# aws

worried-xylophone-86184

06/16/2022, 2:34 AM
Hi all! Is there a way to provision private EKS clusters (EKS clusters within private subnets having NAT Gateways attached to them) using the Pulumi EKS package? I am able to bring up the cluster, but it fails with the below traceback and does not move forward with NodeGroup provisioning.
error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: Get "https://URL.eks.amazonaws.com/openapi/v2?timeout=32s": dial tcp 10.1.3.211:443: i/o timeout

billowy-army-68599

06/16/2022, 2:45 AM
Hey Sushant, there's a lot of stuff this could be, unfortunately. Security groups configured correctly? Route tables configured properly?

worried-xylophone-86184

06/16/2022, 4:39 AM
Hey Lee! Thanks for getting back. Security group-wise I haven't configured anything, assuming that pulumi_eks will bring it up accordingly. Route table-wise I have created new route tables for the private subnets, which have the 0.0.0.0/0 traffic routed to NAT Gateways (public, in the public subnet).
This is the code
import pulumi_aws
import pulumi_eks as eks

# cluster_name, node_group_name, stack_name, vpc_id, private_subnets (a dict of
# name -> subnet id) and eks_ec2_role (an IAM role for the worker nodes) are
# defined earlier in the program and are not shown here.

# Private-only cluster: the API server endpoint is reachable only from inside
# the VPC, so whatever runs `pulumi up` must be able to reach that private IP.
eks_cluster = eks.Cluster(
    cluster_name,
    name=cluster_name,
    private_subnet_ids=list(private_subnets.values()),
    tags={"Name": cluster_name, "Stack": stack_name},
    vpc_id=vpc_id,
    version="1.21",
    instance_role=eks_ec2_role,
    endpoint_public_access=False,
    endpoint_private_access=True,
    node_associate_public_ip_address=True,
    skip_default_node_group=True,
)

# Managed node group placed in the same private subnets; the cluster's core
# data is passed so the node group attaches to this cluster.
node_group = eks.ManagedNodeGroup(
    node_group_name,
    cluster=eks_cluster.core,
    capacity_type="SPOT",
    instance_types=["t3a.medium"],
    node_group_name=node_group_name,
    node_role=eks_ec2_role,
    tags={"Name": cluster_name, "Stack": stack_name},
    subnet_ids=list(private_subnets.values()),
    scaling_config=pulumi_aws.eks.NodeGroupScalingConfigArgs(
        desired_size=1,
        min_size=1,
        max_size=3,
    ),
)
This is what the pulumi up output is

billowy-army-68599

06/16/2022, 3:23 PM
@worried-xylophone-86184 that IP address is a private IP in one of your subnets?

worried-xylophone-86184

06/16/2022, 3:32 PM
Yes

polite-napkin-90098

06/16/2022, 4:52 PM
It's been a wee while since I made this work for me, but the most obvious difference between my cluster block and yours is the serviceRole I have created and added to the cluster command. The other thing to be aware of is that you will need various VPC Endpoints to make the cluster work in a private subnet. https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html should have all the details

billowy-army-68599

06/16/2022, 5:04 PM
I bet it's the VPC Endpoints, good find @polite-napkin-90098!