
EKS CloudWatch Insight

wngnl05 2024. 12. 27. 15:02


Before you start, add the following policy to the EKS NodeGroup IAM role.

CloudWatchAgentServerPolicy

Create the CloudWatch Insight role

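# Set these before running. NAMESPACE and SERVICE_ACCOUNT must match serviceaccount.yaml;
# the default SERVICE_ACCOUNT is the name from the original policy and is assumed to be the ServiceAccount name.
CLUSTER_NAME=""
NAMESPACE=""
SERVICE_ACCOUNT="wngnl-cloudwatch-agent"
# OIDC issuer of the cluster, without the https:// prefix
OIDC_ID=$(aws eks describe-cluster --name "$CLUSTER_NAME" --query "cluster.identity.oidc.issuer" --output text | sed 's|https://||')
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
OIDC_ARN="arn:aws:iam::$ACCOUNT_ID:oidc-provider/$OIDC_ID"
# Trust policy: only tokens issued for this ServiceAccount may assume the role.
# The sub claim of an EKS service account token is system:serviceaccount:<namespace>:<name>.
aws iam create-role --role-name wngnl_CloudWatch_Insight_Role --assume-role-policy-document "{
    \"Version\": \"2012-10-17\",
    \"Statement\": [
        {
            \"Effect\": \"Allow\",
            \"Principal\": {
                \"Federated\": \"${OIDC_ARN}\"
            },
            \"Action\": \"sts:AssumeRoleWithWebIdentity\",
            \"Condition\": {
                \"StringEquals\": {
                    \"${OIDC_ID}:aud\": \"sts.amazonaws.com\",
                    \"${OIDC_ID}:sub\": \"system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT}\"
                }
            }
        }
    ]
}"
# Attach the policies. CloudWatchAgentServerPolicy is the AWS managed policy for the CloudWatch agent;
# PowerUserAccess and CloudWatchFullAccess grant much broader access than that.
aws iam attach-role-policy --role-name wngnl_CloudWatch_Insight_Role --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
aws iam attach-role-policy --role-name wngnl_CloudWatch_Insight_Role --policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
aws iam attach-role-policy --role-name wngnl_CloudWatch_Insight_Role --policy-arn arn:aws:iam::aws:policy/CloudWatchFullAccess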
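
A check for trust policies like the one created above, added here as an example and not part of the original post: it reports web-identity statements whose aud or sub condition would not bind the role to a single Kubernetes service account. The issuer, account ID and the amazon-cloudwatch namespace are constructed sample values, and the function names are hypothetical.

```python
import re

# Shape of the sub claim in tokens EKS issues to pods.
SUB_RE = re.compile(r"^system:serviceaccount:[a-z0-9-]+:[a-z0-9.-]+$")

# Constructed sample issuer (the value $OIDC_ID would hold); not a real cluster.
SAMPLE_ISSUER = "oidc.eks.ap-northeast-2.amazonaws.com/id/EXAMPLE0000"


def sample_policy(sub):
    """Build a constructed trust policy; sub=None omits the sub condition."""
    equals = {f"{SAMPLE_ISSUER}:aud": "sts.amazonaws.com"}
    if sub is not None:
        equals[f"{SAMPLE_ISSUER}:sub"] = sub
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{SAMPLE_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": equals},
    }]}


def lint_irsa_trust(policy, issuer):
    """Return findings for every web-identity statement in a trust policy dict."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if equals.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = equals.get(f"{issuer}:sub")
        if subs is None:
            findings.append(f"statement {i}: no StringEquals on sub, so the role is "
                            "not bound to one service account")
            continue
        for sub in [subs] if isinstance(subs, str) else subs:
            if not SUB_RE.match(sub):
                findings.append(f"statement {i}: sub {sub!r} is not "
                                "system:serviceaccount:<namespace>:<name>")
    return findings


if __name__ == "__main__":
    for sub in ("system:serviceaccount:amazon-cloudwatch:wngnl-cloudwatch-agent",
                "wngnl-cloudwatch-agent", None):
        print(sub, "->", lint_irsa_trust(sample_policy(sub), SAMPLE_ISSUER) or "ok")
```

To check a live role, load the JSON printed by `aws iam get-role --role-name wngnl_CloudWatch_Insight_Role --query Role.AssumeRolePolicyDocument` and pass it to `lint_irsa_trust` together with the value of `$OIDC_ID`.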

 

Download the YAML files

wget https://raw.githubusercontent.com/wngnl-dev/AWS/main/EKS/CloudWatch/Insight/configmap.yaml
wget https://raw.githubusercontent.com/wngnl-dev/AWS/main/EKS/CloudWatch/Insight/serviceaccount.yaml
wget https://raw.githubusercontent.com/wngnl-dev/AWS/main/EKS/CloudWatch/Insight/daemonset.yaml

Check that the cluster appears under CloudWatch > Insights > Container Insights > Cluster overview.