Before starting, attach the following managed policy to the EKS node group's IAM role:
CloudWatchAgentServerPolicy
Creating the CloudWatch Insights role
CLUSTER_NAME=""
# Namespace and name of the ServiceAccount the CloudWatch agent will run as; both must match serviceaccount.yaml
NAMESPACE=""
SERVICE_ACCOUNT="wngnl-cloudwatch-agent"
OIDC_ID=$(aws eks describe-cluster --name "$CLUSTER_NAME" --query "cluster.identity.oidc.issuer" --output text | sed 's|https://||')
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
OIDC_ARN="arn:aws:iam::$ACCOUNT_ID:oidc-provider/$OIDC_ID"
# Trust policy: only this cluster's OIDC provider may assume the role, and only with a token whose
# sub claim names the agent's ServiceAccount. IRSA tokens carry the sub claim in the form
# system:serviceaccount:<namespace>:<serviceaccount>, so a bare ServiceAccount name never matches.
aws iam create-role --role-name wngnl_CloudWatch_Insight_Role --assume-role-policy-document "{
  \"Version\": \"2012-10-17\",
  \"Statement\": [
    {
      \"Effect\": \"Allow\",
      \"Principal\": {
        \"Federated\": \"${OIDC_ARN}\"
      },
      \"Action\": \"sts:AssumeRoleWithWebIdentity\",
      \"Condition\": {
        \"StringEquals\": {
          \"${OIDC_ID}:aud\": \"sts.amazonaws.com\",
          \"${OIDC_ID}:sub\": \"system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT}\"
        }
      }
    }
  ]
}"
# Attach the PowerUserAccess policy
# Note: CloudWatchAgentServerPolicy alone covers what the agent needs to publish metrics and logs.
# PowerUserAccess and CloudWatchFullAccess grant far more than that, and any pod that can obtain this
# ServiceAccount's token inherits them; attach only CloudWatchAgentServerPolicy unless something else
# in the cluster depends on the wider permissions.
aws iam attach-role-policy --role-name wngnl_CloudWatch_Insight_Role --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
aws iam attach-role-policy --role-name wngnl_CloudWatch_Insight_Role --policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
aws iam attach-role-policy --role-name wngnl_CloudWatch_Insight_Role --policy-arn arn:aws:iam::aws:policy/CloudWatchFullAccess
Downloading the YAML manifests
wget https://raw.githubusercontent.com/wngnl-dev/AWS/main/EKS/CloudWatch/Insight/configmap.yaml
wget https://raw.githubusercontent.com/wngnl-dev/AWS/main/EKS/CloudWatch/Insight/serviceaccount.yaml
wget https://raw.githubusercontent.com/wngnl-dev/AWS/main/EKS/CloudWatch/Insight/daemonset.yaml
Confirm that the cluster appears under CloudWatch > Insights > Container Insights > Cluster overview.
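The cluster only shows up in Container Insights once the agent pods can actually assume the role, which depends on the trust policy's sub condition and the ServiceAccount annotation lining up. The POSIX shell script below is an added example, not code from the original post or from the wngnl-dev repository: it checks that a trust policy pins the audience to sts.amazonaws.com and the sub claim to the full IRSA subject (no bare ServiceAccount name, no wildcard), and that the ServiceAccount's eks.amazonaws.com/role-arn annotation points at the role. The function names, the sample OIDC id, the account id 111122223333 and the namespace amazon-cloudwatch in the constructed sample policies are my assumptions; check_live is the only part that talks to AWS and the cluster, and the offline samples exercise the same checks.

```shell
#!/bin/sh
# Added verification helpers; this is not code from the original post.
# Assumptions: the role and ServiceAccount names are those used in the steps above and the
# namespace is whatever serviceaccount.yaml declares; the OIDC id, account id and namespace
# "amazon-cloudwatch" in the constructed sample policies below are made up for the offline run.

# sub claim that an IRSA token for namespace $1 and ServiceAccount $2 carries.
irsa_subject() {
    printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# 0 when trust policy JSON ($1) pins "<oidc_id>:sub" ($2) to exactly the ServiceAccount $4 in namespace $3.
trust_policy_pins_subject() {
    expected=$(irsa_subject "$3" "$4")
    printf '%s\n' "$1" | grep -q "\"$2:sub\": *\"$expected\""
}

# 0 when trust policy JSON ($1) pins "<oidc_id>:aud" ($2) to sts.amazonaws.com.
trust_policy_pins_audience() {
    printf '%s\n' "$1" | grep -q "\"$2:aud\": *\"sts.amazonaws.com\""
}

# 0 when the sub condition carries a wildcard; under StringLike that lets every ServiceAccount
# matching the pattern assume the role, not just the agent's.
trust_policy_sub_has_wildcard() {
    printf '%s\n' "$1" | grep -q "\"$2:sub\": *\"[^\"]*\*"
}

# 0 when the eks.amazonaws.com/role-arn annotation value ($1) is non-empty and equals the role ARN ($2).
sa_annotation_matches_role() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live check (needs aws CLI and kubectl pointed at the cluster): $1 role name, $2 OIDC id,
# $3 namespace, $4 ServiceAccount name. Prints each finding and returns non-zero on any failure.
check_live() {
    policy=$(aws iam get-role --role-name "$1" --query 'Role.AssumeRolePolicyDocument' --output json)
    role_arn=$(aws iam get-role --role-name "$1" --query 'Role.Arn' --output text)
    annotation=$(kubectl -n "$3" get serviceaccount "$4" \
        -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}')
    rc=0
    trust_policy_pins_audience "$policy" "$2" || { echo "FAIL: aud not pinned to sts.amazonaws.com"; rc=1; }
    trust_policy_pins_subject "$policy" "$2" "$3" "$4" || { echo "FAIL: sub not pinned to $(irsa_subject "$3" "$4")"; rc=1; }
    trust_policy_sub_has_wildcard "$policy" "$2" && { echo "FAIL: sub condition contains a wildcard"; rc=1; }
    sa_annotation_matches_role "$annotation" "$role_arn" || { echo "FAIL: annotation is '$annotation', expected $role_arn"; rc=1; }
    return $rc
}

# --- constructed samples so this file can be run offline ---
SAMPLE_OIDC_ID="oidc.eks.ap-northeast-2.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
SAMPLE_ROLE_ARN="arn:aws:iam::111122223333:role/wngnl_CloudWatch_Insight_Role"

# Builds a trust policy whose sub condition value is $1 under condition operator $2.
sample_policy() {
    printf '{\n  "Version": "2012-10-17",\n  "Statement": [{\n    "Effect": "Allow",\n'
    printf '    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/%s"},\n' "$SAMPLE_OIDC_ID"
    printf '    "Action": "sts:AssumeRoleWithWebIdentity",\n    "Condition": {"%s": {\n' "$2"
    printf '      "%s:aud": "sts.amazonaws.com",\n' "$SAMPLE_OIDC_ID"
    printf '      "%s:sub": "%s"\n    }}\n  }]\n}\n' "$SAMPLE_OIDC_ID" "$1"
}

SAMPLE_GOOD_POLICY=$(sample_policy "system:serviceaccount:amazon-cloudwatch:wngnl-cloudwatch-agent" StringEquals)
SAMPLE_BARE_NAME_POLICY=$(sample_policy "wngnl-cloudwatch-agent" StringEquals)   # bare name: never matches a real token
SAMPLE_WILDCARD_POLICY=$(sample_policy "system:serviceaccount:amazon-cloudwatch:*" StringLike)

# $1 label, $2 policy text: report whether the sub condition is pinned to the agent's ServiceAccount.
report() {
    if trust_policy_pins_subject "$2" "$SAMPLE_OIDC_ID" amazon-cloudwatch wngnl-cloudwatch-agent \
        && ! trust_policy_sub_has_wildcard "$2" "$SAMPLE_OIDC_ID"; then
        echo "$1: sub pinned to the agent ServiceAccount"
    else
        echo "$1: sub NOT pinned to the agent ServiceAccount"
    fi
}
report good "$SAMPLE_GOOD_POLICY"
report bare-name "$SAMPLE_BARE_NAME_POLICY"
report wildcard "$SAMPLE_WILDCARD_POLICY"
```

Against a real cluster, call check_live with the role name, the OIDC id from the role-creation step, the namespace and the ServiceAccount name; the bare-name sample reproduces the failure mode where the role exists but no agent token can ever satisfy its trust policy.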