"virtualServiceName": "my-service-a.my-apps.svc.cluster.local"
} }
Though not covered in this tutorial, the controller can also deploy App Mesh virtual gateways (the section called “Virtual gateways” (p. 58)) and gateway routes (the section called “Gateway routes” (p. 62)). For a walkthrough of deploying these resources with the controller, see Configuring Inbound Gateway, or a sample manifest that includes the resources on GitHub.
Step 3: Create or update services
Any pods that you want to use with App Mesh must have the App Mesh sidecar containers added to them. The injector automatically adds the sidecar containers to any pod deployed with a label that you specify.
1. Enable proxy authorization. We recommend that you enable each Kubernetes deployment to stream only the configuration for its own App Mesh virtual node.
a. Save the following contents to a file named proxy-auth.json on your computer. Make sure to replace the alternate-colored values with your own.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "appmesh:StreamAggregatedResources",
                "Resource": [
                    "arn:aws:appmesh:Region-code:111122223333:mesh/my-mesh/virtualNode/my-service-a_my-apps"
                ]
            }
        ]
    }

b. Create the policy.

    aws iam create-policy --policy-name my-policy --policy-document file://proxy-auth.json
c. Create an IAM role, attach the policy you created in the previous step to it, create a Kubernetes service account, and bind the policy to the Kubernetes service account. The role enables the controller to add, remove, and change App Mesh resources.
    eksctl create iamserviceaccount \
        --cluster $CLUSTER_NAME \
        --namespace my-apps \
        --name my-service-a \
        --attach-policy-arn arn:aws:iam::111122223333:policy/my-policy \
        --override-existing-serviceaccounts \
        --approve
If you prefer to create the service account using the AWS Management Console or AWS CLI, see Creating an IAM Role and policy for your service account in the Amazon EKS User Guide. If you use the AWS Management Console or AWS CLI to create the account, you also need to map the role to a Kubernetes service account. For more information, see Specifying an IAM role for your service account in the Amazon EKS User Guide.
2. (Optional) If you want to deploy your deployment to Fargate pods, then you need to create a Fargate profile. If you don't have eksctl installed, you can install it with the instructions in Installing or Upgrading eksctl in the Amazon EKS User Guide. If you'd prefer to create the profile using the console, see Creating a Fargate profile in the Amazon EKS User Guide.
    eksctl create fargateprofile --cluster cluster --region Region-code --name my-service-a --namespace my-apps
3. Create a Kubernetes service and deployment. If you have an existing deployment that you want to use with App Mesh, then you need to deploy a virtual node, as you did in sub-step 3 of the section called “Step 2: Deploy App Mesh resources” (p. 28). Update your deployment to make sure that its label matches the label that you set on the virtual node, so that the sidecar containers are automatically added to the pods and the pods are redeployed.
a. Save the following contents to a file named example-service.yaml on your computer. If you change the namespace name and are using Fargate pods, make sure that the namespace name matches the namespace name that you defined in your Fargate profile.
    apiVersion: v1
          serviceAccountName: my-service-a
          containers:
            - name: nginx
              image: nginx:1.19.0
              ports:
                - containerPort: 80
Important
The value for the app matchLabels selector in the spec must match the value that you specified when you created the virtual node in sub-step 3 of the section called “Step 2: Deploy App Mesh resources” (p. 28), or the sidecar containers won't be injected into the pod. In the previous example, the value for the label is my-app-1.
If you deploy a virtual gateway, rather than a virtual node, then the Deployment manifest should include only the Envoy container. For more information about the image to use, see Envoy (p. 121). For a sample manifest, see the deployment example on GitHub.
b. Deploy the service.

    kubectl apply -f example-service.yaml

c. View the service and deployment.

    kubectl -n my-apps get pods

d. View the details for one of the pods that was deployed.

    kubectl -n my-apps describe pod my-service-a-54776556f6-2cxd9
Abbreviated output

    Name:         my-service-a-54776556f6-2cxd9
    Namespace:    my-app-1
    Priority:     0
    Node:         ip-192-168-44-157.us-west-2.compute.internal/192.168.44.157
    Start Time:   Wed, 17 Jun 2020 11:08:59 -0500
    Labels:       app=nginx
        Image:          111345817488.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-proxy-route-manager:v2
        Image ID:       docker-pullable://111345817488.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-proxy-route-manager
        Port:           <none>
        Host Port:      <none>
        State:          Terminated
          Reason:       Completed
          APPMESH_EGRESS_IGNORED_IP:     169.254.169.254
          APPMESH_EGRESS_IGNORED_PORTS:  22
          AWS_ROLE_ARN:                  arn:aws:iam::111122223333:role/eksctl-app-mesh-addon-iamserviceaccount-my-a-Role1-NMNCVWB6PL0N
          AWS_WEB_IDENTITY_TOKEN_FILE:   /var/run/secrets/eks.amazonaws.com/serviceaccount/token
          AWS_WEB_IDENTITY_TOKEN_FILE:   /var/run/secrets/eks.amazonaws.com/serviceaccount/token
        ...
      envoy:
        Container ID:   docker://905b55cbf33ef3b3debc51cb448401d24e2e7c2dbfc6a9754a2c49dd55a216b6
        Image:          840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.12.4.0-prod
        Image ID:       docker-pullable://840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy
          APPMESH_RESOURCE_ARN:          arn:aws:iam::111122223333:mesh/my-mesh/virtualNode/my-service-a_my-apps
          AWS_WEB_IDENTITY_TOKEN_FILE:   /var/run/secrets/eks.amazonaws.com/serviceaccount/token
        ...
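The proxy authorization policy in step 1 is what keeps each deployment's Envoy from streaming other virtual nodes' configuration, so it is worth checking before it is attached. The following is an added example, not code from the App Mesh guide or the controller: it parses a proxy-auth.json document, rejects any StreamAggregatedResources grant that is not a single concrete virtual node ARN, and confirms the grant matches the <virtualNode>_<namespace> name the controller gives the deployment's node (the same name that appears in APPMESH_RESOURCE_ARN in the describe-pod output above). The policies embedded below are constructed samples using the guide's placeholder account id and Region-code.

```python
import json
import re

# Constructed sample policy modelled on the tutorial's proxy-auth.json; the
# account id and Region-code are the guide's placeholders, not real values.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "appmesh:StreamAggregatedResources",
    "Resource": ["arn:aws:appmesh:Region-code:111122223333:mesh/my-mesh/virtualNode/my-service-a_my-apps"]
  }]
}""")

# Constructed over-broad variant: a wildcard lets every pod bound to this role
# stream the Envoy configuration of every virtual node in the mesh.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["appmesh:StreamAggregatedResources"],
    "Resource": "arn:aws:appmesh:Region-code:111122223333:mesh/my-mesh/*"
  }]
}""")

# A single virtual node ARN: concrete mesh name and node name, no wildcards.
VNODE_ARN = re.compile(r"^arn:aws:appmesh:[^:*]*:\d{12}:mesh/([^/*]+)/virtualNode/([^/*]+)$")
STREAM_ACTIONS = {"appmesh:StreamAggregatedResources", "appmesh:*", "*"}

def stream_grants(policy):
    """Return (nodes, problems): the (mesh, virtualNode) pairs granted by Allow
    statements covering StreamAggregatedResources, and every resource in such
    a statement that is not a single concrete virtual node ARN."""
    nodes, problems = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not STREAM_ACTIONS.intersection(actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            match = VNODE_ARN.match(res)
            if match is None:
                problems.append(res)
            else:
                nodes.add((match.group(1), match.group(2)))
    return nodes, problems

def pod_streams_only_own_node(policy, mesh, virtual_node, namespace):
    """True when the policy grants exactly one node: the one the controller
    creates for this deployment, named <virtualNode>_<namespace> (assumed
    from the APPMESH_RESOURCE_ARN value the guide's describe-pod output shows)."""
    nodes, problems = stream_grants(policy)
    return not problems and nodes == {(mesh, f"{virtual_node}_{namespace}")}
```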