
Amazon EKS Cheat Sheet

Overview

Amazon Elastic Kubernetes Service (EKS) is a managed Kubernetes service that runs the Kubernetes control plane across multiple AWS Availability Zones, automatically managing the availability and scalability of the API servers and etcd persistence layer. EKS is certified Kubernetes conformant, so all existing tools and plugins from the Kubernetes ecosystem work seamlessly. It integrates natively with AWS services including IAM for authentication, VPC for networking, ELB for load balancing, and CloudWatch for logging and monitoring.

EKS supports multiple compute options for worker nodes: self-managed EC2 instances, EKS Managed Node Groups (which automate provisioning and lifecycle management), and AWS Fargate for serverless pods. EKS also provides EKS Anywhere for on-premises deployments and EKS Distro for running the same Kubernetes distribution outside AWS. The service supports add-ons like CoreDNS, kube-proxy, VPC CNI, and EBS CSI driver that can be managed through the EKS API.

Installation

Install eksctl

# macOS
brew tap weaveworks/tap
brew install weaveworks/tap/eksctl

# Linux
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin

# Verify
eksctl version

Install kubectl and aws-iam-authenticator

# kubectl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

# aws-iam-authenticator
curl -Lo aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.6.14/aws-iam-authenticator_0.6.14_linux_amd64
chmod +x ./aws-iam-authenticator
sudo mv ./aws-iam-authenticator /usr/local/bin/
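The install commands above pipe release archives straight into /usr/local/bin. The helper below is an added example, not part of the cheat sheet or any of the projects' own tooling: it verifies a downloaded artefact against a published SHA-256 checksum list before it is installed. The artefact and checksum list it uses are constructed in a temp dir so the check runs offline; in real use you would download the release's checksum file next to the archive.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet: verify a downloaded
# release artefact (e.g. the eksctl tarball) against its published SHA-256
# list before moving it into /usr/local/bin. The artefact and checksum list
# below are constructed in a temp dir so the check runs offline.

# Portable SHA-256: GNU coreutils sha256sum, or shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_checksum <file> <checksum-list>
# Exit status: 0 = match, 1 = digest mismatch, 2 = no entry for the file.
# The list uses the sha256sum layout "<hex>  <name>"; a leading "*" on the
# name (binary-mode output from some tools) is tolerated.
verify_checksum() {
  local file=$1 list=$2 name expected actual
  name=$(basename "$file")
  expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$list")
  [ -n "$expected" ] || return 2
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# make_sample_release: build a constructed artefact plus a matching checksum
# list (with a second, unrelated entry) in a temp dir; prints the dir path.
make_sample_release() {
  local dir
  dir=$(mktemp -d)
  printf 'constructed eksctl archive bytes\n' > "$dir/eksctl_Linux_amd64.tar.gz"
  printf 'constructed darwin archive bytes\n' > "$dir/eksctl_Darwin_amd64.tar.gz"
  {
    printf '%s  eksctl_Linux_amd64.tar.gz\n' "$(sha256_of "$dir/eksctl_Linux_amd64.tar.gz")"
    printf '%s  eksctl_Darwin_amd64.tar.gz\n' "$(sha256_of "$dir/eksctl_Darwin_amd64.tar.gz")"
  } > "$dir/eksctl_checksums.txt"
  printf '%s\n' "$dir"
}

# Demo: the intact file verifies, a tampered copy is rejected.
demo_dir=$(make_sample_release)
if verify_checksum "$demo_dir/eksctl_Linux_amd64.tar.gz" "$demo_dir/eksctl_checksums.txt"; then
  echo "OK: checksum matches, safe to install"
fi
printf 'tampered\n' >> "$demo_dir/eksctl_Linux_amd64.tar.gz"
if ! verify_checksum "$demo_dir/eksctl_Linux_amd64.tar.gz" "$demo_dir/eksctl_checksums.txt"; then
  echo "REJECT: archive does not match published checksum"
fi
rm -rf "$demo_dir"
```

Run `verify_checksum <archive> <checksum-list>` between the `curl` and the `sudo mv` steps and abort on any non-zero status; the distinct exit code 2 lets a script tell "wrong file name" apart from "modified contents".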

Cluster Management

Command                                        | Description
eksctl create cluster                          | Create cluster with default settings
eksctl delete cluster --name <name>            | Delete a cluster
eksctl get cluster                             | List EKS clusters
eksctl upgrade cluster                         | Upgrade cluster control plane
aws eks update-kubeconfig --name <name>        | Update kubeconfig for cluster access
eksctl utils describe-stacks --cluster <name>  | Show CloudFormation stacks

Create a Cluster

# Simple cluster with defaults
eksctl create cluster --name my-cluster --region us-east-1

# Production cluster with managed node groups
eksctl create cluster \
  --name production \
  --region us-east-1 \
  --version 1.29 \
  --nodegroup-name workers \
  --node-type m5.xlarge \
  --nodes 3 \
  --nodes-min 2 \
  --nodes-max 5 \
  --managed \
  --with-oidc \
  --ssh-access \
  --ssh-public-key my-key

# Create from config file
eksctl create cluster -f cluster.yaml

Cluster Config File

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: production
  region: us-east-1
  version: "1.29"

iam:
  withOIDC: true

managedNodeGroups:
  - name: general
    instanceType: m5.xlarge
    minSize: 2
    maxSize: 5
    desiredCapacity: 3
    volumeSize: 100
    labels:
      role: general
    tags:
      environment: production
    iam:
      withAddonPolicies:
        autoScaler: true
        ebs: true
        cloudWatch: true

  - name: spot-workers
    instanceTypes: ["m5.xlarge", "m5a.xlarge", "m4.xlarge"]
    spot: true
    minSize: 0
    maxSize: 10
    desiredCapacity: 2
    labels:
      role: spot-worker

addons:
  - name: vpc-cni
    version: latest
  - name: coredns
    version: latest
  - name: kube-proxy
    version: latest
  - name: aws-ebs-csi-driver
    version: latest

Node Group Operations

# Create managed node group
eksctl create nodegroup \
  --cluster my-cluster \
  --name new-workers \
  --node-type m5.large \
  --nodes 3 \
  --managed

# Scale node group
eksctl scale nodegroup --cluster my-cluster --name workers --nodes 5

# Delete node group
eksctl delete nodegroup --cluster my-cluster --name old-workers --drain

# List node groups
eksctl get nodegroup --cluster my-cluster

# Update node group (rolling update)
eksctl upgrade nodegroup \
  --cluster my-cluster \
  --name workers \
  --kubernetes-version 1.29

IAM and RBAC

# Create IAM OIDC provider
eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve

# Create service account with IAM role
eksctl create iamserviceaccount \
  --cluster my-cluster \
  --namespace default \
  --name s3-reader \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
  --approve

# Map IAM user to Kubernetes RBAC
eksctl create iamidentitymapping \
  --cluster my-cluster \
  --arn arn:aws:iam::123456789012:user/admin \
  --group system:masters \
  --username admin

# Map IAM role
eksctl create iamidentitymapping \
  --cluster my-cluster \
  --arn arn:aws:iam::123456789012:role/DevRole \
  --group dev-team \
  --username dev-user
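The mappings above end up in the aws-auth ConfigMap, and the first one grants system:masters, which is full cluster-admin with no RBAC limits. The script below is an added example, not from the cheat sheet, that audits such mappings and lists every IAM principal landing in system:masters. The mapping text it parses is a constructed sample in the ConfigMap's mapRoles/mapUsers layout; on a live cluster you would feed the function the real data from `kubectl -n kube-system get configmap aws-auth -o jsonpath='{.data.mapRoles}{"\n"}{.data.mapUsers}'`.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet: list every IAM
# principal whose aws-auth mapping includes system:masters (cluster-admin).
# AWS_AUTH_SAMPLE is a constructed stand-in for the output of
#   kubectl -n kube-system get configmap aws-auth \
#     -o jsonpath='{.data.mapRoles}{"\n"}{.data.mapUsers}'

AWS_AUTH_SAMPLE='- rolearn: arn:aws:iam::123456789012:role/eks-node-role
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::123456789012:role/DevRole
  username: dev-user
  groups:
    - dev-team
- userarn: arn:aws:iam::123456789012:user/admin
  username: admin
  groups:
    - system:masters'

# find_cluster_admins <mapping-text>
# Prints one ARN per line for each mapping whose groups include system:masters.
# Relies on the list layout kubectl prints: each "- rolearn:" / "- userarn:"
# line opens a new mapping and that mapping's groups follow it.
find_cluster_admins() {
  printf '%s\n' "$1" | awk '
    /^- (rolearn|userarn):/      { arn = $3 }
    /^[ ]*- system:masters[ ]*$/ { print arn }
  '
}

# count_cluster_admins <mapping-text>: number of such mappings, usable as a
# CI gate (fail the pipeline if it exceeds the agreed break-glass count).
count_cluster_admins() {
  find_cluster_admins "$1" | awk 'END { print NR }'
}

echo "Principals mapped to system:masters:"
find_cluster_admins "$AWS_AUTH_SAMPLE"
n=$(count_cluster_admins "$AWS_AUTH_SAMPLE")
echo "total: $n (keep this at zero, or one tightly controlled break-glass role)"
```

Day-to-day access is better expressed as a role mapped to a custom group bound by a Role or ClusterRole, as the DevRole mapping does, with system:masters reserved for a break-glass identity whose use is alerted on in CloudTrail and the audit log.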

EKS Add-ons

# List available add-ons
aws eks describe-addon-versions --kubernetes-version 1.29

# Install add-on
aws eks create-addon --cluster-name my-cluster --addon-name aws-ebs-csi-driver

# List installed add-ons
aws eks list-addons --cluster-name my-cluster

# Update add-on
aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.16.0-eksbuild.1

# Delete add-on
aws eks delete-addon --cluster-name my-cluster --addon-name aws-ebs-csi-driver

Networking

AWS Load Balancer Controller

# Install via Helm
helm repo add eks https://aws.github.io/eks-charts
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=my-cluster \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller

Ingress with ALB

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abc123
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 80

Advanced Usage

Cluster Autoscaler

# Deploy Cluster Autoscaler
kubectl apply -f https://raw.githubusercontent.com/kubernetes/autoscaler/master/cluster-autoscaler/cloudprovider/aws/examples/cluster-autoscaler-autodiscover.yaml

# Keep the autoscaler's own pod from being evicted during scale-down
# (the cluster name still has to be set in the deployment's
# --node-group-auto-discovery flag, e.g. via kubectl -n kube-system edit deployment.apps/cluster-autoscaler)
kubectl -n kube-system annotate deployment.apps/cluster-autoscaler \
  cluster-autoscaler.kubernetes.io/safe-to-evict="false"

Fargate Profiles

# Create Fargate profile
eksctl create fargateprofile \
  --cluster my-cluster \
  --name fp-default \
  --namespace default \
  --labels app=serverless

# List Fargate profiles
eksctl get fargateprofile --cluster my-cluster

EKS with Karpenter

# Install Karpenter
helm install karpenter oci://public.ecr.aws/karpenter/karpenter \
  --version v0.33.0 \
  --namespace karpenter --create-namespace \
  --set clusterName=my-cluster \
  --set clusterEndpoint=$(aws eks describe-cluster --name my-cluster --query "cluster.endpoint" --output text)

Troubleshooting

Issue                          | Solution
error: You must be logged in   | Run aws eks update-kubeconfig --name <cluster>
Nodes not joining cluster      | Check security groups allow communication on port 443 to control plane
Pods stuck in Pending          | Check node capacity, resource requests, and taints/tolerations
DNS resolution failing         | Verify CoreDNS add-on is running: kubectl get pods -n kube-system -l k8s-app=kube-dns
ALB not creating               | Ensure AWS Load Balancer Controller is installed and IAM role is correct
OIDC provider errors           | Run eksctl utils associate-iam-oidc-provider --cluster <name> --approve
Unauthorized on kubectl        | Verify the IAM identity mapping in aws-auth ConfigMap