- /rancher/v2.x/en/tasks/clusters/creating-a-cluster/create-cluster-amazon-ec2/
Use {{< product >}} to create a Kubernetes cluster in Amazon EC2.
Prerequisites
Create the cluster
- From the Clusters page, click Add Cluster.
- Choose Amazon EC2.
- Enter a Cluster Name.
- {{< step_create-cluster_member-roles >}}
- {{< step_create-cluster_cluster-options >}}Refer to Selecting Cloud Providers to configure the Kubernetes Cloud Provider.
{{< step_create-cluster_node-pools >}}
Click Add Node Template.
Complete each of the following forms using information available from the EC2 Management Console.
-
Account Access is where you configure the region of the nodes, and the credentials (Access Key and Secret Key) used to create the machine. See Prerequisistes how to create the Access Key and Secret Key and the needed permissions.
-
Zone and Network configures the availability zone and network settings for your cluster.
- Security Groups creates or configures the Security Groups applied to your nodes. Please refer to Amazon EC2 security group when using Node Driver to see what rules are created in the
rancher-nodes Security Group.
- Instance configures the instances that will be created. Make sure you configure the correct SSH User for the configured AMI.
If you need to pass an IAM Instance Profile Name (not ARN), for example, when you want to use a Kubernetes Cloud Provider, you will need an additional permission in your policy. See Example IAM policy with PassRole for an example policy.
- {{< step_rancher-template >}}
- Click Create.
- Optional: Add additional node pools.
- Review your cluster settings to confirm they are correct. Then click Create.
{{< result_create-cluster >}}
Example IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:Describe*",
"ec2:ImportKeyPair",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteKeyPair"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:REGION::image/ami-*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:instance/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:placement-group/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:volume/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:subnet/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:key-pair/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:network-interface/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:security-group/*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:instance/*"
}
]
}
Example IAM Policy with PassRole
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:Describe*",
"ec2:ImportKeyPair",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteKeyPair"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"iam:PassRole",
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:REGION::image/ami-*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:instance/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:placement-group/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:volume/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:subnet/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:key-pair/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:network-interface/*",
"arn:aws:ec2:REGION:AWS_ACCOUNT_ID:security-group/*",
"arn:aws:iam::AWS_ACCOUNT_ID:role/your-role-name"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:REGION:AWS_ACCOUNT_ID:instance/*"
}
]
}