeTargetGroups | |
| - elasticloadbalancing:DescribeTargetGroupAttributes | |
| - elasticloadbalancing:DescribeTargetHealth | |
| - elasticloadbalancing:ModifyListener | |
| - elasticloadbalancing:ModifyLoadBalancerAttributes | |
| - elasticloadbalancing:ModifyRule | |
| - elasticloadbalancing:ModifyTargetGroup | |
| - elasticloadbalancing:ModifyTargetGroupAttributes | |
| - elasticloadbalancing:RegisterTargets | |
| - elasticloadbalancing:RemoveListenerCertificates | |
| - elasticloadbalancing:RemoveTags | |
| - elasticloadbalancing:SetIpAddressType | |
| - elasticloadbalancing:SetSecurityGroups | |
| - elasticloadbalancing:SetSubnets | |
| - elasticloadbalancing:SetWebACL | |
| - iam:CreateServiceLinkedRole | |
| - iam:GetServerCertificate | |
| - iam:ListServerCertificates | |
| - waf-regional:GetWebACLForResource | |
| - waf-regional:GetWebACL | |
| - waf-regional:AssociateWebACL | |
| - waf-regional:DisassociateWebACL | |
| - tag:GetResources | |
| - tag:TagResources | |
| - waf:GetWebACL | |
| Effect: Allow | |
| Resource: "*" | |
| Version: '2012-10-17' | |
| PolicyName: | |
| Fn::Sub: "${AWS::StackName}-PolicyALBIngress" | |
| Roles: | |
| - Ref: NodeInstanceRole | |
| PolicyAutoScaling: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyDocument: | |
| Statement: | |
| - Action: | |
| - autoscaling:DescribeAutoScalingGroups | |
| - autoscaling:DescribeAutoScalingInstances | |
| - autoscaling:DescribeLaunchConfigurations | |
| - autoscaling:DescribeTags | |
| - autoscaling:SetDesiredCapacity | |
| - autoscaling:TerminateInstanceInAutoScalingGroup | |
| - ec2:DescribeLaunchTemplateVersions | |
| Effect: Allow | |
| Resource: "*" | |
| Version: '2012-10-17' | |
| PolicyName: | |
| Fn::Sub: "${AWS::StackName}-PolicyAutoScaling" | |
| Roles: | |
| - Ref: NodeInstanceRole | |
| PolicyCertManagerChangeSet: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyDocument: | |
| Statement: | |
| - Action: | |
| - route53:ChangeResourceRecordSets | |
| Effect: Allow | |
| Resource: arn:aws:route53:::hostedzone/* | |
| Version: '2012-10-17' | |
| PolicyName: | |
| Fn::Sub: "${AWS::StackName}-PolicyCertManagerChangeSet" | |
| Roles: | |
| - Ref: NodeInstanceRole | |
| PolicyCertManagerGetChange: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyDocument: | |
| Statement: | |
| - Action: | |
| - route53:GetChange | |
| Effect: Allow | |
| Resource: arn:aws:route53:::change/* | |
| Version: '2012-10-17' | |
| PolicyName: | |
| Fn::Sub: "${AWS::StackName}-PolicyCertManagerGetChange" | |
| Roles: | |
| - Ref: NodeInstanceRole | |
| PolicyCertManagerHostedZones: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyDocument: | |
| Statement: | |
| - Action: | |
| - route53:ListHostedZones | |
| - route53:ListResourceRecordSets | |
| - route53:ListHostedZonesByName | |
| Effect: Allow | |
| Resource: "*" | |
| Version: '2012-10-17' | |
| PolicyName: | |
| Fn::Sub: "${AWS::StackName}-PolicyCertManagerHostedZones" | |
| Roles: | |
| - Ref: NodeInstanceRole | |
| SG: | |
| Type: AWS::EC2::SecurityGroup | |
| Properties: | |
| GroupDescription: Communication between the control plane and worker nodes in | |
| group ng-1 | |
| Tags: | |
| - Key: kubernetes.io/cluster/foo-2 | |
| Value: owned | |
| - Key: Name | |
| Value: | |
| Fn::Sub: "${AWS::StackName}/SG" | |
| VpcId: | |
| Fn::ImportValue: eksctl-foo-2-cluster::VPC | |
| Outputs: | |
| FeatureLocalSecurityGroup: | |
| Value: true | |
| FeaturePrivateNetworking: | |
| Value: false | |
| FeatureSharedSecurityGroup: | |
| Value: true | |
| InstanceProfileARN: | |
| Export: | |
| Name: | |
| Fn::Sub: "${AWS::StackName}::InstanceProfileARN" | |
| Value: | |
| Fn::GetAtt: NodeInstanceProfile.Arn | |
| InstanceRoleARN: | |
| Export: | |
| Name: | |
| Fn::Sub: "${AWS::StackName}::InstanceRoleARN" | |
| Value: | |
| Fn::GetAtt: NodeInstanceRole.Arn |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment