Issue was encountered with a space in ssh key pair and cloud formation failed silently. Handle space in the ssh key pair

exam Pod's traffic
yum install -y tcpdump
tcpdump -i eni61b9c53e3d2

AWS re:Invent 2018: NET410 Workshop

ssh into EKS console
Find out EksEC2Instance and EC2 instance ID from Cloudformation resource
ssh into EKS instance

[ec2-user@ip-172-31-21-42 configFiles]$ ls
busyboxDeployment.yaml serviceClusterIp.yaml serviceNodePort.yaml
client.yaml serviceLoadBalancer.yaml simpleHttpServer.yaml
[ec2-user@ip-172-31-21-42 configFiles]$ kubectl apply -f serviceClusterIp.yaml
service/service-clusterip created
[ec2-user@ip-172-31-21-42 configFiles]$

[ec2-user@ip-172-31-21-42 configFiles]$ kubectl apply -f client.yaml
deployment.apps/simple-client created
[ec2-user@ip-172-31-21-42 configFiles]$

Create Pods
kubectl apply -f eks-cni-demo/worker_hello.yaml

CNI DEMO
Setup a EKS cluster
Create a t2.micro instance (using AWS console)
create EC2 key pair, e.g. my-eks-key
create a t2.micro instance using AMI ami-0965d7fbfc86df411 using my-eks-key
run aws configure to configure instance with right permission
Create a EKS cluster

create a EKS cluster

eksctl create cluster --name reinvent-eks-1 --node-type=t2.medium --ssh-access --ssh-public-key=my-eks-key

EKS, security group given to (aws eks create-cluster...) is not right
worker node have proxy setup
worker node have taint

We should mention kops also have option to use our aws eks CNI

• Parameterize the name for eks cluster

Change to Pod "Network" Stack Internal

as of now if AWS CFT is deleted without deleting kops cluster, it leaves kops cluster orphaned. Handle clean up efficiently

t2.micro is too small for eks cluster, can we have t2.medium?

Set region to eu-west-1 (Ireland)

To create ssh key-pair using Amazon EC2 Console, click on Amazon EC2 console.

Documentation can be found here

vethxx interfaces are for pods that are running in kube-system name space:
$: kubectl get pods -o wide --all-namespaces |grep 10-1-2-179
kube-system kube-dns-5fbcb4d67b-hr4vr 3/3 Running 0 18h 100.65.129.4 ip-10-1-2-179.us-west-2.compute.internal
kube-system kube-dns-autoscaler-6874c546dd-k2twt 1/1 Running 0 2d 100.65.129.2 ip-10-1-2-179.us-west-2.compute.internal
kube-system kube-proxy-ip-10-1-2-179.us-west-2.compute.internal 1/1 Running 0 2d 10.1.2.179 ip-10-1-2-179.us-west-2.compute.internal
kube-system kubernetes-dashboard-7b9c7bc8c9-ttc7z 1/1 Running 0 2d 100.65.129.3 ip-10-1-2-179.us-west-2.compute.internal
$:

install calico policy add-on
kubectl apply -f calico.yaml
daemonset.extensions "calico-node" created
customresourcedefinition.apiextensions.k8s.io "felixconfigurations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "bgpconfigurations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "ippools.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "hostendpoints.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "clusterinformations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "globalnetworkpolicies.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "globalnetworksets.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "networkpolicies.crd.projectcalico.org" created
serviceaccount "calico-node" created
clusterrole.rbac.authorization.k8s.io "calico-node" created
clusterrolebinding.rbac.authorization.k8s.io "calico-node" created
deployment.extensions "calico-typha" created
clusterrolebinding.rbac.authorization.k8s.io "typha-cpha" created
clusterrole.rbac.authorization.k8s.io "typha-cpha" created
configmap "calico-typha-horizontal-autoscaler" created
deployment.extensions "calico-typha-horizontal-autoscaler" created
role.rbac.authorization.k8s.io "typha-cpha" created
serviceaccount "typha-cpha" created
rolebinding.rbac.authorization.k8s.io "typha-cpha" created
service "calico-typha" created

Examine calico add-on
kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
aws-node-2c5zn 1/1 Running 0 3h
aws-node-ng546 1/1 Running 0 3h
aws-node-wx4nh 1/1 Running 1 3h
calico-node-g779n 1/1 Running 0 1m
calico-node-k2svs 1/1 Running 0 1m
calico-node-wmzbw 1/1 Running 0 1m
calico-typha-75667d89cb-7m4jr 1/1 Running 0 1m
calico-typha-horizontal-autoscaler-78f747b679-qf965 1/1 Running 0 1m
kube-dns-64b69465b4-57l8d 3/3 Running 0 8h
kube-proxy-8mf7f 1/1 Running 0 3h
kube-proxy-9t9n8 1/1 Running 0 3h
kube-proxy-nmnz9 1/1 Running 0 3h
Simple Policy Demo
Configure Namespaces
kubectl create ns policy-demo
Create demo pods

Run the Pods.

kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx

Create the Service.

kubectl expose --namespace=policy-demo deployment nginx --port=80

Run a Pod and try to access the nginx Service.

$ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ # wget -q nginx -O -

enable isolation

kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
name: default-deny
namespace: policy-demo
spec:
podSelector:
matchLabels: {}
EOF

test isolation

Run a Pod and try to access the nginx Service.

$ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ # wget -q --timeout=5 nginx -O -
wget: download timed out
/ #
Allow Access using a Network Policy
kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
name: access-nginx
namespace: policy-demo
spec:
podSelector:
matchLabels:
run: nginx
ingress:
- from:
- podSelector:
matchLabels:
run: access
EOF

with label is able to access nginx

Run a Pod and try to access the nginx Service.

$ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ # wget -q --timeout=5 nginx -O -

Run a Pod without label and try to access the nginx Service.

$ kubectl run --namespace=policy-demo cant-access --rm -ti --image busybox /bin/sh
Waiting for pod policy-demo/cant-access-472357175-y0m47 to be running, status is Pending, pod ready: false

If you don't see a command prompt, try pressing enter.

/ # wget -q --timeout=5 nginx -O -
wget: download timed out
/ #

cleanup

kubectl delete ns policy-demo

[ec2-user@ip-172-31-23-130 ~]$ aws eks list-clusters

[ec2-user@ip-172-31-21-42 kops-kubenet-demo]$ cd configFiles/
[ec2-user@ip-172-31-21-42 configFiles]$ ls
busyboxDeployment.yaml serviceClusterIp.yaml serviceNodePort.yaml
client.yaml serviceLoadBalancer.yaml simpleHttpServer.yaml
[ec2-user@ip-172-31-21-42 configFiles]$ kubectl apply -f busyboxDeployment.yaml
deployment.apps/net410-kops-busybox created
[ec2-user@ip-172-31-21-42 configFiles]$
[ec2-user@ip-172-31-21-42 configFiles]$
[ec2-user@ip-172-31-21-42 configFiles]$ kubectl get deployment -o wide
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
net410-kops-busybox 2 2 2 2 59s net410-kops-busybox busybox app=net410-kops-busybox
[ec2-user@ip-172-31-21-42 configFiles]$

Near here: https://github.com/liwenwu-amazon/reinvent2018-NET410/tree/master/kops-kubenet-demo#cluster-that-was-created-using-aws-cloudformation-consists-of-1-master-node-and-2-worker-nodes

Minor typo in kubectl command
kubeclt --> kubectl

aws ec2 describe-network-interfaces --network-interface-ids eni-0f96810f42e4f53e8 --region eu-west-1