Menu Close

Istio on Amazon EKS

Amazon EKS is a managed service which setups and manages the Kubernetes control plane. Kubernetes control plane spans across multiple Availability zones for the high availability. In Amazon EKS, worker nodes need to be deployed separately and configured with the Amazon EKS cluster. Kubectl can be used to manage the cluster. It also require the AWS IAM Authenticator for Kubernetes to allow IAM authentication for the Kubernetes cluster

In this example, CLI method of launching Amazon EKS cluster will be used and CloudFormation will be used for the worker nodes.


  1. Create a VPC or use default VPC with two public subnets and a security group with no inbound rules. Everything will be deployed in public subnet for this demo.

Note down the <VPC ID>, <SUBNET ID01>, <SUBNET ID02>, <SG ID>

  • Create an IAM role for the kubernetes cluster. This role will be used by the kubernetes cluster to launch the AWS resources.

In the IAM console, select RoleàEKSà Allows EKS to manage clusters on your behalf. Use the default existing polices. 

Note down the <ROLE ARN>:  arn:aws:iam::<12345678900>:role/ISTIODEMO

  1. Amazon EKS needs many utilities, so launch a micro Amazon Linux instance with a role and below policy. Ensure awscli is updated to the latest version and “aws eks” command is available.


  • Kubectl utility .  Refer installing kubectl section below.
    • aws-iam-authenticator utility. Refer installing aws-iam-authenticator.

Stage 1: Installing Kubectl

Kubernetes uses kubectl command-line utility for communicating with the cluster API server

  1. Download the Amazon EKS-vended kubectl binary from Amazon S3:

curl -o kubectl

  • Run the following commands

chmod +x ./kubectl

mkdir $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$HOME/bin:$PATH

echo ‘export PATH=$HOME/bin:$PATH’ >> ~/.bashrc

kubectl version –short –client

Stage 2: Installing aws-iam-authenticator

A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster

1. Download the Amazon EKS-vended aws-iam-authenticator binary from Amazon S3:

curl -o aws-iam-authenticator

2. Run the following commands

chmod +x ./aws-iam-authenticator

cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator

aws-iam-authenticator help

Stage 3: Launching Amazon EKS Cluster

  1. Use the below command to launch the Amazon EKS Cluster

aws eks create-cluster –name <CLUSTER NAME> –role-arn <ROLE ARN> –resources-vpc-config subnetIds=<SUBNET ID01>, <SUBNET ID02>,securityGroupIds=<SG ID>

<CLUSTER NAME>= istio-demo

  1. Use the below command to check the status of the cluster.

aws eks describe-cluster –name <CLUSTER NAME> –query cluster.status

  1. Ensure cluster state is “Active” and then proceed further.
  • Update kubeconfig by running the  AWS CLI update-kubeconfig command. Default kubeconfig path (.kube/config) in the home directory

aws eks update-kubeconfig –name <CLUSTER NAME>

  • Test the configuration by running the below command. Command should return the cluster details.

kubectl get svc

Stage 4: Launching Worker nodes

Ensure cluster status is ACTIVE before launching the worker nodes.

  1. Launch the CloudFormation template in the below link with the required details.

ClusterName <CLUSTER NAME>. Ensure same name which is used while launching cluster is used or else worker nodes will not join with the cluster
ClusterControlPlaneSecurityGroup <SG ID>
NodeGroupName istioworker. Enter any required name.
NodeAutoScalingGroupMinSize 1
NodeAutoScalingGroupMaxSize 2
NodeInstanceType t2.medium
NodeImageId ami-0a0b913ef3249b655 Use the Amazon EKS-optimized AMI be provided by Amazon  
VpcId <VPC ID>
Subnets <SUBNET ID01>, <SUBNET ID02>
BootstrapArguments Empty
  1. Worker node CloudFormation creates an autoscaling group and launches the worker instances. Note down the NodeInstanceRole name attached to the worker nodes from the CloudFormation output. 

Stage 5: Enabling worker nodes to join cluster

  1. Download the AWS IAM Authenticator configuration map

curl -O

  • Update the <ARN of instance role (not instance profile)> with NodeInstanceRole
  1. Run the below command to apply the configuration

kubectl apply -f aws-auth-cm.yaml

  1. Check the status of the worker nodes using the below command.  On successful joining, nodes will be listed and wait for the status to be Ready to proceed further.

Now, Amazon EKS master and worker cluster nodes are successfully launched and running, Follow the Istio installation and configuration posted earlier in article Configure Istio Service Mesh in GKE

Posted in Uncategorized

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *