AWS Amazon EKS Fargate Profile

This page shows how to write Terraform and CloudFormation for Amazon EKS Fargate Profile, and how to write them securely.

aws_eks_fargate_profile (Terraform)

The Fargate Profile in Amazon EKS can be configured in Terraform with the resource name aws_eks_fargate_profile. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

fargate.tf#L1
resource "aws_eks_fargate_profile" "this" {
  count = var.run_on_fargate ? 1 : 0

  cluster_name           = module.eks.cluster_id
  fargate_profile_name   = "default"
  pod_execution_role_arn = aws_iam_role.fargate[0].arn
eks-fargate-profile.tf#L34
resource "aws_eks_fargate_profile" "tv" {
  cluster_name           = aws_eks_cluster.cluster-terraform.name
  fargate_profile_name   = "tv"
  pod_execution_role_arn = aws_iam_role.cluster-terraform-fargate-profile.arn
  subnet_ids             = aws_subnet.priv[*].id
  selector {
eks.tf#L32
resource "aws_eks_fargate_profile" "Gitlab_EKS_fargate_profile" {
  cluster_name            = aws_eks_cluster.EKS_cluster.id
  fargate_profile_name    = "Gitlab_Fargate_Profile"
  pod_execution_role_arn  = aws_iam_role.Gitlab_fargate_profile.arn
  subnet_ids              = module.vpc.private_subnets

main.tf#L18
resource "aws_eks_fargate_profile" "example" {
  cluster_name           = var.clustername
  fargate_profile_name   = var.fargetname
  pod_execution_role_arn = var.rolearnfargate
  subnet_ids             = var.subnetprivatefargate

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages an EKS Fargate Profile.

Tips: Best Practices for The Other AWS Amazon EKS Resources

In addition to the aws_eks_cluster, AWS Amazon EKS has other resources that should be configured with security in mind. Please check the examples of those resources and the precautions below.


aws_eks_cluster

Ensure public access for AWS EKS cluster endpoint is disabled

It is better to disable public access for the AWS EKS cluster endpoint. To reduce the attack surface of the Kubernetes API, it is recommended to disable public endpoint access and to connect to the cluster from within the VPC through the private endpoint.

Review your AWS Amazon EKS settings

In addition to the above, there are other security points you should be aware of. Make sure that your .tf files are checked with Shisho Cloud.

AWS::EKS::FargateProfile (CloudFormation)

The FargateProfile in EKS can be configured in CloudFormation with the resource name AWS::EKS::FargateProfile. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

CSEKSClusterCloudFormation.yaml#L347
    Type: 'AWS::EKS::FargateProfile'
    Properties:
      FargateProfileName: coredns
      ClusterName: !Ref  EKSCluster
      PodExecutionRoleArn: !GetAtt FargatePodExecutionRole.Arn
      Subnets:
eks-fargate.yaml#L332
    Type: 'AWS::EKS::FargateProfile'
    Properties:
      FargateProfileName: cs-x-profile
      ClusterName: !Ref  EKSCluster
      PodExecutionRoleArn: !GetAtt PodExecutionRole.Arn
      Subnets:
eks-fargate.yaml#L16
    Type: AWS::EKS::FargateProfile
    Properties:
      ClusterName: !Sub ${StackNamePrefix}-eks-cluster
      FargateProfileName: !Sub ${AWS::StackName}
      PodExecutionRoleArn:
        Fn::ImportValue: !Sub ${StackNamePrefix}-base-iam-FargatePodExecutionRoleArn
fargate-profile.yaml#L12
    Type: AWS::EKS::FargateProfile
    Properties:
      ClusterName: 'ControlPlane'
      FargateProfileName: 'FargateProfile'
      PodExecutionRoleArn: arn:aws:iam::710836223938:role/AmazonEKSFargatePodExecutionRole
      Selectors:
cfnMagmaEksFargate.json#L314
      "Type": "AWS::EKS::FargateProfile",
      "Properties": {
          "ClusterName": { "Ref": "clusterMagmaEks"},
          "FargateProfileName": "profileFargateDefault",
          "PodExecutionRoleArn": {"Fn::GetAtt": ["roleMagmaFargateCluster", "Arn"]},
          "Selectors":[
FargateProfile.json#L29
            "Type": "AWS::EKS::FargateProfile",
            "Properties": {
                "ClusterName": "eksfargate1",
                "FargateProfileName": "fargateprofile2",
                "PodExecutionRoleArn": {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/eksctl-demo-cluster-FargatePodExecutionRole-1U9UA0NHXES6F"
template.json#L2331
    "AWS::EKS::FargateProfile": {
      "Type": "AWS::EKS::FargateProfile",
      "Properties": {}
    },
    "AWS::LookoutMetrics::AnomalyDetector": {
      "Type": "AWS::LookoutMetrics::AnomalyDetector",

Parameters

Explanation in CloudFormation Registry

Creates an AWS Fargate profile for your Amazon EKS cluster. You must have at least one Fargate profile in a cluster to be able to run pods on Fargate.

The Fargate profile allows an administrator to declare which pods run on Fargate and specify which pods run on which Fargate profile. This declaration is done through the profile’s selectors. Each profile can have up to five selectors that contain a namespace and labels. A namespace is required for every selector. The label field consists of multiple optional key-value pairs. Pods that match the selectors are scheduled on Fargate. If a to-be-scheduled pod matches any of the selectors in the Fargate profile, then that pod is run on Fargate.

When you create a Fargate profile, you must specify a pod execution role to use with the pods that are scheduled with the profile. This role is added to the cluster's Kubernetes Role Based Access Control (RBAC) for authorization so that the kubelet that is running on the Fargate infrastructure can register with your Amazon EKS cluster so that it can appear in your cluster as a node. The pod execution role also provides IAM permissions to the Fargate infrastructure to allow read access to Amazon ECR image repositories. For more information, see Pod Execution Role in the Amazon EKS User Guide.

Fargate profiles are immutable. However, you can create a new updated profile to replace an existing profile and then delete the original after the updated profile has finished creating.

If any Fargate profiles in a cluster are in the DELETING status, you must wait for that Fargate profile to finish deleting before you can create any other profiles in that cluster.

For more information, see AWS Fargate Profile in the Amazon EKS User Guide.
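The selectors and pod execution role described above, put together as one complete Terraform configuration for the aws_eks_fargate_profile resource from the first half of this page. This is an added example, not code from any of the repositories cited here; it assumes an existing aws_eks_cluster.this, private subnet IDs in var.private_subnet_ids, and the region in var.region.

```hcl
# Added example (not from a repository cited on this page). Assumes an existing
# aws_eks_cluster.this, private subnets in var.private_subnet_ids, and var.region.

data "aws_caller_identity" "current" {}

# Trust policy: only the EKS Fargate service may assume this role, and only on
# behalf of Fargate profiles in this cluster (aws:SourceArn), so a profile in
# another cluster or account cannot use it (confused-deputy protection).
data "aws_iam_policy_document" "fargate_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["eks-fargate-pods.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:eks:${var.region}:${data.aws_caller_identity.current.account_id}:fargateprofile/${aws_eks_cluster.this.name}/*"]
    }
  }
}

resource "aws_iam_role" "fargate_pod_execution" {
  name               = "${aws_eks_cluster.this.name}-fargate-pod-execution"
  assume_role_policy = data.aws_iam_policy_document.fargate_trust.json
}

# Only the AWS-managed policy Fargate needs (ECR image pull); no broader inline policies.
resource "aws_iam_role_policy_attachment" "fargate_pod_execution" {
  role       = aws_iam_role.fargate_pod_execution.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
}

resource "aws_eks_fargate_profile" "apps" {
  cluster_name           = aws_eks_cluster.this.name
  fargate_profile_name   = "apps"
  pod_execution_role_arn = aws_iam_role.fargate_pod_execution.arn
  subnet_ids             = var.private_subnet_ids # Fargate pods require private subnets

  # A namespace is mandatory in every selector; labels narrow the match further.
  # A pod runs on Fargate if it matches ANY selector (at most five per profile).
  selector {
    namespace = "apps"
    labels = {
      "compute-type" = "fargate"
    }
  }
}
```

Because profiles are immutable, changing a selector forces Terraform to replace the resource; create the replacement first and wait for any profile in DELETING status to finish before applying further changes.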

Frequently asked questions

What is AWS Amazon EKS Fargate Profile?

AWS Amazon EKS Fargate Profile is a resource for Amazon EKS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon EKS Fargate Profile?

For Terraform, the GloballogicPractices/ecs-eks-fargate-demo, virtmerlin/mglab-share-eks and KanchiMoe/tf-practice source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the samriddhac/kubernetes-experiments and sjakthol/aws-eks-playground source code examples are useful. See the CloudFormation Example section for further details.