NetBackup™ Marketplace Deployment on Amazon Elastic Kubernetes Service (EKS) Cluster
- Introduction to NetBackup Marketplace deployment on EKS Cluster
- Deployment with the AWS Marketplace offer
- Configuration Parameters
- Accessing the NetBackup
- Cleanup the environment
Prerequisites for deployment
Ensure that the following prerequisites are met before proceeding with the deployment:
Subnets which are used for the deployment must be tagged as below:
- Private subnets: Key: kubernetes.io/role/internal-elb, Value: 1
- Public subnets: Key: kubernetes.io/role/elb, Value: 1
Refer to the documentation for more details: Network load balancing on Amazon EKS.
Create the IAM role required for the EKS cluster and nodes to make calls to other AWS services on your behalf to manage the resources. For the minimum required policies in the IAM role, see Policies required in creating IAM roles for new and existing clusters.
Create the IAM role required to access the EKS cluster from EC2. This must be a different role from the cluster role created in step 2. For the minimum required policies in the IAM role, see Policies required in creating IAM roles for new and existing clusters.
The IP:FQDN mapping that is provided in Primary server, Media server, Storage server and Snapshot Manager must resolve through DNS to the provided IP address.
If internal IP addresses are used, reserve the internal IPs and make sure they are not used. These IPs are used for the network load balancer services. For the private IPs, do not use the same subnet as the node group, to avoid an IP address conflict with the secondary private IPs used in the node group. For the DNS name, you can use the private IP DNS name that Amazon provides, or you can create DNS and reverse DNS entries under Route53.
Ensure that the additional security group of your cluster contains an inbound rule that allows communication within the VPC.
Ensure that the subnets used for the EKS cluster and node groups have a minimum /22 CIDR range and that the subnet used for the load balancer (DNS) has a minimum /26 CIDR range.
Ensure that at least one node group with a minimum of one node is present in the cluster. It can be deleted once the deployment is successful.
Subnets that are used for deployment must be tagged as below:
- Private subnets: Key: kubernetes.io/role/internal-elb, Value: 1
- Public subnets: Key: kubernetes.io/role/elb, Value: 1
Refer to the official documentation for more details: Network load balancing on Amazon EKS.
Create the IAM role required for the EKS cluster and nodes to make calls to other AWS services on your behalf to manage the resources. For the minimum required policies in the IAM role, see Policies required in creating IAM roles for new and existing clusters.
Create the IAM role required to access the EKS cluster from EC2. This must be a different role from the cluster role created in step 2. For the minimum required policies in the IAM role, see Policies required in creating IAM roles for new and existing clusters.
The IP:FQDN mapping that is provided in Primary server, Media server, Storage server and Snapshot Manager server must resolve through DNS to the provided IP address.
If internal IPs are used, reserve the internal IPs and avoid using them further. These IPs are used for the network load balancer services. For the private IPs, do not use the same subnet as the node group, to avoid an IP conflict with the secondary private IPs used in the node group. For the DNS name, you can use the private IP DNS name that Amazon provides, or you can create DNS and reverse DNS entries under Route53.
Ensure that the additional security group of your cluster contains an inbound rule that allows communication within the VPC.
Ensure that the subnets used for the EKS cluster and node groups have a minimum /22 CIDR range and that the subnet used for the load balancer (DNS) has a minimum /26 CIDR range.
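The subnet sizing and reserved-IP rules in both prerequisite lists can be checked offline before deployment. The script below is an added example, not part of the vendor documentation; it reads "minimum /22" and "minimum /26" as "prefix length 22 (26) or shorter", and every function name in it is hypothetical.

```shell
#!/bin/sh
# Added example: offline check of the subnet sizing and reserved-IP rules.
# Assumption: "minimum /N" means a prefix length of N or shorter (N or more host bits).

# ip_to_int A.B.C.D: print the IPv4 address as a 32-bit integer
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# prefix_at_most CIDR N: succeed when the prefix length of CIDR is N or shorter
prefix_at_most() (
  len=${1#*/}
  case $len in ''|*[!0-9]*) exit 2 ;; esac   # reject input without a numeric prefix
  [ "$len" -le "$2" ]
)

# ip_in_cidr IP CIDR: succeed when IP lies inside CIDR
ip_in_cidr() (
  len=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
)

# check_reserved_ip IP LB_CIDR NODE_CIDR...: print "ok" or the first rule the layout breaks
check_reserved_ip() (
  ip=$1 lb=$2; shift 2
  if ! prefix_at_most "$lb" 26; then echo "lb-subnet-smaller-than-/26 $lb"; exit 1; fi
  for node in "$@"; do
    if ! prefix_at_most "$node" 22; then echo "node-subnet-smaller-than-/22 $node"; exit 1; fi
    # A reserved load balancer IP must not sit in a node group subnet, where it
    # could collide with the secondary private IPs handed out in that subnet.
    if ip_in_cidr "$ip" "$node"; then echo "reserved-ip-inside-node-subnet $node"; exit 1; fi
  done
  echo ok
)
```

Call it once per reserved IP, for example `check_reserved_ip 10.0.8.10 10.0.8.0/26 10.0.0.0/22 10.0.4.0/22` with your own addresses in place of these constructed ones.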
Check whether the CloudFormation extensions AWSQS::EKS::Cluster, AWSQS::Kubernetes::Helm and AWSQS::Kubernetes::Resource are activated. To check the status of CloudFormation extensions, see CloudFormation (amazon.com).
If they are not activated, follow the steps below:
a. An IAM role is required to activate an extension.
b. Create an IAM role for AWSQS::EKS::Cluster. For the required permissions, see IAM Role. Add the following permissions along with these permissions:
ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces
ec2:DeleteNetworkInterface
c. Create an IAM role for AWSQS::Kubernetes::Helm. For the required permissions, see IAM Role.
d. Create an IAM role for AWSQS::Kubernetes::Resource. For the required permissions, see IAM Role.
e. Sign in to the AWS Management Console and open the AWS CloudFormation console.
f. From the CloudFormation navigation pane, under CloudFormation registry, select Public extensions.
g. Use the Filter to select the extension type, and select Third party.
h. Search for AWSQS::EKS::Cluster and then select Activate. Specify the IAM role created in step b as the Execution role ARN. Set automatic updates to off, and then select Activate Extension.
i. Follow the same process to activate the AWSQS::Kubernetes::Helm and AWSQS::Kubernetes::Resource extensions. While activating these extensions, specify the IAM roles created in steps c and d as the Execution role ARN respectively.
Run the following command to check whether the IAM roles used for activating the AWSQS::Kubernetes::Helm and AWSQS::Kubernetes::Resource extensions are added to the configuration map of your cluster. Check the entries for the IAM roles.
kubectl describe -n kube-system configmap/aws-auth
If the IAM roles are not added, add the IAM roles created for activating the AWSQS::Kubernetes::Helm and AWSQS::Kubernetes::Resource extensions to the configuration map of your cluster.
Connect to your EKS cluster.
Run the following command from the system that already has access to the EKS cluster:
kubectl edit -n kube-system configmap/aws-auth
For more information, see Enabling IAM user and role access to your cluster.
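The aws-auth check described above can be scripted so that it also shows which Kubernetes groups each extension role is mapped to. This is an added example, not part of the vendor documentation; the function names are hypothetical, and the sample ConfigMap, account ID, role names and group mapping are constructed placeholders.

```shell
#!/bin/sh
# Added example. Constructed sample of `kubectl get -n kube-system configmap/aws-auth -o yaml`;
# the account ID, role names and groups are placeholders, not values from the page.
SAMPLE_AWS_AUTH='apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::111122223333:role/example-node-role
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::111122223333:role/example-helm-exec
      username: example-helm
      groups:
      - system:masters
kind: ConfigMap'

# role_groups: read aws-auth YAML on stdin, print one "rolearn group1,group2" line per entry
role_groups() {
  awk '
    function emit() { if (arn != "") print arn, (grp == "" ? "-" : grp); arn = ""; grp = "" }
    # A "- key:" line opens a new list entry; group items such as "- system:nodes" do not match.
    /^ *- [A-Za-z]+:$/ || /^ *- [A-Za-z]+: / { emit(); sub(/- /, "  ") }
    /^ *rolearn:/ { arn = $2; gsub(/["\047]/, "", arn); ing = 0; next }
    /^ *groups:/  { ing = 1; next }
    ing && /^ *- / { grp = grp (grp == "" ? "" : ",") $2; next }   # item under groups:
    { ing = 0 }
    END { emit() }
  '
}

# audit_roles ARN...: read aws-auth YAML on stdin; report each required role as MAPPED
# (with its groups) or MISSING; the exit status is non-zero when any role is missing
audit_roles() (
  parsed=$(role_groups); rc=0
  for arn in "$@"; do
    grp=$(printf '%s\n' "$parsed" | awk -v a="$arn" '$1 == a { print $2; exit }')
    if [ -n "$grp" ]; then echo "MAPPED $arn groups=$grp"
    else echo "MISSING $arn"; rc=1; fi
  done
  exit "$rc"
)
```

Against a live cluster, pipe the real ConfigMap in: `kubectl get -n kube-system configmap/aws-auth -o yaml | audit_roles <helm-role-arn> <resource-role-arn>`. The groups column shows how much cluster access each execution role has been granted.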
Install cert-manager by using the following command:
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
For more information, see Documentation for cert-manager installation.
Create the OIDC provider for the AWS EKS cluster. For more information on creating the OIDC provider, see Create an IAM OIDC provider for your Cluster.
Create an IAM service account for the AWS EFS CSI driver and install the driver. For more information on creating an IAM service account and installing the driver, see Amazon EFS CSI driver.
For EKS cluster version 1.23, you must create an IAM service account for the AWS EBS CSI driver and install the EBS driver. For more information on creating an IAM service account and installing the driver, see Amazon EBS CSI driver.
To use the driver, you must add it as an Amazon EKS add-on or as a self-managed add-on. For more information, see Managing the Amazon EBS CSI driver as an Amazon EKS add-on.
The AWS Load Balancer controller must be installed on the EKS cluster. For more information, see Installing Load Balancer Controller addon.
Enable autoscaling for the EKS cluster. For more information, refer to Autoscaling - Amazon EKS.