Getting started with Amazon Fargate using Amazon EKS
This topic describes how to get started running Pods on Amazon Fargate with your Amazon EKS cluster.
If you restrict access to the public endpoint of your cluster using CIDR blocks, we recommend that you also enable private endpoint access. This way, Fargate Pods can communicate with the cluster. Without the private endpoint enabled, the CIDR blocks that you specify for public access must include the outbound sources from your VPC. For more information, see Amazon EKS cluster endpoint access control.
Prerequisite
An existing cluster. If you don't already have an Amazon EKS cluster, see Getting started with Amazon EKS.
Ensure that existing nodes can communicate with Fargate Pods
If you're working with a new cluster with no nodes, or a cluster with only managed node groups, you can skip to Create a Fargate Pod execution role.
Assume that you're working with an existing cluster that already has nodes that are associated with it. Make sure that Pods on these nodes can communicate freely with the Pods that are running on Fargate. Pods that are running on Fargate are automatically configured to use the cluster security group for the cluster that they're associated with. Ensure that any existing nodes in your cluster can send and receive traffic to and from the cluster security group. Managed node groups are automatically configured to use the cluster security group as well, so you don't need to modify or check them for this compatibility.
For existing node groups that were created with eksctl or the Amazon EKS managed Amazon CloudFormation templates, you can add the cluster security group to the nodes manually. Alternatively, you can modify the Auto Scaling group launch template for the node group to attach the cluster security group to the instances. For more information, see Changing an instance's security groups in the Amazon VPC User Guide.
You can check for a security group for your cluster in the Amazon Web Services Management Console under the Networking section for the cluster. Or, you can do this using the following Amazon CLI command. When using this command, replace my-cluster with the name of your cluster.
aws eks describe-cluster --name my-cluster --query cluster.resourcesVpcConfig.clusterSecurityGroupId
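The following Python helper is an added example and is not part of the Amazon EKS documentation or the AWS CLI. It automates the check described above: it takes the cluster security group ID (the value the describe-cluster query above returns) and reports nodes that do not carry that group. The page's fix is to attach the cluster security group to the nodes; the helper additionally accepts a node whose own security group and the cluster security group admit each other with all-traffic rules, which is the writer's reading of "send and receive traffic to and from the cluster security group". The data below is constructed sample data in the shape of describe-cluster, describe-instances and describe-security-groups output; on a real cluster, load the saved output of those commands with the load function instead.

```python
import json

# Constructed sample data standing in for the JSON printed by
#   aws eks describe-cluster --name my-cluster
#   aws ec2 describe-instances ...
#   aws ec2 describe-security-groups ...
# On a real cluster: CLUSTER = load("cluster.json") and so on.
CLUSTER = {
    "cluster": {
        "name": "my-cluster",
        "resourcesVpcConfig": {"clusterSecurityGroupId": "sg-0123456789abcdef0"},
    }
}

INSTANCES = {
    "Reservations": [{
        "Instances": [
            # Node with the cluster security group attached (the page's recommended fix).
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "eks-cluster-sg-my-cluster"}]},
            # Self-managed node whose own group and the cluster group reference each other.
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "SecurityGroups": [{"GroupId": "sg-0bbbbbbbbbbbbbbb2", "GroupName": "node-sg"}]},
            # Self-managed node with neither: Fargate Pods and its Pods cannot talk freely.
            {"InstanceId": "i-0ccccccccccccccc3",
             "SecurityGroups": [{"GroupId": "sg-0ccccccccccccccc3", "GroupName": "legacy-node-sg"}]},
        ]
    }]
}

SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0",
         "IpPermissions": [
             {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"},
                                                       {"GroupId": "sg-0bbbbbbbbbbbbbbb2"}]}]},
        {"GroupId": "sg-0bbbbbbbbbbbbbbb2",
         "IpPermissions": [
             {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]}]},
        {"GroupId": "sg-0ccccccccccccccc3",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ]
}


def load(path: str) -> dict:
    """Read saved CLI output, e.g. from `aws eks describe-cluster --name my-cluster > cluster.json`."""
    with open(path) as f:
        return json.load(f)


def cluster_security_group(cluster_doc: dict) -> str:
    """The value the page's --query cluster.resourcesVpcConfig.clusterSecurityGroupId returns."""
    return cluster_doc["cluster"]["resourcesVpcConfig"]["clusterSecurityGroupId"]


def allows_all_from(sg_doc: dict, target_sg: str, source_sg: str) -> bool:
    """True if target_sg has an ingress rule admitting all protocols from source_sg."""
    for sg in sg_doc["SecurityGroups"]:
        if sg["GroupId"] != target_sg:
            continue
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") != "-1":
                continue  # a port-limited rule is not "communicate freely"
            if any(p.get("GroupId") == source_sg for p in perm.get("UserIdGroupPairs", [])):
                return True
    return False


def nodes_needing_attention(instances_doc: dict, sg_doc: dict, cluster_sg: str) -> list:
    """Instance IDs not in the cluster SG and without mutual all-traffic rules with it."""
    flagged = []
    for reservation in instances_doc["Reservations"]:
        for inst in reservation["Instances"]:
            attached = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
            if cluster_sg in attached:
                continue
            if any(allows_all_from(sg_doc, sg, cluster_sg) and allows_all_from(sg_doc, cluster_sg, sg)
                   for sg in attached):
                continue
            flagged.append(inst["InstanceId"])
    return flagged


if __name__ == "__main__":
    sg = cluster_security_group(CLUSTER)
    for instance_id in nodes_needing_attention(INSTANCES, SECURITY_GROUPS, sg):
        print(f"{instance_id}: attach {sg} or add mutual all-traffic rules with it")
```

Run against the sample data, only the third node is flagged; attaching the cluster security group to it, as the page describes, makes the list empty.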
Create a Fargate Pod execution role
When your cluster creates Pods on Amazon Fargate, the components that run on the Fargate infrastructure must make calls to Amazon APIs on your behalf. The Amazon EKS Pod execution role provides the IAM permissions to do this. To create an Amazon Fargate Pod execution role, see Amazon EKS Pod execution IAM role.
Note
If you created your cluster with eksctl using the --fargate option, your cluster already has a Pod execution role that you can find in the IAM console with the pattern eksctl-my-cluster-FargatePodExecutionRole-ABCDEFGHIJKL. Similarly, if you use eksctl to create your Fargate profiles, eksctl creates your Pod execution role if one isn't already created.
Create a Fargate profile for your cluster
Before you can schedule Pods that are running on Fargate in your cluster, you must define a Fargate profile that specifies which Pods use Fargate when they're launched. For more information, see Amazon Fargate profile.
Note
If you created your cluster with eksctl using the --fargate option, then a Fargate profile is already created for your cluster with selectors for all Pods in the kube-system and default namespaces. Use the following procedure to create Fargate profiles for any other namespaces you would like to use with Fargate.
You can create a Fargate profile using eksctl or the Amazon Web Services Management Console.
Update CoreDNS
By default, CoreDNS is configured to run on Amazon EC2 infrastructure on Amazon EKS clusters. If you want to only run your Pods on Fargate in your cluster, complete the following steps.
Note
If you created your cluster with eksctl using the --fargate option, then you can skip to Next steps.
Create a Fargate profile for CoreDNS with the following command. Replace my-cluster with your cluster name, 111122223333 with your account ID, AmazonEKSFargatePodExecutionRole with the name of your Pod execution role, and 0000000000000001, 0000000000000002, and 0000000000000003 with the IDs of your private subnets. If you don't have a Pod execution role, you must create one first.
Important
The role ARN can't include a path. The format of the role ARN must be arn:aws-cn:iam::111122223333:role/role-name. For more information, see aws-auth ConfigMap does not grant access to the cluster.
aws eks create-fargate-profile \
  --fargate-profile-name coredns \
  --cluster-name my-cluster \
  --pod-execution-role-arn arn:aws-cn:iam::111122223333:role/AmazonEKSFargatePodExecutionRole \
  --selectors namespace=kube-system,labels={k8s-app=kube-dns} \
  --subnets subnet-0000000000000001 subnet-0000000000000002 subnet-0000000000000003
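The following Python script is an added example and is not from the Amazon EKS documentation or the AWS CLI. It builds the create-fargate-profile call above as an argument list and enforces the Important note first: the Pod execution role ARN is rejected if it carries a path such as role/service-role/Name, and the error names the path-free ARN to use instead. The page's requirement is the no-path rule; the accepted partition list (aws, aws-cn, aws-us-gov) and the 12-digit account check are the writer's assumptions.

```python
import re
import shlex

# Exactly one segment after role/: a path such as role/service-role/Name is rejected below.
_ROLE_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):role/(?P<resource>.+)$"
)


def validate_pod_execution_role_arn(arn: str) -> str:
    """Return arn unchanged, or raise ValueError naming the ARN that should be used instead."""
    m = _ROLE_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    resource = m.group("resource")
    if "/" in resource:
        path, name = resource.rsplit("/", 1)
        fixed = f"arn:{m.group('partition')}:iam::{m.group('account')}:role/{name}"
        raise ValueError(f"role ARN contains path '/{path}/'; Fargate profiles need {fixed}")
    return arn


def is_valid_pod_execution_role_arn(arn: str) -> bool:
    """Boolean form of the check above, for callers that do not want the exception."""
    try:
        validate_pod_execution_role_arn(arn)
        return True
    except ValueError:
        return False


def fargate_profile_command(cluster: str, account: str, role_name: str, subnets: list,
                            partition: str = "aws-cn", profile_name: str = "coredns",
                            namespace: str = "kube-system", labels: dict = None) -> list:
    """argv for the page's command; pass it to subprocess.run so the {} in --selectors need no shell quoting."""
    arn = validate_pod_execution_role_arn(f"arn:{partition}:iam::{account}:role/{role_name}")
    selector = f"namespace={namespace}"
    if labels:
        selector += ",labels={" + ",".join(f"{k}={v}" for k, v in labels.items()) + "}"
    return ["aws", "eks", "create-fargate-profile",
            "--fargate-profile-name", profile_name,
            "--cluster-name", cluster,
            "--pod-execution-role-arn", arn,
            "--selectors", selector,
            "--subnets", *subnets]


if __name__ == "__main__":
    cmd = fargate_profile_command(
        "my-cluster", "111122223333", "AmazonEKSFargatePodExecutionRole",
        ["subnet-0000000000000001", "subnet-0000000000000002", "subnet-0000000000000003"],
        labels={"k8s-app": "kube-dns"})
    print(shlex.join(cmd))  # review, then run with subprocess.run(cmd, check=True)
```

Passing role_name="service-role/AmazonEKSFargatePodExecutionRole" makes fargate_profile_command raise before anything is sent to the API, which is cheaper than discovering the rejected ARN from a failed profile creation.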
Run the following command to remove the eks.amazonaws.com/compute-type : ec2 annotation from the CoreDNS Pods.
kubectl patch deployment coredns \
  -n kube-system \
  --type json \
  -p='[{"op": "remove", "path": "/spec/template/metadata/annotations/eks.amazonaws.com~1compute-type"}]'
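The following Python is an added example showing what that kubectl patch does to the Deployment object; it is not kubectl's or the API server's code. It implements just enough of RFC 6901 (JSON Pointer) and the RFC 6902 "remove" operation to show why the annotation key eks.amazonaws.com/compute-type must be written as eks.amazonaws.com~1compute-type in the path, and it fails the same way kubectl does when the annotation is already gone. The Deployment below is a constructed, trimmed copy of what kubectl get deployment coredns -n kube-system -o json would return.

```python
import copy


def escape_pointer_token(key: str) -> str:
    """RFC 6901: '~' becomes '~0' first, then '/' becomes '~1'."""
    return key.replace("~", "~0").replace("/", "~1")


def unescape_pointer_token(token: str) -> str:
    """Reverse order of escape_pointer_token, so '~01' decodes to '~1' and not to '/'."""
    return token.replace("~1", "/").replace("~0", "~")


def json_patch_remove(doc: dict, path: str) -> dict:
    """Return a copy of doc with the value at the JSON Pointer path removed.
    Like kubectl patch --type json, it fails if the path does not exist."""
    if not path.startswith("/"):
        raise ValueError("JSON Pointer must start with '/'")
    tokens = [unescape_pointer_token(t) for t in path.split("/")[1:]]
    patched = copy.deepcopy(doc)
    node = patched
    for token in tokens[:-1]:
        node = node[int(token)] if isinstance(node, list) else node[token]
    last = tokens[-1]
    if isinstance(node, list):
        del node[int(last)]
    elif last in node:
        del node[last]
    else:
        raise KeyError(f"{path} does not exist; nothing to remove")
    return patched


# Constructed, trimmed Deployment in the shape of
#   kubectl get deployment coredns -n kube-system -o json
COREDNS = {
    "metadata": {"name": "coredns", "namespace": "kube-system"},
    "spec": {
        "template": {
            "metadata": {"annotations": {"eks.amazonaws.com/compute-type": "ec2"}},
        }
    },
}

ANNOTATION = "eks.amazonaws.com/compute-type"
# The '/' inside the key is data, not a path separator, hence the ~1 in the kubectl command.
PATCH_PATH = "/spec/template/metadata/annotations/" + escape_pointer_token(ANNOTATION)


def runs_on_ec2(deployment: dict) -> bool:
    """True while the annotation pins the Pods to EC2 instead of Fargate."""
    annotations = deployment["spec"]["template"]["metadata"].get("annotations", {})
    return annotations.get(ANNOTATION) == "ec2"


if __name__ == "__main__":
    print(PATCH_PATH)  # the "path" value used in the kubectl command
    patched = json_patch_remove(COREDNS, PATCH_PATH)
    print("before:", runs_on_ec2(COREDNS), "after:", runs_on_ec2(patched))
```

Writing the path as /spec/template/metadata/annotations/eks.amazonaws.com/compute-type instead would make the pointer look for a key named eks.amazonaws.com under annotations and then compute-type under that, which does not exist, so the patch would be rejected.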
Next steps
- You can start migrating your existing applications to run on Fargate with the following workflow.
  - Create a Fargate profile that matches your application's Kubernetes namespace and Kubernetes labels.
  - Delete and re-create any existing Pods so that they're scheduled on Fargate. For example, the following command triggers a rollout of the coredns deployment. You can modify the namespace and deployment type to update your specific Pods.
    kubectl rollout restart -n kube-system deployment coredns
- Deploy the Application load balancing on Amazon EKS to allow Ingress objects for your Pods running on Fargate.
- You can use the Vertical Pod Autoscaler to set the initial correct size of CPU and memory for your Fargate Pods, and then use the Horizontal Pod Autoscaler to scale those Pods. If you want the Vertical Pod Autoscaler to automatically re-deploy Pods to Fargate with higher CPU and memory combinations, set the Vertical Pod Autoscaler's mode to either Auto or Recreate. This is to ensure correct functionality. For more information, see the Vertical Pod Autoscaler documentation on GitHub.
- You can set up the Amazon Distro for OpenTelemetry (ADOT) collector for application monitoring by following these instructions.