EKS Setup


Overview

This page assumes that all EKS-related steps on the Preparation page have been completed.

Building the cluster creates several new AWS resources.

By default, the setup creates a new VPC (10.8.0.0/16) with 3 subnets, private and public route tables, an Internet gateway and a NAT gateway, and 3 node groups in different availability zones of the us-west-2 region. Each node is created with the t3.medium instance type.


Creating an EKS Cluster

Define the following shell environment variables before running the commands in this section:

export AWS_PROFILE='default'
# Region the cluster is created in; must match the region set in zero-eksctl.yaml
export AWS_REGION='us-west-1'
# 12-digit account ID of the profile above
export AWS_ACCOUNT=$(aws sts get-caller-identity --query 'Account' --output text)
export CLUSTER_NAME='zerosystems-cluster'
export HELM_VERSION='1.9.0'
export IMAGE_TAG='1.9.0.41'
# Name of the Secrets Manager secret created on the Preparation page
export SECRET_NAME=''
# ARN of the ACM certificate noted in the SSL Certificate section
export CERT_ARN=''

SECRET_NAME - the name of the secret you created in Secrets Manager on the Preparation page.

CERT_ARN - the certificate ARN you noted in the SSL Certificate section.
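A pre-flight check for the variables above, added here as an example (this is not code from the original page or from the zeroconnectapi project). It validates that every variable is set and that CERT_ARN is an ACM certificate ARN issued in the same region and account as AWS_REGION and AWS_ACCOUNT, because an Application Load Balancer can only attach a certificate from its own region; catching that here is cheaper than discovering it after the helm install. All sample values in the script are constructed.

```python
"""Pre-flight check for the shell variables exported above.

Added example, not part of the original page. Run it after the `export`
lines and before any eksctl or helm command; it exits non-zero and prints
each problem found. `check_env` takes any mapping so it can also be tested
with a constructed dict instead of os.environ.
"""
import os
import re
import sys

# ACM certificate ARN: arn:<partition>:acm:<region>:<account>:certificate/<uuid>
CERT_ARN_RE = re.compile(
    r"^arn:(aws|aws-us-gov|aws-cn):acm:"
    r"([a-z]{2}(?:-gov)?-[a-z]+-\d):(\d{12}):certificate/[0-9a-f-]{36}$"
)
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")

REQUIRED = ["AWS_REGION", "AWS_ACCOUNT", "CLUSTER_NAME", "HELM_VERSION",
            "IMAGE_TAG", "SECRET_NAME", "CERT_ARN"]


def check_env(env):
    """Return a list of problems found in `env`; an empty list means OK."""
    problems = [f"{name} is empty or unset"
                for name in REQUIRED if not env.get(name, "").strip()]
    if problems:
        # The remaining checks assume every variable is present.
        return problems

    region = env["AWS_REGION"]
    if not REGION_RE.match(region):
        problems.append(f"AWS_REGION {region!r} does not look like an AWS region")

    account = env["AWS_ACCOUNT"]
    if not re.fullmatch(r"\d{12}", account):
        problems.append("AWS_ACCOUNT must be the 12-digit account id "
                        "(check `aws sts get-caller-identity`)")

    m = CERT_ARN_RE.match(env["CERT_ARN"])
    if not m:
        problems.append("CERT_ARN is not an ACM certificate ARN")
    else:
        _partition, cert_region, cert_account = m.groups()
        # An ALB can only use ACM certificates issued in its own region.
        if cert_region != region:
            problems.append(
                f"CERT_ARN is in {cert_region} but AWS_REGION is {region}; "
                "the ALB can only attach a certificate from its own region")
        if cert_account != account:
            problems.append("CERT_ARN belongs to a different AWS account "
                            "than AWS_ACCOUNT")
    return problems


if __name__ == "__main__":
    found = check_env(os.environ)
    for problem in found:
        print("preflight:", problem)
    sys.exit(1 if found else 0)
```

Save it as preflight.py and run `python3 preflight.py` in the same shell session; a zero exit status means the variables are consistent.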

Open zero-eksctl.yaml and edit availabilityZones and region in the cluster section, and availabilityZones in the nodegroups section, as needed. If required, also edit the VPC CIDR and the cluster name. Save the file, then run eksctl:

$ eksctl create cluster -f zero-eksctl.yaml

Once the command above completes, the new VPC exists and can be used to set up a database. For details, see Database Setup.

Look up the VPC ID with the following command; it is used later in the helm install:

$ export VPC_ID=$(aws ec2 describe-vpcs --filter Name=tag:Name,Values=eksctl-${CLUSTER_NAME}-cluster/VPC --query 'Vpcs[].VpcId' --output text)


Create an IAM policy:

  1. Download the IAM policy for the AWS Load Balancer Controller so it can make calls to AWS APIs on your behalf.

    • AWS GovCloud (US-East) or AWS GovCloud (US-West) AWS regions

      $ curl -o iam_policy_us-gov.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.3/docs/install/iam_policy_us-gov.json

    • All other AWS regions

      $ curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.3/docs/install/iam_policy.json

  2. Create an IAM policy from the document downloaded in the previous step. If you downloaded iam_policy_us-gov.json, rename it to iam_policy.json before running the command:

    $ aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://iam_policy.json


Create an IAM service account:

$ eksctl create iamserviceaccount \
    --cluster=${CLUSTER_NAME} \
    --namespace=kube-system \
    --name=aws-load-balancer-controller \
    --role-name "AmazonEKSLoadBalancerControllerRoleZero" \
    --attach-policy-arn=arn:aws:iam::${AWS_ACCOUNT}:policy/AWSLoadBalancerControllerIAMPolicy \
    --approve
$ kubectl annotate serviceaccount -n kube-system aws-load-balancer-controller eks.amazonaws.com/sts-regional-endpoints=true

Load balancing is handled by ALB (Application Load Balancer).


Updating the Helm Repository

Add the required Helm repositories and refresh the chart index with the following commands:

$ helm repo add eks https://aws.github.io/eks-charts
$ helm repo add zeroconnectapi https://saas-repo.zerosystems.com/helm/
$ helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
$ helm repo update


Creating an Application Load Balancer

$ helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
    -n kube-system --set clusterName=${CLUSTER_NAME} \
    --set serviceAccount.create=false \
    --set serviceAccount.name=aws-load-balancer-controller \
    --set region=${AWS_REGION} \
    --set vpcId=${VPC_ID} \
    --set image.repository=602401143452.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-load-balancer-controller

The registry account ID 602401143452 differs between regions; check the value for the region you are deploying to in the list of Amazon container image registries.


Installing the Kubernetes Secrets Store CSI driver

Run the following helm and kubectl commands:

$ helm install -n kube-system --set syncSecret.enabled=true csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver

$ kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml


Create an IAM policy:

$ POLICY_ARN=$(aws iam create-policy --policy-name secretsmanager-policy \
    --query Policy.Arn --output text \
    --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ecr:*",
      "Resource": "*"
    }
  ]
}')

Create the service account used by the pod and attach the IAM policy created above to it:

$ eksctl create iamserviceaccount --name secretsmanager-policy-sa --cluster ${CLUSTER_NAME} --attach-policy-arn "$POLICY_ARN" --approve --override-existing-serviceaccounts
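The policy above grants `ecr:*` and both Secrets Manager actions on every resource (`"Resource": "*"`), and the service account that receives it is shared by any pod that mounts it. The script below is an added example, not code from the page or the project: it parses a policy document such as the one passed to `aws iam create-policy` above, lists each Allow statement that relies on a wildcard action or resource, and shows how to narrow a statement's Resource to specific ARNs before the policy is created. The secret ARN used in the narrowing step is a constructed placeholder, not a value from the page.

```python
"""Flag wildcard grants in an IAM policy document before creating it.

Added example, not part of the original page. `PAGE_POLICY` is the policy
document from the page, embedded as sample input; the ARN used when
narrowing it below is a placeholder and must be replaced with the real
secret ARN from the Preparation page.
"""
import json

PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ecr:*",
      "Resource": "*"
    }
  ]
}"""


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcards(policy_json):
    """Return one finding per Allow statement that uses a wildcard.

    A finding records the statement index, the actions containing '*'
    and whether Resource is the bare '*'.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action", [])) if "*" in a]
        resource_is_star = "*" in _as_list(stmt.get("Resource", []))
        if wild_actions or resource_is_star:
            findings.append({
                "statement": idx,
                "wildcard_actions": wild_actions,
                "resource_is_star": resource_is_star,
            })
    return findings


def scope_to_resources(policy_json, resources_by_statement):
    """Return a copy of the policy with Resource narrowed per statement index.

    Statements not listed in `resources_by_statement` are left unchanged.
    """
    policy = json.loads(policy_json)
    for idx, arns in resources_by_statement.items():
        policy["Statement"][idx]["Resource"] = list(arns)
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for finding in find_wildcards(PAGE_POLICY):
        print(f"statement {finding['statement']}: wildcard actions "
              f"{finding['wildcard_actions']}, Resource is '*': "
              f"{finding['resource_is_star']}")
    # Placeholder ARN: substitute the ARN of the secret created in Preparation.
    tightened = scope_to_resources(PAGE_POLICY, {
        0: ["arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:SECRET_NAME-xxxxxx"],
    })
    print(tightened)
```

Run against the page's document the script reports both statements; narrowing statement 0 to the secret's ARN clears that finding, while the `ecr:*` statement still shows up and should be reduced to the ECR actions the pods actually use for image pulls.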


Deploying EKS Services

Finalize the cluster setup by installing the application chart:

$ helm install zeroconnectapi zeroconnectapi/zeroconnectapi --version $HELM_VERSION --set secretsName="${SECRET_NAME}" --set ingress.certificateARN=${CERT_ARN} --set image.tag=$IMAGE_TAG

When the install completes, open the EC2 service in the AWS console and go to Load Balancers. A new load balancer whose name is prefixed with zero-connect is listed there; copy its DNS name and open it in a browser.
