Kubernetes (EKS) Fundamentals - In-Depth Guide

ShubhankarDev — Sat, 22 Feb 2025 13:41:25 +0000

Kubernetes (EKS) Fundamentals - In-Depth Guide
This guide will cover everything you need to successfully deploy a secure application on Amazon Elastic Kubernetes Service (EKS) while following AWS best practices.

EKS Cluster Setup To deploy a secure Kubernetes cluster on AWS, you need to: ✅ Set up a VPC with private and public subnets ✅ Create an EKS cluster ✅ Add worker nodes in private subnets ✅ Configure IAM roles and security groups

Step 1: Create a VPC for EKS
AWS Elastic Kubernetes Service (EKS) requires a custom VPC with both public and private subnets across multiple Availability Zones (AZs).

You can create the VPC manually or use eksctl:

eksctl create cluster \ --name my-eks-cluster \ --region us-east-1 \ --vpc-private-subnets subnet-abc123,subnet-def456 \ --without-nodegroup
This command creates:

An EKS cluster in us-east-1
Private subnets for worker nodes
No default node group (so we manually add worker nodes later)
Step 2: Create an EKS Node Group in Private Subnets
Worker nodes must only exist in private subnets (no public IPs).
Use eksctl to create a private node group:

eksctl create nodegroup \ --cluster my-eks-cluster \ --name private-nodes \ --node-type t3.medium \ --nodes 2 \ --nodes-min 2 \ --nodes-max 4 \ --node-private-networking
This provisions 2 worker nodes in private subnets.
The --node-private-networking flag ensures no public IPs.
✅ Now your EKS cluster has worker nodes only accessible within the VPC.

Kubernetes Manifests (Deployments, Services, Ingress) What are Kubernetes Manifests? A manifest file is a YAML file that defines Kubernetes resources like:

Deployments (to run applications)
Services (to expose applications inside the cluster)
Ingress (to expose applications externally via ALB)
Step 1: Create a Deployment
We deploy an Nginx web app using a Deployment manifest:

`yaml

apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-app
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80`
Creates 2 replicas of Nginx
Labels help services find this deployment
Ports define where the container listens
Apply the deployment:

kubectl apply -f deployment.yaml
Step 2: Create a Service
A Service allows other Kubernetes components to access the Deployment:

`yaml

apiVersion: v1
kind: Service
metadata:
name: nginx-service
spec:
selector:
app: nginx
ports:
- protocol: TCP
port: 80
targetPort: 80
type: NodePort`
This exposes Nginx internally within the cluster.
Apply the service:

kubectl apply -f service.yaml

Step 3: Configure an Ingress with AWS ALB
To expose the service externally via ALB, use an Ingress manifest:

yaml

apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: nginx-ingress annotations: alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]' alb.ingress.kubernetes.io/ssl-redirect: "443" alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:your-certificate-arn spec: rules: - host: myapp.example.com http: paths: - path: / pathType: Prefix backend: service: name: nginx-service port: number: 80
Uses AWS ALB for external traffic
Redirects HTTP (80) to HTTPS (443)
Uses an SSL certificate from ACM
Apply the ingress:

kubectl apply -f ingress.yaml
Now your app is publicly accessible over HTTPS via the ALB.

AWS ALB Ingress Controller AWS provides an Ingress Controller that integrates ALB with Kubernetes.

Step 1: Install ALB Ingress Controller
Using helm:

helm repo add eks https://aws.github.io/eks-charts helm install aws-load-balancer-controller eks/aws-load-balancer-controller \ --set clusterName=my-eks-cluster \ --set serviceAccount.create=false \ --set serviceAccount.name=aws-load-balancer-controller
Step 2: Verify Deployment

kubectl get pods -n kube-system
✅ You should see aws-load-balancer-controller running.

Now, Ingress rules will automatically create and configure an ALB.

Kubernetes Network Policies By default, all pods can communicate with each other. To restrict intra-cluster communication, use NetworkPolicy rules.

Step 1: Restrict Pod Communication
Example: Only allow ALB → Nginx, block other traffic.

`yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: nginx-network-policy
spec:
podSelector:
matchLabels:
app: nginx
policyTypes:

Ingress ingress:
from:
- ipBlock: cidr: 10.0.0.0/16 ports:
- protocol: TCP port: 80` Blocks all pod-to-pod traffic except from ALB. Ensures that only the Load Balancer can reach Nginx. Apply the policy:

`sh

kubectl apply -f network-policy.yaml`
Final Steps
✅ Check ALB

`sh

aws elbv2 describe-load-balancers`
✅ Check Deployment

`sh

kubectl get pods
kubectl get svc
kubectl get ingress`
✅ Test HTTPS Visit: https://myapp.example.com

Should only be accessible over HTTPS
HTTP should redirect to HTTPS
🚀 Summary
✔ EKS Cluster Setup with private worker nodes
✔ Kubernetes Manifests (Deployments, Services, Ingress)
✔ ALB Ingress Controller to expose applications
✔ Network Policies to restrict communication

DEV Community: ShubhankarDev

Kubernetes (EKS) Fundamentals - In-Depth Guide