DevOps

[AWS EKS] (19) EKS Study Week 7 (Fargate)

Written from the material prepared for the CloudNet@ team's EKS study, AEWS 2nd cohort.

From installing Terraform to deploying EC2

  • Install Homebrew, then Terraform
# official Homebrew installer (review the script before piping it into bash)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Terraform from HashiCorp's own tap
brew tap hashicorp/tap && brew install hashicorp/tap/terraform
mzc01-kook@MZC01-KOOK ~ % terraform version
Terraform v1.3.2
on darwin_arm64

Your version of Terraform is out of date! The latest version
is 1.5.4. You can update by downloading from https://www.terraform.io/downloads.html
  • Install the aws cli
# macOS
$ brew install awscli

# Linux
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install


# check the aws cli version
aws --version
aws-cli/2.7.31 Python/3.10.7 Darwin/21.6.0 source/x86_64 prompt/off

# try the aws cli (fails with "Unable to locate credentials" until credentials are configured)
aws s3 ls

---
# Set credentials with aws configure: option 1
aws configure
... >> enter access key, secret key, default region and output format

aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************DYFF shared-credentials-file
secret_key     ****************m7Za shared-credentials-file
    region           ap-northeast-2      config-file    ~/.aws/config

# Set credentials with environment variables: option 2
# The key pair below is the example key from the AWS documentation, not a real one.
# Exported keys land in shell history and in every child process; outside a
# throwaway lab prefer a profile in ~/.aws/credentials or short-lived credentials.
Linux or macOS
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2

# disable the pager
export AWS_PAGER=""

# try the aws cli again
aws s3 ls
  • Install tools that are handy for the lab: watch, jq, tree, etc.
# macOS
brew install tree jq watch

# Linux
sudo apt install -y tree jq
  • Check the default VPC
aws ec2 describe-vpcs --filter 'Name=isDefault,Values=true' | jq
{
...

aws ec2 describe-vpcs --filter 'Name=isDefault,Values=true' | jq '.Vpcs[0].VpcId'
"vpc-3912a952"


# example: aws ec2 describe-subnets --filter 'Name=vpc-id,Values=vpc-3912a952' --output table
aws ec2 describe-subnets --filter 'Name=vpc-id,Values=vpc-<your VPC ID>' --output table

 

  • Create a working directory and move into it
# any directory you like will do
mkdir t101-1week-ec2
cd t101-1week-ec2
  • Find the latest Amazon Linux AMI id: ami-0a0064415cdedc552 → this changes often, so look it up via SSM
#aws ec2 describe-images --owners self amazon
aws ec2 describe-images --owners self amazon --query 'Images[*].[ImageId]' --output text

aws ssm get-parameters-by-path --path /aws/service/ami-amazon-linux-latest
aws ssm get-parameters-by-path --path /aws/service/ami-amazon-linux-latest --query "Parameters[].Name"
aws ssm get-parameters-by-path --path /aws/service/ami-amazon-linux-latest --query "Parameters[].Value"
  • Monitor EC2 creation
# [terminal 1] monitor EC2 creation
export AWS_PAGER=""
while true; do aws ec2 describe-instances --query "Reservations[*].Instances[*].{PublicIPAdd:PublicIpAddress,InstanceName:Tags[?Key=='Name']|[0].Value,Status:State.Name}" --filters Name=instance-state-name,Values=running --output text ; echo "------------------------------" ; sleep 1; done



Introduction to Amazon EKS Blueprints for Terraform

Considerations

  • EKS Blueprints for Terraform are not intended to be consumed as-is directly from this project. → not meant to be used unchanged
  • In "Terraform speak" - the patterns and snippets provided in this repository are not designed to be consumed as a Terraform module. → the patterns and snippets are not designed to be consumed as a Terraform module
  • Therefore, the patterns provided only contain variables when certain information is required to deploy the pattern (i.e. - a Route53 hosted zone ID, or ACM certificate ARN) and generally use local variables. If you wish to deploy the patterns into a different region or with other changes, it is recommended that you make those modifications locally before applying the pattern. → changes are normally made in the locals block; a variables block is used only where specific information is required (a Route53 hosted zone ID, etc.)
  • EKS Blueprints for Terraform will not expose variables and outputs in the same manner that Terraform modules follow in order to avoid confusion around the consumption model. → to avoid confusion about the consumption model, variables and outputs are exposed as little as possible

What is Fargate?

  • Serverless containers: a fully managed container service
  • You only deploy the container image
  • No EC2 worker nodes to manage; Fargate runs the pods
  • No Cluster Autoscaler needed, and VM-level isolation is possible (VM isolation at pod level)
  • A Fargate profile (the subnets the pods use, plus namespace and label selectors) decides which pods run on Fargate
  • The EKS scheduler decides which node a pod runs on based on these conditions, or the placement can be specified explicitly

 

AWS EKS Fargate characteristics

  • Advantages of using AWS EKS with Fargate
  • No EC2 to manage, and no need for the Cluster Autoscaler
  • Can reduce cost
  • VM-level isolation
  • Existing applications can move to Fargate without changes

  • Disadvantages of using AWS EKS with Fargate
  • A resource cap exists (historically 4 vCPU / 30 GB; the current size table further down goes up to 16 vCPU / 120 GB)
  • Stateful workloads are not supported (no EBS-backed persistent volumes; EFS is the only supported persistent storage)
  • No DaemonSets, and no privileged pods
  • NLB / classic ELB with instance targets are not possible (?): Fargate pods can only be load balancer targets of type ip, as the ALB example below uses

 

Let's deploy Fargate with Terraform

  • Clone aws-eks-blueprints
#
git clone https://github.com/aws-ia/terraform-aws-eks-blueprints
tree terraform-aws-eks-blueprints/patterns
cd terraform-aws-eks-blueprints/patterns/fargate-serverless

  • Edit main.tf (region changed to ap-northeast-2, the VPC CIDR and the Fargate profile selectors)
provider "aws" {
  region = local.region
}

provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    # This requires the awscli to be installed locally where Terraform is executed
    args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
  }
}

provider "helm" {
  kubernetes {
    host                   = module.eks.cluster_endpoint
    cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "aws"
      # This requires the awscli to be installed locally where Terraform is executed
      args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
    }
  }
}

data "aws_availability_zones" "available" {
  # Do not include local zones
  filter {
    name   = "opt-in-status"
    values = ["opt-in-not-required"]
  }
}

locals {
  name     = basename(path.cwd)
  region   = "ap-northeast-2"

  vpc_cidr = "10.10.0.0/16"
  azs      = slice(data.aws_availability_zones.available.names, 0, 3)

  tags = {
    Blueprint  = local.name
    GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
  }
}

################################################################################
# Cluster
################################################################################

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.11"

  cluster_name                   = local.name
  cluster_version                = "1.30"
  cluster_endpoint_public_access = true

  # Give the Terraform identity admin access to the cluster
  # which will allow resources to be deployed into the cluster
  enable_cluster_creator_admin_permissions = true

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  # Fargate profiles use the cluster primary security group so these are not utilized
  create_cluster_security_group = false
  create_node_security_group    = false

  fargate_profiles = {
    study_wildcard = {
      selectors = [
        { namespace = "study-*" }
      ]
    }
    kube_system = {
      name = "kube-system"
      selectors = [
        { namespace = "kube-system" }
      ]
    }
  }

  fargate_profile_defaults = {
    iam_role_additional_policies = {
      additional = module.eks_blueprints_addons.fargate_fluentbit.iam_policy[0].arn
    }
  }

  tags = local.tags
}

################################################################################
# EKS Blueprints Addons
################################################################################

module "eks_blueprints_addons" {
  source  = "aws-ia/eks-blueprints-addons/aws"
  version = "~> 1.16"

  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  cluster_version   = module.eks.cluster_version
  oidc_provider_arn = module.eks.oidc_provider_arn

  # We want to wait for the Fargate profiles to be deployed first
  create_delay_dependencies = [for prof in module.eks.fargate_profiles : prof.fargate_profile_arn]

  # EKS Add-ons
  eks_addons = {
    coredns = {
      configuration_values = jsonencode({
        computeType = "Fargate"
        # Ensure that we fully utilize the minimum amount of resources that are supplied by
        # Fargate https://docs.aws.amazon.com/eks/latest/userguide/fargate-pod-configuration.html
        # Fargate adds 256 MB to each pod's memory reservation for the required Kubernetes
        # components (kubelet, kube-proxy, and containerd). Fargate rounds up to the following
        # compute configuration that most closely matches the sum of vCPU and memory requests in
        # order to ensure pods always have the resources that they need to run.
        resources = {
          limits = {
            cpu = "0.25"
            # We are targeting the smallest Task size of 512Mb, so we subtract 256Mb from the
            # request/limit to ensure we can fit within that task
            memory = "256M"
          }
          requests = {
            cpu = "0.25"
            # We are targeting the smallest Task size of 512Mb, so we subtract 256Mb from the
            # request/limit to ensure we can fit within that task
            memory = "256M"
          }
        }
      })
    }
    vpc-cni    = {}
    kube-proxy = {}
  }

  # Enable Fargate logging. This may generate a large amount of logs; disable it if not explicitly required
  enable_fargate_fluentbit = true
  fargate_fluentbit = {
    flb_log_cw = true
  }

  enable_aws_load_balancer_controller = true
  aws_load_balancer_controller = {
    set = [
      {
        name  = "vpcId"
        value = module.vpc.vpc_id
      },
      {
        name  = "podDisruptionBudget.maxUnavailable"
        value = 1
      },
    ]
  }

  tags = local.tags
}

################################################################################
# Supporting Resources
################################################################################

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"

  name = local.name
  cidr = local.vpc_cidr

  azs             = local.azs
  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]

  enable_nat_gateway = true
  single_nat_gateway = true

  public_subnet_tags = {
    "kubernetes.io/role/elb" = 1
  }

  private_subnet_tags = {
    "kubernetes.io/role/internal-elb" = 1
  }

  tags = local.tags
}
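
The subnet arithmetic in the vpc module above, as an added example that is not code from the blueprint or the study: it reimplements Terraform's cidrsubnet() with Python's ipaddress module, reproduces the three private /20s and three public /24s the locals produce, checks that none of them overlap, and maps the node and endpoint IPs printed further down this page back to their subnets. The IP addresses in the usage block are the ones from the kubectl output below; everything else is standard library.

```python
"""Reproduce the subnet layout main.tf computes with cidrsubnet().

Added example, not part of the original notes or of the blueprint.
Terraform's cidrsubnet(prefix, newbits, netnum) extends the prefix by
newbits bits and returns the netnum-th block; ipaddress.subnets() does
the same split.
"""
import ipaddress

VPC_CIDR = "10.10.0.0/16"
AZ_COUNT = 3  # slice(data.aws_availability_zones.available.names, 0, 3)


def cidrsubnet(prefix: str, newbits: int, netnum: int) -> str:
    """Same semantics as Terraform's cidrsubnet()."""
    net = ipaddress.ip_network(prefix)
    for i, block in enumerate(net.subnets(prefixlen_diff=newbits)):
        if i == netnum:
            return str(block)
    raise ValueError(f"netnum {netnum} is out of range for {prefix} +{newbits} bits")


def vpc_layout(vpc_cidr: str = VPC_CIDR, az_count: int = AZ_COUNT) -> dict:
    """private = cidrsubnet(cidr, 4, k); public = cidrsubnet(cidr, 8, k + 48)."""
    return {
        "private_subnets": [cidrsubnet(vpc_cidr, 4, k) for k in range(az_count)],
        "public_subnets": [cidrsubnet(vpc_cidr, 8, k + 48) for k in range(az_count)],
    }


def no_overlap(layout: dict) -> bool:
    """True when no two subnets in the layout overlap (netnum 48 keeps the /24s clear of the /20s)."""
    nets = [ipaddress.ip_network(c) for cidrs in layout.values() for c in cidrs]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def subnet_of(ip: str, layout: dict) -> str:
    """Return '<private|public> <cidr>' for the subnet an address falls in, or 'none'."""
    addr = ipaddress.ip_address(ip)
    for kind, cidrs in layout.items():
        for cidr in cidrs:
            if addr in ipaddress.ip_network(cidr):
                return f"{kind.split('_')[0]} {cidr}"
    return "none"


if __name__ == "__main__":
    layout = vpc_layout()
    print(layout)                      # the subnets the vpc module will create
    print("no overlap:", no_overlap(layout))
    # node IPs and kubernetes endpoint IPs taken from the kubectl output on this page
    for ip in ("10.10.20.69", "10.10.4.50", "10.10.21.253", "10.10.32.164"):
        print(ip, "->", subnet_of(ip, layout))
```

Every Fargate node and both API server endpoint ENIs land in the private /20s, which is what `subnet_ids = module.vpc.private_subnets` in the eks module asks for; the public /24s exist only for the internet-facing ALB created later.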

 

  • terraform init -> terraform apply
# init
terraform init
tree .terraform
cat .terraform/modules/modules.json | jq
tree .terraform/providers/registry.terraform.io/hashicorp -L 2

# plan
terraform plan
# deploy: EKS, add-ons, Fargate profiles - takes about 13 minutes
terraform apply -target="module.eks" -auto-approve
terraform apply -target="module.eks_blueprints_addons" -auto-approve
terraform apply -auto-approve


# verify after the deployment completes
terraform state list
module.eks.data.aws_caller_identity.current
...

terraform output
...

# EKS credentials (write the kubeconfig)
$(terraform output -raw configure_kubectl) # aws eks --region ap-northeast-2 update-kubeconfig --name fargate-serverless
cat ~/.kube/config

# change the kubectl context (kubectl ctx is the krew ctx plugin)
kubectl ctx
kubectl config rename-context "arn:aws:eks:ap-northeast-2:$(aws sts get-caller-identity --query 'Account' --output text):cluster/fargate-serverless" "fargate-lab"

# check k8s node and pod info
kubectl ns default
kubectl cluster-info
kubectl get node
kubectl get pod -A

# detailed info
terraform show
...
terraform state list
terraform state show 'module.eks.aws_eks_cluster.this[0]'
terraform state show 'module.eks.data.tls_certificate.this[0]'
terraform state show 'module.eks.aws_cloudwatch_log_group.this[0]'
terraform state show 'module.eks.aws_eks_access_entry.this["cluster_creator"]'
terraform state show 'module.eks.aws_iam_openid_connect_provider.oidc_provider[0]'
terraform state show 'module.eks.data.aws_partition.current'
terraform state show 'module.eks.aws_iam_policy.cluster_encryption[0]'
terraform state show 'module.eks.aws_iam_role.this[0]'

terraform state show 'module.eks.time_sleep.this[0]'
terraform state show 'module.eks.module.kms.aws_kms_key.this[0]'
terraform state show 'module.eks.module.fargate_profile["kube_system"].aws_eks_fargate_profile.this[0]'
...
  • Check basic info
# Added new context arn:aws:eks:ap-northeast-2:xx:cluster/fargate-serverless to /Users/kpkim/.kube/config
# write the kubeconfig so kubectl can reach the EKS cluster

aws eks --region ap-northeast-2 update-kubeconfig --name fargate-serverless

# check contexts
kubectl config get-contexts 
CURRENT   NAME                                                                 CLUSTER                                                              AUTHINFO                                                             NAMESPACE
          admin                                                                arn:aws:eks:ap-northeast-2:015609516422:cluster/myeks                admin                                                                
*         arn:aws:eks:ap-northeast-2:015609516422:cluster/fargate-serverless   arn:aws:eks:ap-northeast-2:015609516422:cluster/fargate-serverless   arn:aws:eks:ap-northeast-2:015609516422:cluster/fargate-serverless   
          arn:aws:iam::015609516422:user/Ted                                   arn:aws:eks:ap-northeast-2:015609516422:cluster/myeks                arn:aws:iam::015609516422:user/Ted                                   
          babo                                                                 kind-myk8s                                                           kind-myk8s                                                           
          kind-myk8s                                                           kind-myk8s                                                           kind-myk8s                                                           

# check the k8s api service: the ENDPOINTS IPs are the two EKS-owned ENIs
kubectl get svc,ep
NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   172.20.0.1   <none>        443/TCP   42m

NAME                   ENDPOINTS                           AGE
endpoints/kubernetes   10.10.21.253:443,10.10.32.164:443   42m

kubectl get node -owide                                                                          

NAME                                                      STATUS   ROLES    AGE   VERSION               INTERNAL-IP    EXTERNAL-IP   OS-IMAGE         KERNEL-VERSION                  CONTAINER-RUNTIME
fargate-ip-10-10-20-69.ap-northeast-2.compute.internal    Ready    <none>   35m   v1.30.8-eks-2d5f260   10.10.20.69    <none>        Amazon Linux 2   5.10.234-225.910.amzn2.x86_64   containerd://1.7.25
fargate-ip-10-10-21-254.ap-northeast-2.compute.internal   Ready    <none>   35m   v1.30.8-eks-2d5f260   10.10.21.254   <none>        Amazon Linux 2   5.10.234-225.910.amzn2.x86_64   containerd://1.7.25
fargate-ip-10-10-23-55.ap-northeast-2.compute.internal    Ready    <none>   35m   v1.30.8-eks-2d5f260   10.10.23.55    <none>        Amazon Linux 2   5.10.234-225.910.amzn2.x86_64   containerd://1.7.25
fargate-ip-10-10-4-50.ap-northeast-2.compute.internal     Ready    <none>   35m   v1.30.8-eks-2d5f260   10.10.4.50     <none>        Amazon Linux 2   5.10.234-225.910.amzn2.x86_64   containerd://1.7.25
  • Pod IP and node IP are the same
# check pods: each pod's IP equals its node's IP. Every Fargate pod runs on its own dedicated VM that registers as a node, so there are as many fargate-ip-* nodes as pods

kubectl get pod -A -owide

NAMESPACE     NAME                                            READY   STATUS    RESTARTS   AGE   IP             NODE                                                      NOMINATED NODE   READINESS GATES
kube-system   aws-load-balancer-controller-57f5fc875b-gmrwt   1/1     Running   0          42m   10.10.20.69    fargate-ip-10-10-20-69.ap-northeast-2.compute.internal    <none>           <none>
kube-system   aws-load-balancer-controller-57f5fc875b-vcz79   1/1     Running   0          42m   10.10.21.254   fargate-ip-10-10-21-254.ap-northeast-2.compute.internal   <none>           <none>
kube-system   coredns-64696d8b7f-5vhdw                        1/1     Running   0          42m   10.10.4.50     fargate-ip-10-10-4-50.ap-northeast-2.compute.internal     <none>           <none>
kube-system   coredns-64696d8b7f-f6kpf                        1/1     Running   0          42m   10.10.23.55    fargate-ip-10-10-23-55.ap-northeast-2.compute.inter
  • EC2: there are no EC2 instances! Check EBS and the ENIs (EKS-owned and Fargate-owned)

[Console screenshots: EC2 instances, EBS volumes]

 

Two EKS-owned ENIs are created when the cluster is installed (one is for the kube API server; what is the other? The endpoints/kubernetes output above lists both IPs, so both are API server endpoints in the VPC, one per private subnet/AZ, and the control plane also reaches pods through them for exec/logs and webhooks)
A Fargate-owned ENI is created for every pod that is created

  • kube-ops-view on Fargate
# deploy with helm
helm repo add geek-cookbook https://geek-cookbook.github.io/charts/
helm install kube-ops-view geek-cookbook/kube-ops-view --version 1.2.2 --set env.TZ="Asia/Seoul" --namespace kube-system

# port forwarding
kubectl port-forward deployment/kube-ops-view -n kube-system 8080:8080 &

# access URLs: 1x, 1.5x and 3x scale
echo -e "KUBE-OPS-VIEW URL = http://localhost:8080"
echo -e "KUBE-OPS-VIEW URL = http://localhost:8080/#scale=1.5"
echo -e "KUBE-OPS-VIEW URL = http://localhost:8080/#scale=3"

open "http://127.0.0.1:8080/#scale=1.5" # macOS

  • netshoot pod on Fargate
Fargate pod sizes (requests plus the 256 MB overhead are rounded up to one of these combinations):

| vCPU value | Memory value |
| --- | --- |
| 0.25 vCPU | 0.5 GB, 1 GB, 2 GB |
| 0.5 vCPU | 1 GB, 2 GB, 3 GB, 4 GB |
| 1 vCPU | 2 GB, 3 GB, 4 GB, 5 GB, 6 GB, 7 GB, 8 GB |
| 2 vCPU | Between 4 GB and 16 GB in 1-GB increments |
| 4 vCPU | Between 8 GB and 30 GB in 1-GB increments |
| 8 vCPU | Between 16 GB and 60 GB in 4-GB increments |
| 16 vCPU | Between 32 GB and 120 GB in 8-GB increments |

# create the namespace (it matches the study-* selector of the Fargate profile)
kubectl create ns study-aews

# create the netshoot test deployment: 0.5 vCPU / 1 GB gets provisioned from the requests plus the 256 MB overhead, so the limits below have no effect on sizing. Roughly time how long the pod takes to start!
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: netshoot
  namespace: study-aews
spec:
  replicas: 1
  selector:
    matchLabels:
      app: netshoot
  template:
    metadata:
      labels:
        app: netshoot
    spec:
      containers:
      - name: netshoot
        image: nicolaka/netshoot
        command: ["tail"]
        args: ["-f", "/dev/null"]
        resources: 
          requests:
            cpu: 500m
            memory: 500Mi
          limits:
            cpu: 2
            memory: 2Gi
      terminationGracePeriodSeconds: 0
EOF
kubectl get events -w --sort-by '.lastTimestamp'

# check: what capacity was provisioned for the pod?
kubectl get pod -n study-aews -o wide
kubectl get pod -n study-aews -o jsonpath='{.items[0].metadata.annotations.CapacityProvisioned}'
0.5vCPU 1GB

# deployment details (the template still says default-scheduler)
kubectl get deploy -n study-aews netshoot -o yaml
...
  template:
    ...
    spec:
      ...
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 0
...

# pod details: admission control rewrote the pod (fargate-scheduler, the CapacityProvisioned and Logging annotations, system-node-critical priority)
kubectl get pod -n study-aews -l app=netshoot -o yaml
...
  metadata:
    annotations:
      CapacityProvisioned: 0.5vCPU 1GB
      Logging: LoggingEnabled
    ...
    preemptionPolicy: PreemptLowerPriority
    priority: 2000001000
    priorityClassName: system-node-critical
    restartPolicy: Always
    schedulerName: fargate-scheduler
    ...
    qosClass: Burstable

# pod events
kubectl describe pod -n study-aews -l app=netshoot | grep Events: -A10

# the webhooks that did the rewriting
kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io
kubectl describe mutatingwebhookconfigurations 0500-amazon-eks-fargate-mutation.amazonaws.com
kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io

# open a zsh shell in the pod and inspect
kubectl exec -it deploy/netshoot -n study-aews -- zsh
-----------------------------------------------------
ip -c a
cat /etc/resolv.conf
curl ipinfo.io/ip # which IP is shown, and through what path does the traffic reach the internet? (the pod is in a private subnet, so it is the EIP of the single NAT gateway from the vpc module)
ping -c 1 <another pod IP, e.g. a coredns pod IP>
lsblk
df -hT /
cat /etc/fstab
exit
-----------------------------------------------------
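
The sizing rule behind the CapacityProvisioned annotation, as an added example that is not code from the study or from AWS: it sums the container requests, adds the 256 MB overhead quoted in main.tf, and rounds up to the smallest combination in the size table above. Taking the larger of the biggest init container and the sum of the app containers, separately for CPU and memory, is my reading of the documented rule rather than something the page states; the Container dataclass and all sample requests are constructed for the example.

```python
"""Estimate the Fargate size (the CapacityProvisioned annotation) for a pod.

Added example, not part of the original notes. Rule: sum the container
requests, add 256 MB for the Kubernetes components Fargate runs beside
the pod, then round up to the smallest vCPU/memory combination in the
Fargate size table. Sizes are handled in MiB.
"""
from dataclasses import dataclass

OVERHEAD_MIB = 256

# vCPU -> allowed memory sizes in MiB, from the size table on the page
FARGATE_SIZES = {
    0.25: [512, 1024, 2048],
    0.5: [1024, 2048, 3072, 4096],
    1: [gb * 1024 for gb in range(2, 9)],
    2: [gb * 1024 for gb in range(4, 17)],
    4: [gb * 1024 for gb in range(8, 31)],
    8: [gb * 1024 for gb in range(16, 61, 4)],
    16: [gb * 1024 for gb in range(32, 121, 8)],
}

_MEM_UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3,
              "K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}


def parse_cpu(value) -> float:
    """'500m' -> 0.5, '2' -> 2.0 (Kubernetes CPU quantity)."""
    s = str(value)
    return int(s[:-1]) / 1000 if s.endswith("m") else float(s)


def parse_memory_mib(value) -> float:
    """'500Mi' -> 500.0, '256M' -> 244.14, '2Gi' -> 2048.0."""
    s = str(value)
    for suffix in sorted(_MEM_UNITS, key=len, reverse=True):  # try 'Mi' before 'M'
        if s.endswith(suffix):
            return float(s[: -len(suffix)]) * _MEM_UNITS[suffix] / 1024 ** 2
    return float(s) / 1024 ** 2  # plain bytes


@dataclass
class Container:
    """Only the fields that matter for sizing (constructed for this example)."""
    name: str
    cpu: str = "0"      # resources.requests.cpu
    memory: str = "0"   # resources.requests.memory


def fargate_capacity(containers, init_containers=()) -> str:
    """Return the CapacityProvisioned string Fargate would pick, e.g. '0.5vCPU 1GB'."""
    cpu = sum(parse_cpu(c.cpu) for c in containers)
    mem = sum(parse_memory_mib(c.memory) for c in containers)
    # init containers run one after another before the app containers, so the
    # pod needs the larger of (biggest init container) and (sum of app containers)
    for c in init_containers:
        cpu = max(cpu, parse_cpu(c.cpu))
        mem = max(mem, parse_memory_mib(c.memory))
    mem += OVERHEAD_MIB  # kubelet, kube-proxy and containerd on the Fargate side
    for vcpu in sorted(FARGATE_SIZES):
        if vcpu < cpu:
            continue
        for mib in FARGATE_SIZES[vcpu]:
            if mib >= mem:
                return f"{vcpu:g}vCPU {mib / 1024:g}GB"
    raise ValueError(f"requests {cpu} vCPU / {mem:.0f} MiB exceed the largest Fargate size")


if __name__ == "__main__":
    # the netshoot deployment above: requests cpu 500m, memory 500Mi
    print(fargate_capacity([Container("netshoot", "500m", "500Mi")]))
    # coredns as configured in main.tf: cpu 0.25, memory 256M
    print(fargate_capacity([Container("coredns", "0.25", "256M")]))
```

The netshoot pod comes out as 0.5vCPU 1GB (500 MiB + 256 MiB = 756 MiB, rounded up to the 1 GB option of the 0.5 vCPU tier), and the coredns values from main.tf come out as 0.25vCPU 0.5GB, which is exactly why that config subtracts 256 MB from its request: it is targeting the smallest size. A request that fits a tier's CPU but not its largest memory option is pushed into the next tier, so memory requests can raise the CPU you pay for.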

 

You can see the node being scheduled with kubectl get events

  • The pod spec is rewritten by an admission controller (admission runs after authentication and authorization, so this is not an authentication step)

  • mutating webhook / validating webhook

kubectl describe mutatingwebhookconfigurations 0500-amazon-eks-fargate-mutation.amazonaws.com
.......
Name:         0500-amazon-eks-fargate-mutation.amazonaws.com
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  admissionregistration.k8s.io/v1
Kind:         MutatingWebhookConfiguration
Metadata:
  Creation Timestamp:  2025-03-22T02:42:03Z
  Generation:          1
  Resource Version:    1204
  UID:                 0f174b14-d629-4ec4-a381-fd3207723518
Webhooks:
  Admission Review Versions:
    v1beta1
  Client Config:
    Ca Bundle:     LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJYTBpSnl6dytJc2d3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TlRBek1qSXdNak14TURSYUZ3MHpOVEF6TWpBd01qTTJNRFJhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUNldW94WUxEdXRnbS94THJ2cTF3UzhDVElCSGU4WUtWbzhHb05jWUVweHI3UXFUc3hEMTNoTko4dGIKZmN2L0dzSlQwNWplYXlLVEQxVVJuaGRSVzhTQWh3am8wcXdnZndiZWZrS0ZIOWRPN0cxb2pRczZnbXpuV2FzMAo4ODgvU2xYbEVMSVBEa3ZqSmRHb3BKa1pUWkdmZFlaT0FodThIUjd5Z0J6WUVKMDFZaGdhazZzZ3kxOUhMRGpFCkhiaTgwYy9XMmk5bmd3aFdudzh6dWN1b2dJcG8xZTNmdGw0dmorQ3JMdGxmUkp5ZDI3SkNsQmQvTVdpNkRDU0wKeUczb1daOUNSOVNFTDVzUENmeTRRNjRteHN3N3liSFMxaTNKMlRwdm1JMkVYYzkwRlBCNHdmNk84UkV4cWhDRgo2MUxQdXpQRjY0OWJidS8zY3llVUQzMTR6L3pGQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSR01aYlBzYWpDbjdCaHkzNDFyaytWdi85WW9EQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmhNRlVuOHFxMQpvK2NONTBmZitzdWd6ZFdmOWpZdTkvcCsxY1BlVWZOSUc5emhzU1poQkNZTlJmQTNkY2ZrNUpVc0hwVlJOY082Ck1rU1NTaUhZaVNkc3JFUXh3L0NsZ1pmc095a25NODJTMmt6aG5YcTU4bTUwNVNjcVcyUC81TU1XYnVBU1FEMEoKaWF2QzNQWmdEOTFDa04zV2pPSGY4S2Nvb2RuVG9uU002WE1JVWdCMnkxNThodVNrSlowRFBpamw5SnJCbHpHcgpWcVBSV3RKMDdXaHFlNG1YUmlrbEcxWFlJMkFSdnl6T0hTTzk2dkdtZm1JL0JWaGZnYmttWU9QYVU4Wlc3VUhhCi94dGNydW16QzNOWTlBeTIzLzFUMmNoYUpNMFJRMHNDM0g4Q29JY1FVQjh2Y20wWmNwR2FwdDNKMy9VanN6bzMKanpvWGxUUzIzVW5SCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    URL:           https://127.0.0.1:23445/mutate
  Failure Policy:  Ignore
  Match Policy:    Equivalent
  Name:            0500-amazon-eks-fargate-mutation.amazonaws.com
  Namespace Selector:
  Object Selector:
  Reinvocation Policy:  Never
  Rules:
    API Groups:
      *
    API Versions:
      *
    Operations:
      CREATE
    Resources:
      pods
    Scope:          *
  Side Effects:     None
  Timeout Seconds:  5
  Admission Review Versions:
    v1beta1
  Client Config:
    Ca Bundle:     LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJYTBpSnl6dytJc2d3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TlRBek1qSXdNak14TURSYUZ3MHpOVEF6TWpBd01qTTJNRFJhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUNldW94WUxEdXRnbS94THJ2cTF3UzhDVElCSGU4WUtWbzhHb05jWUVweHI3UXFUc3hEMTNoTko4dGIKZmN2L0dzSlQwNWplYXlLVEQxVVJuaGRSVzhTQWh3am8wcXdnZndiZWZrS0ZIOWRPN0cxb2pRczZnbXpuV2FzMAo4ODgvU2xYbEVMSVBEa3ZqSmRHb3BKa1pUWkdmZFlaT0FodThIUjd5Z0J6WUVKMDFZaGdhazZzZ3kxOUhMRGpFCkhiaTgwYy9XMmk5bmd3aFdudzh6dWN1b2dJcG8xZTNmdGw0dmorQ3JMdGxmUkp5ZDI3SkNsQmQvTVdpNkRDU0wKeUczb1daOUNSOVNFTDVzUENmeTRRNjRteHN3N3liSFMxaTNKMlRwdm1JMkVYYzkwRlBCNHdmNk84UkV4cWhDRgo2MUxQdXpQRjY0OWJidS8zY3llVUQzMTR6L3pGQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSR01aYlBzYWpDbjdCaHkzNDFyaytWdi85WW9EQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmhNRlVuOHFxMQpvK2NONTBmZitzdWd6ZFdmOWpZdTkvcCsxY1BlVWZOSUc5emhzU1poQkNZTlJmQTNkY2ZrNUpVc0hwVlJOY082Ck1rU1NTaUhZaVNkc3JFUXh3L0NsZ1pmc095a25NODJTMmt6aG5YcTU4bTUwNVNjcVcyUC81TU1XYnVBU1FEMEoKaWF2QzNQWmdEOTFDa04zV2pPSGY4S2Nvb2RuVG9uU002WE1JVWdCMnkxNThodVNrSlowRFBpamw5SnJCbHpHcgpWcVBSV3RKMDdXaHFlNG1YUmlrbEcxWFlJMkFSdnl6T0hTTzk2dkdtZm1JL0JWaGZnYmttWU9QYVU4Wlc3VUhhCi94dGNydW16QzNOWTlBeTIzLzFUMmNoYUpNMFJRMHNDM0g4Q29JY1FVQjh2Y20wWmNwR2FwdDNKMy9VanN6bzMKanpvWGxUUzIzVW5SCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    URL:           https://127.0.0.1:23445/mutate
  Failure Policy:  Ignore
  Match Policy:    Equivalent
  Name:            0500-amazon-eks-fargate-configmaps-admission.amazonaws.com
  Namespace Selector:
    Match Labels:
      Aws - Observability:  enabled
  Object Selector:
  Reinvocation Policy:  Never
  Rules:
    API Groups:
      *
    API Versions:
      *
    Operations:
      CREATE
      UPDATE
    Resources:
      configmaps
    Scope:          *
  Side Effects:     None
  Timeout Seconds:  5
Events:             <none>
  • validating webhook configuration
Name:         aws-load-balancer-webhook
Namespace:
Labels:       app.kubernetes.io/instance=aws-load-balancer-controller
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=aws-load-balancer-controller
              app.kubernetes.io/version=v2.7.1
              helm.sh/chart=aws-load-balancer-controller-1.7.1
Annotations:  meta.helm.sh/release-name: aws-load-balancer-controller
              meta.helm.sh/release-namespace: kube-system
API Version:  admissionregistration.k8s.io/v1
Kind:         ValidatingWebhookConfiguration
Metadata:
  Creation Timestamp:  2025-03-22T02:43:47Z
  Generation:          1
  Resource Version:    1545
  UID:                 819c41d7-ca2f-4197-a42d-82af5842dea3
Webhooks:
  Admission Review Versions:
    v1beta1
  Client Config:
    Ca Bundle:  ...
    Service:
      Name:        aws-load-balancer-webhook-service
      Namespace:   kube-system
      Path:        /validate-elbv2-k8s-aws-v1beta1-ingressclassparams
      Port:        443
  Failure Policy:  Fail
  Match Policy:    Equivalent
  Name:            vingressclassparams.elbv2.k8s.aws
  Namespace Selector:
  Object Selector:
    Match Expressions:
      Key:       app.kubernetes.io/name
      Operator:  NotIn
      Values:
        aws-load-balancer-controller
  Rules:
    API Groups:
      elbv2.k8s.aws
    API Versions:
      v1beta1
    Operations:
      CREATE
      UPDATE
    Resources:
      ingressclassparams
    Scope:          *
  Side Effects:     None
  Timeout Seconds:  10
  Admission Review Versions:
    v1beta1
  Client Config:
    Ca Bundle:  ...
    Service:
      Name:        aws-load-balancer-webhook-service
      Namespace:   kube-system
      Path:        /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding
      Port:        443
  Failure Policy:  Fail
  Match Policy:    Equivalent
  Name:            vtargetgroupbinding.elbv2.k8s.aws
  Namespace Selector:
  Object Selector:
  Rules:
    API Groups:
      elbv2.k8s.aws
    API Versions:
      v1beta1
    Operations:
      CREATE
      UPDATE
    Resources:
      targetgroupbindings
    Scope:          *
  Side Effects:     None
  Timeout Seconds:  10
  Admission Review Versions:
    v1beta1
  Client Config:
    Ca Bundle:  ...
    Service:
      Name:        aws-load-balancer-webhook-service
      Namespace:   kube-system
      Path:        /validate-networking-v1-ingress
      Port:        443
  Failure Policy:  Fail
  Match Policy:    Equivalent
  Name:            vingress.elbv2.k8s.aws
  Namespace Selector:
  Object Selector:
  Rules:
    API Groups:
      networking.k8s.io
    API Versions:
      v1
    Operations:
      CREATE
      UPDATE
    Resources:
      ingresses
    Scope:          *
  Side Effects:     None
  Timeout Seconds:  10
Events:             <none>


Name:         vpc-resource-validating-webhook
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  admissionregistration.k8s.io/v1
Kind:         ValidatingWebhookConfiguration
Metadata:
  Creation Timestamp:  2025-03-22T02:36:48Z
  Generation:          1
  Resource Version:    1162
  UID:                 8eb3f65e-aa01-45e9-b4b9-b3b85241415c
Webhooks:
  Admission Review Versions:
    v1
  Client Config:
    Ca Bundle:     ...
    URL:           https://127.0.0.1:9443/validate-v1-pod
  Failure Policy:  Ignore
  Match Policy:    Equivalent
  Name:            vpod.vpc.k8s.aws
  Namespace Selector:
  Object Selector:
  Rules:
    API Groups:

    API Versions:
      v1
    Operations:
      CREATE
      UPDATE
    Resources:
      pods
    Scope:          *
  Side Effects:     None
  Timeout Seconds:  5
  Admission Review Versions:
    v1
  Client Config:
    Ca Bundle:     ...
    URL:           https://127.0.0.1:9443/validate-v1-node
  Failure Policy:  Ignore
  Match Policy:    Equivalent
  Name:            vnode.vpc.k8s.aws
  Namespace Selector:
  Object Selector:
  Rules:
    API Groups:

    API Versions:
      v1
    Operations:
      UPDATE
    Resources:
      nodes
    Scope:          *
  Side Effects:     None
  Timeout Seconds:  5
Events:             <none>
  • Admission control is also open to users through webhooks: you can implement your own admission controller. This is called dynamic admission control and comes in two kinds, MutatingWebhook and ValidatingWebhook.
  • A MutatingWebhook lets the cluster operator change values in the request a user submitted (here: schedulerName, the CapacityProvisioned and Logging annotations, the priority class).
  • A ValidatingWebhook lets the cluster operator reject the request a user submitted.
  • Mutating webhooks run before validating ones, so a validating webhook sees the already patched object. Note also the Failure Policy values in the output above: the AWS-managed Fargate and VPC webhooks use Ignore (fail open: if the webhook is unreachable the request proceeds unmodified and unvalidated), while the load balancer controller webhooks use Fail (fail closed). A webhook that enforces a security policy should fail closed.
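
The two webhook kinds above, as an added example that is not the AWS webhook's code: a mutating handler that returns the JSONPatch the API server applies (setting schedulerName and the Logging annotation the way the Fargate mutation rewrote the netshoot pod), a validating handler that rejects privileged containers (which Fargate cannot run), and an admit() that runs them in the API server's order so the validation sees the patched object. The AdmissionReview request at the bottom is constructed and its uid is made up; the real Fargate webhook also sets CapacityProvisioned and the priority, which this toy does not.

```python
"""Minimal dynamic-admission logic modelled on the Fargate webhooks above.

Added example; not the AWS webhook's own code. It builds the
AdmissionReview responses an API server expects from a MutatingWebhook
and a ValidatingWebhook, and chains them the way the API server does:
mutate first, then validate the mutated object.
"""
import base64
import copy
import json

API = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview"}


def _response(uid, allowed, message=None, patch=None):
    """Wrap a decision in the AdmissionReview.response shape."""
    resp = {"uid": uid, "allowed": allowed}
    if message:
        resp["status"] = {"message": message}
    if patch:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {**API, "response": resp}


def mutate(review, fargate_ns_prefix="study-"):
    """MutatingWebhook: send pods matched by the Fargate profile to the fargate scheduler."""
    req = review["request"]
    if req["kind"]["kind"] != "Pod" or not req.get("namespace", "").startswith(fargate_ns_prefix):
        return _response(req["uid"], True)  # not ours: allow unchanged
    pod = req["object"]
    patch = [{"op": "add", "path": "/spec/schedulerName", "value": "fargate-scheduler"}]
    if "annotations" not in pod.get("metadata", {}):
        patch.append({"op": "add", "path": "/metadata/annotations", "value": {}})
    patch.append({"op": "add", "path": "/metadata/annotations/Logging", "value": "LoggingEnabled"})
    return _response(req["uid"], True, patch=patch)


def validate(review):
    """ValidatingWebhook: refuse what Fargate cannot run (privileged containers)."""
    req = review["request"]
    spec = req["object"].get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            return _response(req["uid"], False,
                             message=f"container {c['name']} is privileged; not allowed on Fargate")
    return _response(req["uid"], True)


def apply_patch(obj, encoded_patch):
    """Apply the 'add' ops of a base64 JSONPatch (paths here contain no ~ or / escapes)."""
    out = copy.deepcopy(obj)
    for op in json.loads(base64.b64decode(encoded_patch)):
        assert op["op"] == "add", "only 'add' is needed for mutate()"
        *parents, key = op["path"].lstrip("/").split("/")
        node = out
        for p in parents:
            node = node.setdefault(p, {})
        node[key] = op["value"]
    return out


def admit(review):
    """Mutating webhooks run before validating ones, so validate the patched object."""
    m = mutate(review)
    patched = copy.deepcopy(review)
    if "patch" in m["response"]:
        patched["request"]["object"] = apply_patch(review["request"]["object"], m["response"]["patch"])
    v = validate(patched)
    message = v["response"].get("status", {}).get("message")
    return v["response"]["allowed"], patched["request"]["object"], message


def sample_review(privileged=False):
    """Constructed AdmissionReview for a pod CREATE in the study-aews namespace."""
    return {**API, "request": {
        "uid": "00000000-0000-0000-0000-000000000001",  # made-up uid
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "namespace": "study-aews",
        "operation": "CREATE",
        "object": {"apiVersion": "v1", "kind": "Pod",
                   "metadata": {"name": "netshoot", "namespace": "study-aews"},
                   "spec": {"containers": [{"name": "netshoot", "image": "nicolaka/netshoot",
                                            "securityContext": {"privileged": privileged}}]}},
    }}


if __name__ == "__main__":
    allowed, pod, msg = admit(sample_review())
    print(allowed, pod["spec"]["schedulerName"], pod["metadata"]["annotations"])
    allowed, _, msg = admit(sample_review(privileged=True))
    print(allowed, msg)
```

In a real deployment these two functions sit behind TLS endpoints referenced from a MutatingWebhookConfiguration and a ValidatingWebhookConfiguration with the rules shown above (CREATE on pods); the validating one would be registered with failurePolicy Fail so that an outage cannot let a privileged pod through.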

Fargate ALB deployment + Ingress

  • ALB deployment + Ingress
# deploy the 2048 game Deployment, Service and Ingress
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: study-aews
  name: deployment-2048
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: app-2048
  replicas: 2
  template:
    metadata:
      labels:
        app.kubernetes.io/name: app-2048
    spec:
      containers:
      - image: public.ecr.aws/l6m2t8p7/docker-2048:latest
        imagePullPolicy: Always
        name: app-2048
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  namespace: study-aews
  name: service-2048
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: ClusterIP
  selector:
    app.kubernetes.io/name: app-2048
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: study-aews
  name: ingress-2048
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: service-2048
              port:
                number: 80
EOF


# monitor
watch -d kubectl get pod,ingress,svc,ep,endpointslices -n study-aews

# confirm creation (kubectl get-all is the krew get-all plugin)
kubectl get-all -n study-aews
kubectl get ingress,svc,ep,pod -n study-aews
kubectl get targetgroupbindings -n study-aews

# check the Ingress
kubectl describe ingress -n study-aews ingress-2048
kubectl get ingress -n study-aews ingress-2048 -o jsonpath="{.status.loadBalancer.ingress[*].hostname}{'\n'}"

# play the game: open the ALB address in a browser
kubectl get ingress -n study-aews ingress-2048 -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' | awk '{ print "Game URL = http://"$1 }'

# check pod IPs (target-type ip registers the pod IPs directly in the target group)
kubectl get pod -n study-aews -owide

# scale the pods up
kubectl scale deployment -n study-aews  deployment-2048 --replicas 4

# delete the game lab resources
kubectl delete ingress ingress-2048 -n study-aews
kubectl delete svc service-2048 -n study-aews && kubectl delete deploy deployment-2048 -n study-aews