Prerequisites for using Windows Nodes with EKS Cluster
The prerequisites for using Windows nodes with an EKS cluster are as follows:
- An existing VPC and security group that meet the requirements for an Amazon EKS cluster.
- An EKS cluster. Your cluster must have at least one Linux node (we recommend at least two) or Fargate pod to run CoreDNS.
- The cluster must be running one of the Kubernetes versions and platform versions listed in the following table.

| Kubernetes version | Platform version |
|---|---|
| 1.24 | eks.2 |
| 1.23 | eks.1 |
| 1.22 | eks.1 |
| 1.21 | eks.3 |
| 1.20 | eks.3 |
| 1.19 | eks.7 |
- Once your cluster is active, update the vpc-cni add-on to the latest version available for your Kubernetes version (for example, for Kubernetes 1.21, use v1.11.4-eksbuild.1).
- Update the coredns add-on to the latest version available for your Kubernetes version (for example, for Kubernetes 1.21, use v1.8.4-eksbuild.2).
- An existing Amazon EKS cluster IAM role to create the cluster.
- An existing IAM role (example: AWS_EKS_WINNODE_IAM_ROLE) with the necessary policy attached (example: AWS-EKS-WINNODE-IAM-POLICY) to execute the CloudFormation stack that launches the Windows self-managed nodes.

Sample Policy: AWS-EKS-WINNODE-IAM-POLICY.json

The sample below is written for account 385481138434; replace that with your own account ID. It is also broad: VisualEditor0 grants cloudformation:*, elasticloadbalancing:*, autoscaling:*, cloudwatch:* and eks:* on every resource, and VisualEditor3 grants iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy and iam:PassRole on role/*, which together let whoever holds the role create a role with any policy and pass it to the instances it launches. Narrow the role, policy and instance-profile ARNs to the prefixes the stack actually creates (the eksctl-* entries already listed) before using it outside a test account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "ec2:Describe*",
        "ec2:List*",
        "kms:DescribeKey",
        "logs:PutRetentionPolicy",
        "eks:*",
        "kms:CreateGrant",
        "iam:GetRole",
        "ec2:CreateLaunchTemplate",
        "iam:GetInstanceProfile",
        "ec2:CreateSecurityGroup",
        "ec2:RunInstances",
        "ec2:GetConsoleOutput"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "eks.amazonaws.com",
            "eks-nodegroup.amazonaws.com",
            "cloudformation.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "autoscaling.amazonaws.com",
            "ec2scheduled.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "transitgateway.amazonaws.com",
            "cloudformation.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:TagRole",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeletePolicy",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "ssm:GetParameter",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:GetRole",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:DeleteOpenIDConnectProvider",
        "iam:DeleteInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:DeleteRole",
        "ssm:GetParameters",
        "iam:ListInstanceProfiles",
        "iam:CreateOpenIDConnectProvider",
        "iam:CreatePolicy",
        "iam:ListPolicyVersions",
        "iam:GetOpenIDConnectProvider",
        "iam:TagOpenIDConnectProvider",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::385481138434:policy/eksctl-*",
        "arn:aws:iam::385481138434:oidc-provider/*",
        "arn:aws:iam::385481138434:role/eksctl-*",
        "arn:aws:iam::385481138434:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
        "arn:aws:iam::385481138434:instance-profile/eksctl-*",
        "arn:aws:iam::385481138434:role/*",
        "arn:aws:iam::385481138434:instance-profile/*",
        "arn:aws:ssm:*:385481138434:parameter/aws/*",
        "arn:aws:ssm:*::parameter/aws/*"
      ]
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": "iam:GetRole",
      "Resource": "arn:aws:iam::385481138434:role/*"
    }
  ]
}
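The following Python script is an added example, not AWS documentation or EKS project code, that turns the prerequisites above into pre-flight checks: it compares a cluster's Kubernetes/platform version pair against the table, picks the newest add-on build whose compatibility list contains your Kubernetes version (a plain string comparison would rank v1.9.3 above v1.11.4, which is why the sort key is numeric), builds the matching aws eks update-addon call, and flags the broad grants in the node-launch policy. The cluster record, the describe-addon-versions response and the policy excerpt are constructed samples that follow the shapes of `aws eks describe-cluster`, `aws eks describe-addon-versions` and an IAM policy document; the cluster name win-demo and account ID 111122223333 are placeholders, and the add-on versions and statement contents are taken from the text above.

```python
"""Pre-flight checks for the Windows-node prerequisites listed above
(added example; standard library only, runs offline on sample input)."""
import json
import re

# Minimum platform version per Kubernetes version, taken from the table above.
MIN_PLATFORM = {"1.24": 2, "1.23": 1, "1.22": 1, "1.21": 3, "1.20": 3, "1.19": 7}

# IAM actions that, granted on role/*, let the holder mint and pass any role.
RISKY_IAM_ACTIONS = {"iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy",
                     "iam:PutRolePolicy"}


def platform_ok(cluster):
    """True if a `describe-cluster` record meets the table's minimum platform version."""
    m = re.fullmatch(r"eks\.(\d+)", cluster.get("platformVersion", ""))
    minimum = MIN_PLATFORM.get(cluster.get("version"))
    return bool(m) and minimum is not None and int(m.group(1)) >= minimum


def version_key(addon_version):
    """Numeric sort key for add-on versions such as 'v1.11.4-eksbuild.1'."""
    m = re.fullmatch(r"v(\d+)\.(\d+)\.(\d+)-eksbuild\.(\d+)", addon_version)
    if not m:
        raise ValueError(f"unexpected add-on version format: {addon_version}")
    return tuple(int(x) for x in m.groups())


def latest_addon_version(describe_output, k8s_version):
    """Newest add-on build whose compatibilities list k8s_version, from the
    output of `aws eks describe-addon-versions --addon-name <name>`."""
    candidates = [
        av["addonVersion"]
        for addon in describe_output["addons"]
        for av in addon["addonVersions"]
        if any(c["clusterVersion"] == k8s_version for c in av["compatibilities"])
    ]
    return max(candidates, key=version_key) if candidates else None


def update_addon_command(cluster_name, addon_name, addon_version):
    """The CLI call that applies the chosen add-on version."""
    return (f"aws eks update-addon --cluster-name {cluster_name} "
            f"--addon-name {addon_name} --addon-version {addon_version}")


def policy_findings(policy):
    """Flag Allow statements that grant a whole service ('svc:*') on Resource '*',
    or role-creation/PassRole actions on every role in the account (role/*)."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        sid = st.get("Sid", "<no Sid>")
        if "*" in resources:
            findings += [f"{sid}: {a} on Resource '*'" for a in actions if a.endswith(":*")]
        if any(r.endswith(":role/*") for r in resources):
            findings += [f"{sid}: {a} on every role (role/*)"
                         for a in actions if a in RISKY_IAM_ACTIONS]
    return findings


# --- Constructed sample inputs (not captured API output). ---
SAMPLE_CLUSTER = {"name": "win-demo", "version": "1.21", "platformVersion": "eks.3"}

# Deliberately unsorted, so the numeric key (not list order) picks the winner.
SAMPLE_ADDON_VERSIONS = {"addons": [{"addonName": "vpc-cni", "addonVersions": [
    {"addonVersion": "v1.11.4-eksbuild.1",
     "compatibilities": [{"clusterVersion": v} for v in ("1.21", "1.22", "1.23", "1.24")]},
    {"addonVersion": "v1.9.3-eksbuild.1",
     "compatibilities": [{"clusterVersion": v} for v in ("1.19", "1.20", "1.21")]},
    {"addonVersion": "v1.10.4-eksbuild.1",
     "compatibilities": [{"clusterVersion": v} for v in ("1.20", "1.21", "1.22")]},
    {"addonVersion": "v1.11.2-eksbuild.1",
     "compatibilities": [{"clusterVersion": v} for v in ("1.21", "1.22", "1.23")]},
]}]}

# Excerpt of the sample policy above, with the placeholder account 111122223333.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["cloudformation:*", "eks:*", "ec2:Describe*", "ec2:RunInstances"],
     "Resource": "*"},
    {"Sid": "VisualEditor3", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole", "iam:GetRole"],
     "Resource": ["arn:aws:iam::111122223333:role/eksctl-*",
                  "arn:aws:iam::111122223333:role/*"]}
  ]
}""")

if __name__ == "__main__":
    print("platform version ok:", platform_ok(SAMPLE_CLUSTER))
    chosen = latest_addon_version(SAMPLE_ADDON_VERSIONS, SAMPLE_CLUSTER["version"])
    print(update_addon_command(SAMPLE_CLUSTER["name"], "vpc-cni", chosen))
    for finding in policy_findings(SAMPLE_POLICY):
        print("policy:", finding)
```

Against a real cluster, feed `platform_ok` the `cluster` object from `aws eks describe-cluster --name <name> --output json`, and `latest_addon_version` the output of `aws eks describe-addon-versions --addon-name vpc-cni` (and again for coredns). `policy_findings` is a coarse screen, not a substitute for IAM Access Analyzer; it exists to make the two findings on this page's sample policy (service-wide wildcards on every resource, and role creation plus PassRole on role/*) visible before the role is created.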