Part 2: How to Establish Connection Between Multiple EKS Clusters Using Gateway API and VPC Lattice?
Gateway API is a Kubernetes API for routing ingress and egress traffic in the cluster; a controller implements it.
Ingress or Gateway API?
Each Ingress controller implements the Ingress resource in its own way. The main difference between Ingress and the Gateway API is that the Gateway API provides a universal standard for handling network traffic, independent of the implementation.
AWS provides a Gateway API implementation for EKS: the AWS Gateway API Controller.
The controller uses VPC Lattice to provide the Gateway API on EKS.
(See: How to use VPC Lattice in AWS?)
See also the official page of the AWS Gateway API Controller.
See also the official page of the Kubernetes Gateway API.
How to enable the Gateway API in an EKS Cluster?
Since VPC Lattice is used for the Gateway API, we must allow VPC Lattice’s IP range in the EKS cluster’s security group.
VPC Lattice’s default IPv4 range is 169.254.171.0/24 and its IPv6 range is fd00:ec2:80::/64.
To confirm this, go to the VPC Console and click “Managed prefix lists”:
Find the VPC Lattice entries:
Check the IP range:
We found the VPC Lattice’s IP range.
Go to the EKS Cluster’s overview page and click Networking.
Find the cluster’s primary security group and click it:
Add the VPC Lattice’s IP range to the inbound rules:
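The inbound rule above is easy to get wrong in either direction: leave it out and Lattice cannot reach the pods, or open the group to 0.0.0.0/0 and far more than Lattice gets in. The following script is an added example (not part of the original article) that checks the JSON printed by `aws ec2 describe-security-groups --group-ids <sg>` for the two Lattice ranges quoted above. The two documents in the script are constructed samples; the group id and prefix-list ids in them are placeholders.

```python
"""Verify that an EKS cluster security group admits VPC Lattice traffic and
report any inbound rule that admits far more than Lattice.

Added example, not from the original article. It reads the JSON shape that
`aws ec2 describe-security-groups --group-ids <sg>` prints; the two documents
below are constructed samples with placeholder group and prefix-list ids.
"""
import ipaddress
import json

# The VPC Lattice ranges quoted in the article.
LATTICE_RANGES = {
    "ipv4": ipaddress.ip_network("169.254.171.0/24"),
    "ipv6": ipaddress.ip_network("fd00:ec2:80::/64"),
}

# Constructed sample 1: one rule pinned to the Lattice IPv4 range, one rule
# open to the whole internet on every port, and no IPv6 rule at all.
SAMPLE_CIDR_RULES = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "169.254.171.0/24"}], "Ipv6Ranges": [], "PrefixListIds": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": []},
    ],
}]})

# Constructed sample 2: rules that reference the AWS-managed prefix lists
# instead of hard-coding the CIDRs (ids are placeholders).
SAMPLE_PREFIX_LIST_RULES = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": "pl-0v4example"}, {"PrefixListId": "pl-0v6example"}]},
    ],
}]})


def rules_covering(permissions, target):
    """Yield (cidr, overbroad) for every inbound CIDR that contains `target`.

    A CIDR wider than the Lattice range admits sources other than Lattice, so
    it is flagged as overbroad even though it technically lets Lattice in.
    """
    key, field = ("IpRanges", "CidrIp") if target.version == 4 else ("Ipv6Ranges", "CidrIpv6")
    for perm in permissions:
        for entry in perm.get(key, []):
            net = ipaddress.ip_network(entry[field], strict=False)
            if target.subnet_of(net):
                yield entry[field], net.prefixlen < target.prefixlen


def check_lattice_ingress(describe_sg_json, prefix_list_ids=None):
    """Classify Lattice reachability per address family for the first group.

    prefix_list_ids maps 'ipv4'/'ipv6' to the id of the managed VPC Lattice
    prefix list for that family; a rule referencing it counts as 'ok'.
    Returns {'ipv4': status, 'ipv6': status, 'overbroad_rules': [cidr, ...]}
    where status is 'ok', 'overbroad' (reachable only through a wider CIDR)
    or 'missing'.
    """
    prefix_list_ids = prefix_list_ids or {}
    perms = json.loads(describe_sg_json)["SecurityGroups"][0]["IpPermissions"]
    referenced = {pl["PrefixListId"] for perm in perms for pl in perm.get("PrefixListIds", [])}
    report = {"overbroad_rules": []}
    for family, target in LATTICE_RANGES.items():
        matches = list(rules_covering(perms, target))
        report["overbroad_rules"] += [cidr for cidr, wide in matches if wide]
        if prefix_list_ids.get(family) in referenced or any(not wide for _, wide in matches):
            report[family] = "ok"
        elif matches:
            report[family] = "overbroad"
        else:
            report[family] = "missing"
    return report


if __name__ == "__main__":
    print(check_lattice_ingress(SAMPLE_CIDR_RULES))
    print(check_lattice_ingress(SAMPLE_PREFIX_LIST_RULES,
                                {"ipv4": "pl-0v4example", "ipv6": "pl-0v6example"}))
```

Referencing the managed prefix lists (the entries found on the “Managed prefix lists” page above) rather than pasting the CIDRs keeps the rule correct if AWS ever changes the range; pass their ids in `prefix_list_ids` so the check recognises them. A 'missing' IPv6 result only matters if the cluster actually uses IPv6.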
Connection between IAM and EKS
We need an IAM policy and an OIDC identity provider so that the controller’s Kubernetes service account can authenticate to IAM.
You can add the OIDC provider either via the Web Console or with eksctl:
eksctl utils associate-iam-oidc-provider --region=<YOUR-REGION> --cluster=<YOUR-CLUSTER> --approve
Go to the EKS Cluster’s overview page and copy the Cluster’s “OpenID Connect provider URL”:
Go to the IAM Dashboard and click “Identity providers”:
Click “Add Provider” on the next page. Paste the OIDC URL, add “sts.amazonaws.com” to the audience field, and click “Get thumbprint”.
It should look like this:
Click “Add provider”.
Create an IAM Policy
Go to the IAM Dashboard and click Policies. Click “Create policy”:
Click JSON and add this JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc-lattice:*",
        "iam:CreateServiceLinkedRole",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    }
  ]
}
Click “Next”. Add a policy name:
Click “Create policy”.
Copy the policy’s ARN:
Create the required namespace
A dedicated namespace for the Gateway API Controller is required.
Create the namespace aws-application-networking-system.
Here’s the YAML file: https://github.com/aws/aws-application-networking-k8s/blob/v0.0.17/examples/deploy-namesystem.yaml
Apply:
➜ ~ kubectl apply -f deploy-namesystem.yaml
namespace/aws-application-networking-system created
We need an IAM-backed service account for the VPC Lattice Gateway API Controller.
(See: Kubernetes Core Concepts: Service Account)
eksctl create iamserviceaccount \
--cluster=<YOUR_CLUSTER_NAME> \
--namespace=aws-application-networking-system \
--name=gateway-api-controller \
--attach-policy-arn=arn:aws:iam::<ACCOUNT_ID>:policy/VPCLatticeControllerIAMPolicy \
--override-existing-serviceaccounts \
--region <YOUR_REGION> \
--approve
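Two IAM documents now decide what the controller can do: the permissions policy from the “Create an IAM Policy” step, which is attached account-wide, and the role trust policy that `eksctl create iamserviceaccount` generates, which is the only thing restricting the role to this one pod identity. The script below is an added example (not the article’s or the project’s code) that lints both. The trust policy it builds is constructed to the usual IRSA shape (an OIDC federated principal, `sts:AssumeRoleWithWebIdentity`, and conditions on the token’s `sub` and `aud`); the account id, region and OIDC provider id in it are placeholders, and `ARTICLE_POLICY` is the policy exactly as given above.

```python
"""Least-privilege checks for the IAM pieces behind the controller's service
account: the permissions policy from the article and the IRSA role trust
policy that eksctl generates.

Added example, not the article's or the project's code. The trust policy is
constructed to the well-known IRSA shape; account id, region and OIDC
provider id are placeholders.
"""
import json

# The policy exactly as the article gives it.
ARTICLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["vpc-lattice:*", "iam:CreateServiceLinkedRole",
                   "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeTags"],
        "Resource": "*",
    }],
})

# Placeholders: region and provider id come from the cluster's OIDC URL.
OIDC_HOST = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT_ID = "111122223333"
NAMESPACE = "aws-application-networking-system"
SERVICE_ACCOUNT = "gateway-api-controller"


def build_trust_policy(account_id, oidc_host, namespace, sa_name):
    """Construct an IRSA trust policy pinned to one namespace/service account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_host}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                f"{oidc_host}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_permissions_policy(policy_json):
    """Return findings for wildcard actions or resources in Allow statements."""
    findings = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource is *")
    return findings


def lint_trust_policy(policy, oidc_host, namespace, sa_name):
    """Return findings if the trust policy would let other pods assume the role."""
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for i, st in enumerate(policy["Statement"]):
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        # eksctl emits StringEquals; a hand-edited policy may use StringLike.
        sub = equals.get(f"{oidc_host}:sub") or like.get(f"{oidc_host}:sub")
        if sub is None:
            findings.append(f"statement {i}: no sub condition, any pod in the cluster can assume the role")
        elif sub != expected_sub:
            findings.append(f"statement {i}: sub condition {sub!r} is not pinned to {expected_sub}")
        if equals.get(f"{oidc_host}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud condition is not sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    print(lint_permissions_policy(ARTICLE_POLICY))
    trust = build_trust_policy(ACCOUNT_ID, OIDC_HOST, NAMESPACE, SERVICE_ACCOUNT)
    print(lint_trust_policy(trust, OIDC_HOST, NAMESPACE, SERVICE_ACCOUNT))
```

The permissions lint reports two findings on the article’s policy (`vpc-lattice:*` on `Resource: *`): the controller does need broad VPC Lattice rights to create services, target groups and associations, so the finding is a reminder that the role is account-wide rather than something to silently accept. That makes the trust policy the control that matters: run `aws iam get-role --role-name <role>` on the role eksctl created and feed `AssumeRolePolicyDocument` to `lint_trust_policy`; a missing or wildcarded `sub` condition (for example `system:serviceaccount:aws-application-networking-system:*`) would let every pod in that namespace obtain the controller’s credentials.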
Deploy the Gateway API Controller CRDs
Go to the official GitHub repository and find the latest deploy.yaml file. The latest version was deploy-v0.0.17.yaml when this article was posted.
Apply:
➜ ~ kubectl apply -f examples/deploy-v0.0.17.yaml
namespace/aws-application-networking-system unchanged
customresourcedefinition.apiextensions.k8s.io/dnsendpoints.externaldns.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/serviceexports.multicluster.x-k8s.io created
customresourcedefinition.apiextensions.k8s.io/serviceimports.multicluster.x-k8s.io created
customresourcedefinition.apiextensions.k8s.io/targetgrouppolicies.application-networking.k8s.aws created
customresourcedefinition.apiextensions.k8s.io/vpcassociationpolicies.application-networking.k8s.aws created
Warning: resource serviceaccounts/gateway-api-controller is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
serviceaccount/gateway-api-controller configured
clusterrole.rbac.authorization.k8s.io/aws-application-networking-controller created
clusterrole.rbac.authorization.k8s.io/metrics-reader created
clusterrole.rbac.authorization.k8s.io/proxy-role created
clusterrolebinding.rbac.authorization.k8s.io/aws-application-networking-controller created
clusterrolebinding.rbac.authorization.k8s.io/proxy-rolebinding created
configmap/manager-config created
service/gateway-api-controller-metrics-service created
deployment.apps/gateway-api-controller created
Create the required GatewayClass: amazon-vpc-lattice
Here’s the YAML file: https://github.com/aws/aws-application-networking-k8s/blob/v0.0.17/examples/gatewayclass.yaml
➜ ~ kubectl apply -f examples/gatewayclass.yaml
gatewayclass.gateway.networking.k8s.io/amazon-vpc-lattice created
You can validate the installation: