terraform.examples/EksIp6Nginxpod

Post-install steps

Create the LBC service account (the aws-load-balancer-controller-sa that the Helm release below is told to reuse)

kubectl apply -f 1-lbc.yaml

Install AWS Load Balancer Controller in EKS

helm repo add eks https://aws.github.io/eks-charts
helm repo update

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=xpk-eks01-sunbird \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller-sa

Check that the controller deployment rolled out, then follow its logs while the Ingress is being reconciled:

kubectl -n kube-system get deployment aws-load-balancer-controller

kubectl logs -n kube-system deployment/aws-load-balancer-controller -f

Allow web traffic to nodes

Inbound port 80 must be allowed on the EKS nodes' security groups; otherwise the ALB cannot reach the nginx pods and its registered targets never become healthy. Scope the source to the ALB (its security group, or the VPC CIDRs it sits in) rather than 0.0.0.0/0, so the nodes are not exposed beyond the load balancer. This is now done in main.tf.
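The weak rule beside the scoped one, as an added Terraform example that is not the repo's main.tf. The references module.eks.node_security_group_id, var.vpc_ipv4_cidr and var.vpc_ipv6_cidr are assumptions about how the surrounding configuration names its cluster module and VPC ranges.

```hcl
# Added example, not the repo's own code. module.eks.node_security_group_id,
# var.vpc_ipv4_cidr and var.vpc_ipv6_cidr are assumed names.

# Weak form: port 80 on every worker node open to the whole internet. The
# ALB is the only legitimate client, so this over-exposes the nodes.
# resource "aws_vpc_security_group_ingress_rule" "http_from_anywhere" {
#   security_group_id = module.eks.node_security_group_id
#   cidr_ipv4         = "0.0.0.0/0"
#   from_port         = 80
#   to_port           = 80
#   ip_protocol       = "tcp"
# }

# Scoped form: the ALB's ENIs live inside the VPC, so only VPC-sourced
# traffic needs to reach the pods on port 80. One rule per address family,
# because the cluster is dual-stack and ip-mode targets may be IPv6 pods.
resource "aws_vpc_security_group_ingress_rule" "alb_to_pods_http_v4" {
  security_group_id = module.eks.node_security_group_id
  description       = "ALB -> nginx pods (IPv4)"
  cidr_ipv4         = var.vpc_ipv4_cidr
  from_port         = 80
  to_port           = 80
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_ingress_rule" "alb_to_pods_http_v6" {
  security_group_id = module.eks.node_security_group_id
  description       = "ALB -> nginx pods (IPv6)"
  cidr_ipv6         = var.vpc_ipv6_cidr
  from_port         = 80
  to_port           = 80
  ip_protocol       = "tcp"
}
```

If the ALB's security group is created outside the controller and attached through the alb.ingress.kubernetes.io/security-groups annotation, the two CIDR rules can be replaced by a single rule whose referenced_security_group_id is that group, so nothing else in the VPC can reach the pods directly.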

Testing

Three consecutive requests to the ALB hostname were answered by three different nginx pods, so the ALB is distributing traffic across the backends:

curl k8s-default-nginxing-a42064aa7e-1786392641.ap-east-1.elb.amazonaws.com
<h1>Web Server nginx-web-f5988bf66-9lghc - Unique ID: </h1><p>Deployed on EKS Wed Feb 11 09:46:41 UTC 2026</p>

curl k8s-default-nginxing-a42064aa7e-1786392641.ap-east-1.elb.amazonaws.com
<h1>Web Server nginx-web-f5988bf66-6ptff - Unique ID: </h1><p>Deployed on EKS Wed Feb 11 09:46:41 UTC 2026</p>

curl k8s-default-nginxing-a42064aa7e-1786392641.ap-east-1.elb.amazonaws.com
<h1>Web Server nginx-web-f5988bf66-tw6rr - Unique ID: </h1><p>Deployed on EKS Wed Feb 11 09:46:45 UTC 2026</p>

Notes on IPv6

EKS could not be deployed on IPv6-only private subnets. The cluster subnets must be dual-stack: even for an IPv6 cluster, EKS assigns IPv4 addresses to the network interfaces it creates for the control plane, and CreateCluster rejects any AZ in which no subnet has at least two free IPv4 addresses. The attempt returned the following error:

Error: creating EKS Cluster (xpk-eks01-akita): operation error EKS: CreateCluster, https response error StatusCode: 400, 
RequestID: b25794cc-3220-4393-a435-c92e2f8aafdd, InvalidParameterException: Atleast one subnet in each AZ should have 2 free IPs. 
Invalid AZs: { [ap-east-1c, ap-east-1b] }, provided subnets: { subnet-02aaf75a3e4700f74, subnet-02071b29e2883d5b1 }

Notes on KMS key

I tried using the AWS managed key alias/aws/secretsmanager for EKS secrets encryption, but cluster creation failed. The key policy of an AWS managed key is fixed by AWS and only lets principals in the account use the key through the owning service (a kms:ViaService condition, here for Secrets Manager), so the EKS control plane cannot obtain the kms:CreateGrant it needs to wrap the secrets data key. EKS envelope encryption therefore needs a symmetric customer managed key whose key policy allows the cluster role.

  encryption_config = {
    provider_key_arn = "arn:aws:kms:${data.aws_region.this.id}:${data.aws_caller_identity.current.account_id}:alias/aws/secretsmanager"
    resources        = ["secrets"]
  }

Error: creating EKS Cluster (xpk-eks01-vervet): operation error EKS: CreateCluster, https response error StatusCode: 400, RequestID:
0b866e07-352a-439c-9196-f7a671bdd0ee, api error InvalidRequestException: User not authorized to perform kms:CreateGrant operation

When I used create_kms_key = true (the eks module creates a customer managed key instead), the cluster was created successfully; in the generated key policy the EKS cluster role is explicitly allowed.
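What such a key policy looks like when written by hand, as an added Terraform example that is not the repo's code and not the module's generated policy. It assumes the cluster IAM role is managed separately as aws_iam_role.eks_cluster (so the key can reference the role without a dependency cycle) and that the cluster is created with the module inputs shown in the trailing comment; those names and the alias are assumptions.

```hcl
# Added example, not the repo's code. aws_iam_role.eks_cluster and the
# resource/alias names are assumptions.

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "eks_secrets_key" {
  # Account root keeps administrative control so the key can never be orphaned.
  statement {
    sid       = "RootAccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Cryptographic operations the control plane performs on the secrets data key.
  statement {
    sid = "EksClusterRoleUse"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.eks_cluster.arn]
    }
  }

  # The call that failed against the AWS managed key. Constrained so the role
  # can only create grants on behalf of an AWS service, not for arbitrary grantees.
  statement {
    sid       = "EksClusterRoleGrants"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.eks_cluster.arn]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "eks_secrets" {
  description             = "EKS secrets envelope encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.eks_secrets_key.json
}

resource "aws_kms_alias" "eks_secrets" {
  name          = "alias/eks-secrets"
  target_key_id = aws_kms_key.eks_secrets.key_id
}

# Module inputs equivalent to the failing snippet above, now pointing at the
# customer managed key with the module's own key creation turned off.
# module "eks" {
#   create_kms_key = false
#   encryption_config = {
#     provider_key_arn = aws_kms_key.eks_secrets.arn
#     resources        = ["secrets"]
#   }
# }
```

The kms:GrantIsForAWSResource condition is the part worth keeping when adapting this: it lets EKS create the grant it needs while preventing the cluster role from handing out grants on the key to anything that is not an AWS service.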