Prerequisites for using Windows Nodes with EKS Cluster
The prerequisites for using Windows nodes with EKS cluster are as follows:
- An existing VPC and security group that meets the requirement for an Amazon EKS cluster.
- An EKS cluster. Your cluster must have at least one Linux node (we recommend at least two) or Fargate pod to run CoreDNS.
- The cluster must be running one of the Kubernetes versions and platform versions listed in the following table.

  Kubernetes version   Platform version
  1.24                 eks.2
  1.23                 eks.1
  1.22                 eks.1
  1.21                 eks.3
  1.20                 eks.3
  1.19                 eks.7

- Once your cluster is active, update the vpc-cni add-on to the latest version available for your Kubernetes version (for example, for Kubernetes 1.21, use v1.11.4-eksbuild.1).
- Update the coredns add-on to the latest version available for your Kubernetes version (for example, for Kubernetes 1.21, use v1.8.4-eksbuild.2).
- An existing Amazon EKS cluster IAM role to create the cluster.
- An existing IAM role (example: AWS_EKS_WINNODE_IAM_ROLE) with the necessary policy attached (example: AWS-EKS-WINNODE-IAM-POLICY) to execute the CloudFormation stack that launches the Windows self-managed nodes.
Sample policy (AWS-EKS-WINNODE-IAM-POLICY.json):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "ec2:Describe*",
        "ec2:List*",
        "kms:DescribeKey",
        "logs:PutRetentionPolicy",
        "eks:*",
        "kms:CreateGrant",
        "iam:GetRole",
        "ec2:CreateLaunchTemplate",
        "iam:GetInstanceProfile",
        "ec2:CreateSecurityGroup",
        "ec2:RunInstances",
        "ec2:GetConsoleOutput"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "eks.amazonaws.com",
            "eks-nodegroup.amazonaws.com",
            "cloudformation.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "autoscaling.amazonaws.com",
            "ec2scheduled.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "transitgateway.amazonaws.com",
            "cloudformation.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:TagRole",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeletePolicy",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "ssm:GetParameter",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:GetRole",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:DeleteOpenIDConnectProvider",
        "iam:DeleteInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:DeleteRole",
        "ssm:GetParameters",
        "iam:ListInstanceProfiles",
        "iam:CreateOpenIDConnectProvider",
        "iam:CreatePolicy",
        "iam:ListPolicyVersions",
        "iam:GetOpenIDConnectProvider",
        "iam:TagOpenIDConnectProvider",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::385481138434:policy/eksctl-*",
        "arn:aws:iam::385481138434:oidc-provider/*",
        "arn:aws:iam::385481138434:role/eksctl-*",
        "arn:aws:iam::385481138434:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
        "arn:aws:iam::385481138434:instance-profile/eksctl-*",
        "arn:aws:iam::385481138434:role/*",
        "arn:aws:iam::385481138434:instance-profile/*",
        "arn:aws:ssm:*:385481138434:parameter/aws/*",
        "arn:aws:ssm:*::parameter/aws/*"
      ]
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": "iam:GetRole",
      "Resource": "arn:aws:iam::385481138434:role/*"
    }
  ]
}
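The sample policy above grants several service-wide wildcards (cloudformation:*, eks:*, autoscaling:*) on Resource "*" and scopes iam:PassRole and iam:CreateRole to role/* alongside the narrower role/eksctl-* pattern, which is the kind of grant a least-privilege review would flag before the policy is attached to the stack execution role. The script below is an added example, not part of the original page or of any AWS tooling: it walks the Statement list of a policy document and reports three classes of finding. The embedded POLICY_JSON is a constructed, abbreviated copy of the sample with the account id replaced by a placeholder, and the rule names (service-wide-wildcard, privilege-grant-unscoped, redundant-resource) are this example's own conventions.

```python
"""Least-privilege review of an IAM policy document (added example)."""
import fnmatch
import json

# Constructed, abbreviated copy of the sample policy; <ACCOUNT_ID> is a placeholder.
POLICY_JSON = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["cloudformation:*", "eks:*", "autoscaling:*",
                "ec2:Describe*", "ec2:RunInstances", "iam:GetRole"],
     "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:AWSServiceName": ["eks.amazonaws.com"]}}},
    {"Sid": "VisualEditor3", "Effect": "Allow",
     "Action": ["iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy", "ssm:GetParameter"],
     "Resource": ["arn:aws:iam::<ACCOUNT_ID>:role/eksctl-*",
                  "arn:aws:iam::<ACCOUNT_ID>:role/*",
                  "arn:aws:ssm:*::parameter/aws/*"]}
  ]
}
'''

# Actions that hand privileges to another principal; a wildcard resource on
# these turns a "deployer" role into an effective account administrator.
PRIVILEGE_GRANTING = {"iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy",
                      "iam:PutRolePolicy", "iam:CreatePolicy"}


def load_sample_policy():
    """Parse the embedded sample so callers (and tests) get a plain dict."""
    return json.loads(POLICY_JSON)


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def _is_wildcard_resource(resource):
    # "*" itself, or an IAM ARN whose resource part is just "*" (role/*, instance-profile/*).
    return (resource == "*"
            or resource.endswith(":role/*")
            or resource.endswith(":instance-profile/*"))


def review_policy(policy):
    """Return a list of (sid, rule, detail) findings for the Allow statements."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        has_condition = "Condition" in stmt
        for action in actions:
            # "service:*" on Resource "*" with no Condition: every API of that service.
            if action.endswith(":*") and "*" in resources and not has_condition:
                findings.append((sid, "service-wide-wildcard", action))
            # Privilege-granting action whose resource list includes an unscoped ARN.
            if action in PRIVILEGE_GRANTING:
                broad = [r for r in resources if _is_wildcard_resource(r)]
                if broad:
                    findings.append((sid, "privilege-grant-unscoped", f"{action} on {broad[0]}"))
        # A narrow ARN pattern listed next to a wider one that already matches it
        # (role/eksctl-* beside role/*) signals the narrow scope was never enforced.
        for r in resources:
            if r != "*" and any(r != other and fnmatch.fnmatchcase(r, other) for other in resources):
                findings.append((sid, "redundant-resource", r))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'service-wide-wildcard': 3, ...}."""
    counts = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_policy(load_sample_policy())
    for sid, rule, detail in results:
        print(f"{sid:15} {rule:26} {detail}")
    print(summarize(results))
```

Run it as a pre-attach check in the pipeline that creates the execution role; on the sample above it reports three service-wide wildcards in VisualEditor0, three unscoped privilege grants in VisualEditor3 (all against role/*), and one redundant role/eksctl-* pattern that the role/* entry already covers. Tightening means dropping role/* and instance-profile/* so that the eksctl-* patterns actually bound what the stack can pass or create, and replacing service-wide wildcards with the specific cloudformation, eks and autoscaling actions the stack calls.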