AEWS 3주차 정리

🚀 실습 환경 배포

2개의 VPC(EKS 배포, 운영용 구분), myeks-vpc의 public 에 EFS 추가

🏗️ AWS CloudFormation을 통해 기본 실습 환경 배포

1. yaml 파일 다운로드

curl -O https://s3.ap-northeast-2.amazonaws.com/cloudformation.cloudneta.net/K8S/myeks-3week.yaml
# 결과
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--100 14933  100 14933    0     0   141k      0 --:--:-- --:--:-- --:--:--  140k

2. 배포

aws cloudformation deploy --template-file ~/Downloads/myeks-3week.yaml \
   --stack-name myeks --parameter-overrides KeyName=kp-aews SgIngressSshCidr=$(curl -s ipinfo.io/ip)/32 --region ap-northeast-2

# 결과
Waiting for changeset to be created..
Waiting for stack create/update to complete
Successfully created/updated stack - myeks

3. 운영서버 EC2 에 SSH 접속

ssh -i kp-aews.pem ec2-user@$(aws cloudformation describe-stacks --stack-name myeks --query 'Stacks[*].Outputs[0].OutputValue' --output text)
   ,     #_
   ~\_  ####_        Amazon Linux 2
  ~~  \_#####\
  ~~     \###|       AL2 End of Life is 2026-06-30.
  ~~       \#/ ___
   ~~       V~' '->
    ~~~         /    A newer version of Amazon Linux is available!
      ~~._.   _/
         _/ _/       Amazon Linux 2023, GA and supported until 2028-03-15.
       _/m/'           https://aws.amazon.com/linux/amazon-linux-2023/

[root@operator-host ~]# 

EFS의 네트워크 인터페이스(ENI)를 통해 서브넷 ID 및 IPv4 주소가 할당됨

EFS > Network 메뉴에서 서브넷 ID, IPv4 Address 확인 가능 ✅

🛠️ eksctl 을 통해 EKS 배포

1. 변수 설정

• Cluster Name, VPC ID, Public Subnet, SSH Key 변수로 저장

export CLUSTER_NAME=myeks

# VPC ID 가져오기
export VPCID=$(aws ec2 describe-vpcs --filters "Name=tag:Name,Values=$CLUSTER_NAME-VPC" --query 'Vpcs[*].VpcId' --output text)
echo $VPCID
vpc-0e32b5a6653acdcd9

# Public Subnet ID 가져오기
export PubSubnet1=$(aws ec2 describe-subnets --filters Name=tag:Name,Values="$CLUSTER_NAME-Vpc1PublicSubnet1" --query "Subnets[0].[SubnetId]" --output text)
export PubSubnet2=$(aws ec2 describe-subnets --filters Name=tag:Name,Values="$CLUSTER_NAME-Vpc1PublicSubnet2" --query "Subnets[0].[SubnetId]" --output text)
export PubSubnet3=$(aws ec2 describe-subnets --filters Name=tag:Name,Values="$CLUSTER_NAME-Vpc1PublicSubnet3" --query "Subnets[0].[SubnetId]" --output text)
echo $PubSubnet1 $PubSubnet2 $PubSubnet3
subnet-0fed28a1b3e108719 subnet-0e4fb63cb543698fe subnet-0861bd68771150000

# 자신의 SSH Keypair 이름
SSHKEYNAME=kp-aews

2. EKS 클러스터 설정 파일 생성

• myeks.yaml 파일 생성

cat << EOF > myeks.yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: myeks
  region: ap-northeast-2
  version: "1.31"

iam:
  withOIDC: true # enables the IAM OIDC provider as well as IRSA for the Amazon CNI plugin

  serviceAccounts: # service accounts to create in the cluster. See IAM Service Accounts
  - metadata:
      name: aws-load-balancer-controller
      namespace: kube-system
    wellKnownPolicies:
      awsLoadBalancerController: true

vpc:
  cidr: 192.168.0.0/16
  clusterEndpoints:
    privateAccess: true # if you only want to allow private access to the cluster
    publicAccess: true # if you want to allow public access to the cluster
  id: $VPCID
  subnets:
    public:
      ap-northeast-2a:
        az: ap-northeast-2a
        cidr: 192.168.1.0/24
        id: $PubSubnet1
      ap-northeast-2b:
        az: ap-northeast-2b
        cidr: 192.168.2.0/24
        id: $PubSubnet2
      ap-northeast-2c:
        az: ap-northeast-2c
        cidr: 192.168.3.0/24
        id: $PubSubnet3

addons:
  - name: vpc-cni # no version is specified so it deploys the default version
    version: latest # auto discovers the latest available
    attachPolicyARNs: # attach IAM policies to the add-on's service account
      - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
    configurationValues: |-
      enableNetworkPolicy: "true"

  - name: kube-proxy
    version: latest

  - name: coredns
    version: latest

  - name: metrics-server
    version: latest

managedNodeGroups:
- amiFamily: AmazonLinux2023
  desiredCapacity: 3
  iam:
    withAddonPolicies:
      certManager: true # Enable cert-manager
      externalDNS: true # Enable ExternalDNS
  instanceType: t3.medium
  preBootstrapCommands:
    # install additional packages
    - "dnf install nvme-cli links tree tcpdump sysstat ipvsadm ipset bind-utils htop -y"
  labels:
    alpha.eksctl.io/cluster-name: myeks
    alpha.eksctl.io/nodegroup-name: ng1
  maxPodsPerNode: 100
  maxSize: 3
  minSize: 3
  name: ng1
  ssh:
    allow: true
    publicKeyName: $SSHKEYNAME
  tags:
    alpha.eksctl.io/nodegroup-name: ng1
    alpha.eksctl.io/nodegroup-type: managed
  volumeIOPS: 3000
  volumeSize: 120
  volumeThroughput: 125
  volumeType: gp3
EOF

• 실제 작성된 myeks.yaml 파일

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: myeks
  region: ap-northeast-2
  version: "1.31"

iam:
  withOIDC: true # enables the IAM OIDC provider as well as IRSA for the Amazon CNI plugin

  serviceAccounts: # service accounts to create in the cluster. See IAM Service Accounts
  - metadata:
      name: aws-load-balancer-controller
      namespace: kube-system
    wellKnownPolicies:
      awsLoadBalancerController: true

vpc:
  cidr: 192.168.0.0/16
  clusterEndpoints:
    privateAccess: true # if you only want to allow private access to the cluster
    publicAccess: true # if you want to allow public access to the cluster
  id: vpc-0e32b5a6653acdcd9
  subnets:
    public:
      ap-northeast-2a:
        az: ap-northeast-2a
        cidr: 192.168.1.0/24
        id: subnet-0fed28a1b3e108719
      ap-northeast-2b:
        az: ap-northeast-2b
        cidr: 192.168.2.0/24
        id: subnet-0e4fb63cb543698fe
      ap-northeast-2c:
        az: ap-northeast-2c
        cidr: 192.168.3.0/24
        id: subnet-0861bd68771150000

addons:
  - name: vpc-cni # no version is specified so it deploys the default version
    version: latest # auto discovers the latest available
    attachPolicyARNs: # attach IAM policies to the add-on's service account
      - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
    configurationValues: |-
      enableNetworkPolicy: "true"

  - name: kube-proxy
    version: latest

  - name: coredns
    version: latest

  - name: metrics-server
    version: latest

managedNodeGroups:
- amiFamily: AmazonLinux2023
  desiredCapacity: 3
  iam:
    withAddonPolicies:
      certManager: true # Enable cert-manager
      externalDNS: true # Enable ExternalDNS
  instanceType: t3.medium
  preBootstrapCommands:
    # install additional packages
    - "dnf install nvme-cli links tree tcpdump sysstat ipvsadm ipset bind-utils htop -y"
  labels:
    alpha.eksctl.io/cluster-name: myeks
    alpha.eksctl.io/nodegroup-name: ng1
  maxPodsPerNode: 100
  maxSize: 3
  minSize: 3
  name: ng1
  ssh:
    allow: true
    publicKeyName: kp-aews
  tags:
    alpha.eksctl.io/nodegroup-name: ng1
    alpha.eksctl.io/nodegroup-type: managed
  volumeIOPS: 3000
  volumeSize: 120
  volumeThroughput: 125
  volumeType: gp3

3. eks 배포

eksctl create cluster -f myeks.yaml --verbose 4

# 결과
2025-02-18 11:31:47 [▶]  Setting credentials expiry window to 30 minutes
2025-02-18 11:31:48 [▶]  role ARN for the current session is "arn:aws:iam::378102432899:user/eks-user"
2025-02-18 11:31:48 [ℹ]  eksctl version 0.203.0
2025-02-18 11:31:48 [ℹ]  using region ap-northeast-2
2025-02-18 11:31:48 [✔]  using existing VPC (vpc-0e32b5a6653acdcd9) and subnets (private:map[] public:map[ap-northeast-2a:{subnet-0fed28a1b3e108719 ap-northeast-2a 192.168.1.0/24 0 } ap-northeast-2b:{subnet-0e4fb63cb543698fe ap-northeast-2b 192.168.2.0/24 0 } ap-northeast-2c:{subnet-0861bd68771150000 ap-northeast-2c 192.168.3.0/24 0 }])
2025-02-18 11:31:48 [!]  custom VPC/subnets will be used; if resulting cluster doesn't function as expected, make sure to review the configuration of VPC/subnets
2025-02-18 11:31:48 [ℹ]  nodegroup "ng1" will use "" [AmazonLinux2023/1.31]
2025-02-18 11:31:48 [ℹ]  using EC2 key pair "kp-aews"
2025-02-18 11:31:48 [ℹ]  using Kubernetes version 1.31
2025-02-18 11:31:48 [ℹ]  creating EKS cluster "myeks" in "ap-northeast-2" region with managed nodes
2025-02-18 11:31:48 [▶]  cfg.json = \
.......

4. EKS 네임스페이스 및 컨텍스트 설정 변경

• 네임스페이스 default 변경 적용

kubens default
# 결과
✔ Active namespace is "default"

• EKS 컨텍스트명 변경 (eks-user → eksworkshop)

kubectl ctx
# 결과
Switched to context "eks-user@myeks.ap-northeast-2.eksctl.io".

kubectl config rename-context "eks-user@myeks.ap-northeast-2.eksctl.io" "eksworkshop"
# 결과
Context "eks-user@myeks.ap-northeast-2.eksctl.io" renamed to "eksworkshop".

5. EKS 클러스터 정보 확인

kubectl cluster-info

✅ 출력

Kubernetes control plane is running at https://791BC5A9BB3716EA88C45304E0696F83.gr7.ap-northeast-2.eks.amazonaws.com
CoreDNS is running at https://791BC5A9BB3716EA88C45304E0696F83.gr7.ap-northeast-2.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

6. EKS 노드 정보 조회

• 클러스터의 노드 상태, 인스턴스 유형, 용량 유형(온디맨드), 가용 영역 확인

kubectl get node --label-columns=node.kubernetes.io/instance-type,eks.amazonaws.com/capacityType,topology.kubernetes.io/zone

✅ 출력

NAME                                               STATUS   ROLES    AGE   VERSION               INSTANCE-TYPE   CAPACITYTYPE   ZONE
ip-192-168-1-207.ap-northeast-2.compute.internal   Ready    <none>   26m   v1.31.5-eks-5d632ec   t3.medium       ON_DEMAND      ap-northeast-2a
ip-192-168-2-84.ap-northeast-2.compute.internal    Ready    <none>   26m   v1.31.5-eks-5d632ec   t3.medium       ON_DEMAND      ap-northeast-2b
ip-192-168-3-80.ap-northeast-2.compute.internal    Ready    <none>   26m   v1.31.5-eks-5d632ec   t3.medium       ON_DEMAND      ap-northeast-2c

7. 관리형 노드 그룹 확인

eksctl get nodegroup --cluster $CLUSTER_NAME

✅ 출력

CLUSTER	NODEGROUP	STATUS	CREATED			MIN SIZE	MAX SIZE	DESIRED CAPACITY	INSTANCE TYPE	IMAGE ID		ASG NAME					TYPE
myeks	ng1		ACTIVE	2025-02-18T02:45:19Z	3		3		3			t3.medium	AL2023_x86_64_STANDARD	eks-ng1-c8ca8b79-064a-1771-a08d-6ace8e163bd4	managed

aws eks describe-nodegroup --cluster-name $CLUSTER_NAME --nodegroup-name ng1 | jq

✅ 출력

{
  "nodegroup": {
    "nodegroupName": "ng1",
    "nodegroupArn": "arn:aws:eks:ap-northeast-2:378102432899:nodegroup/myeks/ng1/c8ca8b79-064a-1771-a08d-6ace8e163bd4",
    "clusterName": "myeks",
    "version": "1.31",
    "releaseVersion": "1.31.5-20250212",
    "createdAt": "2025-02-18T11:45:19.813000+09:00",
    "modifiedAt": "2025-02-18T12:06:04.747000+09:00",
    "status": "ACTIVE",
    "capacityType": "ON_DEMAND",
    "scalingConfig": {
      "minSize": 3,
      "maxSize": 3,
      "desiredSize": 3
    },
    "instanceTypes": [
      "t3.medium"
    ],
    "subnets": [
      "subnet-0fed28a1b3e108719",
      "subnet-0e4fb63cb543698fe",
      "subnet-0861bd68771150000"
    ],
    "amiType": "AL2023_x86_64_STANDARD",
    "nodeRole": "arn:aws:iam::378102432899:role/eksctl-myeks-nodegroup-ng1-NodeInstanceRole-rGyQG9rZlOwl",
    "labels": {
      "alpha.eksctl.io/cluster-name": "myeks",
      "alpha.eksctl.io/nodegroup-name": "ng1"
    },
    "resources": {
      "autoScalingGroups": [
        {
          "name": "eks-ng1-c8ca8b79-064a-1771-a08d-6ace8e163bd4"
        }
      ]
    },
    "health": {
      "issues": []
    },
    "updateConfig": {
      "maxUnavailable": 1
    },
    "launchTemplate": {
      "name": "eksctl-myeks-nodegroup-ng1",
      "version": "1",
      "id": "lt-070d49ace29ca00a6"
    },
    "tags": {
      "aws:cloudformation:stack-name": "eksctl-myeks-nodegroup-ng1",
      "alpha.eksctl.io/cluster-name": "myeks",
      "alpha.eksctl.io/nodegroup-name": "ng1",
      "aws:cloudformation:stack-id": "arn:aws:cloudformation:ap-northeast-2:378102432899:stack/eksctl-myeks-nodegroup-ng1/55132e60-eda2-11ef-876d-06d9644ecb71",
      "eksctl.cluster.k8s.io/v1alpha1/cluster-name": "myeks",
      "aws:cloudformation:logical-id": "ManagedNodeGroup",
      "alpha.eksctl.io/nodegroup-type": "managed",
      "alpha.eksctl.io/eksctl-version": "0.203.0"
    }
  }
}

8. EKS addon 상태 확인

eksctl get addon --cluster $CLUSTER_NAME

✅ 출력

2025-02-18 12:16:16 [ℹ]  Kubernetes version "1.31" in use by cluster "myeks"
2025-02-18 12:16:16 [ℹ]  getting all addons
2025-02-18 12:16:18 [ℹ]  to see issues for an addon run `eksctl get addon --name <addon-name> --cluster <cluster-name>`
NAME		VERSION			STATUS	ISSUES	IAMROLE										UPDATE AVAILABLE	CONFIGURATION VALUES		POD IDENTITY ASSOCIATION ROLES
coredns		v1.11.4-eksbuild.2	ACTIVE	0													
kube-proxy	v1.31.3-eksbuild.2	ACTIVE	0													
metrics-server	v0.7.2-eksbuild.2	ACTIVE	0													
vpc-cni		v1.19.2-eksbuild.5	ACTIVE	0	arn:aws:iam::378102432899:role/eksctl-myeks-addon-vpc-cni-Role1-ZTYxtOMDwfFu			enableNetworkPolicy: "true"	

9. AWS Load Balancer Controller용 IAM 서비스 계정 확인

(1) IAM 서비스 계정 확인

• aws-load-balancer-controller 서비스 계정이 IAM Role과 올바르게 바인딩되었는지 확인

eksctl get iamserviceaccount --cluster $CLUSTER_NAME

✅ 출력

NAMESPACE	NAME				ROLE ARN
kube-system	aws-load-balancer-controller	arn:aws:iam::378102432899:role/eksctl-myeks-addon-iamserviceaccount-kube-sys-Role1-O6YEYsN7iVeQ

(2) myeks.yaml 파일 확인

• certManager 및 externalDNS를 활성화하여 SSL 인증서 자동화 및 외부 DNS 레코드 관리 기능 추가했음

managedNodeGroups:
- amiFamily: AmazonLinux2023
  desiredCapacity: 3
  iam:
    withAddonPolicies:
      certManager: true # Enable cert-manager
      externalDNS: true # Enable ExternalDNS

(3) EC2 인스턴스의 IAM Role 확인

• 클러스터의 관리형 노드 그룹(myeks-ng1-Node)에 연결된 IAM Role 확인
• eksctl-myeks-nodegroup-ng1-NodeInstanceRole-rGyQG9rZlOwl 역할이 부여됨

• 이 역할을 통해 externalDNS 및 certManager의 IAM 정책이 적용됨

---

🖥️ 관리형 노드 그룹(EC2) 접속

1. 인스턴스 정보 확인

aws ec2 describe-instances --query "Reservations[*].Instances[*].{InstanceID:InstanceId, PublicIPAdd:PublicIpAddress, PrivateIPAdd:PrivateIpAddress, InstanceName:Tags[?Key=='Name']|[0].Value, Status:State.Name}" --filters Name=instance-state-name,Values=running --output table

✅ 출력

----------------------------------------------------------------------------------------
|                                   DescribeInstances                                  |
+----------------------+-----------------+----------------+----------------+-----------+
|      InstanceID      |  InstanceName   | PrivateIPAdd   |  PublicIPAdd   |  Status   |
+----------------------+-----------------+----------------+----------------+-----------+
|  i-0484d2b724be33973 |  myeks-ng1-Node |  192.168.3.80  |  15.164.49.232 |  running  |
|  i-0b995a92db06f58d8 |  operator-host  |  172.20.1.100  |  3.35.230.35   |  running  |
|  i-093ad32d5ff5a8770 |  myeks-ng1-Node |  192.168.1.207 |  3.35.47.226   |  running  |
|  i-0a80fdc36a856f394 |  myeks-ng1-Node |  192.168.2.84  |  43.203.131.45 |  running  |
+----------------------+-----------------+----------------+----------------+-----------+

2. 가용 영역(AZ)별 EC2 공인 IP 조회

• AZ1 배치된 EC2 공인 IP

aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=myeks-ng1-Node" "Name=availability-zone,Values=ap-northeast-2a" \
    --query 'Reservations[*].Instances[*].PublicIpAddress' \
    --output text

# 결과
3.35.47.226

• AZ2 배치된 EC2 공인 IP

aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=myeks-ng1-Node" "Name=availability-zone,Values=ap-northeast-2b" \
    --query 'Reservations[*].Instances[*].PublicIpAddress' \
    --output text

# 결과
43.203.131.45

• AZ3 배치된 EC2 공인 IP

aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=myeks-ng1-Node" "Name=availability-zone,Values=ap-northeast-2c" \
    --query 'Reservations[*].Instances[*].PublicIpAddress' \
    --output text

# 결과
15.164.49.232

3. AZ별 EC2 공인 IP를 환경 변수에 저장

• 각 가용 영역(AZ)에 배치된 EC2 공인 IP를 변수(N1, N2, N3)에 저장

export N1=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=myeks-ng1-Node" "Name=availability-zone,Values=ap-northeast-2a" --query 'Reservations[*].Instances[*].PublicIpAddress' --output text)
export N2=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=myeks-ng1-Node" "Name=availability-zone,Values=ap-northeast-2b" --query 'Reservations[*].Instances[*].PublicIpAddress' --output text)
export N3=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=myeks-ng1-Node" "Name=availability-zone,Values=ap-northeast-2c" --query 'Reservations[*].Instances[*].PublicIpAddress' --output text)

echo $N1, $N2, $N3

✅ 출력

3.35.47.226, 43.203.131.45, 15.164.49.232

4. EKS 워커노드의 SSH 보안 그룹 자동 추가 확인

• myeks.yaml에서 ssh.allow: true로 설정하면 EKS 워커노드 보안 그룹이 자동 생성됨

  ssh:
    allow: true
    publicKeyName: kp-aews

• 생성된 보안 그룹: sg-0edd80591095505a9 (eksctl-myeks-nodegroup-ng1-remoteAccess)

• 기본설정: 포트 22번(SSH)이 Any(0.0.0.0/0)로 오픈됨
• 보안 위험: 불특정 다수가 SSH 접근 가능하여 보안 취약점 발생 가능
• 개선 방안: ssh.allow: false로 설정하고, 직접 보안 그룹에서 IP를 통제하는 방식이 안전

5. 특정 IP에서만 접근 허용 (보안 강화)

• 보안 그룹(remoteAccess)에서 집 IP와 운영 서버 EC2만 접근 가능하도록 수정
• 모든 트래픽을 허용하지 않고, 특정 IP에서만 접근 가능하도록 제한

(1) remoteAccess 포함된 보안 그룹 ID 확인

aws ec2 describe-security-groups --filters "Name=group-name,Values=*remoteAccess*" | jq
export MNSGID=$(aws ec2 describe-security-groups --filters "Name=group-name,Values=*remoteAccess*" --query 'SecurityGroups[*].GroupId' --output text)

✅ 출력

{
  "SecurityGroups": [
    {
      "GroupId": "sg-0edd80591095505a9",
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "UserIdGroupPairs": [],
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "Ipv6Ranges": [],
          "PrefixListIds": []
        }
      ],
      "Tags": [
        {
          "Key": "alpha.eksctl.io/nodegroup-type",
          "Value": "managed"
        },
        {
          "Key": "aws:cloudformation:logical-id",
          "Value": "SSH"
        },
        {
          "Key": "alpha.eksctl.io/nodegroup-name",
          "Value": "ng1"
        },
        {
          "Key": "alpha.eksctl.io/cluster-name",
          "Value": "myeks"
        },
        {
          "Key": "Name",
          "Value": "eksctl-myeks-nodegroup-ng1/SSH"
        },
        {
          "Key": "aws:cloudformation:stack-name",
          "Value": "eksctl-myeks-nodegroup-ng1"
        },
        {
          "Key": "aws:cloudformation:stack-id",
          "Value": "arn:aws:cloudformation:ap-northeast-2:378102432899:stack/eksctl-myeks-nodegroup-ng1/55132e60-eda2-11ef-876d-06d9644ecb71"
        },
        {
          "Key": "alpha.eksctl.io/eksctl-version",
          "Value": "0.203.0"
        },
        {
          "Key": "eksctl.cluster.k8s.io/v1alpha1/cluster-name",
          "Value": "myeks"
        }
      ],
      "VpcId": "vpc-0e32b5a6653acdcd9",
      "SecurityGroupArn": "arn:aws:ec2:ap-northeast-2:378102432899:security-group/sg-0edd80591095505a9",
      "OwnerId": "378102432899",
      "GroupName": "eksctl-myeks-nodegroup-ng1-remoteAccess",
      "Description": "Allow SSH access",
      "IpPermissions": [
        {
          "IpProtocol": "tcp",
          "FromPort": 22,
          "ToPort": 22,
          "UserIdGroupPairs": [],
          "IpRanges": [
            {
              "Description": "Allow SSH access to managed worker nodes in group ng1",
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "Ipv6Ranges": [
            {
              "Description": "Allow SSH access to managed worker nodes in group ng1",
              "CidrIpv6": "::/0"
            }
          ],
          "PrefixListIds": []
        }
      ]
    }
  ]
}

(2) 집 공인 IP를 보안 그룹 Inbound에 추가

• 현재 접속 중인 집 공인 IP를 보안 그룹(remoteAccess)의 Inbound 룰에 추가

aws ec2 authorize-security-group-ingress --group-id $MNSGID --protocol '-1' --cidr $(curl -s ipinfo.io/ip)/32
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-08fceda8b8811d00b",
            "GroupId": "sg-0edd80591095505a9",
            "GroupOwnerId": "378102432899",
            "IsEgress": false,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "182.230.60.93/32",
            "SecurityGroupRuleArn": "arn:aws:ec2:ap-northeast-2:378102432899:security-group-rule/sgr-08fceda8b8811d00b"
        }
    ]
}

(3) 운영 서버 내부 IP를 보안 그룹 Inbound에 추가

• 운영 서버 내부 IP(172.20.1.100/32)도 보안 그룹의 Inbound 룰에 추가

aws ec2 authorize-security-group-ingress --group-id $MNSGID --protocol '-1' --cidr 172.20.1.100/32
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-02799adf73d669efa",
            "GroupId": "sg-0edd80591095505a9",
            "GroupOwnerId": "378102432899",
            "IsEgress": false,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "172.20.1.100/32",
            "SecurityGroupRuleArn": "arn:aws:ec2:ap-northeast-2:378102432899:security-group-rule/sgr-02799adf73d669efa"
        }
    ]
}

(4) 워커노드 ping 테스트

ping -c 2 $N1

✅ 출력

PING 3.35.47.226 (3.35.47.226) 56(84) bytes of data.
64 bytes from 3.35.47.226: icmp_seq=1 ttl=115 time=13.7 ms
64 bytes from 3.35.47.226: icmp_seq=2 ttl=115 time=13.8 ms

--- 3.35.47.226 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 13.744/13.779/13.815/0.035 ms

(5) 워커노드 SSH 접속 테스트

ssh -i kp-aews.pem -o StrictHostKeyChecking=no ec2-user@$N1 hostname

✅ 출력

ip-192-168-1-207.ap-northeast-2.compute.internal

for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh -o StrictHostKeyChecking=no ec2-user@$i hostname; echo; done

✅ 출력

>> node 3.35.47.226 <<
ip-192-168-1-207.ap-northeast-2.compute.internal

>> node 43.203.131.45 <<
ip-192-168-2-84.ap-northeast-2.compute.internal

>> node 15.164.49.232 <<
ip-192-168-3-80.ap-northeast-2.compute.internal

ssh ec2-user@$N1

# 결과
A newer release of "Amazon Linux" is available.
  Version 2023.6.20250211:
Run "/usr/bin/dnf check-release-update" for full release and version update info
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Wed Feb 12 05:52:48 2025 from 52.94.123.236
[ec2-user@ip-192-168-1-207 ~]$ 

ssh ec2-user@$N2

# 결과
A newer release of "Amazon Linux" is available.
  Version 2023.6.20250211:
Run "/usr/bin/dnf check-release-update" for full release and version update info
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Wed Feb 12 05:52:48 2025 from 52.94.123.236
[ec2-user@ip-192-168-2-84 ~]$ 

ssh ec2-user@$N3

# 결과
A newer release of "Amazon Linux" is available.
  Version 2023.6.20250211:
Run "/usr/bin/dnf check-release-update" for full release and version update info
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Wed Feb 12 05:52:48 2025 from 52.94.123.236
[ec2-user@ip-192-168-3-80 ~]$ 

---

🔍 노드 정보 확인

1. EKS 워커노드 기본 정보 확인

for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i hostnamectl; echo; done

✅ 출력

>> node 3.35.47.226 <<
 Static hostname: ip-192-168-1-207.ap-northeast-2.compute.internal
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: ec26a612d3fd1934a5b6b39b72fa9d18
         Boot ID: 98d99077d96a424daa3ab81b196f38a0
  Virtualization: amazon
Operating System: Amazon Linux 2023.6.20250203
     CPE OS Name: cpe:2.3:o:amazon:amazon_linux:2023
          Kernel: Linux 6.1.127-135.201.amzn2023.x86_64
    Architecture: x86-64
 Hardware Vendor: Amazon EC2
  Hardware Model: t3.medium
Firmware Version: 1.0

>> node 43.203.131.45 <<
 Static hostname: ip-192-168-2-84.ap-northeast-2.compute.internal
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: ec2f16bc9e1f90914542402b6bd7e2db
         Boot ID: b921993e9cd54993bed4e93693d89aab
  Virtualization: amazon
Operating System: Amazon Linux 2023.6.20250203
     CPE OS Name: cpe:2.3:o:amazon:amazon_linux:2023
          Kernel: Linux 6.1.127-135.201.amzn2023.x86_64
    Architecture: x86-64
 Hardware Vendor: Amazon EC2
  Hardware Model: t3.medium
Firmware Version: 1.0

>> node 15.164.49.232 <<
 Static hostname: ip-192-168-3-80.ap-northeast-2.compute.internal
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: ec2e2414fefb5afd3b0c3ec76d9735ce
         Boot ID: 909e95d8c70f4b00a9cd6545fad4d33b
  Virtualization: amazon
Operating System: Amazon Linux 2023.6.20250203
     CPE OS Name: cpe:2.3:o:amazon:amazon_linux:2023
          Kernel: Linux 6.1.127-135.201.amzn2023.x86_64
    Architecture: x86-64
 Hardware Vendor: Amazon EC2
  Hardware Model: t3.medium
Firmware Version: 1.0

2. EKS 워커노드 네트워크 인터페이스 확인

for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i sudo ip -c addr; echo; done

✅ 출력

>> node 3.35.47.226 <<
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 02:e7:74:d0:4e:63 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet 192.168.1.207/24 metric 1024 brd 192.168.1.255 scope global dynamic ens5
       valid_lft 1811sec preferred_lft 1811sec
    inet6 fe80::e7:74ff:fed0:4e63/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

>> node 43.203.131.45 <<
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 06:3b:f6:53:20:41 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet 192.168.2.84/24 metric 1024 brd 192.168.2.255 scope global dynamic ens5
       valid_lft 1812sec preferred_lft 1812sec
    inet6 fe80::43b:f6ff:fe53:2041/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

>> node 15.164.49.232 <<
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0a:2f:05:2e:be:c1 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet 192.168.3.80/24 metric 1024 brd 192.168.3.255 scope global dynamic ens5
       valid_lft 1805sec preferred_lft 1805sec
    inet6 fe80::82f:5ff:fe2e:bec1/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
3: eni81d769258b0@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether ae:50:23:e1:4f:0f brd ff:ff:ff:ff:ff:ff link-netns cni-fa2faa2f-0179-8831-ef6d-458723488300
    inet6 fe80::ac50:23ff:fee1:4f0f/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
4: enia025c0419e6@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether 4e:d3:3a:8d:e9:53 brd ff:ff:ff:ff:ff:ff link-netns cni-994c349e-66b0-685d-52c0-6358456a1ee1
    inet6 fe80::4cd3:3aff:fe8d:e953/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
5: eni181f90d8a40@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether be:89:71:d7:fc:1c brd ff:ff:ff:ff:ff:ff link-netns cni-dca67549-f5c2-daf8-b13c-c641ff9b4191
    inet6 fe80::bc89:71ff:fed7:fc1c/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
6: enifa068c4d7bd@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether 92:11:37:91:87:7f brd ff:ff:ff:ff:ff:ff link-netns cni-99f480e7-d3cc-12d0-c204-65a883192bdb
    inet6 fe80::9011:37ff:fe91:877f/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
7: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0a:75:29:ce:c9:4d brd ff:ff:ff:ff:ff:ff
    altname enp0s6
    inet 192.168.3.26/24 brd 192.168.3.255 scope global ens6
       valid_lft forever preferred_lft forever
    inet6 fe80::875:29ff:fece:c94d/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

3. EKS 워커노드 스토리지 정보 확인

• 스토리지 확인 및 루트 볼륨 크기 체크
• 루트 볼륨 120GB (nvme0n1)
• /boot/efi 포함된 파티션 구조 확인

for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i lsblk; echo; done

✅ 출력

>> node 3.35.47.226 <<
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
nvme0n1       259:0    0  120G  0 disk 
├─nvme0n1p1   259:1    0  120G  0 part /
├─nvme0n1p127 259:2    0    1M  0 part 
└─nvme0n1p128 259:3    0   10M  0 part /boot/efi

>> node 43.203.131.45 <<
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
nvme0n1       259:0    0  120G  0 disk 
├─nvme0n1p1   259:1    0  120G  0 part /
├─nvme0n1p127 259:2    0    1M  0 part 
└─nvme0n1p128 259:3    0   10M  0 part /boot/efi

>> node 15.164.49.232 <<
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
nvme0n1       259:0    0  120G  0 disk 
├─nvme0n1p1   259:1    0  120G  0 part /
├─nvme0n1p127 259:2    0    1M  0 part 
└─nvme0n1p128 259:3    0   10M  0 part /boot/efi

4. EKS 워커노드 디스크 사용량 확인

• 루트 파일 시스템의 디스크 사용량 확인

for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i df -hT /; echo; done

✅ 출력

>> node 3.35.47.226 <<
Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/nvme0n1p1 xfs   120G  3.4G  117G   3% /

>> node 43.203.131.45 <<
Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/nvme0n1p1 xfs   120G  3.4G  117G   3% /

>> node 15.164.49.232 <<
Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/nvme0n1p1 xfs   120G  3.5G  117G   3% /

5. 기본 스토리지 클래스 확인

• 기본적으로 gp2(AWS EBS) 스토리지 클래스 사용
• gp3가 성능 및 비용 측면에서 더 유리하므로 이후 gp3 스토리지 클래스를 추가할 예정

kubectl get sc

✅ 출력

NAME   PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2    kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  102m

• 기본 스토리지 클래스(gp2) 상세 정보 조회

kubectl describe sc gp2

✅ 출력

Name:            gp2
IsDefaultClass:  No
Annotations:     kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{},"name":"gp2"},"parameters":{"fsType":"ext4","type":"gp2"},"provisioner":"kubernetes.io/aws-ebs","volumeBindingMode":"WaitForFirstConsumer"}

Provisioner:           kubernetes.io/aws-ebs
Parameters:            fsType=ext4,type=gp2
AllowVolumeExpansion:  <unset>
MountOptions:          <none>
ReclaimPolicy:         Delete
VolumeBindingMode:     WaitForFirstConsumer
Events:                <none>

6. 현재 설치된 CRD 확인

• 기본 CRD 목록 조회
• 컨트롤러 설치 후 CRD가 추가될 예정

kubectl get crd

✅ 출력

NAME                                         CREATED AT
cninodes.vpcresources.k8s.aws                2025-02-18T02:37:25Z
eniconfigs.crd.k8s.amazonaws.com             2025-02-18T02:40:58Z
policyendpoints.networking.k8s.aws           2025-02-18T02:37:25Z
securitygrouppolicies.vpcresources.k8s.aws   2025-02-18T02:37:25Z

7. CSI 노드 확인

• 현재 CSI(Storage Interface) 드라이버 없음
• 이후 스토리지 관련 컨트롤러 설치 시 추가될 예정

kubectl get csinodes

✅ 출력

NAME                                               DRIVERS   AGE
ip-192-168-1-207.ap-northeast-2.compute.internal   0         97m
ip-192-168-2-84.ap-northeast-2.compute.internal    0         97m
ip-192-168-3-80.ap-northeast-2.compute.internal    0         97m

8. EKS 노드별 최대 Pod 개수 확인

kubectl describe node | grep Capacity: -A13

✅ 출력

Capacity:
  cpu:                2
  ephemeral-storage:  125751276Ki
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3919536Ki
  pods:               100
Allocatable:
  cpu:                1930m
  ephemeral-storage:  114818633946
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3364528Ki
  pods:               100
--
Capacity:
  cpu:                2
  ephemeral-storage:  125751276Ki
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3919536Ki
  pods:               100
Allocatable:
  cpu:                1930m
  ephemeral-storage:  114818633946
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3364528Ki
  pods:               100
--
Capacity:
  cpu:                2
  ephemeral-storage:  125751276Ki
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3919544Ki
  pods:               100
Allocatable:
  cpu:                1930m
  ephemeral-storage:  114818633946
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3364536Ki
  pods:               100

kubectl get nodes -o custom-columns="NAME:.metadata.name,MAXPODS:.status.capacity.pods"

✅ 출력

NAME                                               MAXPODS
ip-192-168-1-207.ap-northeast-2.compute.internal   100
ip-192-168-2-84.ap-northeast-2.compute.internal    100
ip-192-168-3-80.ap-northeast-2.compute.internal    100

9. Kubelet maxPods 기본값 확인

• /etc/kubernetes/kubelet/config.json

for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i sudo cat /etc/kubernetes/kubelet/config.json | grep maxPods; echo; done

✅ 출력

>> node 3.35.47.226 <<
    "maxPods": 17,

>> node 43.203.131.45 <<
    "maxPods": 17,

>> node 15.164.49.232 <<
    "maxPods": 17,

10. 사용자 정의 Kubelet 설정 확인

• /etc/kubernetes/kubelet/config.json.d/00-nodeadm.conf
• maxPods: 100이 설정된 파일 확인
• 기본 값(17)이 오버라이드되어 100으로 적용됨

for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i sudo cat /etc/kubernetes/kubelet/config.json.d/00-nodeadm.conf | grep maxPods; echo; done
>> node 3.35.47.226 <<
    "maxPods": 100

>> node 43.203.131.45 <<
    "maxPods": 100

>> node 15.164.49.232 <<
    "maxPods": 100

---

🔗 운영서버 EC2 : eks kubeconfig 설정, EFS 마운트 테스트

1. 운영 서버 SSH 접속

ssh -i kp-aews.pem ec2-user@$(aws cloudformation describe-stacks --stack-name myeks --query 'Stacks[*].Outputs[0].OutputValue' --output text)
Last login: Tue Feb 18 11:20:41 2025 from 182.230.60.93
   ,     #_
   ~\_  ####_        Amazon Linux 2
  ~~  \_#####\
  ~~     \###|       AL2 End of Life is 2026-06-30.
  ~~       \#/ ___
   ~~       V~' '->
    ~~~         /    A newer version of Amazon Linux is available!
      ~~._.   _/
         _/ _/       Amazon Linux 2023, GA and supported until 2028-03-15.
       _/m/'           https://aws.amazon.com/linux/amazon-linux-2023/

Last login: Tue Feb 18 11:20:41 KST 2025 on pts/0
[root@operator-host ~]# 

2. AWS CLI 자격증명 설정

[root@operator-host ~]# aws configure
AWS Access Key ID [None]: XXXXXXXXXXXXXXXXXX
AWS Secret Access Key [None]: XXXXXXXXXXXXXXXXXX
Default region name [None]: ap-northeast-2
Default output format [None]: json

• AWS Access Key ID: (발급받은 Access Key ID 입력)
• AWS Secret Access Key: (Secret Access Key 입력)
• Default region name: ap-northeast-2 (서울 리전, 원하는 리전 선택 가능)
• Default output format: json 또는 yaml (기본값: json)

3. 현재 IAM 사용자 확인

[root@operator-host ~]# aws sts get-caller-identity --query Arn

# 결과
"arn:aws:iam::378102432899:user/eks-user"

4. kubeconfig 생성 및 EKS 연결 설정

• 운영 서버에서 EKS 클러스터와 연결하기 위해 kubeconfig 파일을 생성

[root@operator-host ~]# aws eks update-kubeconfig --name myeks --user-alias eks-user
Added new context eks-user to /root/.kube/config
(eks-user:N/A) [root@operator-host ~]# 

• kubectl을 사용하여 클러스터 정보 확인

(eks-user:N/A) [root@operator-host ~]# kubectl cluster-info

✅ 출력

Kubernetes control plane is running at https://791BC5A9BB3716EA88C45304E0696F83.gr7.ap-northeast-2.eks.amazonaws.com
CoreDNS is running at https://791BC5A9BB3716EA88C45304E0696F83.gr7.ap-northeast-2.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

• 네임스페이스 변경
• 기본 네임스페이스를 default로 설정

(eks-user:N/A) [root@operator-host ~]# kubectl ns default
Context "eks-user" modified.
Active namespace is "default".
(eks-user:default) [root@operator-host ~]# 

5. EKS 클러스터의 노드 상태 확인

(eks-user:default) [root@operator-host ~]# kubectl get node -v6

✅ 출력

I0218 13:47:55.441335    2910 loader.go:395] Config loaded from file:  /root/.kube/config
I0218 13:47:56.203890    2910 round_trippers.go:553] GET https://791BC5A9BB3716EA88C45304E0696F83.gr7.ap-northeast-2.eks.amazonaws.com/api/v1/nodes?limit=500 200 OK in 755 milliseconds
NAME                                               STATUS   ROLES    AGE    VERSION
ip-192-168-1-207.ap-northeast-2.compute.internal   Ready    <none>   121m   v1.31.5-eks-5d632ec
ip-192-168-2-84.ap-northeast-2.compute.internal    Ready    <none>   121m   v1.31.5-eks-5d632ec
ip-192-168-3-80.ap-northeast-2.compute.internal    Ready    <none>   121m   v1.31.5-eks-5d632ec

6. EFS 마운트 테스트 준비

• 운영 서버(172.20.1.100/24)가 VPC Peering을 통해 EFS를 원격 마운트하여 스토리지 사용 예정
• 현재 운영 서버와 EKS 클러스터가 다른 VPC에 있으므로, VPC Peering을 통해 운영 서버에서 EFS에 접근할 수 있도록 설정할 것

7. 파일 시스템 ID 확인

• 현재 사용 중인 EFS 파일 시스템 ID 확인

(eks-user:default) [root@operator-host ~]# aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text

✅ 출력

fs-0aeb6f8c0c228b9d2

8. EFS 마운트 대상 정보 확인

• EFS에 연결 가능한 마운트 타겟(Subnet 및 IP) 조회

(eks-user:default) [root@operator-host ~]# aws efs describe-mount-targets --file-system-id $(aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text) | jq

✅ 출력

{
  "MountTargets": [
    {
      "OwnerId": "378102432899",
      "MountTargetId": "fsmt-0604d5d000fcd5bac",
      "FileSystemId": "fs-0aeb6f8c0c228b9d2",
      "SubnetId": "subnet-0e4fb63cb543698fe",
      "LifeCycleState": "available",
      "IpAddress": "192.168.2.121",
      "NetworkInterfaceId": "eni-01a6638b93a0f3c69",
      "AvailabilityZoneId": "apne2-az2",
      "AvailabilityZoneName": "ap-northeast-2b",
      "VpcId": "vpc-0e32b5a6653acdcd9"
    },
    {
      "OwnerId": "378102432899",
      "MountTargetId": "fsmt-06d0ec46b5d5eb2e7",
      "FileSystemId": "fs-0aeb6f8c0c228b9d2",
      "SubnetId": "subnet-0fed28a1b3e108719",
      "LifeCycleState": "available",
      "IpAddress": "192.168.1.145",
      "NetworkInterfaceId": "eni-081306b696d34563b",
      "AvailabilityZoneId": "apne2-az1",
      "AvailabilityZoneName": "ap-northeast-2a",
      "VpcId": "vpc-0e32b5a6653acdcd9"
    },
    {
      "OwnerId": "378102432899",
      "MountTargetId": "fsmt-079d4fd81a4d39374",
      "FileSystemId": "fs-0aeb6f8c0c228b9d2",
      "SubnetId": "subnet-0861bd68771150000",
      "LifeCycleState": "available",
      "IpAddress": "192.168.3.250",
      "NetworkInterfaceId": "eni-05a1c8ad9d2d52f44",
      "AvailabilityZoneId": "apne2-az3",
      "AvailabilityZoneName": "ap-northeast-2c",
      "VpcId": "vpc-0e32b5a6653acdcd9"
    }
  ]
}

9. 마운트 대상 IP만 출력

• 마운트 가능한 EFS 네트워크 인터페이스 IP 목록 조회

(eks-user:default) [root@operator-host ~]# aws efs describe-mount-targets --file-system-id $(aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text) --query "MountTargets[*].IpAddress" --output text
192.168.2.121	192.168.1.145	192.168.3.250

10. VPC Peering 환경에서 마운트 방식 결정

• 같은 VPC 내부라면 fs-xxxx.efs.ap-northeast-2.amazonaws.com 형식의 DNS 기반 마운트 가능
• 다른 VPC에서 VPC Peering을 통해 접근하는 경우 → IP 기반 마운트 필요

# DNS 질의 테스트: 같은 VPC가 아니므로 DNS 질의 실패
(eks-user:default) [root@operator-host ~]# dig +short $(aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text).efs.ap-northeast-2.amazonaws.com

11. EFS 마운트 IP 선택 및 환경 변수 설정

• 마운트할 IP 주소(예: 192.168.1.145) 선택 후 환경 변수 저장

(eks-user:default) [root@operator-host ~]# EFSIP1=192.168.1.145

12. EFS 마운트 수행

• 운영 서버에서 EFS를 마운트할 디렉터리 생성
• 192.168.1.145:/mnt/myefs 경로로 마운트됨

(eks-user:default) [root@operator-host ~]# mkdir /mnt/myefs
(eks-user:default) [root@operator-host ~]# mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport $EFSIP1:/ /mnt/myefs

• AWS 콘솔 → EFS → Attach 옵션에서 마운트 방법 및 명령어 제공

• sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 192.168.1.145:/ efs

13. 마운트 상태 확인

(eks-user:default) [root@operator-host ~]# findmnt -t nfs4

✅ 출력

TARGET     SOURCE          FSTYPE OPTIONS
/mnt/myefs 192.168.1.145:/ nfs4   rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,timeo=600,retrans=2,sec=sy

NFS4 타입 파일 시스템만 확인

(eks-user:default) [root@operator-host ~]# df -hT --type nfs4

✅ 출력

Filesystem      Type  Size  Used Avail Use% Mounted on
192.168.1.145:/ nfs4  8.0E     0  8.0E   0% /mnt/myefs

14. EFS에 파일 저장 및 NFS 통계 확인

(1) 파일 저장 전 NFS 상태 확인

(eks-user:default) [root@operator-host ~]# nfsstat

✅ 출력

Client rpc stats:
calls      retrans    authrefrsh
22         0          22      

Client nfs v4:
null         read         write        commit       open         open_conf    
1         4% 0         0% 0         0% 0         0% 0         0% 0         0% 
open_noat    open_dgrd    close        setattr      fsinfo       renew        
0         0% 0         0% 0         0% 0         0% 2         9% 0         0% 
setclntid    confirm      lock         lockt        locku        access       
0         0% 0         0% 0         0% 0         0% 0         0% 0         0% 
getattr      lookup       lookup_root  remove       rename       link         
2         9% 0         0% 1         4% 0         0% 0         0% 0         0% 
symlink      create       pathconf     statfs       readlink     readdir      
0         0% 0         0% 1         4% 1         4% 0         0% 0         0% 
server_caps  delegreturn  getacl       setacl       fs_locations rel_lkowner  
3        13% 0         0% 0         0% 0         0% 0         0% 0         0% 
secinfo      exchange_id  create_ses   destroy_ses  sequence     get_lease_t  
0         0% 0         0% 2         9% 1         4% 0         0% 6        27% 
reclaim_comp layoutget    getdevinfo   layoutcommit layoutreturn getdevlist   
0         0% 1         4% 0         0% 0         0% 0         0% 0         0% 
(null)       
1         4%

• 총 요청(Call) 수: 22
• write 요청 없음

(2) 파일 저장 실행

• EFS 마운트 디렉토리(/mnt/myefs)에 파일 생성
• 원격 NFS 저장소에 파일(memo.txt) 생성됨

(eks-user:default) [root@operator-host ~]# echo "EKS Workshop" > /mnt/myefs/memo.txt

(3) 파일 저장 후 NFS 상태 확인

(eks-user:default) [root@operator-host ~]# nfsstat

✅ 출력

Client rpc stats:
calls      retrans    authrefrsh
27         0          27      

Client nfs v4:
null         read         write        commit       open         open_conf    
1         3% 0         0% 1         3% 0         0% 1         3% 0         0% 
open_noat    open_dgrd    close        setattr      fsinfo       renew        
0         0% 0         0% 1         3% 0         0% 2         7% 0         0% 
setclntid    confirm      lock         lockt        locku        access       
0         0% 0         0% 0         0% 0         0% 0         0% 1         3% 
getattr      lookup       lookup_root  remove       rename       link         
2         7% 0         0% 1         3% 0         0% 0         0% 0         0% 
symlink      create       pathconf     statfs       readlink     readdir      
0         0% 0         0% 1         3% 1         3% 0         0% 0         0% 
server_caps  delegreturn  getacl       setacl       fs_locations rel_lkowner  
3        11% 0         0% 0         0% 0         0% 0         0% 0         0% 
secinfo      exchange_id  create_ses   destroy_ses  sequence     get_lease_t  
0         0% 0         0% 2         7% 1         3% 0         0% 7        25% 
reclaim_comp layoutget    getdevinfo   layoutcommit layoutreturn getdevlist   
0         0% 1         3% 0         0% 0         0% 0         0% 0         0% 
(null)       
1         3% 

• 총 요청(Call) 수: 27
• write 요청 1회 기록됨

15. 저장된 파일 확인

(1) 저장된 파일 목록 확인

(eks-user:default) [root@operator-host ~]# ls -l /mnt/myefs

✅ 출력

total 4
-rw-r--r-- 1 root root 13 Feb 18 14:09 memo.txt

(2) 파일 내용 확인

(eks-user:default) [root@operator-host ~]# cat /mnt/myefs/memo.txt

✅ 출력

EKS Workshop

16. EFS 자동 마운트 설정 (EC2 재부팅 후 유지)

(1) 현재 /etc/fstab 상태 확인

• 기존 마운트 설정 확인

(eks-user:default) [root@operator-host ~]# cat /etc/fstab

✅ 출력

UUID=43b4f483-987f-429f-ad61-9e2993518248     /           xfs    defaults,noatime  1   1

(2) /etc/fstab 파일 수정 (EFS 자동 마운트 추가)

• fstab 파일 열기

sudo vim /etc/fstab

• 파일 맨 아래에 EFS 마운트 정보 추가

192.168.1.145:/ /mnt/myefs nfs4 defaults,_netdev,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 0 0

(3) 변경 사항 적용

• 수정한 /etc/fstab 내용을 즉시 반영

(eks-user:default) [root@operator-host ~]# sudo mount -a

(4) 마운트 상태 확인

• 마운트가 정상적으로 적용되었는지 확인

(eks-user:default) [root@operator-host ~]# df -hT

✅ 출력

Filesystem      Type      Size  Used Avail Use% Mounted on
devtmpfs        devtmpfs  981M     0  981M   0% /dev
tmpfs           tmpfs     990M     0  990M   0% /dev/shm
tmpfs           tmpfs     990M  432K  989M   1% /run
tmpfs           tmpfs     990M     0  990M   0% /sys/fs/cgroup
/dev/xvda1      xfs        30G  3.0G   28G  10% /
tmpfs           tmpfs     198M     0  198M   0% /run/user/1000
192.168.1.145:/ nfs4      8.0E     0  8.0E   0% /mnt/myefs

---

🏗️ EKS 배포 후 실습을 위한 편의 설정

1. 환경 변수 자동 설정 배경

• 이전 실습에서 환경 변수를 매번 수동으로 설정해야 하는 불편함이 있었음
• 신규 터미널 창을 열 때마다 환경 변수가 유지되도록 자동 설정

2. 환경 변수 설정 (~/.bashrc에 추가)

• Route 53 도메인 및 Hosted Zone ID 가져오기

MyDomain=gagajin.com
MyDnzHostedZoneId=$(aws route53 list-hosted-zones-by-name --dns-name "$MyDomain." --query "HostedZones[0].Id" --output text)

• 환경 변수를 ~/.bashrc에 추가하여 새 터미널에서도 유지

cat << EOF >> ~/.bashrc

# eksworkshop
export CLUSTER_NAME=myeks
export VPCID=$(aws ec2 describe-vpcs --filters "Name=tag:Name,Values=$CLUSTER_NAME-VPC" --query 'Vpcs[*].VpcId' --output text)
export PubSubnet1=$(aws ec2 describe-subnets --filters Name=tag:Name,Values="$CLUSTER_NAME-Vpc1PublicSubnet1" --query "Subnets[0].[SubnetId]" --output text)
export PubSubnet2=$(aws ec2 describe-subnets --filters Name=tag:Name,Values="$CLUSTER_NAME-Vpc1PublicSubnet2" --query "Subnets[0].[SubnetId]" --output text)
export PubSubnet3=$(aws ec2 describe-subnets --filters Name=tag:Name,Values="$CLUSTER_NAME-Vpc1PublicSubnet3" --query "Subnets[0].[SubnetId]" --output text)
export N1=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=$CLUSTER_NAME-ng1-Node" "Name=availability-zone,Values=ap-northeast-2a" --query 'Reservations[*].Instances[*].PublicIpAddress' --output text)
export N2=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=$CLUSTER_NAME-ng1-Node" "Name=availability-zone,Values=ap-northeast-2b" --query 'Reservations[*].Instances[*].PublicIpAddress' --output text)
export N3=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=$CLUSTER_NAME-ng1-Node" "Name=availability-zone,Values=ap-northeast-2c" --query 'Reservations[*].Instances[*].PublicIpAddress' --output text)
MyDomain=gagajin.com # 각자 자신의 도메인 이름 입력
MyDnzHostedZoneId=$(aws route53 list-hosted-zones-by-name --dns-name "$MyDomain." --query "HostedZones[0].Id" --output text)
EOF

3. 환경 변수 적용 확인

• 신규 터미널에서 환경 변수 확인

echo $CLUSTER_NAME $VPCID $PubSubnet1 $PubSubnet2 $PubSubnet3
echo $N1 $N2 $N3 $MyDomain $MyDnzHostedZoneId

✅ 출력

myeks vpc-0e32b5a6653acdcd9 subnet-0fed28a1b3e108719 subnet-0e4fb63cb543698fe subnet-0861bd68771150000
3.35.47.226 43.203.131.45 15.164.49.232 gagajin.com /hostedzone/Z099663315X74TRCYB7J5

• 환경 변수가 ~/.bashrc에 정상적으로 추가되었는지 확인

tail -n 12 ~/.bashrc

✅ 출력

# eksworkshop
export CLUSTER_NAME=myeks
export VPCID=vpc-0e32b5a6653acdcd9
export PubSubnet1=subnet-0fed28a1b3e108719
export PubSubnet2=subnet-0e4fb63cb543698fe
export PubSubnet3=subnet-0861bd68771150000
export N1=3.35.47.226
export N2=43.203.131.45
export N3=15.164.49.232
MyDomain=gagajin.com # 각자 자신의 도메인 이름 입력
MyDnzHostedZoneId=/hostedzone/Z099663315X74TRCYB7J5

4. 실습 후 환경 변수 삭제 필요

• 새로운 터미널 창에서도 환경 변수가 자동 설정되어 편리하게 사용 가능
• 실습이 끝나면 ~/.bashrc에서 해당 내용을 삭제할 것

---

🌐 AWS LoadBalancerController, ExternalDNS, kube-ops-view 설치

1. Helm 저장소 추가 및 업데이트

helm repo add geek-cookbook https://geek-cookbook.github.io/charts/
helm repo add eks https://aws.github.io/eks-charts
helm repo update

✅ 출력

"geek-cookbook" already exists with the same configuration, skipping
"eks" already exists with the same configuration, skipping
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "eks" chart repository
...Successfully got an update from the "prometheus-community" chart repository
...Successfully got an update from the "geek-cookbook" chart repository
Update Complete. ⎈Happy Helming!⎈

2. kube-ops-view 설치

helm install kube-ops-view geek-cookbook/kube-ops-view --version 1.2.2 --set service.main.type=ClusterIP  --set env.TZ="Asia/Seoul" --namespace kube-system

✅ 출력

NAME: kube-ops-view
LAST DEPLOYED: Tue Feb 18 14:43:54 2025
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Get the application URL by running these commands:
  export POD_NAME=$(kubectl get pods --namespace kube-system -l "app.kubernetes.io/name=kube-ops-view,app.kubernetes.io/instance=kube-ops-view" -o jsonpath="{.items[0].metadata.name}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl port-forward $POD_NAME 8080:8080

3. AWS LoadBalancerController 배포

helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=$CLUSTER_NAME \
  --set serviceAccount.create=false --set serviceAccount.name=aws-load-balancer-controller

✅ 출력

NAME: aws-load-balancer-controller
LAST DEPLOYED: Tue Feb 18 14:46:39 2025
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
AWS Load Balancer controller installed!

4. ExternalDNS 컨트롤러 설치

도메인과 Route 53 Hosted Zone을 연동하여 자동으로 DNS 레코드 관리

curl -s https://raw.githubusercontent.com/gasida/PKOS/main/aews/externaldns.yaml | MyDomain=$MyDomain MyDnzHostedZoneId=$MyDnzHostedZoneId envsubst | kubectl apply -f -

✅ 출력

serviceaccount/external-dns created
clusterrole.rbac.authorization.k8s.io/external-dns created
clusterrolebinding.rbac.authorization.k8s.io/external-dns-viewer created
deployment.apps/external-dns created

5. HTTPS 설정을 위한 인증서 발급 (AWS Certificate Manager)

(1) 도메인 인증서 발급 요청

요청 후, Create records in Route 53 클릭하여 CNAME 레코드 추가

Route 53에 CNAME 레코드가 자동으로 추가됨

인증서 상태가 “Issued”로 변경되면 완료

(2) 인증서 ARN 확인

CERT_ARN=$(aws acm list-certificates --query 'CertificateSummaryList[].CertificateArn[]' --output text)
echo $CERT_ARN

✅ 출력

arn:aws:acm:ap-northeast-2:378102432899:certificate/f967e8ca-f0b5-471d-bbe4-bee231aeb32b

6. ALB 기반 Ingress 설정 및 kube-ops-view 배포

(1) Ingress 배포

• ALB 그룹 이름을 추가하여 여러 Ingress에서 동일한 ALB 사용 가능
• Ingress를 배포하여 HTTPS 기반으로 도메인(kubeopsview.$MyDomain) 연결

cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: $CERT_ARN
    alb.ingress.kubernetes.io/group.name: study
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/load-balancer-name: myeks-ingress-alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/success-codes: 200-399
    alb.ingress.kubernetes.io/target-type: ip
  labels:
    app.kubernetes.io/name: kubeopsview
  name: kubeopsview
  namespace: kube-system
spec:
  ingressClassName: alb
  rules:
  - host: kubeopsview.$MyDomain
    http:
      paths:
      - backend:
          service:
            name: kube-ops-view
            port:
              number: 8080
        path: /
        pathType: Prefix
EOF

# 결과
ingress.networking.k8s.io/kubeopsview created

(2) 배포된 파드 확인

kubectl get pods -n kube-system

✅ 출력

NAME                                          READY   STATUS    RESTARTS   AGE
aws-load-balancer-controller-554fbd9d-vk2p8   1/1     Running   0          74m
aws-load-balancer-controller-554fbd9d-xnx6r   1/1     Running   0          74m
aws-node-rf9bf                                2/2     Running   0          4h14m
aws-node-tbbhl                                2/2     Running   0          4h14m
aws-node-xb7dt                                2/2     Running   0          4h14m
coredns-86f5954566-mskq6                      1/1     Running   0          4h20m
coredns-86f5954566-wxwqw                      1/1     Running   0          4h20m
external-dns-dc4878f5f-mvnt9                  1/1     Running   0          72m
kube-ops-view-657dbc6cd8-fgbqc                1/1     Running   0          77m
kube-proxy-6bc4m                              1/1     Running   0          4h14m
kube-proxy-qsd8t                              1/1     Running   0          4h14m
kube-proxy-rvw86                              1/1     Running   0          4h14m
metrics-server-6bf5998d9c-nt4ks               1/1     Running   0          4h20m
metrics-server-6bf5998d9c-prz6f               1/1     Running   0          4h20m

(3) 서비스(Service), 엔드포인트(Endpoints), Ingress 정보 확인

kubectl get ingress,svc,ep -n kube-system

✅ 출력

NAME                                    CLASS   HOSTS                     ADDRESS                                                       PORTS   AGE
ingress.networking.k8s.io/kubeopsview   alb     kubeopsview.gagajin.com   myeks-ingress-alb-60898722.ap-northeast-2.elb.amazonaws.com   80      100s

NAME                                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
service/aws-load-balancer-webhook-service   ClusterIP   10.100.118.159   <none>        443/TCP                  75m
service/eks-extension-metrics-api           ClusterIP   10.100.124.121   <none>        443/TCP                  4h24m
service/kube-dns                            ClusterIP   10.100.0.10      <none>        53/UDP,53/TCP,9153/TCP   4h20m
service/kube-ops-view                       ClusterIP   10.100.136.90    <none>        8080/TCP                 77m
service/metrics-server                      ClusterIP   10.100.110.47    <none>        443/TCP                  4h20m

NAME                                          ENDPOINTS                                                        AGE
endpoints/aws-load-balancer-webhook-service   192.168.1.218:9443,192.168.2.198:9443                            75m
endpoints/eks-extension-metrics-api           172.0.32.0:10443                                                 4h24m
endpoints/kube-dns                            192.168.3.104:53,192.168.3.131:53,192.168.3.104:53 + 3 more...   4h20m
endpoints/kube-ops-view                       192.168.1.204:8080                                               77m
endpoints/metrics-server                      192.168.3.152:10251,192.168.3.77:10251                           4h20m

(4) kube-ops-view 접속 URL 확인

echo -e "Kube Ops View URL = https://kubeopsview.$MyDomain/#scale=1.5"

✅ 출력

Kube Ops View URL = https://kubeopsview.gagajin.com/#scale=1.5

(5) 접속 결과

---

📦 Pod 기본 저장소를 활용한 데이터 유지 테스트

1. EBS 컨트롤러 배포 전 상태 확인

• EBS 컨트롤러 배포 전에는 kubectl describe csinodes 명령어 실행 시 Spec 정보가 표시되지 않음
• EBS 컨트롤러 배포 후에는 각 노드에서 관련 정보를 확인할 수 있음

kubectl describe csinodes

✅ 출력

Name:               ip-192-168-1-207.ap-northeast-2.compute.internal
Labels:             <none>
Annotations:        storage.alpha.kubernetes.io/migrated-plugins:
                      kubernetes.io/aws-ebs,kubernetes.io/azure-disk,kubernetes.io/azure-file,kubernetes.io/cinder,kubernetes.io/gce-pd,kubernetes.io/portworx-v...
CreationTimestamp:  Tue, 18 Feb 2025 11:46:46 +0900
Spec:
Events:  <none>

Name:               ip-192-168-2-84.ap-northeast-2.compute.internal
Labels:             <none>
Annotations:        storage.alpha.kubernetes.io/migrated-plugins:
                      kubernetes.io/aws-ebs,kubernetes.io/azure-disk,kubernetes.io/azure-file,kubernetes.io/cinder,kubernetes.io/gce-pd,kubernetes.io/portworx-v...
CreationTimestamp:  Tue, 18 Feb 2025 11:46:49 +0900
Spec:
Events:  <none>

Name:               ip-192-168-3-80.ap-northeast-2.compute.internal
Labels:             <none>
Annotations:        storage.alpha.kubernetes.io/migrated-plugins:
                      kubernetes.io/aws-ebs,kubernetes.io/azure-disk,kubernetes.io/azure-file,kubernetes.io/cinder,kubernetes.io/gce-pd,kubernetes.io/portworx-v...
CreationTimestamp:  Tue, 18 Feb 2025 11:46:42 +0900
Spec:
Events:  <none>

2. 터미널 환경 준비

• 운영 서버와 로컬 PC에서 각각 터미널 창을 열어 모니터링

ssh -i kp-aews.pem ec2-user@$(aws cloudformation describe-stacks --stack-name myeks --query 'Stacks[*].Outputs[0].OutputValue' --output text)
# 결과
Last login: Tue Feb 18 16:22:43 2025 from 182.230.60.93
   ,     #_
   ~\_  ####_        Amazon Linux 2
  ~~  \_#####\
  ~~     \###|       AL2 End of Life is 2026-06-30.
  ~~       \#/ ___
   ~~       V~' '->
    ~~~         /    A newer version of Amazon Linux is available!
      ~~._.   _/
         _/ _/       Amazon Linux 2023, GA and supported until 2028-03-15.
       _/m/'           https://aws.amazon.com/linux/amazon-linux-2023/

Last login: Tue Feb 18 16:22:43 KST 2025 on pts/0
(eks-user:default) [root@operator-host ~]#

• Pod 상태 실시간 확인

(eks-user:default) [root@operator-host ~]# kubectl get pod -w

3. Redis 파드 배포

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: **Pod**
metadata:
  name: **redis**
spec:
  terminationGracePeriodSeconds: 0
  containers:
  - name: redis
    image: **redis**
EOF

4. Redis Pod 내 데이터 저장 및 확인

(1) Redis Pod의 기본 작업 디렉토리(/data) 확인

kubectl exec -it redis -- pwd
# 결과
/data

(2) Pod 내부 data 디렉토리에 파일 생성

kubectl exec -it redis -- sh -c "echo hello > /data/hello.txt"

(3) 파일 내용 확인

kubectl exec -it redis -- cat /data/hello.txt
# 결과
hello

5. Pod 재시작 및 데이터 유실 테스트

(1) ps 설치

kubectl exec -it redis -- sh -c "apt update && apt install procps -y"

Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8792 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [13.5 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [246 kB]
Fetched 9306 kB in 1s (6437 kB/s)
Reading package lists... Done
Building dependency tree... Done
....

(2) Redis 컨테이너 프로세스 종료 (kill 1)

• Pod 내에서 실행 중인 프로세스 확인 (redis-server가 PID 1로 실행됨)

kubectl exec -it redis -- ps aux

✅ 출력

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
redis          1  0.2  0.2 143876 10436 ?        Ssl  07:27   0:01 redis-server 
root         227  0.0  0.1   8088  4100 pts/0    Rs+  07:34   0:00 ps aux

• PID 1(메인 프로세스) 종료

kubectl exec -it redis -- kill 1

(3) Pod 상태 변화 확인

(eks-user:default) [root@operator-host ~]# kubectl get pod -w
NAME    READY   STATUS              RESTARTS     AGE
redis   0/1     Pending             0            0s
redis   0/1     Pending             0            0s
redis   0/1     ContainerCreating   0            0s
redis   1/1     Running             0            9s
redis   0/1     Completed           0            9m2s
redis   1/1     Running             1 (3s ago)   9m4s

• Pod가 삭제되지 않고 컨테이너만 재시작됨
• 컨테이너의 Restart Count 값이 증가함 (RESTARTS: 1)

(4) Redis Pod의 재시작 원인 확인

k describe pod

✅ 출력

Name:             redis
Namespace:        default
Priority:         0
Service Account:  default
Node:             ip-192-168-1-207.ap-northeast-2.compute.internal/192.168.1.207
Start Time:       Tue, 18 Feb 2025 16:27:11 +0900
Labels:           <none>
Annotations:      <none>
Status:           Running
IP:               192.168.1.234
IPs:
  IP:  192.168.1.234
Containers:
  redis:
    Container ID:   containerd://c76cf2a72506effed078046cd25d30bcfed857b594b228071541967ade2058c7
    Image:          redis
    Image ID:       docker.io/library/redis@sha256:93a8d83b707d0d6a1b9186edecca2e37f83722ae0e398aee4eea0ff17c2fad0e
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Tue, 18 Feb 2025 16:36:14 +0900
    Last State:     Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Tue, 18 Feb 2025 16:27:19 +0900
      Finished:     Tue, 18 Feb 2025 16:36:12 +0900
    Ready:          True
    Restart Count:  1
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-dr52g (ro)
...

• Redis 컨테이너가 “Completed” 상태로 종료됨 → Kubernetes가 자동으로 재시작
• Pod 자체는 유지되지만 컨테이너 내부 프로세스가 재시작됨

(5) Redis Pod 재시작 후 데이터 유실 확인

• 기존에 저장한 파일 확인

kubectl exec -it redis -- cat /data/redis/hello.txt

✅ 출력

cat: /data/redis/hello.txt: No such file or directory
command terminated with exit code 1

• Pod가 삭제되지 않았지만, 컨테이너 재시작으로 인해 내부 저장 데이터가 유실됨
• 기본적으로 Pod 내부의 파일 시스템은 휘발성이며, 재시작 후에도 데이터를 유지하려면 볼륨 설정이 필요

6. Redis Pod 삭제

kubectl delete pod redis

# 결과
pod "redis" deleted

---

🗂️ emptyDir를 활용한 Pod 데이터 유지 테스트

1. emptyDir 볼륨을 활용한 Redis Pod 배포

• Pod 내에서 emptyDir 볼륨을 생성 후 /data/redis 경로에 마운트
• Pod가 재시작되더라도 emptyDir 볼륨은 유지됨

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: redis
spec:
  terminationGracePeriodSeconds: 0
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: redis-storage
      mountPath: /data/redis
  volumes:
  - name: redis-storage
    emptyDir: {}
EOF

# 결과
pod/redis created

2. Pod 내부 데이터 저장 및 확인

(1) Pod 내부에서 파일 생성

kubectl exec -it redis -- sh -c "echo hello > /data/redis/hello.txt"

(2) 파일 내용 확인

kubectl exec -it redis -- cat /data/redis/hello.txt

✅ 출력

hello

3. Pod 재시작 및 데이터 유지 확인

(1) ps 설치

kubectl exec -it redis -- sh -c "apt update && apt install procps -y"

Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8792 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [13.5 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [246 kB]
Fetched 9306 kB in 2s (6071 kB/s)
Reading package lists... Done
Building dependency tree... Done
...

(2) Redis 컨테이너 프로세스 종료 (kill 1)

• Pod 내에서 실행 중인 프로세스 확인

kubectl exec -it redis -- ps aux

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
redis          1  0.2  0.2 143876 10416 ?        Ssl  07:50   0:00 redis
root         228 33.3  0.1   8088  4000 pts/0    Rs+  07:53   0:00 ps au

• Redis 프로세스 종료 (Pod 재시작 유도)

kubectl exec -it redis -- kill 1

(3) Pod 상태 확인

kubectl get pod

✅ 출력

NAME    READY   STATUS    RESTARTS      AGE
redis   1/1     Running   1 (17s ago)   4m52s

(4) 파일 데이터 유지 여부 확인

kubectl exec -it redis -- ls -l

✅ 출력

total 0
drwxrwxrwx. 2 redis root 23 Feb 18 07:51 redis

kubectl exec -it redis -- cat /data/redis/hello.txt

✅ 출력

hello

• Pod가 재시작되더라도 emptyDir 볼륨은 유지됨
• 컨테이너가 재시작되더라도 데이터는 보존됨

4. Pod 삭제 및 데이터 유실 테스트

(1) Redis Pod 삭제

kubectl delete pod redis
# 결과
pod "redis" deleted

k get pod

✅ 출력

No resources found in default namespace.

(2) 새로운 Redis Pod 재배포

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: redis
spec:
  terminationGracePeriodSeconds: 0
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: redis-storage
      mountPath: /data/redis
  volumes:
  - name: redis-storage
    emptyDir: {}
EOF
# 결과
pod/redis created

(3) 파일 데이터 확인

kubectl exec -it redis -- ls -l /data/redis

✅ 출력

total 0

kubectl exec -it redis -- cat /data/redis/hello.txt

✅ 출력

cat: /data/redis/hello.txt: No such file or directory
command terminated with exit code 1

• Pod를 삭제하면 emptyDir 볼륨도 함께 삭제됨
• 새로운 Pod가 생성되면 새로운 emptyDir 볼륨이 생성되므로 기존 데이터는 유지되지 않음

5. Redis Pod 삭제

kubectl delete pod redis
# 결과
pod "redis" deleted

---

📂 EKS에서 Local Path Provisioner를 활용한 동적 볼륨 관리

1. Pod 저장소와 볼륨 라이프사이클 개념

• Pod 삭제 시 내부 데이터도 함께 삭제됨
• 데이터 보존을 위해 Persistent Volume(PV) 사용 필요
• PV를 활용하여 Pod의 라이프사이클과 데이터 저장소를 분리해 지속적인 데이터 유지 가능
• hostPath를 사용하여 노드의 특정 디렉토리에 데이터를 저장하는 방법 실습

2. Local Path Provisioner 설치

• 노드의 특정 디렉토리(/opt/local-path-provisioner 등)를 동적으로 마운트하여 저장소로 활용
• StorageClass를 사용해 PVC 요청 시 자동으로 PV를 생성 및 할당

kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.31/deploy/local-path-storage.yaml

# 결과
namespace/local-path-storage created
serviceaccount/local-path-provisioner-service-account created
role.rbac.authorization.k8s.io/local-path-provisioner-role created
clusterrole.rbac.authorization.k8s.io/local-path-provisioner-role created
rolebinding.rbac.authorization.k8s.io/local-path-provisioner-bind created
clusterrolebinding.rbac.authorization.k8s.io/local-path-provisioner-bind created
deployment.apps/local-path-provisioner created
storageclass.storage.k8s.io/local-path created
configmap/local-path-config created

3. Local Path Provisioner 구성 확인

kubectl get-all -n local-path-storage

✅ 출력

NAME                                                               NAMESPACE           AGE
configmap/kube-root-ca.crt                                         local-path-storage  2m40s  
configmap/local-path-config                                        local-path-storage  2m40s  
pod/local-path-provisioner-84967477f-g6xvh                         local-path-storage  2m40s  
serviceaccount/default                                             local-path-storage  2m40s  
serviceaccount/local-path-provisioner-service-account              local-path-storage  2m40s  
deployment.apps/local-path-provisioner                             local-path-storage  2m40s  
replicaset.apps/local-path-provisioner-84967477f                   local-path-storage  2m40s  
rolebinding.rbac.authorization.k8s.io/local-path-provisioner-bind  local-path-storage  2m40s  
role.rbac.authorization.k8s.io/local-path-provisioner-role         local-path-storage  2m40s  

kubectl get pod -n local-path-storage -owide

✅ 출력

NAME                                     READY   STATUS    RESTARTS   AGE     IP             NODE                                              NOMINATED NODE   READINESS GATES
local-path-provisioner-84967477f-g6xvh   1/1     Running   0          3m14s   192.168.2.14   ip-192-168-2-84.ap-northeast-2.compute.internal   <none>           <none>

4. ConfigMap 설정 확인

PV가 동적으로 생성될 경로를 지정하는 ConfigMap 확인

kubectl describe cm -n local-path-storage local-path-config

✅ 출력 (config.json)

config.json:
----
{
        "nodePathMap":[
        {
                "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
                "paths":["/opt/local-path-provisioner"]
        }
        ]
}

• /opt/local-path-provisioner 하위에 동적 디렉토리 생성 및 관리
• PVC 요청 시 해당 경로에 PV가 자동 생성됨

✅ 출력 (helperPod.yaml)

디렉토리 생성 및 삭제를 관리하는 Pod 설정

helperPod.yaml:
----
apiVersion: v1
kind: Pod
metadata:
  name: helper-pod
spec:
  priorityClassName: system-node-critical
  tolerations:
    - key: node.kubernetes.io/disk-pressure
      operator: Exists
      effect: NoSchedule
  containers:
  - name: helper-pod
    image: busybox
    imagePullPolicy: IfNotPresent
    
setup:
----
#!/bin/sh
set -eu
mkdir -m 0777 -p "$VOL_DIR"

teardown:
----
#!/bin/sh
set -eu
rm -rf "$VOL_DIR"

BinaryData
====

• helperPod를 통해 동적 디렉토리 생성 (setup 스크립트)
• PV 삭제 시 해당 디렉토리도 제거 (teardown 스크립트)

5. StorageClass 확인

kubectl get sc local-path

✅ 출력

NAME         PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
local-path   rancher.io/local-path   Delete          WaitForFirstConsumer   false                  5m28s

6. PVC(Persistent Volume Claim) 생성 및 상태 확인

(1) PVC 상태 모니터링

(eks-user:default) [root@operator-host ~]# watch -d kubectl get pv,pvc,pod

✅ 출력

Every 2.0s: kubectl get pv,pvc,pod              Tue Feb 18 17:18:32 2025

No resources found

(2) PVC 생성을 위한 환경 확인

k get pod -A

✅ 출력

NAMESPACE            NAME                                          READY   STATUS    RESTARTS   AGE
kube-system          aws-load-balancer-controller-554fbd9d-vk2p8   1/1     Running   0          158m
kube-system          aws-load-balancer-controller-554fbd9d-xnx6r   1/1     Running   0          158m
kube-system          aws-node-rf9bf                                2/2     Running   0          5h38m
kube-system          aws-node-tbbhl                                2/2     Running   0          5h38m
kube-system          aws-node-xb7dt                                2/2     Running   0          5h38m
kube-system          coredns-86f5954566-mskq6                      1/1     Running   0          5h44m
kube-system          coredns-86f5954566-wxwqw                      1/1     Running   0          5h44m
kube-system          external-dns-dc4878f5f-mvnt9                  1/1     Running   0          156m
kube-system          kube-ops-view-657dbc6cd8-fgbqc                1/1     Running   0          161m
kube-system          kube-proxy-6bc4m                              1/1     Running   0          5h38m
kube-system          kube-proxy-qsd8t                              1/1     Running   0          5h38m
kube-system          kube-proxy-rvw86                              1/1     Running   0          5h38m
kube-system          metrics-server-6bf5998d9c-nt4ks               1/1     Running   0          5h44m
kube-system          metrics-server-6bf5998d9c-prz6f               1/1     Running   0          5h44m
local-path-storage   local-path-provisioner-84967477f-g6xvh        1/1     Running   0          16m

• local-path-provisioner Pod가 배포되어 있어야 PVC를 동적으로 관리할 수 있음

(3) PVC(Persistent Volume Claim) 생성

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: localpath-claim
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 1Gi
EOF

# 결과
persistentvolumeclaim/localpath-claim created

(4) PVC 상태 확인

• PVC가 Pending 상태
• PVC가 아직 바인딩되지 않았으며, Pod가 생성되면 바인딩됨

Every 2.0s: kubectl get pv,pvc,pod              Tue Feb 18 17:28:31 2025

NAME                                    STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
persistentvolumeclaim/localpath-claim   Pending                                      local-path     <unset>                 31s

(5) StorageClass 확인

• StorageClass의 VOLUMEBINDINGMODE가 WaitForFirstConsumer 상태
• PVC가 Pod에 의해 요청될 때까지 PV가 자동 생성되지 않음

k get sc

✅ 출력

NAME         PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2          kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  5h52m
local-path   rancher.io/local-path   Delete          WaitForFirstConsumer   false                  20m

(6) PVC 상세 정보 확인

• PVC가 바인딩되지 않은 이유 및 이벤트 확인
• Pod 생성 전까지 PVC는 WaitForFirstConsumer 상태

kubectl describe pvc

✅ 출력

Name:          localpath-claim
Namespace:     default
StorageClass:  local-path
Status:        Pending
Volume:        
Labels:        <none>
Annotations:   <none>
Finalizers:    [kubernetes.io/pvc-protection]
Capacity:      
Access Modes:  
VolumeMode:    Filesystem
Used By:       <none>
Events:
  Type    Reason                Age                  From                         Message
  ----    ------                ----                 ----                         -------
  Normal  WaitForFirstConsumer  6s (x15 over 3m25s)  persistentvolume-controller  waiting for first consumer to be created before binding

(7) Pod 생성 및 PVC 바인딩

• PVC를 사용하는 Pod 생성
• Pod에서 localpath-claim PVC를 /data 경로에 마운트

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  terminationGracePeriodSeconds: 3
  containers:
  - name: app
    image: centos
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo \$(date -u) >> /data/out.txt; sleep 5; done"]
    volumeMounts:
    - name: persistent-storage
      mountPath: /data
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: localpath-claim
EOF

# 결과
pod/app created

• Pod가 생성되면 PVC가 자동으로 PV에 바인딩됨

(8) PVC 및 PV 바인딩 확인

• PVC 상태가 Bound로 변경됨
• PV가 자동 생성되어 PVC와 연결됨

k get pod,pv,pvc

✅ 출력

NAME      READY   STATUS    RESTARTS   AGE
pod/app   1/1     Running   0          109s

NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                     STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE
persistentvolume/pvc-fc043ac6-1fdc-4ef1-b03b-cabf03df8018   1Gi        RWO            Delete           Bound    default/localpath-claim   local-path     <unset>                          101s

NAME                                    STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
persistentvolumeclaim/localpath-claim   Bound    pvc-fc043ac6-1fdc-4ef1-b03b-cabf03df8018   1Gi        RWO            local-path     <unset>                 11m

(9) PV 상세 정보 확인

• PV는 특정 노드(192.168.1.207)에 바인딩됨 (Node Affinity 설정)
• 저장소는 HostPath를 사용하여 노드의 특정 경로(/opt/local-path-provisioner/...)에 저장됨
• Pod가 다른 노드로 이동하면 기존 PV를 사용할 수 없음

kubectl describe pv

✅ 출력

Name:              pvc-fc043ac6-1fdc-4ef1-b03b-cabf03df8018
Labels:            <none>
Annotations:       local.path.provisioner/selected-node: ip-192-168-1-207.ap-northeast-2.compute.internal
                   pv.kubernetes.io/provisioned-by: rancher.io/local-path
Finalizers:        [kubernetes.io/pv-protection]
StorageClass:      local-path
Status:            Bound
Claim:             default/localpath-claim
Reclaim Policy:    Delete
Access Modes:      RWO
VolumeMode:        Filesystem
Capacity:          1Gi
Node Affinity:     
  Required Terms:  
    Term 0:        kubernetes.io/hostname in [ip-192-168-1-207.ap-northeast-2.compute.internal]
Message:           
Source:
    Type:          HostPath (bare host directory volume)
    Path:          /opt/local-path-provisioner/pvc-fc043ac6-1fdc-4ef1-b03b-cabf03df8018_default_localpath-claim
    HostPathType:  DirectoryOrCreate
Events:            <none>

7. Pod 내 데이터 저장 및 영속성 테스트

(1) 데이터 저장 확인

• Pod는 5초마다 /data/out.txt에 타임스탬프 기록
• 데이터가 정상적으로 저장되는지 확인

kubectl exec -it app -- tail -f /data/out.txt

✅ 출력

Tue Feb 18 08:48:00 UTC 2025
Tue Feb 18 08:48:05 UTC 2025
Tue Feb 18 08:48:10 UTC 2025
Tue Feb 18 08:48:15 UTC 2025
Tue Feb 18 08:48:20 UTC 2025
Tue Feb 18 08:48:25 UTC 2025
Tue Feb 18 08:48:30 UTC 2025
Tue Feb 18 08:48:35 UTC 2025
Tue Feb 18 08:48:40 UTC 2025
Tue Feb 18 08:48:45 UTC 2025
...

(2) 데이터 저장 위치 확인

• 현재 클러스터에 3개의 워커 노드 존재
• 각 노드의 /opt/local-path-provisioner 경로를 확인하여 데이터 저장 여부 확인

for node in $N1 $N2 $N3; do ssh ec2-user@$node tree /opt/local-path-provisioner; done

✅ 출력

/opt/local-path-provisioner
└── pvc-fc043ac6-1fdc-4ef1-b03b-cabf03df8018_default_localpath-claim
    └── out.txt

1 directory, 1 file
/opt/local-path-provisioner [error opening dir]

0 directories, 0 files
/opt/local-path-provisioner [error opening dir]

0 directories, 0 files

• Pod가 배포된 노드에서만 데이터가 저장됨
• 다른 노드에서는 데이터가 존재하지 않음

(3) 노드 직접 접근하여 데이터 확인

• 서버에 직접 접근하여 out.txt 파일 내용 확인
• Pod 내에서 확인하는 것과 동일한 결과 확인 가능

ssh ec2-user@$N1 tail -f /opt/local-path-provisioner/pvc-fc043ac6-1fdc-4ef1-b03b-cabf03df8018_default_localpath-claim/out.txt

✅ 출력

Tue Feb 18 08:53:46 UTC 2025
Tue Feb 18 08:53:51 UTC 2025
Tue Feb 18 08:53:56 UTC 2025
Tue Feb 18 08:54:01 UTC 2025
Tue Feb 18 08:54:06 UTC 2025
Tue Feb 18 08:54:11 UTC 2025
Tue Feb 18 08:54:16 UTC 2025
Tue Feb 18 08:54:21 UTC 2025
Tue Feb 18 08:54:26 UTC 2025
...

8. Pod 삭제 후 데이터 유지 확인

(1) pod 삭제

• Pod를 삭제하여 데이터가 유지되는지 확인

kubectl delete pod app
# 결과
pod "app" deleted

(2) pod 삭제 후 PVC 상태 확인

kubectl get pod,pv,pvc

✅ 출력

NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                     STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE
persistentvolume/pvc-fc043ac6-1fdc-4ef1-b03b-cabf03df8018   1Gi        RWO            Delete           Bound    default/localpath-claim   local-path     <unset>                          21m

NAME                                    STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
persistentvolumeclaim/localpath-claim   Bound    pvc-fc043ac6-1fdc-4ef1-b03b-cabf03df8018   1Gi        RWO            local-path     <unset>                 31m

• PVC와 PV는 삭제되지 않고 유지됨
• Pod가 없어도 데이터는 보존됨

(3) 서버에서 데이터 유지 여부 확인

• Pod가 삭제된 후에도 데이터가 유지되는지 직접 확인
• 각 노드의 /opt/local-path-provisioner 경로를 확인하여 파일 존재 여부 확인

for node in $N1 $N2 $N3; do ssh ec2-user@$node tree /opt/local-path-provisioner; done

✅ 출력

/opt/local-path-provisioner
└── pvc-fc043ac6-1fdc-4ef1-b03b-cabf03df8018_default_localpath-claim
    └── out.txt

1 directory, 1 file
/opt/local-path-provisioner [error opening dir]

0 directories, 0 files
/opt/local-path-provisioner [error opening dir]

0 directories, 0 files

• Pod가 배포된 노드(1번 서버)에 데이터가 유지됨
• Pod가 삭제되었어도 파일(out.txt)이 보존됨

(4) Pod 재배포

• Pod를 다시 배포하여 기존 PVC에 연결

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  terminationGracePeriodSeconds: 3
  containers:
  - name: app
    image: centos
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo \$(date -u) >> /data/out.txt; sleep 5; done"]
    volumeMounts:
    - name: persistent-storage
      mountPath: /data
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: localpath-claim
EOF

# 결과
pod/app created

(5) 기존 데이터 유지 여부 확인

kubectl exec -it app -- tail -f /data/out.txt
Tue Feb 18 08:38:35 UTC 2025
Tue Feb 18 08:38:40 UTC 2025
Tue Feb 18 09:02:27 UTC 2025
Tue Feb 18 09:02:32 UTC 2025
Tue Feb 18 09:02:37 UTC 2025
Tue Feb 18 09:02:42 UTC 2025
Tue Feb 18 09:02:47 UTC 2025
Tue Feb 18 09:02:52 UTC 2025
Tue Feb 18 09:02:57 UTC 2025
Tue Feb 18 09:03:02 UTC 2025
Tue Feb 18 09:03:07 UTC 2025
Tue Feb 18 09:03:12 UTC 2025
...

• Pod 삭제 후에도 기존 데이터(out.txt)가 유지됨
• emptyDir와 달리 PVC를 사용하면 Pod가 삭제되어도 데이터가 보존됨

9. PVC 삭제 후 데이터 완전 삭제 확인

(1) PVC 삭제

kubectl delete pvc localpath-claim

✅ 출력

persistentvolumeclaim "localpath-claim" deleted

(2) PV 상태 확인

kubectl get pv

✅ 출력

No resources found

• PVC를 삭제하면 PV도 자동으로 삭제됨
• 데이터도 함께 삭제됨

(3) 노드에서 데이터 삭제 확인

for node in $N1 $N2 $N3; do ssh ec2-user@$node tree /opt/local-path-provisioner; done

✅ 출력

/opt/local-path-provisioner

0 directories, 0 files
/opt/local-path-provisioner [error opening dir]

0 directories, 0 files
/opt/local-path-provisioner [error opening dir]

0 directories, 0 files

• PVC 삭제 시 PV도 삭제되며, 저장된 데이터도 완전히 제거됨
• PVC를 유지하면 데이터 보존, 삭제하면 데이터 완전 삭제됨

---

📊 디스크 성능 측정 및 Kubestr 활용

1. 디스크 성능 측정 개요

(1) 디스크 성능 측정 시 주요 지표

• IOPS (Input/Output Operations Per Second): 초당 처리할 수 있는 I/O 작업 수
• Bandwidth (Throughput): 초당 데이터 전송량

(2) 현재 워커 노드의 디스크 정보

• 사용 중인 디스크: AWS EBS gp3 타입
• IOPS: 3000
• Throughput: 125 MB/s

2. Kubestr 설치

• Kubestr: Kubernetes에서 스토리지 클래스별 성능 측정을 위한 도구
• PV를 생성하여 특정한 스토리지 클래스의 속도를 측정 후 자동 삭제

(1) Kubestr 다운로드 및 설치

(eks-user:default) [root@operator-host ~]# wget https://github.com/kastenhq/kubestr/releases/download/v0.4.48/kubestr_0.4.48_Linux_amd64.tar.gz

✅ 출력

--2025-02-18 18:36:53--  https://github.com/kastenhq/kubestr/releases/download/v0.4.48/kubestr_0.4.48_Linux_amd64.tar.gz
Resolving github.com (github.com)... 20.200.245.247
Connecting to github.com (github.com)|20.200.245.247|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/291834502/210e8359-9fb9-4740-afef-17a5b458ab0e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250218%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250218T093653Z&X-Amz-Expires=300&X-Amz-Signature=8fb0bacd16f3bcb0eec0ff2fc8939dd6fe2549fcea74b7edcb30e345e4bf026b&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dkubestr_0.4.48_Linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2025-02-18 18:36:53--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/291834502/210e8359-9fb9-4740-afef-17a5b458ab0e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250218%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250218T093653Z&X-Amz-Expires=300&X-Amz-Signature=8fb0bacd16f3bcb0eec0ff2fc8939dd6fe2549fcea74b7edcb30e345e4bf026b&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dkubestr_0.4.48_Linux_amd64.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14703952 (14M) [application/octet-stream]
Saving to: ‘kubestr_0.4.48_Linux_amd64.tar.gz’

100%[========================================================================================================>] 14,703,952  38.6MB/s   in 0.4s   

2025-02-18 18:36:55 (38.6 MB/s) - ‘kubestr_0.4.48_Linux_amd64.tar.gz’ saved [14703952/14703952]

(eks-user:default) [root@operator-host ~]# tar xvfz kubestr_0.4.48_Linux_amd64.tar.gz && mv kubestr /usr/local/bin/ && chmod +x /usr/local/bin/kubestr

✅ 출력

LICENSE
README.md
kubestr

(2) 설치 확인

(eks-user:default) [root@operator-host ~]# kubestr -h

✅ 출력

kubestr is a tool that will scan your k8s cluster
		and validate that the storage systems in place as well as run
		performance tests.

Usage:
  kubestr [flags]
  kubestr [command]

Available Commands:
  blockmount   Checks if a storage class supports block volumes
  completion   Generate the autocompletion script for the specified shell
  csicheck     Runs the CSI snapshot restore check
  file-restore Restore file(s) from a Snapshot or PVC to it's source PVC
  fio          Runs an fio test
  help         Help about any command

Flags:
  -h, --help             help for kubestr
  -e, --outfile string   The file where test results will be written
  -o, --output string    Options(json)

Use "kubestr [command] --help" for more information about a command.

3. 클러스터 내 스토리지 클래스 확인

(eks-user:default) [root@operator-host ~]# kubestr

✅ 출력

**************************************
  _  ___   _ ___ ___ ___ _____ ___
  | |/ / | | | _ ) __/ __|_   _| _ \
  | ' <| |_| | _ \ _|\__ \ | | |   /
  |_|\_\\___/|___/___|___/ |_| |_|_\

Explore your Kubernetes storage options
**************************************
Kubernetes Version Check:
  Valid kubernetes version (v1.31.5-eks-8cce635)  -  OK

RBAC Check:
  Kubernetes RBAC is enabled  -  OK

Aggregated Layer Check:
  The Kubernetes Aggregated Layer is enabled  -  OK

Available Storage Provisioners:

  kubernetes.io/aws-ebs:
    This is an in tree provisioner.

    Storage Classes:
      * gp2

    To perform a FIO test, run-
      ./kubestr fio -s <storage class>

    To perform a check for block device support, run-
      ./kubestr blockmount -s <storage class>

  rancher.io/local-path:
    Unknown driver type.

    Storage Classes:
      * local-path

    To perform a FIO test, run-
      ./kubestr fio -s <storage class>

    To perform a check for block device support, run-
      ./kubestr blockmount -s <storage class>

• 스토리지 클래스 목록 확인 (gp2, local-path)
• 해당 스토리지 클래스를 대상으로 성능 테스트 가능

4. 모니터링 설정

(1) 스토리지 성능 모니터링

(eks-user:default) [root@operator-host ~]# watch 'kubectl get pod -owide;echo;kubectl get pv,pvc'

✅ 출력

Every 2.0s: kubectl get pod -owide;echo;kubectl get pv,pvc                                                                Tue Feb 18 18:39:29 2025

No resources found in default namespace.

No resources found

(2) 노드별 디스크 성능 모니터링 (iostat)

ssh ec2-user@$N1

A newer release of "Amazon Linux" is available.
  Version 2023.6.20250211:
Run "/usr/bin/dnf check-release-update" for full release and version update info
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Tue Feb 18 10:13:47 2025 from 182.230.60.93
[ec2-user@ip-192-168-1-207 ~]$ iostat -xmdz 1

ssh ec2-user@$N2

A newer release of "Amazon Linux" is available.
  Version 2023.6.20250211:
Run "/usr/bin/dnf check-release-update" for full release and version update info
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Tue Feb 18 10:13:58 2025 from 182.230.60.93
[ec2-user@ip-192-168-2-84 ~]$ iostat -xmdz 1

ssh ec2-user@$N3

A newer release of "Amazon Linux" is available.
  Version 2023.6.20250211:
Run "/usr/bin/dnf check-release-update" for full release and version update info
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Tue Feb 18 10:14:06 2025 from 182.230.60.93
[ec2-user@ip-192-168-3-80 ~]$ iostat -xmdz 1

• 1초 단위로 디스크 부하 모니터링 (nvme0n1)

5. Kubestr를 활용한 디스크 성능 측정

랜덤읽기 성능 테스트

(1) FIO 테스트 설정 파일 생성

(eks-user:default) [root@operator-host ~]# cat << EOF > fio-read.fio
> [global]
> ioengine=libaio
> direct=1
> bs=4k
> runtime=120
> time_based=1
> iodepth=16
> numjobs=4
> group_reporting
> size=1g
> rw=randread
> [read]
> EOF

(2) Kubestr를 이용한 성능 테스트 실행

(eks-user:default) [root@operator-host ~]# kubestr fio -f fio-read.fio -s local-path --size 10G

✅ 출력

PVC created kubestr-fio-pvc-lsl6j
Pod created kubestr-fio-pod-xdnwx
Running FIO test (fio-read.fio) on StorageClass (local-path) with a PVC of Size (10G)

• PV, PVC, Pod를 생성 후 스토리지 클래스(local-path)의 성능 테스트 진행

• 테스트가 192.168.1.207 노드에서 실행됨

(3) 성능 측정 결과 (IOPS 및 Bandwidth)

✅ 출력

FIO test results:
  
FIO version - fio-3.36
Global options - ioengine=libaio verify= direct=1 gtod_reduce=

JobName: 
  blocksize= filesize= iodepth= rw=
read:
  IOPS=3023.845947 BW(KiB/s)=12095
  iops: min=2220 max=9001 avg=3025.832520
  bw(KiB/s): min=8880 max=36007 avg=12103.798828

Disk stats (read/write):
  nvme0n1: ios=362379/201 merge=0/30 ticks=6373605/3593 in_queue=6377198, util=95.415291%
  -  OK

• IOPS (초당 입출력 작업 수) : 평균 3024 (최소 2220, 최대 9001)
• Bandwidth (Throughput) : 약 11.8 MB/s (최소 8.7 MB/s, 최대 35.2 MB/s)
• AWS EBS gp3의 기본 성능(3000 IOPS, 125 MB/s)과 유사
• 디스크 사용률 : 95.4% 활용됨

랜덤쓰기 성능 테스트

(1) 랜덤 쓰기 테스트 설정

(eks-user:default) [root@operator-host ~]# cat << EOF > fio-write.fio
> [global]
> ioengine=libaio
> numjobs=16
> iodepth=16
> direct=1
> bs=4k
> runtime=120
> time_based=1
> size=1g
> group_reporting
> rw=randrw
> rwmixread=0
> rwmixwrite=100
> [write]
> EOF

(2) 랜덤 쓰기 성능 테스트 실행

• StorageClass local-path를 사용하여 20GB PVC 생성 후 테스트 진행

(eks-user:default) [root@operator-host ~]# kubestr fio -f fio-write.fio -s local-path --size 20G

✅ 출력

PVC created kubestr-fio-pvc-ntvm4
Pod created kubestr-fio-pod-lhstx

• 테스트가 192.168.1.207 노드에서 실행됨

(3) 성능 측정 결과 (IOPS 및 Bandwidth)

✅ 출력

Running FIO test (fio-write.fio) on StorageClass (local-path) with a PVC of Size (20G)
Elapsed time- 4m10.953340777s
FIO test results:
  
FIO version - fio-3.36
Global options - ioengine=libaio verify= direct=1 gtod_reduce=

JobName: 
  blocksize= filesize= iodepth= rw=
write:
  IOPS=3024.511475 BW(KiB/s)=12098
  iops: min=1456 max=8625 avg=3024.983154
  bw(KiB/s): min=5824 max=34517 avg=12101.912109

Disk stats (read/write):
  nvme0n1: ios=0/362366 merge=0/8 ticks=0/7063240 in_queue=7063240, util=94.799950%
  -  OK

• IOPS: 평균 3024.98, 최소 1456, 최대 8625
• Bandwidth: 평균 12,101 KiB/s, 최소 5824 KiB/s, 최대 34,517 KiB/s
• 디스크 활용률 94.8%

---

💾 EBS CSI 컨트롤러 설정 및 구성

1. EBS CSI 컨트롤러 개요

• HostPath 볼륨의 한계: 노드의 디스크가 꽉 차면 사용 불가
• AWS EBS의 장점: 블록 스토리지 제공, Pod에서 쉽게 볼륨을 생성 및 부착 가능
• EBS CSI 컨트롤러 역할
  • EBS 볼륨을 생성하고 Pod에 Attach
  • Kubernetes API 서버를 통해 요청을 처리하는 CSI 컨트롤러 역할 수행

2. EBS CSI 드라이버 버전 확인

• EKS에서 사용 가능한 EBS CSI 드라이버 버전 조회

(eks-user:default) [root@operator-host ~]# aws eks describe-addon-versions \
>     --addon-name aws-ebs-csi-driver \
>     --kubernetes-version 1.31 \
>     --query "addons[].addonVersions[].[addonVersion, compatibilities[].defaultVersion]" \
>     --output text

✅ 출력

v1.39.0-eksbuild.1
True
v1.38.1-eksbuild.2
False
v1.38.1-eksbuild.1
False
v1.37.0-eksbuild.2
False
v1.37.0-eksbuild.1
False
...

3. IAM Role for Service Account (IRSA) 생성

• EBS CSI 드라이버가 AWS EBS에 접근할 수 있도록 IAM 역할 생성
• AWS EKS 클러스터에 IAM ServiceAccount 추가

eksctl create iamserviceaccount \
  --name ebs-csi-controller-sa \
  --namespace kube-system \
  --cluster ${CLUSTER_NAME} \
  --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
  --approve \
  --role-only \
  --role-name AmazonEKS_EBS_CSI_DriverRole

✅ 출력

2025-02-18 20:00:11 [ℹ]  1 existing iamserviceaccount(s) (kube-system/aws-load-balancer-controller) will be excluded
2025-02-18 20:00:11 [ℹ]  1 iamserviceaccount (kube-system/ebs-csi-controller-sa) was included (based on the include/exclude rules)
2025-02-18 20:00:11 [!]  serviceaccounts in Kubernetes will not be created or modified, since the option --role-only is used
2025-02-18 20:00:11 [ℹ]  1 task: { create IAM role for serviceaccount "kube-system/ebs-csi-controller-sa" }
2025-02-18 20:00:11 [ℹ]  building iamserviceaccount stack "eksctl-myeks-addon-iamserviceaccount-kube-system-ebs-csi-controller-sa"
2025-02-18 20:00:11 [ℹ]  deploying stack "eksctl-myeks-addon-iamserviceaccount-kube-system-ebs-csi-controller-sa"
2025-02-18 20:00:11 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-addon-iamserviceaccount-kube-system-ebs-csi-controller-sa"
2025-02-18 20:00:42 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-addon-iamserviceaccount-kube-system-ebs-csi-controller-sa"

• CloudFormation에 새로운 Stack이 생성됨

• ISRA 확인

eksctl get iamserviceaccount --cluster ${CLUSTER_NAME}

✅ 출력

NAMESPACE	NAME				ROLE ARN
kube-system	aws-load-balancer-controller	arn:aws:iam::378102432899:role/eksctl-myeks-addon-iamserviceaccount-kube-sys-Role1-O6YEYsN7iVeQ
kube-system	ebs-csi-controller-sa		arn:aws:iam::378102432899:role/AmazonEKS_EBS_CSI_DriverRole

4. Amazon EBS CSI 드라이버 배포

(1) EBS CSI 드라이버 Add-on 설치

export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
eksctl create addon --name aws-ebs-csi-driver --cluster ${CLUSTER_NAME} --service-account-role-arn arn:aws:iam::${ACCOUNT_ID}:role/AmazonEKS_EBS_CSI_DriverRole --force

✅ 출력

2025-02-18 20:05:22 [ℹ]  Kubernetes version "1.31" in use by cluster "myeks"
2025-02-18 20:05:23 [ℹ]  IRSA is set for "aws-ebs-csi-driver" addon; will use this to configure IAM permissions
2025-02-18 20:05:23 [!]  the recommended way to provide IAM permissions for "aws-ebs-csi-driver" addon is via pod identity associations; after addon creation is completed, run `eksctl utils migrate-to-pod-identity`
2025-02-18 20:05:23 [ℹ]  using provided ServiceAccountRoleARN "arn:aws:iam::378102432899:role/AmazonEKS_EBS_CSI_DriverRole"
2025-02-18 20:05:23 [ℹ]  creating addon

(2) 설치된 Add-on 확인

eksctl get addon --cluster ${CLUSTER_NAME}

✅ 출력

2025-02-18 20:09:13 [ℹ]  Kubernetes version "1.31" in use by cluster "myeks"
2025-02-18 20:09:13 [ℹ]  getting all addons
2025-02-18 20:09:15 [ℹ]  to see issues for an addon run `eksctl get addon --name <addon-name> --cluster <cluster-name>`
NAME			VERSION			STATUS	ISSUES	IAMROLE										UPDATE AVAILABLE	CONFIGURATION VALUES		POD IDENTITY ASSOCIATION ROLES
aws-ebs-csi-driver	v1.39.0-eksbuild.1	ACTIVE	0	arn:aws:iam::378102432899:role/AmazonEKS_EBS_CSI_DriverRole				
coredns			v1.11.4-eksbuild.2	ACTIVE	0												
kube-proxy		v1.31.3-eksbuild.2	ACTIVE	0												
metrics-server		v0.7.2-eksbuild.2	ACTIVE	0												
vpc-cni			v1.19.2-eksbuild.5	ACTIVE	0	arn:aws:iam::378102432899:role/eksctl-myeks-addon-vpc-cni-Role1-ZTYxtOMDwfFu		enableNetworkPolicy: "true"	

5. EBS CSI 컨트롤러 및 DaemonSet 확인

kubectl get deploy,ds -l=app.kubernetes.io/name=aws-ebs-csi-driver -n kube-system

✅ 출력

NAME                                 READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ebs-csi-controller   2/2     2            2           5m36s

NAME                                  DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR              AGE
daemonset.apps/ebs-csi-node           3         3         3       3            3           kubernetes.io/os=linux     5m36s
daemonset.apps/ebs-csi-node-windows   0         0         0       0            0           kubernetes.io/os=windows   5m36s

• Pod 목록 확인

kubectl get pod -n kube-system -l app=ebs-csi-controller -o jsonpath='{.items[0].spec.containers[*].name}' ; echo

✅ 출력

ebs-plugin csi-provisioner csi-attacher csi-snapshotter csi-resizer liveness-probe

• 전체 Pod 목록 확인

k get pod -A

✅ 출력

NAMESPACE            NAME                                          READY   STATUS    RESTARTS   AGE
kube-system          aws-load-balancer-controller-554fbd9d-vk2p8   1/1     Running   0          5h26m
kube-system          aws-load-balancer-controller-554fbd9d-xnx6r   1/1     Running   0          5h26m
kube-system          aws-node-rf9bf                                2/2     Running   0          8h
kube-system          aws-node-tbbhl                                2/2     Running   0          8h
kube-system          aws-node-xb7dt                                2/2     Running   0          8h
kube-system          coredns-86f5954566-mskq6                      1/1     Running   0          8h
kube-system          coredns-86f5954566-wxwqw                      1/1     Running   0          8h
kube-system          ebs-csi-controller-7f8f8cb84-fd2bm            6/6     Running   0          7m35s
kube-system          ebs-csi-controller-7f8f8cb84-tsvk8            6/6     Running   0          7m35s
kube-system          ebs-csi-node-8d77m                            3/3     Running   0          7m35s
kube-system          ebs-csi-node-b2qcp                            3/3     Running   0          7m35s
kube-system          ebs-csi-node-rkk64                            3/3     Running   0          7m35s
kube-system          external-dns-dc4878f5f-mvnt9                  1/1     Running   0          5h24m
kube-system          kube-ops-view-657dbc6cd8-fgbqc                1/1     Running   0          5h29m
kube-system          kube-proxy-6bc4m                              1/1     Running   0          8h
kube-system          kube-proxy-qsd8t                              1/1     Running   0          8h
kube-system          kube-proxy-rvw86                              1/1     Running   0          8h
kube-system          metrics-server-6bf5998d9c-nt4ks               1/1     Running   0          8h
kube-system          metrics-server-6bf5998d9c-prz6f               1/1     Running   0          8h
local-path-storage   local-path-provisioner-84967477f-g6xvh        1/1     Running   0          3h3m

6. CSI Node 및 Driver 확인

(1) CSI 관련 리소스 확인

kubectl api-resources | grep -i csi

✅ 출력

csidrivers                                       storage.k8s.io/v1                 false        CSIDriver
csinodes                                         storage.k8s.io/v1                 false        CSINode
csistoragecapacities                             storage.k8s.io/v1                 true         CSIStorageCapacity

(2) CSI 노드 상태 확인

kubectl get csinodes

✅ 출력

NAME                                               DRIVERS   AGE
ip-192-168-1-207.ap-northeast-2.compute.internal   1         8h
ip-192-168-2-84.ap-northeast-2.compute.internal    1         8h
ip-192-168-3-80.ap-northeast-2.compute.internal    1         8h

• 각 노드에 ebs.csi.aws.com 드라이버가 설치됨

(3) CSI Node 상세 정보 확인

kubectl describe csinodes

✅ 출력

Name:               ip-192-168-1-207.ap-northeast-2.compute.internal
Labels:             <none>
Annotations:        storage.alpha.kubernetes.io/migrated-plugins:
                      kubernetes.io/aws-ebs,kubernetes.io/azure-disk,kubernetes.io/azure-file,kubernetes.io/cinder,kubernetes.io/gce-pd,kubernetes.io/portworx-v...
CreationTimestamp:  Tue, 18 Feb 2025 11:46:46 +0900
Spec:
  Drivers:
    ebs.csi.aws.com:
      Node ID:  i-093ad32d5ff5a8770
      Allocatables:
        Count:        25
      Topology Keys:  [kubernetes.io/os topology.ebs.csi.aws.com/zone topology.kubernetes.io/zone]
Events:               <none>

Name:               ip-192-168-2-84.ap-northeast-2.compute.internal
Labels:             <none>
Annotations:        storage.alpha.kubernetes.io/migrated-plugins:
                      kubernetes.io/aws-ebs,kubernetes.io/azure-disk,kubernetes.io/azure-file,kubernetes.io/cinder,kubernetes.io/gce-pd,kubernetes.io/portworx-v...
CreationTimestamp:  Tue, 18 Feb 2025 11:46:49 +0900
Spec:
  Drivers:
    ebs.csi.aws.com:
      Node ID:  i-0a80fdc36a856f394
      Allocatables:
        Count:        25
      Topology Keys:  [kubernetes.io/os topology.ebs.csi.aws.com/zone topology.kubernetes.io/zone]
Events:               <none>

Name:               ip-192-168-3-80.ap-northeast-2.compute.internal
Labels:             <none>
Annotations:        storage.alpha.kubernetes.io/migrated-plugins:
                      kubernetes.io/aws-ebs,kubernetes.io/azure-disk,kubernetes.io/azure-file,kubernetes.io/cinder,kubernetes.io/gce-pd,kubernetes.io/portworx-v...
CreationTimestamp:  Tue, 18 Feb 2025 11:46:42 +0900
Spec:
  Drivers:
    ebs.csi.aws.com:
      Node ID:  i-0484d2b724be33973
      Allocatables:
        Count:        25
      Topology Keys:  [kubernetes.io/os topology.ebs.csi.aws.com/zone topology.kubernetes.io/zone]
Events:               <none>

• 각 노드에서 최대 25개의 EBS 볼륨을 부착 가능

(4) CSI 드라이버 목록 조회

kubectl get csidrivers

✅ 출력

NAME              ATTACHREQUIRED   PODINFOONMOUNT   STORAGECAPACITY   TOKENREQUESTS   REQUIRESREPUBLISH   MODES        AGE
ebs.csi.aws.com   true             false            false             <unset>         false               Persistent   12m
efs.csi.aws.com   false            false            false             <unset>         false               Persistent   8h

• EBS CSI 드라이버(ebs.csi.aws.com)가 정상적으로 등록됨

(5) CSI 드라이버 상세 정보 확인

kubectl describe csidrivers ebs.csi.aws.com

✅ 출력

Name:         ebs.csi.aws.com
Namespace:    
Labels:       app.kubernetes.io/component=csi-driver
              app.kubernetes.io/managed-by=EKS
              app.kubernetes.io/name=aws-ebs-csi-driver
              app.kubernetes.io/version=1.39.0
Annotations:  <none>
API Version:  storage.k8s.io/v1
Kind:         CSIDriver
Metadata:
  Creation Timestamp:  2025-02-18T11:05:31Z
  Resource Version:    112312
  UID:                 4db549f5-c7ef-42b5-8dbc-7611b898b6fc
Spec:
  Attach Required:     true
  Fs Group Policy:     ReadWriteOnceWithFSType
  Pod Info On Mount:   false
  Requires Republish:  false
  Se Linux Mount:      false
  Storage Capacity:    false
  Volume Lifecycle Modes:
    Persistent
Events:  <none>

7. 노드의 최대 EBS 부착 수량 변경

• 기본적으로 노드당 EBS 볼륨 최대 25개까지 부착 가능
• 최대 부착 수량을 31개로 증가

aws eks update-addon --cluster-name ${CLUSTER_NAME} --addon-name aws-ebs-csi-driver \
  --addon-version v1.39.0-eksbuild.1 --configuration-values '{
    "node": {
      "volumeAttachLimit": 31,
      "enableMetrics": true
    }
  }'

✅ 출력

{
    "update": {
        "id": "31bc4279-d50f-30e0-aebe-de2971095881",
        "status": "InProgress",
        "type": "AddonUpdate",
        "params": [
            {
                "type": "AddonVersion",
                "value": "v1.39.0-eksbuild.1"
            },
            {
                "type": "ConfigurationValues",
                "value": "{\n    \"node\": {\n      \"volumeAttachLimit\": 31,\n      \"enableMetrics\": true\n    }\n  }"
            }
        ],
        "createdAt": "2025-02-18T20:19:34.938000+09:00",
        "errors": []
    }

• EKS Add-ons에서 aws-ebs-csi-driver의 설정 변경 가능

8. EBS CSI Node 데몬셋 설정 확인

kubectl get ds -n kube-system ebs-csi-node -o yaml

✅ 출력 (일부)

containers:
  - args:
    - node
    - --endpoint=$(CSI_ENDPOINT)
    - --http-endpoint=0.0.0.0:3302
    - --csi-mount-point-prefix=/var/lib/kubelet/plugins/kubernetes.io/csi/ebs.csi.aws.com/
    - --volume-attach-limit=31

• EBS CSI Node 데몬셋이 재기동되면서 Argument 값이 적용됨
• 각 노드에서 -volume-attach-limit=31 설정이 반영됨

9. CSI Node 볼륨 부착 한도 증가 확인

kubectl describe csinodes

✅ 출력

Name:               ip-192-168-1-207.ap-northeast-2.compute.internal
Labels:             <none>
Annotations:        storage.alpha.kubernetes.io/migrated-plugins:
                      kubernetes.io/aws-ebs,kubernetes.io/azure-disk,kubernetes.io/azure-file,kubernetes.io/cinder,kubernetes.io/gce-pd,kubernetes.io/portworx-v...
CreationTimestamp:  Tue, 18 Feb 2025 11:46:46 +0900
Spec:
  Drivers:
    ebs.csi.aws.com:
      Node ID:  i-093ad32d5ff5a8770
      Allocatables:
        Count:        31
      Topology Keys:  [kubernetes.io/os topology.ebs.csi.aws.com/zone topology.kubernetes.io/zone]
Events:               <none>

Name:               ip-192-168-2-84.ap-northeast-2.compute.internal
Labels:             <none>
Annotations:        storage.alpha.kubernetes.io/migrated-plugins:
                      kubernetes.io/aws-ebs,kubernetes.io/azure-disk,kubernetes.io/azure-file,kubernetes.io/cinder,kubernetes.io/gce-pd,kubernetes.io/portworx-v...
CreationTimestamp:  Tue, 18 Feb 2025 11:46:49 +0900
Spec:
  Drivers:
    ebs.csi.aws.com:
      Node ID:  i-0a80fdc36a856f394
      Allocatables:
        Count:        31
      Topology Keys:  [kubernetes.io/os topology.ebs.csi.aws.com/zone topology.kubernetes.io/zone]
Events:               <none>

Name:               ip-192-168-3-80.ap-northeast-2.compute.internal
Labels:             <none>
Annotations:        storage.alpha.kubernetes.io/migrated-plugins:
                      kubernetes.io/aws-ebs,kubernetes.io/azure-disk,kubernetes.io/azure-file,kubernetes.io/cinder,kubernetes.io/gce-pd,kubernetes.io/portworx-v...
CreationTimestamp:  Tue, 18 Feb 2025 11:46:42 +0900
Spec:
  Drivers:
    ebs.csi.aws.com:
      Node ID:  i-0484d2b724be33973
      Allocatables:
        Count:        31
      Topology Keys:  [kubernetes.io/os topology.ebs.csi.aws.com/zone topology.kubernetes.io/zone]
Events:               <none>

10. 기존 스토리지 클래스 확인

kubectl get sc

✅ 출력

NAME         PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2          kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  8h
local-path   rancher.io/local-path   Delete          WaitForFirstConsumer   false                  3h19m

11. gp3 스토리지 클래스 생성

cat <<EOF | kubectl apply -f -
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: gp3
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
allowVolumeExpansion: true
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
parameters:
  type: gp3
  #iops: "5000"
  #throughput: "250"
  allowAutoIOPSPerGBIncrease: 'true'
  encrypted: 'true'
  fsType: xfs # 기본값이 ext4
EOF

# 결과
storageclass.storage.k8s.io/gp3 created

• 스토리지 클래스 생성 확인

kubectl get sc

✅ 출력

NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2             kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  8h
gp3 (default)   ebs.csi.aws.com         Delete          WaitForFirstConsumer   true                   30s
local-path      rancher.io/local-path   Delete          WaitForFirstConsumer   false                  3h20m

12. gp3 스토리지 클래스 상세 정보 확인

kubectl describe sc gp3

✅ 출력

Name:            gp3
IsDefaultClass:  Yes
Annotations:     kubectl.kubernetes.io/last-applied-configuration={"allowVolumeExpansion":true,"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{"storageclass.kubernetes.io/is-default-class":"true"},"name":"gp3"},"parameters":{"allowAutoIOPSPerGBIncrease":"true","encrypted":"true","fsType":"xfs","type":"gp3"},"provisioner":"ebs.csi.aws.com","volumeBindingMode":"WaitForFirstConsumer"}
,storageclass.kubernetes.io/is-default-class=true
Provisioner:           ebs.csi.aws.com
Parameters:            allowAutoIOPSPerGBIncrease=true,encrypted=true,fsType=xfs,type=gp3
AllowVolumeExpansion:  True
MountOptions:          <none>
ReclaimPolicy:         Delete
VolumeBindingMode:     WaitForFirstConsumer
Events:                <none>

• 볼륨 확장 가능 (AllowVolumeExpansion: True)
• 기본 파일 시스템 xfs 적용

13. EBS 볼륨 생성 모니터링

while true; do aws ec2 describe-volumes --filters Name=tag:ebs.csi.aws.com/cluster,Values=true --query "Volumes[].{VolumeId: VolumeId, VolumeType: VolumeType, InstanceId: Attachments[0].InstanceId, State: Attachments[0].State}" --output text; date; sleep 1; done

✅ 출력

Tue Feb 18 08:36:24 PM KST 2025
Tue Feb 18 08:36:25 PM KST 2025
Tue Feb 18 08:36:27 PM KST 2025
Tue Feb 18 08:36:28 PM KST 2025

14. EBS PVC 생성

(1) StorageClass gp3를 사용하여 PVC를 생성

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ebs-claim
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
  storageClassName: gp3
EOF

# 결과
persistentvolumeclaim/ebs-claim created

(2) 생성 확인

• 아직 PVC가 바인딩되지 않은 상태

k get pv
No resources found

k get pvc
NAME        STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
ebs-claim   Pending                                      gp3            <unset>                 96s

15. PVC를 사용하는 Pod 생성

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  terminationGracePeriodSeconds: 3
  containers:
  - name: app
    image: centos
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo \$(date -u) >> /data/out.txt; sleep 5; done"]
    volumeMounts:
    - name: persistent-storage
      mountPath: /data
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: ebs-claim
EOF

# 결과
pod/app created

16. PVC와 PV 바인딩 상태 확인

kubectl get pvc,pv,pod

✅ 출력

NAME                              STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
persistentvolumeclaim/ebs-claim   Bound    pvc-ef2fe3fe-7117-44f2-94d0-cdb253c47af5   4Gi        RWO            gp3            <unset>                 4m22s

NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM               STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE
persistentvolume/pvc-ef2fe3fe-7117-44f2-94d0-cdb253c47af5   4Gi        RWO            Delete           Bound    default/ebs-claim   gp3            <unset>                          26s

NAME      READY   STATUS    RESTARTS   AGE
pod/app   1/1     Running   0          29s

• PVC(ebs-claim)가 자동으로 PV(pvc-ef2fe3fe-7117-44f2-94d0-cdb253c47af5)와 바인딩됨

• Pod(app)이 정상적으로 실행됨 (Status: Running)

• Pod 실행 후 EBS 볼륨이 자동 생성 및 부착됨

17. EBS 볼륨이 특정 노드에 부착되었는지 확인

kubectl get VolumeAttachment

✅ 출력

NAME                                                                   ATTACHER          PV                                         NODE                                               ATTACHED   AGE
csi-2c549400779c2b0340a9261869f4798e1239dc965d8a47cf3b3c29fe8b2b4fd4   ebs.csi.aws.com   pvc-ef2fe3fe-7117-44f2-94d0-cdb253c47af5   ip-192-168-1-207.ap-northeast-2.compute.internal   true       7m45s

• EBS 볼륨이 ip-192-168-1-207 노드에 부착됨 (ATTACHED: true)

18. EBS 볼륨 사용량 확인

kubectl df-pv

✅ 출력

 PV NAME                                   PVC NAME   NAMESPACE  NODE NAME                                         POD NAME  VOLUME MOUNT NAME   SIZE  USED  AVAILABLE  %USED  IUSED  IFREE    %IUSED 
 pvc-ef2fe3fe-7117-44f2-94d0-cdb253c47af5  ebs-claim  default    ip-192-168-1-207.ap-northeast-2.compute.internal  app       persistent-storage  3Gi   60Mi  3Gi        1.50   4      2097148  0.00  

• 현재 1.5% 정도의 볼륨 공간이 사용됨

• Pod가 실행 중인 워커 노드(192.168.1.207)에서 해당 볼륨을 사용 중

• AWS 콘솔에서 볼륨 사용량 확인

19. EBS 볼륨의 Node Affinity 확인

• 현재 PV 설정 확인

kubectl get pv -o yaml

✅ 출력 (일부)

spec:
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: topology.kubernetes.io/zone
          operator: In
          values:
          - ap-northeast-2a

• 현재 ap-northeast-2a 가용 영역(AZ)에 있는 노드에서만 EBS 부착 가능

20. 현재 노드 목록 및 가용 영역 확인

kubectl get node --label-columns=topology.ebs.csi.aws.com/zone,topology.k8s.aws/zone-id

✅ 출력

NAME                                               STATUS   ROLES    AGE   VERSION               ZONE              ZONE-ID
ip-192-168-1-207.ap-northeast-2.compute.internal   Ready    <none>   9h    v1.31.5-eks-5d632ec   ap-northeast-2a   apne2-az1
ip-192-168-2-84.ap-northeast-2.compute.internal    Ready    <none>   9h    v1.31.5-eks-5d632ec   ap-northeast-2b   apne2-az2
ip-192-168-3-80.ap-northeast-2.compute.internal    Ready    <none>   9h    v1.31.5-eks-5d632ec   ap-northeast-2c   apne2-az3

• EBS 볼륨은 ap-northeast-2a에 있는 ip-192-168-1-207 노드에서만 사용 가능

21. EBS 볼륨 내 데이터 정상 저장 확인

kubectl exec app -- tail -f /data/out.txt

✅ 출력

Tue Feb 18 12:05:17 UTC 2025
Tue Feb 18 12:05:22 UTC 2025
Tue Feb 18 12:05:27 UTC 2025
Tue Feb 18 12:05:32 UTC 2025
Tue Feb 18 12:05:37 UTC 2025
Tue Feb 18 12:05:42 UTC 2025
Tue Feb 18 12:05:47 UTC 2025
...

• EBS 볼륨이 정상적으로 /data/out.txt 파일에 데이터 기록 중

22. EBS 볼륨 마운트 확인

(1) Overlay 파일시스템 확인

kubectl exec -it app -- sh -c 'df -hT --type=overlay'

✅ 출력

Filesystem     Type     Size  Used Avail Use% Mounted on
overlay        overlay  120G  4.5G  116G   4% /

(2) XFS 파일시스템 확인

kubectl exec -it app -- sh -c 'df -hT --type=xfs'

✅ 출력

Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/nvme1n1   xfs   4.0G   61M  3.9G   2% /data
/dev/nvme0n1p1 xfs   120G  4.5G  116G   4% /etc/hosts

• EBS 볼륨(/dev/nvme1n1)이 /data에 마운트됨
• 현재 4.0GiB 중 61MiB 사용됨 (2%)

23. EBS 볼륨 크기 확장 테스트

(1) 현재 PVC 크기 확인

kubectl get pvc ebs-claim -o jsonpath={.spec.resources.requests.storage} ; echo

✅ 출력

4Gi

(2) PVC 크기 확장 요청 (4GiB → 10GiB)

kubectl patch pvc ebs-claim -p '{"spec":{"resources":{"requests":{"storage":"10Gi"}}}}'

# 결과
persistentvolumeclaim/ebs-claim patched

(3) 변경된 볼륨 크기 확인

kubectl exec -it app -- sh -c 'df -hT --type=xfs'

✅ 출력

Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/nvme1n1   xfs    10G  105M  9.9G   2% /data
/dev/nvme0n1p1 xfs   120G  4.5G  116G   4% /etc/hosts

• EBS 볼륨 크기가 4GiB → 10GiB로 정상 확장됨

(4) PVC 상태 확인 (df-pv 활용)

kubectl df-pv

✅ 출력

 PV NAME                                   PVC NAME   NAMESPACE  NODE NAME                                         POD NAME  VOLUME MOUNT NAME   SIZE  USED   AVAILABLE  %USED  IUSED  IFREE    %IUSED 
 pvc-ef2fe3fe-7117-44f2-94d0-cdb253c47af5  ebs-claim  default    ip-192-168-1-207.ap-northeast-2.compute.internal  app       persistent-storage  9Gi   104Mi  9Gi        1.02   4      5242876  0.00 

• 볼륨 크기 9GiB, 사용량 1.02% 확인됨

(5) AWS에서 볼륨 크기 변경 사항 확인

aws ec2 describe-volumes --volume-ids $(kubectl get pv -o jsonpath="{.items[0].spec.csi.volumeHandle}") | jq

✅ 출력

{
  "Volumes": [
    {
      "Iops": 3000,
      "Tags": [
        {
          "Key": "kubernetes.io/created-for/pvc/name",
          "Value": "ebs-claim"
        },
        {
          "Key": "ebs.csi.aws.com/cluster",
          "Value": "true"
        },
        {
          "Key": "kubernetes.io/cluster/myeks",
          "Value": "owned"
        },
        {
          "Key": "kubernetes.io/created-for/pvc/namespace",
          "Value": "default"
        },
        {
          "Key": "KubernetesCluster",
          "Value": "myeks"
        },
        {
          "Key": "CSIVolumeName",
          "Value": "pvc-ef2fe3fe-7117-44f2-94d0-cdb253c47af5"
        },
        {
          "Key": "Name",
          "Value": "myeks-dynamic-pvc-ef2fe3fe-7117-44f2-94d0-cdb253c47af5"
        },
        {
          "Key": "kubernetes.io/created-for/pv/name",
          "Value": "pvc-ef2fe3fe-7117-44f2-94d0-cdb253c47af5"
        }
      ],
      "VolumeType": "gp3",
      "MultiAttachEnabled": false,
      "Throughput": 125,
      "Operator": {
        "Managed": false
      },
      "VolumeId": "vol-0b12360fbeebb9580",
      "Size": 10,
      "SnapshotId": "",
      "AvailabilityZone": "ap-northeast-2a",
      "State": "in-use",
      "CreateTime": "2025-02-18T11:46:58.192000+00:00",
      "Attachments": [
        {
          "DeleteOnTermination": false,
          "VolumeId": "vol-0b12360fbeebb9580",
          "InstanceId": "i-093ad32d5ff5a8770",
          "Device": "/dev/xvdaa",
          "State": "attached",
          "AttachTime": "2025-02-18T11:47:01+00:00"
        }
      ],
      "Encrypted": true,
      "KmsKeyId": "arn:aws:kms:ap-northeast-2:378102432899:key/8c9984ef-c009-4d66-bb63-428b05a0ed1e"
    }
  ]
}

• AWS 콘솔에서도 EBS 볼륨 크기 10GiB로 확장된 것 확인 가능

24. 볼륨 확장 후 Pod 및 PVC 삭제

kubectl delete pod app & kubectl delete pvc ebs-claim

✅ 출력

[1] 208891
pod "app" deleted
persistentvolumeclaim "ebs-claim" deleted
[1]+  Done                    kubecolor delete pod app

• Pod 삭제 후 PVC 삭제 시, EBS 볼륨도 함께 삭제됨

• AWS 콘솔에서 EBS 볼륨이 자동으로 제거됨

• AWS 콘솔에서 EBS 볼륨 삭제 확인

---

📸 EBS 볼륨 스냅샷 생성 및 복원

1. EBS 볼륨 스냅샷 기능 개요

• AWS EBS 볼륨의 스냅샷을 쿠버네티스 네이티브 방식으로 활용
• AWS Volume SnapShots Controller를 사용하여 스냅샷 생성 및 복원 가능

2. Volume Snapshot CRD 설치

kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/master/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/master/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/master/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml

✅ 출력

customresourcedefinition.apiextensions.k8s.io/volumesnapshots.snapshot.storage.k8s.io created
customresourcedefinition.apiextensions.k8s.io/volumesnapshotclasses.snapshot.storage.k8s.io created
customresourcedefinition.apiextensions.k8s.io/volumesnapshotcontents.snapshot.storage.k8s.io created

3. 설치 확인

(1) CRD에서 스냅샷 관련 리소스 확인

kubectl get crd | grep snapshot

✅ 출력

volumesnapshotclasses.snapshot.storage.k8s.io    2025-02-18T12:47:37Z
volumesnapshotcontents.snapshot.storage.k8s.io   2025-02-18T12:47:38Z
volumesnapshots.snapshot.storage.k8s.io          2025-02-18T12:47:36Z

(2) API 리소스에서 스냅샷 관련 리소스 확인

kubectl api-resources  | grep snapshot

✅ 출력

volumesnapshotclasses               vsclass,vsclasses   snapshot.storage.k8s.io/v1        false        VolumeSnapshotClass
volumesnapshotcontents              vsc,vscs            snapshot.storage.k8s.io/v1        false        VolumeSnapshotContent
volumesnapshots                     vs                  snapshot.storage.k8s.io/v1        true         VolumeSnapshot

4. 스냅샷 컨트롤러 배포

kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/master/deploy/kubernetes/snapshot-controller/rbac-snapshot-controller.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/master/deploy/kubernetes/snapshot-controller/setup-snapshot-controller.yaml

✅ 출력

serviceaccount/snapshot-controller created
clusterrole.rbac.authorization.k8s.io/snapshot-controller-runner created
clusterrolebinding.rbac.authorization.k8s.io/snapshot-controller-role created
role.rbac.authorization.k8s.io/snapshot-controller-leaderelection created
rolebinding.rbac.authorization.k8s.io/snapshot-controller-leaderelection created
deployment.apps/snapshot-controller created

5. 배포 확인

kubectl get deploy -n kube-system snapshot-controller

✅ 출력

NAME                  READY   UP-TO-DATE   AVAILABLE   AGE
snapshot-controller   2/2     2            2           48s

6. AWS EBS 스냅샷 클래스 생성

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-ebs-csi-driver/master/examples/kubernetes/snapshot/manifests/classes/snapshotclass.yaml

# 결과
volumesnapshotclass.snapshot.storage.k8s.io/csi-aws-vsc created

7. 스냅샷 클래스 확인

(1) 볼륨 스냅샷 클래스(VolumeSnapshotClass) 목록 확인

kubectl get vsclass

✅ 출력

NAME          DRIVER            DELETIONPOLICY   AGE
csi-aws-vsc   ebs.csi.aws.com   Delete           1s

(2) 볼륨 스냅샷 클래스(VolumeSnapshotClass) 상세 정보 확인

kubectl describe vsclass

✅ 출력

Name:             csi-aws-vsc
Namespace:        
Labels:           <none>
Annotations:      <none>
API Version:      snapshot.storage.k8s.io/v1
Deletion Policy:  Delete
Driver:           ebs.csi.aws.com
Kind:             VolumeSnapshotClass
Metadata:
  Creation Timestamp:  2025-02-18T12:53:56Z
  Generation:          1
  Resource Version:    142886
  UID:                 e310327c-0673-4a0d-bf3f-fa1c2791b063
Events:                <none>

8. PVC 및 Pod 생성

(1) 모니터링

watch -d kubectl get pv,pvc,pod

Every 2.0s: kubectl get pv,pvc,pod                                                                                             gram88: 09:57:32 PM
                                                                                                                                     in 0.813s (0)
No resources found

(2) PVC 생성

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ebs-claim
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
  storageClassName: gp3
EOF

# 결과
persistentvolumeclaim/ebs-claim created

(3) PVC, PV 조회

kubectl get pvc,pv

✅ 출력

NAME                              STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
persistentvolumeclaim/ebs-claim   Pending                                      gp3            <unset>                 0s

(4) Pod 생성

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  terminationGracePeriodSeconds: 3
  containers:
  - name: app
    image: centos
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo \$(date -u) >> /data/out.txt; sleep 5; done"]
    volumeMounts:
    - name: persistent-storage
      mountPath: /data
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: ebs-claim
EOF

# 결과
pod/app created

9. 파일 저장 확인

kubectl exec app -- tail -f /data/out.txt

✅ 출력

Tue Feb 18 13:00:45 UTC 2025
Tue Feb 18 13:00:50 UTC 2025
Tue Feb 18 13:00:55 UTC 2025
Tue Feb 18 13:01:00 UTC 2025
Tue Feb 18 13:01:05 UTC 2025
Tue Feb 18 13:01:10 UTC 2025
Tue Feb 18 13:01:15 UTC 2025
Tue Feb 18 13:01:20 UTC 2025
Tue Feb 18 13:01:25 UTC 2025
...

10. EBS 볼륨 스냅샷 생성

cat <<EOF | kubectl apply -f -
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: ebs-volume-snapshot
spec:
  volumeSnapshotClassName: csi-aws-vsc
  source:
    persistentVolumeClaimName: ebs-claim
EOF

# 결과
volumesnapshot.snapshot.storage.k8s.io/ebs-volume-snapshot created

• AWS 콘솔에서 EBS 스냅샷이 정상적으로 생성됨

• Kubernetes의 Pod가 사용 중인 EBS 볼륨을 그대로 스냅샷으로 저장

11. 스냅샷 상태 확인

(1) 생성된 VolumeSnapshot 확인

kubectl get volumesnapshot

✅ 출력

NAME                  READYTOUSE   SOURCEPVC   SOURCESNAPSHOTCONTENT   RESTORESIZE   SNAPSHOTCLASS   SNAPSHOTCONTENT                                    CREATIONTIME   AGE
ebs-volume-snapshot   true         ebs-claim                           4Gi           csi-aws-vsc     snapcontent-9bd1cc5d-21d5-47f4-97de-c4b6a871ae01   4m             4m1s

(2) 특정 VolumeSnapshot의 SnapshotContent 바인딩 정보 조회

kubectl get volumesnapshot ebs-volume-snapshot -o jsonpath={.status.boundVolumeSnapshotContentName} ; echo

✅ 출력

snapcontent-9bd1cc5d-21d5-47f4-97de-c4b6a871ae01

(3) 특정 VolumeSnapshot 상세 정보 조회

kubectl describe volumesnapshot.snapshot.storage.k8s.io ebs-volume-snapshot

✅ 출력

Name:         ebs-volume-snapshot
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  snapshot.storage.k8s.io/v1
Kind:         VolumeSnapshot
Metadata:
  Creation Timestamp:  2025-02-18T13:03:27Z
  Finalizers:
    snapshot.storage.kubernetes.io/volumesnapshot-as-source-protection
    snapshot.storage.kubernetes.io/volumesnapshot-bound-protection
  Generation:        1
  Resource Version:  146033
  UID:               9bd1cc5d-21d5-47f4-97de-c4b6a871ae01
Spec:
  Source:
    Persistent Volume Claim Name:  ebs-claim
  Volume Snapshot Class Name:      csi-aws-vsc
Status:
  Bound Volume Snapshot Content Name:  snapcontent-9bd1cc5d-21d5-47f4-97de-c4b6a871ae01
  Creation Time:                       2025-02-18T13:03:28Z
  Ready To Use:                        true
  Restore Size:                        4Gi
Events:
  Type    Reason            Age    From                 Message
  ----    ------            ----   ----                 -------
  Normal  CreatingSnapshot  5m20s  snapshot-controller  Waiting for a snapshot default/ebs-volume-snapshot to be created by the CSI driver.
  Normal  SnapshotCreated   5m19s  snapshot-controller  Snapshot default/ebs-volume-snapshot was successfully created by the CSI driver.
  Normal  SnapshotReady     4m12s  snapshot-controller  Snapshot default/ebs-volume-snapshot is ready to use.

(4) 생성된 VolumeSnapshotContent 확인

kubectl get volumesnapshotcontents

✅ 출력

NAME                                               READYTOUSE   RESTORESIZE   DELETIONPOLICY   DRIVER            VOLUMESNAPSHOTCLASS   VOLUMESNAPSHOT        VOLUMESNAPSHOTNAMESPACE   AGE
snapcontent-9bd1cc5d-21d5-47f4-97de-c4b6a871ae01   true         4294967296    Delete           ebs.csi.aws.com   csi-aws-vsc           ebs-volume-snapshot   default                   5m52s

(5) VolumeSnapshot ID 확인

kubectl get volumesnapshotcontents -o jsonpath='{.items[*].status.snapshotHandle}' ; echo

✅ 출력

snap-0f1c3fa51d2fc9d33

(6) AWS EBS 스냅샷 목록 조회 (JSON 출력)

aws ec2 describe-snapshots --owner-ids self | jq

✅ 출력

{
  "Snapshots": [
    {
      "Tags": [
        {
          "Key": "Name",
          "Value": "myeks-dynamic-snapshot-9bd1cc5d-21d5-47f4-97de-c4b6a871ae01"
        },
        {
          "Key": "CSIVolumeSnapshotName",
          "Value": "snapshot-9bd1cc5d-21d5-47f4-97de-c4b6a871ae01"
        },
        {
          "Key": "kubernetes.io/cluster/myeks",
          "Value": "owned"
        },
        {
          "Key": "ebs.csi.aws.com/cluster",
          "Value": "true"
        }
      ],
      "StorageTier": "standard",
      "TransferType": "standard",
      "CompletionTime": "2025-02-18T13:04:04.793000+00:00",
      "SnapshotId": "snap-0f1c3fa51d2fc9d33",
      "VolumeId": "vol-090da41ed97dae65a",
      "State": "completed",
      "StartTime": "2025-02-18T13:03:28.688000+00:00",
      "Progress": "100%",
      "OwnerId": "378102432899",
      "Description": "Created by AWS EBS CSI driver for volume vol-090da41ed97dae65a",
      "VolumeSize": 4,
      "Encrypted": true,
      "KmsKeyId": "arn:aws:kms:ap-northeast-2:378102432899:key/8c9984ef-c009-4d66-bb63-428b05a0ed1e"
    }
  ]
}

(7) AWS EBS 스냅샷 목록 조회 (테이블 출력)

aws ec2 describe-snapshots --owner-ids self --query 'Snapshots[]' --output table

✅ 출력

--------------------------------------------------------------------------------------------------------
|                                           DescribeSnapshots                                          |
+----------------+-------------------------------------------------------------------------------------+
|  CompletionTime|  2025-02-18T13:04:04.793000+00:00                                                   |
|  Description   |  Created by AWS EBS CSI driver for volume vol-090da41ed97dae65a                     |
|  Encrypted     |  True                                                                               |
|  KmsKeyId      |  arn:aws:kms:ap-northeast-2:378102432899:key/8c9984ef-c009-4d66-bb63-428b05a0ed1e   |
|  OwnerId       |  378102432899                                                                       |
|  Progress      |  100%                                                                               |
|  SnapshotId    |  snap-0f1c3fa51d2fc9d33                                                             |
|  StartTime     |  2025-02-18T13:03:28.688000+00:00                                                   |
|  State         |  completed                                                                          |
|  StorageTier   |  standard                                                                           |
|  TransferType  |  standard                                                                           |
|  VolumeId      |  vol-090da41ed97dae65a                                                              |
|  VolumeSize    |  4                                                                                  |
+----------------+-------------------------------------------------------------------------------------+
||                                                Tags                                                ||
|+--------------------------------+-------------------------------------------------------------------+|
||               Key              |                               Value                               ||
|+--------------------------------+-------------------------------------------------------------------+|
||  Name                          |  myeks-dynamic-snapshot-9bd1cc5d-21d5-47f4-97de-c4b6a871ae01      ||
||  CSIVolumeSnapshotName         |  snapshot-9bd1cc5d-21d5-47f4-97de-c4b6a871ae01                    ||
||  kubernetes.io/cluster/myeks   |  owned                                                            ||
||  ebs.csi.aws.com/cluster       |  true                                                             ||
|+--------------------------------+-------------------------------------------------------------------+|

12. EBS 볼륨 삭제 (실수 가정)

• Pod 및 PVC 삭제
• 실수로 인해 볼륨이 삭제된 상황 가정

kubectl delete pod app && kubectl delete pvc ebs-claim

# 결과
pod "app" deleted
persistentvolumeclaim "ebs-claim" deleted

13. 스냅샷을 활용한 PVC 복원

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ebs-snapshot-restored-claim
spec:
  storageClassName: gp3
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
  dataSource:
    name: ebs-volume-snapshot
    kind: VolumeSnapshot
    apiGroup: snapshot.storage.k8s.io
EOF

# 결과
persistentvolumeclaim/ebs-snapshot-restored-claim created

14. 복원된 PVC를 사용하는 Pod 생성

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  terminationGracePeriodSeconds: 3
  containers:
  - name: app
    image: centos
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo \$(date -u) >> /data/out.txt; sleep 5; done"]
    volumeMounts:
    - name: persistent-storage
      mountPath: /data
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: ebs-snapshot-restored-claim
EOF

# 결과
pod/app created

15. 복원된 데이터 확인

kubectl exec app -- cat /data/out.txt

✅ 출력

Tue Feb 18 13:03:00 UTC 2025
Tue Feb 18 13:03:05 UTC 2025
Tue Feb 18 13:03:10 UTC 2025
Tue Feb 18 13:03:15 UTC 2025
Tue Feb 18 13:18:15 UTC 2025
Tue Feb 18 13:18:20 UTC 2025
Tue Feb 18 13:18:25 UTC 2025
Tue Feb 18 13:18:30 UTC 2025
Tue Feb 18 13:18:35 UTC 2025

• 스냅샷 생성 시점(13:03:15)까지의 데이터가 복원됨
• 새로운 데이터(13:18:15 이후)도 정상적으로 저장됨

16. 삭제

kubectl delete pod app && kubectl delete pvc ebs-snapshot-restored-claim && kubectl delete volumesnapshots ebs-volume-snapshot

✅ 출력

pod "app" deleted
persistentvolumeclaim "ebs-snapshot-restored-claim" deleted
volumesnapshot.snapshot.storage.k8s.io "ebs-volume-snapshot" deleted

---

📁 AWS EFS Controller

1. EFS Controller 개요

• 기존 EBS는 Block Storage, EFS는 File System 기반의 스토리지
• Amazon EFS 파일 시스템을 CloudFormation을 통해 생성
• 이후 EFS를 사용하기 위해 CSI 드라이버 설정 진행

2. 생성된 EFS 파일 시스템 확인

aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text

✅ 출력

fs-0aeb6f8c0c228b9d2

3. EFS CSI 드라이버 버전 확인

aws eks describe-addon-versions \
    --addon-name aws-efs-csi-driver \
    --kubernetes-version 1.31 \
    --query "addons[].addonVersions[].[addonVersion, compatibilities[].defaultVersion]" \
    --output text

✅ 출력

v2.1.4-eksbuild.1
True
v2.1.3-eksbuild.1
False
v2.1.2-eksbuild.1
False
v2.1.1-eksbuild.1
False
v2.1.0-eksbuild.1
False
...

4. IAM Role for Service Account (IRSA) 설정

eksctl create iamserviceaccount \
  --name efs-csi-controller-sa \
  --namespace kube-system \
  --cluster ${CLUSTER_NAME} \
  --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \
  --approve \
  --role-only \
  --role-name AmazonEKS_EFS_CSI_DriverRole

✅ 출력

2025-02-18 22:32:31 [ℹ]  2 existing iamserviceaccount(s) (kube-system/aws-load-balancer-controller,kube-system/ebs-csi-controller-sa) will be excluded
2025-02-18 22:32:31 [ℹ]  1 iamserviceaccount (kube-system/efs-csi-controller-sa) was included (based on the include/exclude rules)
2025-02-18 22:32:31 [!]  serviceaccounts in Kubernetes will not be created or modified, since the option --role-only is used
2025-02-18 22:32:31 [ℹ]  1 task: { create IAM role for serviceaccount "kube-system/efs-csi-controller-sa" }
2025-02-18 22:32:31 [ℹ]  building iamserviceaccount stack "eksctl-myeks-addon-iamserviceaccount-kube-system-efs-csi-controller-sa"
2025-02-18 22:32:31 [ℹ]  deploying stack "eksctl-myeks-addon-iamserviceaccount-kube-system-efs-csi-controller-sa"
2025-02-18 22:32:31 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-addon-iamserviceaccount-kube-system-efs-csi-controller-sa"
2025-02-18 22:33:01 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-addon-iamserviceaccount-kube-system-efs-csi-controller-sa"

• EFS CSI 드라이버가 AWS EFS API와 통신할 수 있도록 IAM 역할 생성
• Amazon이 제공하는 AmazonEFSCSIDriverPolicy IAM 정책을 연결

5. IAM Service Account 확인

eksctl get iamserviceaccount --cluster ${CLUSTER_NAME}

✅ 출력

NAMESPACE	NAME				ROLE ARN
kube-system	aws-load-balancer-controller	arn:aws:iam::378102432899:role/eksctl-myeks-addon-iamserviceaccount-kube-sys-Role1-O6YEYsN7iVeQ
kube-system	ebs-csi-controller-sa		arn:aws:iam::378102432899:role/AmazonEKS_EBS_CSI_DriverRole
kube-system	efs-csi-controller-sa		arn:aws:iam::378102432899:role/AmazonEKS_EFS_CSI_DriverRole

• efs-csi-controller-sa 서비스 계정이 올바르게 IAM 역할과 연결됨 확인

6. Amazon EFS CSI 드라이버 애드온 배포

export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
eksctl create addon --name aws-efs-csi-driver --cluster ${CLUSTER_NAME} --service-account-role-arn arn:aws:iam::${ACCOUNT_ID}:role/AmazonEKS_EFS_CSI_DriverRole --force

✅ 출력

2025-02-18 22:35:34 [ℹ]  Kubernetes version "1.31" in use by cluster "myeks"
2025-02-18 22:35:34 [ℹ]  IRSA is set for "aws-efs-csi-driver" addon; will use this to configure IAM permissions
2025-02-18 22:35:34 [!]  the recommended way to provide IAM permissions for "aws-efs-csi-driver" addon is via pod identity associations; after addon creation is completed, run `eksctl utils migrate-to-pod-identity`
2025-02-18 22:35:34 [ℹ]  using provided ServiceAccountRoleARN "arn:aws:iam::378102432899:role/AmazonEKS_EFS_CSI_DriverRole"
2025-02-18 22:35:34 [ℹ]  creating addon

• EFS CSI Driver 애드온을 EKS 클러스터에 설치

7. 애드온 배포 상태 확인

eksctl get addon --cluster ${CLUSTER_NAME}

✅ 출력

2025-02-18 22:36:24 [ℹ]  Kubernetes version "1.31" in use by cluster "myeks"
2025-02-18 22:36:24 [ℹ]  getting all addons
2025-02-18 22:36:26 [ℹ]  to see issues for an addon run `eksctl get addon --name <addon-name> --cluster <cluster-name>`
NAME			VERSION			STATUS	ISSUES	IAMROLE										UPDATE AVAILABLE	CONFIGURATION VALUES									POD IDENTITY ASSOCIATION ROLES
aws-ebs-csi-driver	v1.39.0-eksbuild.1	ACTIVE	0												{
    "node": {
      "volumeAttachLimit": 31,
      "enableMetrics": true
    }
  }	
aws-efs-csi-driver	v2.1.4-eksbuild.1	ACTIVE	0	arn:aws:iam::378102432899:role/AmazonEKS_EFS_CSI_DriverRole				
coredns			v1.11.4-eksbuild.2	ACTIVE	0												
kube-proxy		v1.31.3-eksbuild.2	ACTIVE	0												
metrics-server		v0.7.2-eksbuild.2	ACTIVE	0												
vpc-cni			v1.19.2-eksbuild.5	ACTIVE	0	arn:aws:iam::378102432899:role/eksctl-myeks-addon-vpc-cni-Role1-ZTYxtOMDwfFu		enableNetworkPolicy: "true"	

• aws-efs-csi-driver가 ACTIVE 상태임을 확인

8. EFS CSI Driver 배포 확인

kubectl get csidrivers efs.csi.aws.com -o yaml

✅ 출력

apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"storage.k8s.io/v1","kind":"CSIDriver","metadata":{"annotations":{},"name":"efs.csi.aws.com"},"spec":{"attachRequired":false}}
  creationTimestamp: "2025-02-18T02:37:23Z"
  name: efs.csi.aws.com
  resourceVersion: "155201"
  uid: 9b68ab1a-c2c2-40e2-84c8-b0f06f04b289
spec:
  attachRequired: false
  fsGroupPolicy: ReadWriteOnceWithFSType
  podInfoOnMount: false
  requiresRepublish: false
  seLinuxMount: false
  storageCapacity: false
  volumeLifecycleModes:
  - Persistent

• efs.csi.aws.com CSI 드라이버가 정상적으로 설치됨 확인

9. EFS 사용 방식: 전체 공유 vs Access Points

• EFS 파일 시스템을 전체 공유
• Access Points를 이용해 특정 디렉토리만 분리하여 사용

• 필요에 따라 전체 파일 시스템 공유 또는 특정 디렉토리 권한 관리 가능

• EFS의 Access Points 기능을 사용하면 특정 경로만 사용 가능하도록 제한할 수 있음

10. EFS CSI Driver 클론 및 파일 구조 확인

(eks-user:default) [root@operator-host ~]# git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git /root/efs-csi
(eks-user:default) [root@operator-host ~]# cd /root/efs-csi/examples/kubernetes/multiple_pods/specs && tree

✅ 출력

Cloning into '/root/efs-csi'...
remote: Enumerating objects: 29682, done.
remote: Counting objects: 100% (5145/5145), done.
remote: Compressing objects: 100% (1142/1142), done.
remote: Total 29682 (delta 4275), reused 4015 (delta 3999), pack-reused 24537 (from 3)
Receiving objects: 100% (29682/29682), 27.11 MiB | 17.36 MiB/s, done.
Resolving deltas: 100% (16140/16140), done.

.
├── claim.yaml
├── pod1.yaml
├── pod2.yaml
├── pv.yaml
└── storageclass.yaml

0 directories, 5 files

• EFS CSI Driver 저장소를 클론하여 샘플 설정 파일 다운로드
• StorageClass, PV, PVC, Pod 관련 YAML 파일 존재

11. EFS StorageClass 생성 및 확인

(1) StorageClass 확인

(eks-user:default) [root@operator-host specs]# cat storageclass.yaml

✅ 출력

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com

(2) StorageClass 생성

(eks-user:default) [root@operator-host specs]# kubectl apply -f storageclass.yaml

# 결과
storageclass.storage.k8s.io/efs-sc created

(3) StorageClass 생성 확인

(eks-user:default) [root@operator-host specs]# kubectl get sc efs-sc

✅ 출력

NAME     PROVISIONER       RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
efs-sc   efs.csi.aws.com   Delete          Immediate           false                  54s

12. EFS PersistentVolume(PV) 설정

(1) EFS PV 설정 확인

(eks-user:default) [root@operator-host specs]# cat pv.yaml

✅ 출력

apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-4af69aab

• 기본적으로 volumeHandle: fs-4af69aab로 설정되어 있음

(2) EFS 시스템 ID 업데이트

(eks-user:default) [root@operator-host specs]# EfsFsId=$(aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text)
(eks-user:default) [root@operator-host specs]# sed -i "s/fs-4af69aab/$EfsFsId/g" pv.yaml
(eks-user:default) [root@operator-host specs]# cat pv.yaml

✅ 출력

apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-0aeb6f8c0c228b9d2

• 기존 fs-4af69aab → 실제 사용 중인 EFS 시스템 ID(fs-0aeb6f8c0c228b9d2)로 변경

13. EFS PV 생성 및 확인

(1) efs-pv 생성

(eks-user:default) [root@operator-host specs]# kubectl apply -f pv.yaml
# 결과
persistentvolume/efs-pv created

(2) efs-pv 확인

(eks-user:default) [root@operator-host specs]# kubectl get pv; kubectl describe pv

✅ 출력

NAME     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM   STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE
efs-pv   5Gi        RWX            Retain           Available           efs-sc         <unset>                          31s

Name:            efs-pv
Labels:          <none>
Annotations:     <none>
Finalizers:      [kubernetes.io/pv-protection]
StorageClass:    efs-sc
Status:          Available
Claim:           
Reclaim Policy:  Retain
Access Modes:    RWX
VolumeMode:      Filesystem
Capacity:        5Gi
Node Affinity:   <none>
Message:         
Source:
    Type:              CSI (a Container Storage Interface (CSI) volume source)
    Driver:            efs.csi.aws.com
    FSType:            
    VolumeHandle:      fs-0aeb6f8c0c228b9d2
    ReadOnly:          false
    VolumeAttributes:  <none>
Events:                <none>

• ACCESS MODES: RWX
• IP 기반 접근이므로 다수의 파드가 동시에 접근 가능

14. EFS PersistentVolumeClaim(PVC) 생성

(1) PVC 생성 및 적용

(eks-user:default) [root@operator-host specs]# cat claim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs-claim
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: efs-sc
  resources:
    requests:
      storage: 5Gi
      
(eks-user:default) [root@operator-host specs]# kubectl apply -f claim.yaml
# 결과
persistentvolumeclaim/efs-claim created

• efs-pv를 사용할 efs-claim PVC를 생성

(2) PVC 상태 확인

(eks-user:default) [root@operator-host specs]# kubectl get pvc

✅ 출력

NAME        STATUS   VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
efs-claim   Bound    efs-pv   5Gi        RWX            efs-sc         <unset>                 32s

• STATUS가 Bound이면 PV와 PVC가 정상적으로 연결됨
• ACCESS MODES가 RWX로 설정되어 여러 Pod에서 동시에 접근 가능

15. EFS 기반 다중 Pod 생성

(1) 다중 Pod 생성 및 적용

• 두 개의 Pod(app1, app2)를 생성하여 EFS 볼륨을 공유

(eks-user:default) [root@operator-host specs]# cat pod1.yaml pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app1
spec:
  containers:
  - name: app1
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    volumeMounts:
    - name: persistent-storage
      mountPath: /data
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: efs-claim
apiVersion: v1
kind: Pod
metadata:
  name: app2
spec:
  containers:
  - name: app2
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo $(date -u) >> /data/out2.txt; sleep 5; done"]
    volumeMounts:
    - name: persistent-storage
      mountPath: /data
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: efs-claim

(eks-user:default) [root@operator-host specs]# kubectl apply -f pod1.yaml,pod2.yaml

# 결과
pod/app1 created
pod/app2 created

(2) 다중 Pod 상태 확인

(eks-user:default) [root@operator-host specs]# kubectl get pods

✅ 출력

NAME   READY   STATUS    RESTARTS   AGE
app1   1/1     Running   0          57s
app2   1/1     Running   0          57s

16. Pod 내부에서 EFS 볼륨 크기 확인

(1) EFS 볼륨이 정상적으로 마운트되었는지 확인

• app1과 app2 Pod 내부에서 /data 디렉터리가 EFS 볼륨으로 정상 마운트되었는지 확인

(eks-user:default) [root@operator-host specs]# kubectl exec -ti app1 -- sh -c "df -hT -t nfs4"

# ✅ 출력
Filesystem           Type            Size      Used Available Use% Mounted on
127.0.0.1:/          nfs4            8.0E         0      8.0E   0% /data

(eks-user:default) [root@operator-host specs]# kubectl exec -ti app2 -- sh -c "df -hT -t nfs4"

# ✅ 출력
Filesystem           Type            Size      Used Available Use% Mounted on
127.0.0.1:/          nfs4            8.0E         0      8.0E   0% /data

(2) EFS 볼륨 크기 차이 분석

• kubectl get pv로 확인한 EFS의 설정된 용량은 5GiB
• 그러나 Pod 내부에서는 EFS 크기가 8.0E(엑사바이트)로 표시됨
• 이는 EFS가 블록 스토리지가 아닌 파일 시스템 기반으로 관리되며, 크기 제한 없이 자동 확장 가능하기 때문
• 즉, EFS는 논리적으로 무한한 크기로 인식되며, 실제 사용량에 따라 자동으로 증가

17. 다중 Pod에서 EFS 마운트 설정

• app1과 app2 Pod가 동일한 EFS 볼륨을 /data 경로에 마운트하도록 설정
• 각 Pod는 /data/out1.txt 및 /data/out2.txt 파일에 5초 간격으로 로그를 기록

(eks-user:default) [root@operator-host specs]# cat pod1.yaml pod2.yaml

✅ 출력

apiVersion: v1
kind: Pod
metadata:
  name: app1
spec:
  containers:
  - name: app1
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    volumeMounts:
    - name: persistent-storage
      mountPath: /data
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: efs-claim
      
apiVersion: v1
kind: Pod
metadata:
  name: app2
spec:
  containers:
  - name: app2
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo $(date -u) >> /data/out2.txt; sleep 5; done"]
    volumeMounts:
    - name: persistent-storage
      mountPath: /data
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: efs-claim

18. 운영서버에서 EFS 마운트 확인

(eks-user:default) [root@operator-host specs]# df -hT

✅ 출력

Filesystem      Type      Size  Used Avail Use% Mounted on
devtmpfs        devtmpfs  981M     0  981M   0% /dev
tmpfs           tmpfs     990M     0  990M   0% /dev/shm
tmpfs           tmpfs     990M  432K  989M   1% /run
tmpfs           tmpfs     990M     0  990M   0% /sys/fs/cgroup
/dev/xvda1      xfs        30G  3.2G   27G  11% /
192.168.1.145:/ nfs4      8.0E     0  8.0E   0% /mnt/myefs
tmpfs           tmpfs     198M     0  198M   0% /run/user/1000

• 운영서버에서도 동일한 EFS 볼륨을 /mnt/myefs에 마운트하여 공유 저장소로 활용 가능

19. 공유 저장소 내 파일 확인

(eks-user:default) [root@operator-host specs]# tree /mnt/myefs

✅ 출력

/mnt/myefs
├── memo.txt
├── out1.txt
└── out2.txt

0 directories, 3 files

• out1.txt와 out2.txt는 각각 app1과 app2가 생성한 파일
• 운영서버에서도 동일한 데이터를 확인 가능

20. EFS 공유 저장소 동작 확인

운영서버와 app1, app2에서 같은 파일을 조회

(1) 운영서버에서 파일 확인

(eks-user:default) [root@operator-host specs]# tail -f /mnt/myefs/out1.txt

✅ 출력

Tue Feb 18 14:02:30 UTC 2025
Tue Feb 18 14:02:35 UTC 2025
Tue Feb 18 14:02:40 UTC 2025
Tue Feb 18 14:02:45 UTC 2025
Tue Feb 18 14:02:50 UTC 2025
...

(2) Pod 내부에서 동일한 파일 확인

(eks-user:default) [root@operator-host specs]# kubectl exec -ti app1 -- tail -f /data/out1.txt

✅ 출력

Tue Feb 18 14:02:55 UTC 2025
Tue Feb 18 14:03:00 UTC 2025
Tue Feb 18 14:03:05 UTC 2025
Tue Feb 18 14:03:10 UTC 2025
Tue Feb 18 14:03:15 UTC 2025
...

• 운영서버와 Pod 간에 동일한 파일을 공유하며 실시간으로 데이터가 저장됨

21. EFS 마운트 해제 및 리소스 정리

(1) Pod 및 EFS 관련 리소스 삭제

(eks-user:default) [root@operator-host specs]# kubectl delete pod app1 app2
# 결과
pod "app1" deleted
pod "app2" deleted

(eks-user:default) [root@operator-host specs]# kubectl delete pvc efs-claim && kubectl delete pv efs-pv && kubectl delete sc efs-sc
# 결과
persistentvolumeclaim "efs-claim" deleted
persistentvolume "efs-pv" deleted
storageclass.storage.k8s.io "efs-sc" deleted

---

🔑 EFS AccessPoints를 활용한 동적 프로비저닝 배포

1. EFS AccessPoints 기반 StorageClass 생성

EFS AccessPoints를 활용하여 특정 디렉토리와 권한을 설정할 수 있는 StorageClass 생성

(eks-user:default) [root@operator-host specs]# curl -s -O https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/dynamic_provisioning/specs/storageclass.yaml
(eks-user:default) [root@operator-host specs]# cat storageclass.yaml

✅ 출력

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
parameters:
  provisioningMode: efs-ap
  fileSystemId: fs-92107410
  directoryPerms: "700"
  gidRangeStart: "1000" # optional
  gidRangeEnd: "2000" # optional
  basePath: "/dynamic_provisioning" # optional
  subPathPattern: "${.PVC.namespace}/${.PVC.name}" # optional
  ensureUniqueDirectory: "true" # optional
  reuseAccessPoint: "false" # optional

설정 항목

• fileSystemId: 사용 중인 EFS ID를 동적으로 적용
• basePath: 동적 생성될 디렉토리 경로 설정
• subPathPattern: PVC별 개별 디렉토리 할당

(eks-user:default) [root@operator-host specs]# sed -i "s/fs-92107410/$EfsFsId/g" storageclass.yaml
(eks-user:default) [root@operator-host specs]# kubectl apply -f storageclass.yaml

# 결과
storageclass.storage.k8s.io/efs-sc created

2. StorageClass 생성 확인

(eks-user:default) [root@operator-host specs]# kubectl get sc efs-sc

✅ 출력

NAME     PROVISIONER       RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
efs-sc   efs.csi.aws.com   Delete          Immediate           false                  5s

3. PVC 및 Pod 생성

(1) PVC 및 Pod 정의 파일 다운로드

(eks-user:default) [root@operator-host specs]# curl -s -O https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/dynamic_provisioning/specs/pod.yaml

(2) PVC 및 Pod 설정 내용 확인

(eks-user:default) [root@operator-host specs]# cat pod.yaml

✅ 출력

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs-claim
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: efs-sc
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: efs-app
spec:
  containers:
    - name: app
      image: centos
      command: ["/bin/sh"]
      args: ["-c", "while true; do echo $(date -u) >> /data/out; sleep 5; done"]
      volumeMounts:
        - name: persistent-storage
          mountPath: /data
  volumes:
    - name: persistent-storage
      persistentVolumeClaim:
        claimName: efs-claim

(3) PVC 및 Pod 생성

(eks-user:default) [root@operator-host specs]# kubectl apply -f pod.yaml

# 결과
persistentvolumeclaim/efs-claim created
pod/efs-app created

4. PVC, PV, Pod 상태 확인

(eks-user:default) [root@operator-host specs]# kubectl get pvc,pv,pod

✅ 출력

NAME                              STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
persistentvolumeclaim/efs-claim   Bound    pvc-4ea92c76-1bda-4425-b183-77f8c6ea11ef   5Gi        RWX            efs-sc         <unset>                 2s

NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM               STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE
persistentvolume/pvc-4ea92c76-1bda-4425-b183-77f8c6ea11ef   5Gi        RWX            Delete           Bound    default/efs-claim   efs-sc         <unset>                          2s

NAME          READY   STATUS              RESTARTS   AGE
pod/efs-app   0/1     ContainerCreating   0          2s

5. PVC, PV 생성 로그 확인

(eks-user:default) [root@operator-host specs]# kubectl krew install stern

✅ 출력

Updated the local copy of plugin index.
Installing plugin: stern
Installed plugin: stern
\
 | Use this plugin:
 | 	kubectl stern
 | Documentation:
 | 	https://github.com/stern/stern
/
WARNING: You installed plugin "stern" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.

EFS CSI 드라이버 로그 확인

kubectl stern -n kube-system -l app=efs-csi-controller -c csi-provisioner

6. Pod 내부에서 EFS 마운트 확인

(eks-user:default) [root@operator-host specs]# kubectl exec -it efs-app -- sh -c "df -hT -t nfs4"

✅ 출력

Filesystem     Type  Size  Used Avail Use% Mounted on
127.0.0.1:/    nfs4  8.0E     0  8.0E   0% /data

• EFS가 정상적으로 마운트됨
• 동적으로 크기 확장 가능

7. EFS AccessPoints를 통한 저장소 관리

• AccessPoints를 활용하여 환경별 저장소 분리 가능

8. 공유 저장소 내 데이터 확인

(eks-user:default) [root@operator-host specs]# tree /mnt/myefs

✅ 출력

/mnt/myefs
├── dynamic_provisioning
│   └── default
│       └── efs-claim-1a0017bc-6165-44fb-ac74-5d623fd39925
│           └── out
├── memo.txt
├── out1.txt
└── out2.txt

3 directories, 4 files

• PVC별 개별 디렉토리가 자동 생성됨
• 동적 볼륨 할당이 정상적으로 수행됨

9. 리소스 정리

(eks-user:default) [root@operator-host specs]# kubectl delete -f pod.yaml
persistentvolumeclaim "efs-claim" deleted
pod "efs-app" deleted

(eks-user:default) [root@operator-host specs]# kubectl delete -f storageclass.yaml
storageclass.storage.k8s.io "efs-sc" deleted

(eks-user:default) [root@operator-host specs]# cd $HOME

---

🏗️ EKS 인스턴스 스토어 기반 Persistent Volumes 및 NodeGroup 추가

1. 인스턴스 스토어(Instance Store)란?

• 물리 서버에 로컬 저장소를 제공하는 EC2 인스턴스의 저장소
• 인스턴스가 종료되면 데이터가 삭제될 가능성이 있음
• IO 성능이 뛰어나며 매우 빠른 속도로 동작

2. 인스턴스 스토어 지원 인스턴스 유형 및 용량 조회

aws ec2 describe-instance-types \
 --filters "Name=instance-type,Values=c5*" "Name=instance-storage-supported,Values=true" \
 --query "InstanceTypes[].[InstanceType, InstanceStorageInfo.TotalSizeInGB]" \
 --output table

✅ 출력

--------------------------
|  DescribeInstanceTypes |
+---------------+--------+
|  c5d.large    |  50    |
|  c5d.12xlarge |  1800  |
|  c5d.2xlarge  |  200   |
|  c5d.24xlarge |  3600  |
|  c5d.4xlarge  |  400   |
|  c5d.18xlarge |  1800  |
|  c5d.xlarge   |  100   |
|  c5d.metal    |  3600  |
|  c5d.9xlarge  |  900   |
+---------------+--------+

3. 서브넷 및 SSH 키페어 설정

• 노드 그룹이 배포될 서브넷 및 SSH 키페어 설정

export PubSubnet1=$(aws ec2 describe-subnets --filters Name=tag:Name,Values="$CLUSTER_NAME-Vpc1PublicSubnet1" --query "Subnets[0].[SubnetId]" --output text)
export PubSubnet2=$(aws ec2 describe-subnets --filters Name=tag:Name,Values="$CLUSTER_NAME-Vpc1PublicSubnet2" --query "Subnets[0].[SubnetId]" --output text)
export PubSubnet3=$(aws ec2 describe-subnets --filters Name=tag:Name,Values="$CLUSTER_NAME-Vpc1PublicSubnet3" --query "Subnets[0].[SubnetId]" --output text)
echo $PubSubnet1 $PubSubnet2 $PubSubnet3

SSHKEYNAME=kp-aews

4. 신규 NodeGroup 구성 파일 생성

cat << EOF > myng2.yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: myeks
  region: ap-northeast-2
  version: "1.31"

managedNodeGroups:
- amiFamily: AmazonLinux2
  desiredCapacity: 1
  instanceType: c5d.large
  labels:
    alpha.eksctl.io/cluster-name: myeks
    alpha.eksctl.io/nodegroup-name: ng2
    disk: instancestore
  maxPodsPerNode: 110
  maxSize: 1
  minSize: 1
  name: ng2
  ssh:
    allow: true
    publicKeyName: $SSHKEYNAME
  subnets:
  - $PubSubnet1
  - $PubSubnet2
  - $PubSubnet3
  tags:
    alpha.eksctl.io/nodegroup-name: ng2
    alpha.eksctl.io/nodegroup-type: managed
  volumeIOPS: 3000
  volumeSize: 30
  volumeThroughput: 125
  volumeType: gp3
  preBootstrapCommands:
    - |
      # Install Tools
      yum install nvme-cli links tree jq tcpdump sysstat -y

      # Filesystem & Mount
      mkfs -t xfs /dev/nvme1n1
      echo /dev/nvme1n1 /data xfs defaults,noatime 0 2 >> /etc/fstab
EOF

• 인스턴스 타입: c5d.large (50GB 인스턴스 스토어 제공)
• 디스크 마운트: /dev/nvme1n1 → /data
• 사전 설치 패키지: nvme-cli, jq, tree, tcpdump, sysstat
• 볼륨 크기 및 성능 설정: 30GB (gp3, 3000 IOPS, 125MB/s)

5. 신규 NodeGroup 배포

eksctl create nodegroup -f myng2.yaml

✅ 출력

2025-02-18 23:40:47 [ℹ]  nodegroup "ng2" will use "" [AmazonLinux2/1.31]
2025-02-18 23:40:47 [ℹ]  using EC2 key pair "kp-aews"
2025-02-18 23:40:48 [ℹ]  1 existing nodegroup(s) (ng1) will be excluded
2025-02-18 23:40:48 [ℹ]  1 nodegroup (ng2) was included (based on the include/exclude rules)
2025-02-18 23:40:48 [ℹ]  will create a CloudFormation stack for each of 1 managed nodegroups in cluster "myeks"
2025-02-18 23:40:49 [ℹ]  
2 sequential tasks: { fix cluster compatibility, 1 task: { 1 task: { create managed nodegroup "ng2" } } 
}
2025-02-18 23:40:49 [ℹ]  checking cluster stack for missing resources
2025-02-18 23:40:49 [ℹ]  cluster stack has all required resources
2025-02-18 23:40:49 [ℹ]  building managed nodegroup stack "eksctl-myeks-nodegroup-ng2"
2025-02-18 23:40:49 [ℹ]  deploying stack "eksctl-myeks-nodegroup-ng2"
2025-02-18 23:40:49 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-nodegroup-ng2"
2025-02-18 23:41:20 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-nodegroup-ng2"
2025-02-18 23:42:18 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-nodegroup-ng2"
2025-02-18 23:43:00 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-nodegroup-ng2"
2025-02-18 23:43:38 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-nodegroup-ng2"
2025-02-18 23:43:38 [ℹ]  no tasks
2025-02-18 23:43:38 [✔]  created 0 nodegroup(s) in cluster "myeks"
2025-02-18 23:43:38 [ℹ]  nodegroup "ng2" has 1 node(s)
2025-02-18 23:43:38 [ℹ]  node "ip-192-168-3-139.ap-northeast-2.compute.internal" is ready
2025-02-18 23:43:38 [ℹ]  waiting for at least 1 node(s) to become ready in "ng2"
2025-02-18 23:43:38 [ℹ]  nodegroup "ng2" has 1 node(s)
2025-02-18 23:43:38 [ℹ]  node "ip-192-168-3-139.ap-northeast-2.compute.internal" is ready
2025-02-18 23:43:38 [✔]  created 1 managed nodegroup(s) in cluster "myeks"
2025-02-18 23:43:38 [ℹ]  checking security group configuration for all nodegroups
2025-02-18 23:43:38 [ℹ]  all nodegroups have up-to-date cloudformation templates

6. 배포된 노드 확인

kubectl get node --label-columns=node.kubernetes.io/instance-type,eks.amazonaws.com/capacityType,topology.kubernetes.io/zone

✅ 출력

NAME                                               STATUS   ROLES    AGE     VERSION               INSTANCE-TYPE   CAPACITYTYPE   ZONE
ip-192-168-1-207.ap-northeast-2.compute.internal   Ready    <none>   11h     v1.31.5-eks-5d632ec   t3.medium       ON_DEMAND      ap-northeast-2a
ip-192-168-2-84.ap-northeast-2.compute.internal    Ready    <none>   11h     v1.31.5-eks-5d632ec   t3.medium       ON_DEMAND      ap-northeast-2b
ip-192-168-3-139.ap-northeast-2.compute.internal   Ready    <none>   2m59s   v1.31.5-eks-5d632ec   c5d.large       ON_DEMAND      ap-northeast-2c
ip-192-168-3-80.ap-northeast-2.compute.internal    Ready    <none>   11h     v1.31.5-eks-5d632ec   t3.medium       ON_DEMAND      ap-northeast-2c

• 노드 c5d.large가 정상적으로 추가됨

kubectl get node -l disk=instancestore

✅ 출력

NAME                                               STATUS   ROLES    AGE     VERSION
ip-192-168-3-139.ap-northeast-2.compute.internal   Ready    <none>   3m29s   v1.31.5-eks-5d632ec

• 인스턴스 스토어가 있는 노드 확인 완료

7. 보안 그룹 설정 (ng2-remoteAccess 포함)

export NG2SGID=$(aws ec2 describe-security-groups --filters "Name=group-name,Values=*ng2-remoteAccess*" --query 'SecurityGroups[*].GroupId' --output text)
aws ec2 authorize-security-group-ingress --group-id $NG2SGID --protocol '-1' --cidr $(curl -s ipinfo.io/ip)/32
aws ec2 authorize-security-group-ingress --group-id $NG2SGID --protocol '-1' --cidr 172.20.1.100/32

✅ 출력

{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-01263a4b3dd1797db",
            "GroupId": "sg-0e186958bfe3d2895",
            "GroupOwnerId": "378102432899",
            "IsEgress": false,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "182.230.60.93/32",
            "SecurityGroupRuleArn": "arn:aws:ec2:ap-northeast-2:378102432899:security-group-rule/sgr-01263a4b3dd1797db"
        }
    ]
}
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-004bfcccf4933bca4",
            "GroupId": "sg-0e186958bfe3d2895",
            "GroupOwnerId": "378102432899",
            "IsEgress": false,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "172.20.1.100/32",
            "SecurityGroupRuleArn": "arn:aws:ec2:ap-northeast-2:378102432899:security-group-rule/sgr-004bfcccf4933bca4"
        }
    ]
}

• 보안 그룹 규칙 추가 완료

8. SSH를 통한 워커 노드 접속

N4=3.34.90.173
ssh ec2-user@$N4 hostname

✅ 출력

The authenticity of host '3.34.90.173 (3.34.90.173)' can't be established.
ED25519 key fingerprint is SHA256:8982ohpoaUv/4ImQwqxA8Ye4HDQZbziZ+n7vcW++NKw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '3.34.90.173' (ED25519) to the list of known hosts.
ip-192-168-3-139.ap-northeast-2.compute.internal

• SSH 접속 확인

9. 인스턴스 스토어 디스크 확인

인스턴스에서 사용 가능한 NVMe 디스크 목록 조회

ssh ec2-user@$N4 sudo nvme list

✅ 출력

Node             SN                   Model                                    Namespace Usage                      Format           FW Rev  
---------------- -------------------- ---------------------------------------- --------- -------------------------- ---------------- --------
/dev/nvme0n1     vol0c28a9e99805af630 Amazon Elastic Block Store               1          32.21  GB /  32.21  GB    512   B +  0 B   1.0     
/dev/nvme1n1     AWS3E4B64A6880B81A2C Amazon EC2 NVMe Instance Storage         1          50.00  GB /  50.00  GB    512   B +  0 B   0

• EBS(30GB) 외에도 50GB 인스턴스 스토어 추가 확인됨

10. 인스턴스 스토어 마운트 확인

nvme1n1 디스크가 /data에 마운트되어 있는지 확인

ssh ec2-user@$N4 sudo lsblk -e 7 -d

✅ 출력

NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
nvme1n1 259:0    0 46.6G  0 disk /data
nvme0n1 259:1    0   30G  0 disk 

• 50GB 인스턴스 스토어 디스크가 /data에 마운트됨

ssh ec2-user@$N4 sudo df -hT -t xfs

✅ 출력

Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/nvme0n1p1 xfs    30G  3.7G   27G  13% /
/dev/nvme1n1   xfs    47G  365M   47G   1% /data

• 디스크가 XFS 파일 시스템으로 포맷되어 /data에 정상적으로 마운트됨

ssh ec2-user@$N4 sudo tree /data

✅ 출력

/data

0 directories, 0 files

• 데이터 디렉토리에 아무 파일도 없음

11. fstab 설정 확인 (부팅 시 자동 마운트 여부)

ssh ec2-user@$N4 sudo cat /etc/fstab

✅ 출력

UUID=1dfdfe0d-276a-4d52-8572-ceb3b011d9ea     /           xfs    defaults,noatime  1   1
/dev/nvme1n1 /data xfs defaults,noatime 0 2

• 재부팅 시 /data가 자동 마운트되도록 설정됨

12. 노드 리소스 확인

kubectl describe node -l disk=instancestore | grep Allocatable: -A7

✅ 출력

Allocatable:
  cpu:                1930m
  ephemeral-storage:  27905944324
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3097488Ki
  pods:               110
System Info:

• ephemeral-storage 및 pods 개수 확인 가능

13. Kubelet 파라미터 확인

ssh ec2-user@$N4 sudo ps -ef | grep kubelet

✅ 출력

root        3014       1  0 14:42 ?        00:00:07 /usr/bin/kubelet --config /etc/kubernetes/kubelet/kubelet-config.json --kubeconfig /var/lib/kubelet/kubeconfig --container-runtime-endpoint unix:///run/containerd/containerd.sock --image-credential-provider-config /etc/eks/image-credential-provider/config.json --image-credential-provider-bin-dir /etc/eks/image-credential-provider --node-ip=192.168.3.139 --pod-infra-container-image=602401143452.dkr.ecr.ap-northeast-2.amazonaws.com/eks/pause:3.5 --v=2 --hostname-override=ip-192-168-3-139.ap-northeast-2.compute.internal --cloud-provider=external --node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,alpha.eksctl.io/cluster-name=myeks,alpha.eksctl.io/nodegroup-name=ng2,disk=instancestore,eks.amazonaws.com/nodegroup-image=ami-0fa05db9e3c145f63,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=ng2,eks.amazonaws.com/sourceLaunchTemplateId=lt-0d2cf44115bd914f2 --max-pods=29 --max-pods=110
root        3602    3110  0 14:42 ?        00:00:00 /csi-node-driver-registrar --csi-address=/csi/csi.sock --kubelet-registration-path=/var/lib/kubelet/plugins/efs.csi.aws.com/csi.sock --v=2
root        4015    3921  0 14:42 ?        00:00:00 /bin/aws-ebs-csi-driver node --endpoint=unix:/csi/csi.sock --http-endpoint=0.0.0.0:3302 --csi-mount-point-prefix=/var/lib/kubelet/plugins/kubernetes.io/csi/ebs.csi.aws.com/ --volume-attach-limit=31 --logging-format=text --v=2
root        4063    3921  0 14:42 ?        00:00:00 /csi-node-driver-registrar --csi-address=/csi/csi.sock --kubelet-registration-path=/var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock --v=2

• --max-pods=110 값이 최종 적용됨

14. 기존 local-path 스토리지 클래스 삭제

k get sc

✅ 출력

NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2             kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  12h
gp3 (default)   ebs.csi.aws.com         Delete          WaitForFirstConsumer   true                   3h32m
local-path      rancher.io/local-path   Delete          WaitForFirstConsumer   false                  6h53m

kubectl delete -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.31/deploy/local-path-storage.yaml

# 결과
namespace "local-path-storage" deleted
serviceaccount "local-path-provisioner-service-account" deleted
role.rbac.authorization.k8s.io "local-path-provisioner-role" deleted
clusterrole.rbac.authorization.k8s.io "local-path-provisioner-role" deleted
rolebinding.rbac.authorization.k8s.io "local-path-provisioner-bind" deleted
clusterrolebinding.rbac.authorization.k8s.io "local-path-provisioner-bind" deleted
deployment.apps "local-path-provisioner" deleted
storageclass.storage.k8s.io "local-path" deleted
configmap "local-path-config" deleted

15. 새로운 local-path 스토리지 클래스 배포

curl -sL https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.31/deploy/local-path-storage.yaml | sed 's/opt/data/g' | kubectl apply -f -

# 결과
namespace/local-path-storage created
serviceaccount/local-path-provisioner-service-account created
role.rbac.authorization.k8s.io/local-path-provisioner-role created
clusterrole.rbac.authorization.k8s.io/local-path-provisioner-role created
rolebinding.rbac.authorization.k8s.io/local-path-provisioner-bind created
clusterrolebinding.rbac.authorization.k8s.io/local-path-provisioner-bind created
deployment.apps/local-path-provisioner created
storageclass.storage.k8s.io/local-path created
configmap/local-path-config created

16. local-path 설정 확인

kubectl describe cm -n local-path-storage local-path-config

✅ 출력

Name:         local-path-config
Namespace:    local-path-storage
Labels:       <none>
Annotations:  <none>

Data
====
config.json:
----
{
        "nodePathMap":[
        {
                "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
                "paths":["/data/local-path-provisioner"]
        }
        ]
}

helperPod.yaml:
----
apiVersion: v1
kind: Pod
metadata:
  name: helper-pod
spec:
  priorityClassName: system-node-critical
  tolerations:
    - key: node.kubernetes.io/disk-pressure
      operator: Exists
      effect: NoSchedule
  containers:
  - name: helper-pod
    image: busybox
    imagePullPolicy: IfNotPresent

setup:
----
#!/bin/sh
set -eu
mkdir -m 0777 -p "$VOL_DIR"

teardown:
----
#!/bin/sh
set -eu
rm -rf "$VOL_DIR"

BinaryData
====

Events:  <none>

• 로컬 스토리지의 마운트 경로 /data/local-path-provisioner로 변경됨

17. 인스턴스 접속

ssh ec2-user@$N4
Last login: Tue Feb 18 15:07:08 2025 from 182.230.60.93
   ,     #_
   ~\_  ####_        Amazon Linux 2
  ~~  \_#####\
  ~~     \###|       AL2 End of Life is 2026-06-30.
  ~~       \#/ ___
   ~~       V~' '->
    ~~~         /    A newer version of Amazon Linux is available!
      ~~._.   _/
         _/ _/       Amazon Linux 2023, GA and supported until 2028-03-15.
       _/m/'           https://aws.amazon.com/linux/amazon-linux-2023/

[ec2-user@ip-192-168-3-139 ~]$ 

18. 디스크 성능 모니터링 (IOPS 확인)

[ec2-user@ip-192-168-3-139 ~]$ iostat -xmdz 1 -p nvme1n1

✅ 출력

Linux 5.10.233-224.894.amzn2.x86_64 (ip-192-168-3-139.ap-northeast-2.compute.internal) 	02/18/2025 	_x86_64_	(2 CPU)

Device:         rrqm/s   wrqm/s     r/s     w/s    rMB/s    wMB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util
nvme1n1           0.00     0.00    0.19    0.16     0.00     0.02   118.97     0.00    0.23    0.08    0.41   0.28   0.01

Device:         rrqm/s   wrqm/s     r/s     w/s    rMB/s    wMB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util

Device:         rrqm/s   wrqm/s     r/s     w/s    rMB/s    wMB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util

• nvme1n1 디스크의 입출력(IO) 속도를 실시간으로 확인 가능

19. FIO 테스트로 IOPS 성능 측정

(eks-user:default) [root@operator-host ~]# kubestr fio -f fio-read.fio -s local-path --size 10G --nodeselector disk=instancestore

• FIO 벤치마크 테스트가 진행됨

✅ 출력

PVC created kubestr-fio-pvc-cvqpl
Pod created kubestr-fio-pod-xzw7g
Running FIO test (fio-read.fio) on StorageClass (local-path) with a PVC of Size (10G)
Elapsed time- 3m42.67154584s
FIO test results:
  
FIO version - fio-3.36
Global options - ioengine=libaio verify= direct=1 gtod_reduce=

JobName: 
  blocksize= filesize= iodepth= rw=
read:
  IOPS=20308.564453 BW(KiB/s)=81234
  iops: min=15898 max=93734 avg=20316.953125
  bw(KiB/s): min=63592 max=374940 avg=81267.796875

Disk stats (read/write):
  nvme1n1: ios=2433492/10 merge=0/3 ticks=7648125/15 in_queue=7648141, util=99.949951%
  -  OK

• IOPS가 기존 대비 7배 증가 (IOPS=20308.564453), 평균 대역폭 81MB/s 달성

19. 배포 리소스 정리 및 삭제

# local-path 스토리지 클래스 삭제
kubectl delete -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.31/deploy/local-path-storage.yaml
namespace "local-path-storage" deleted
serviceaccount "local-path-provisioner-service-account" deleted
role.rbac.authorization.k8s.io "local-path-provisioner-role" deleted
clusterrole.rbac.authorization.k8s.io "local-path-provisioner-role" deleted
rolebinding.rbac.authorization.k8s.io "local-path-provisioner-bind" deleted
clusterrolebinding.rbac.authorization.k8s.io "local-path-provisioner-bind" deleted
deployment.apps "local-path-provisioner" deleted
storageclass.storage.k8s.io "local-path" deleted
configmap "local-path-config" deleted

# ng2 노드그룹 삭제
eksctl delete nodegroup -c $CLUSTER_NAME -n ng2
2025-02-19 00:18:37 [ℹ]  1 nodegroup (ng2) was included (based on the include/exclude rules)
2025-02-19 00:18:37 [ℹ]  will drain 1 nodegroup(s) in cluster "myeks"
2025-02-19 00:18:37 [ℹ]  starting parallel draining, max in-flight of 1
2025-02-19 00:18:37 [ℹ]  cordon node "ip-192-168-3-139.ap-northeast-2.compute.internal"
2025-02-19 00:18:37 [✔]  drained all nodes: [ip-192-168-3-139.ap-northeast-2.compute.internal]
2025-02-19 00:18:37 [ℹ]  will delete 1 nodegroups from cluster "myeks"
2025-02-19 00:18:38 [ℹ]  1 task: { 1 task: { delete nodegroup "ng2" [async] } }
2025-02-19 00:18:38 [ℹ]  will delete stack "eksctl-myeks-nodegroup-ng2"
2025-02-19 00:18:38 [✔]  deleted 1 nodegroup(s) from cluster "myeks"

---

🔄 멀티플랫폼 컨테이너 빌드 및 ECR 배포

1. 노드 그룹 및 CPU 아키텍처 확인

(eks-user:default) [root@operator-host ~]# arch
# 결과
x86_64

다른 아키텍처(ARM, RISC-V) 기반 컨테이너 실행 시 오류 발생

(eks-user:default) [root@operator-host ~]# docker run --rm -it riscv64/ubuntu bash
# 결과
Unable to find image 'riscv64/ubuntu:latest' locally
latest: Pulling from riscv64/ubuntu
docker: no matching manifest for linux/amd64 in the manifest list entries.
See 'docker run --help'.

(eks-user:default) [root@operator-host ~]# docker run --rm -it arm64v8/ubuntu bash
# 결과
Unable to find image 'arm64v8/ubuntu:latest' locally
latest: Pulling from arm64v8/ubuntu
docker: no matching manifest for linux/amd64 in the manifest list entries.
See 'docker run --help'

• CPU 아키텍처가 다를 경우 기본적으로 실행 불가능

2. 멀티플랫폼 컨테이너 빌드 환경 구축

(1) buildx 빌더 상태 확인

(eks-user:default) [root@operator-host ~]# docker buildx ls

✅ 출력

NAME/NODE DRIVER/ENDPOINT STATUS  BUILDKIT PLATFORMS
default * docker                           
  default default         running v0.12.5  linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386

• 기본적으로 amd64 플랫폼만 지원됨

(2) QEMU를 사용하여 다른 아키텍처 지원 활성화

(eks-user:default) [root@operator-host ~]# docker run --rm --privileged multiarch/qemu-user-static --reset -p yes

✅ 출력

Unable to find image 'multiarch/qemu-user-static:latest' locally
latest: Pulling from multiarch/qemu-user-static
205dae5015e7: Pull complete 
816739e52091: Pull complete 
30abb83a18eb: Pull complete 
0657daef200b: Pull complete 
30c9c93f40b9: Pull complete 
Digest: sha256:fe60359c92e86a43cc87b3d906006245f77bfc0565676b80004cc666e4feb9f0
Status: Downloaded newer image for multiarch/qemu-user-static:latest
Setting /usr/bin/qemu-alpha-static as binfmt interpreter for alpha
Setting /usr/bin/qemu-arm-static as binfmt interpreter for arm
Setting /usr/bin/qemu-armeb-static as binfmt interpreter for armeb
Setting /usr/bin/qemu-sparc-static as binfmt interpreter for sparc
Setting /usr/bin/qemu-sparc32plus-static as binfmt interpreter for sparc32plus
Setting /usr/bin/qemu-sparc64-static as binfmt interpreter for sparc64
Setting /usr/bin/qemu-ppc-static as binfmt interpreter for ppc
Setting /usr/bin/qemu-ppc64-static as binfmt interpreter for ppc64
Setting /usr/bin/qemu-ppc64le-static as binfmt interpreter for ppc64le
Setting /usr/bin/qemu-m68k-static as binfmt interpreter for m68k
Setting /usr/bin/qemu-mips-static as binfmt interpreter for mips
Setting /usr/bin/qemu-mipsel-static as binfmt interpreter for mipsel
Setting /usr/bin/qemu-mipsn32-static as binfmt interpreter for mipsn32
Setting /usr/bin/qemu-mipsn32el-static as binfmt interpreter for mipsn32el
Setting /usr/bin/qemu-mips64-static as binfmt interpreter for mips64
Setting /usr/bin/qemu-mips64el-static as binfmt interpreter for mips64el
Setting /usr/bin/qemu-sh4-static as binfmt interpreter for sh4
Setting /usr/bin/qemu-sh4eb-static as binfmt interpreter for sh4eb
Setting /usr/bin/qemu-s390x-static as binfmt interpreter for s390x
Setting /usr/bin/qemu-aarch64-static as binfmt interpreter for aarch64
Setting /usr/bin/qemu-aarch64_be-static as binfmt interpreter for aarch64_be
Setting /usr/bin/qemu-hppa-static as binfmt interpreter for hppa
Setting /usr/bin/qemu-riscv32-static as binfmt interpreter for riscv32
Setting /usr/bin/qemu-riscv64-static as binfmt interpreter for riscv64
Setting /usr/bin/qemu-xtensa-static as binfmt interpreter for xtensa
Setting /usr/bin/qemu-xtensaeb-static as binfmt interpreter for xtensaeb
Setting /usr/bin/qemu-microblaze-static as binfmt interpreter for microblaze
Setting /usr/bin/qemu-microblazeel-static as binfmt interpreter for microblazeel
Setting /usr/bin/qemu-or1k-static as binfmt interpreter for or1k
Setting /usr/bin/qemu-hexagon-static as binfmt interpreter for hexagon

• QEMU를 통해 다양한 아키텍처 지원 추가됨

(3) QEMU 설치 확인

(eks-user:default) [root@operator-host ~]# docker images

✅ 출력

REPOSITORY                   TAG       IMAGE ID       CREATED       SIZE
multiarch/qemu-user-static   latest    3539aaa87393   2 years ago   305MB

3. 빌드 환경 생성 및 확인

(1) buildx 빌더 생성

(eks-user:default) [root@operator-host ~]# docker buildx create --use --name mybuilder
# 결과
mybuilder

(2) buildx 빌더 목록 확인

(eks-user:default) [root@operator-host ~]# docker buildx ls

✅ 출력

NAME/NODE    DRIVER/ENDPOINT             STATUS   BUILDKIT PLATFORMS
mybuilder *  docker-container                              
  mybuilder0 unix:///var/run/docker.sock inactive          
default      docker                                        
  default    default                     running  v0.12.5  linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386, linux/arm64, linux/riscv64, linux/ppc64, linux/ppc64le, linux/s390x, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6

• 멀티플랫폼 빌드 환경이 활성화됨

(3) buildx 빌더 부트스트랩 실행

(eks-user:default) [root@operator-host ~]# docker buildx inspect --bootstrap

✅ 출력

[+] Building 8.6s (1/1) FINISHED                                                                                                                  
 => [internal] booting buildkit                                                                                                              8.6s
 => => pulling image moby/buildkit:buildx-stable-1                                                                                           7.9s
 => => creating container buildx_buildkit_mybuilder0                                                                                         0.7s
Name:          mybuilder
Driver:        docker-container
Last Activity: 2025-02-18 15:33:47 +0000 UTC

Nodes:
Name:      mybuilder0
Endpoint:  unix:///var/run/docker.sock
Status:    running
Buildkit:  v0.19.0
Platforms: linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.hostname:         9dd2e75695e3
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
 org.mobyproject.buildkit.worker.snapshotter:      overlayfs
GC Policy rule#0:
 All:           false
 Filters:       type==source.local,type==exec.cachemount,type==source.git.checkout
 Keep Duration: 48h0m0s
GC Policy rule#1:
 All:           false
 Keep Duration: 1440h0m0s
 Keep Bytes:    2.794GiB
GC Policy rule#2:
 All:        false
 Keep Bytes: 2.794GiB
GC Policy rule#3:
 All:        true
 Keep Bytes: 2.794GiB

• 이제 여러 아키텍처의 컨테이너 빌드 가능

(4) buildx 빌더 목록 확인

(eks-user:default) [root@operator-host ~]# docker buildx ls

✅ 출력

NAME/NODE    DRIVER/ENDPOINT             STATUS  BUILDKIT PLATFORMS
mybuilder *  docker-container                             
  mybuilder0 unix:///var/run/docker.sock running v0.19.0  linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6
default      docker                                       
  default    default                     running v0.12.5  linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386, linux/arm64, linux/riscv64, linux/ppc64, linux/ppc64le, linux/s390x, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6

• linux/amd64, linux/arm64, linux/riscv64 등 다중 플랫폼 지원 확인 가능

(5) buildx 실행 확인

(eks-user:default) [root@operator-host ~]# docker ps

✅ 출력

CONTAINER ID   IMAGE                           COMMAND       CREATED          STATUS          PORTS     NAMES
9dd2e75695e3   moby/buildkit:buildx-stable-1   "buildkitd"   58 seconds ago   Up 57 seconds             buildx_buildkit_mybuilder0

• moby/buildkit 컨테이너가 실행되며 멀티플랫폼 빌드 가능

4. 샘플 컨테이너 애플리케이션 생성

(1) 프로젝트 디렉토리 생성

(eks-user:default) [root@operator-host ~]# mkdir myweb && cd myweb

(2) server.py 작성

(eks-user:default) [root@operator-host myweb]# cat > server.py <<EOF
> from http.server import ThreadingHTTPServer, BaseHTTPRequestHandler
> from datetime import datetime
> import socket
> 
> class RequestHandler(BaseHTTPRequestHandler):
>     def do_GET(self):
>         self.send_response(200)
>         self.send_header('Content-type', 'text/plain')
>         self.end_headers()
>         
>         now = datetime.now()
>         hostname = socket.gethostname()
>         response_string = now.strftime("The time is %-I:%M:%S %p, VERSION 0.0.1\n")
>         response_string += f"Server hostname: {hostname}\n"
>         self.wfile.write(bytes(response_string, "utf-8")) 
> 
> def startServer():
>     try:
>         server = ThreadingHTTPServer(('', 80), RequestHandler)
>         print("Listening on " + ":".join(map(str, server.server_address)))
>         server.serve_forever()
>     except KeyboardInterrupt:
>         server.shutdown()
> 
> if __name__ == "__main__":
>     startServer()
> EOF

(3) Dockerfile 작성

(eks-user:default) [root@operator-host myweb]# cat > Dockerfile <<EOF
> FROM python:3.12
> ENV PYTHONUNBUFFERED 1
> COPY . /app
> WORKDIR /app 
> CMD python3 server.py
> EOF

5. 단일 플랫폼 컨테이너 빌드 및 실행

(1) Python 3.12 기반 컨테이너 이미지 다운로드

(eks-user:default) [root@operator-host myweb]# docker pull python:3.12

# 결과
3.12: Pulling from library/python
a492eee5e559: Pull complete 
32b550be6cb6: Pull complete 
35af2a7690f2: Pull complete 
7576b00d9bb1: Pull complete 
07612085660d: Pull complete 
60fd44efca0f: Pull complete 
4a12975a6131: Pull complete 
Digest: sha256:f61c61fb2a8967599fb0874746c93530c3d2a4583478528eda06584abc736ea0
Status: Downloaded newer image for python:3.12
docker.io/library/python:3.12

(2) Python 3.12 기반 컨테이너 빌드

(eks-user:default) [root@operator-host myweb]# docker build -t myweb:1 -t myweb:latest .

# 결과
[+] Building 0.3s (8/8) FINISHED                                                                                                   docker:default
 => [internal] load build definition from Dockerfile                                                                                         0.0s
 => => transferring dockerfile: 125B                                                                                                         0.0s
 => [internal] load metadata for docker.io/library/python:3.12                                                                               0.0s
 => [internal] load .dockerignore                                                                                                            0.0s
 => => transferring context: 2B                                                                                                              0.0s
 => [internal] load build context                                                                                                            0.0s
 => => transferring context: 1.04kB                                                                                                          0.0s
 => [1/3] FROM docker.io/library/python:3.12                                                                                                 0.1s
 => [2/3] COPY . /app                                                                                                                        0.2s
 => [3/3] WORKDIR /app                                                                                                                       0.0s
 => exporting to image                                                                                                                       0.0s
 => => exporting layers                                                                                                                      0.0s
 => => writing image sha256:e8e1bb0cc5209d01fa642497dc930b06db1e6317d3eacc9b94c40033b7436efd                                                 0.0s
 => => naming to docker.io/library/myweb:1                                                                                                   0.0s
 => => naming to docker.io/library/myweb:latest                                                                                              0.0s

• myweb:1 및 myweb:latest 태그로 컨테이너 이미지 빌드 완료

6. 컨테이너 이미지 확인

(eks-user:default) [root@operator-host myweb]# docker images

✅ 출력

REPOSITORY                   TAG               IMAGE ID       CREATED          SIZE
myweb                        1                 e8e1bb0cc520   27 seconds ago   1.02GB
myweb                        latest            e8e1bb0cc520   27 seconds ago   1.02GB
python                       3.12              149b9784258f   13 days ago      1.02GB
moby/buildkit                buildx-stable-1   23b5a9d195cf   4 weeks ago      208MB
multiarch/qemu-user-static   latest            3539aaa87393   2 years ago      305MB

• 빌드된 myweb:1 컨테이너 이미지 확인

7. 컨테이너 실행 및 서비스 확인

(eks-user:default) [root@operator-host myweb]# docker run -d -p 8080:80 --name=timeserver myweb

# 결과
2651f49a0fe29182098c0c6e185ee81e63816f1ddf034fa2f32cc58383f7badb

• timeserver 컨테이너 실행
• 8080 포트로 HTTP 요청을 받을 수 있음

(eks-user:default) [root@operator-host myweb]# curl http://localhost:8080

✅ 출력

The time is 3:51:20 PM, VERSION 0.0.1
Server hostname: 2651f49a0fe2

• 현재 시간과 컨테이너 호스트명을 반환하는 간단한 웹 서버 동작 확인

8. 컨테이너 정리

(eks-user:default) [root@operator-host myweb]# docker rm -f timeserver

# 결과
timeserver

9. Docker Hub 로그인

(eks-user:default) [root@operator-host myweb]# docker login
Log in with your Docker ID or email address to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com/ to create one.
You can log in with your password or a Personal Access Token (PAT). Using a limited-scope PAT grants better security and is required for organizations using SSO. Learn more at https://docs.docker.com/go/access-tokens/

Username: shinminjin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

10. Docker 사용자명 변수 설정

(eks-user:default) [root@operator-host myweb]# DOCKERNAME=shinminjin

11. 다중 아키텍처 컨테이너 빌드 및 푸시

(eks-user:default) [root@operator-host myweb]# docker buildx build --platform linux/amd64,linux/arm64 --push --tag $DOCKERNAME/myweb:multi .

✅ 출력

[+] Building 106.5s (14/14) FINISHED                                                                                   docker-container:mybuilder
 => [internal] load build definition from Dockerfile                                                                                         0.0s
 => => transferring dockerfile: 125B                                                                                                         0.0s
 => [linux/arm64 internal] load metadata for docker.io/library/python:3.12                                                                   2.6s
 => [linux/amd64 internal] load metadata for docker.io/library/python:3.12                                                                   2.5s
 => [auth] library/python:pull token for registry-1.docker.io                                                                                0.0s
 => [internal] load .dockerignore                                                                                                            0.0s
 => => transferring context: 2B                                                                                                              0.0s
 => [linux/amd64 1/3] FROM docker.io/library/python:3.12@sha256:f61c61fb2a8967599fb0874746c93530c3d2a4583478528eda06584abc736ea0            36.9s
 => => resolve docker.io/library/python:3.12@sha256:f61c61fb2a8967599fb0874746c93530c3d2a4583478528eda06584abc736ea0                         0.0s
 => => sha256:4a12975a6131fb8b18f6c80441a8533d18ec06d744cd9dd26431ae147a1b7552 248B / 248B                                                   0.5s
 => => sha256:60fd44efca0fdc711987188c7b289674aea93ed94d2beff8a1e4d92a8e1fbe7f 25.66MB / 25.66MB                                             1.1s
 => => sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 211.33MB / 211.33MB                                           5.7s
 => => sha256:07612085660d86eae935f91c31ea91065995815b395c798b5c0f8df260c7e2a8 6.16MB / 6.16MB                                               0.7s
 => => sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 64.39MB / 64.39MB                                             2.6s
 => => sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 24.06MB / 24.06MB                                             1.7s
 => => sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 48.48MB / 48.48MB                                             1.9s
 => => extracting sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde                                                    4.3s
 => => extracting sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108                                                    1.5s
 => => extracting sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772                                                    5.4s
 => => extracting sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7                                                   15.7s
 => => extracting sha256:07612085660d86eae935f91c31ea91065995815b395c798b5c0f8df260c7e2a8                                                    0.6s
 => => extracting sha256:60fd44efca0fdc711987188c7b289674aea93ed94d2beff8a1e4d92a8e1fbe7f                                                    1.6s
 => => extracting sha256:4a12975a6131fb8b18f6c80441a8533d18ec06d744cd9dd26431ae147a1b7552                                                    0.0s
 => [linux/arm64 1/3] FROM docker.io/library/python:3.12@sha256:f61c61fb2a8967599fb0874746c93530c3d2a4583478528eda06584abc736ea0            36.1s
 => => resolve docker.io/library/python:3.12@sha256:f61c61fb2a8967599fb0874746c93530c3d2a4583478528eda06584abc736ea0                         0.0s
 => => sha256:305935ae2ee22ec786106269d7da84b1df25782c691db84256ebce68190e1c79 250B / 250B                                                   0.5s
 => => sha256:d708adbcc8ee3a9b1354ffe945eb8875d5e843a6aceb8397559caf8ef2ffd214 24.91MB / 24.91MB                                             1.1s
 => => sha256:7d49e4574da2d8f2419ffdbd2cfc65c6be873a05dab52159fb02b63d8be816fe 6.24MB / 6.24MB                                               1.0s
 => => sha256:9611c2b713640ce0f9156445b244c4da5e621183b56c0901d97a8b6d54ce10d7 202.72MB / 202.72MB                                           6.2s
 => => sha256:c9d3572a68af0b860060b7ea84adfa8406fa20cfd1337c947dfb661aa965eee7 64.36MB / 64.36MB                                             2.8s
 => => sha256:193c44006e77abbadfdd7be72b4ab6d7a5c08640ef575970f722b798ee7800ac 23.60MB / 23.60MB                                             1.3s
 => => sha256:106abeaee908db66722312b3379ae398e2bcc5b2fdad0cc248509efa14a819ff 48.31MB / 48.31MB                                             2.2s
 => => extracting sha256:106abeaee908db66722312b3379ae398e2bcc5b2fdad0cc248509efa14a819ff                                                    8.1s
 => => extracting sha256:193c44006e77abbadfdd7be72b4ab6d7a5c08640ef575970f722b798ee7800ac                                                    1.6s
 => => extracting sha256:c9d3572a68af0b860060b7ea84adfa8406fa20cfd1337c947dfb661aa965eee7                                                    5.4s
 => => extracting sha256:9611c2b713640ce0f9156445b244c4da5e621183b56c0901d97a8b6d54ce10d7                                                   14.6s
 => => extracting sha256:7d49e4574da2d8f2419ffdbd2cfc65c6be873a05dab52159fb02b63d8be816fe                                                    0.6s
 => => extracting sha256:d708adbcc8ee3a9b1354ffe945eb8875d5e843a6aceb8397559caf8ef2ffd214                                                    2.2s
 => => extracting sha256:305935ae2ee22ec786106269d7da84b1df25782c691db84256ebce68190e1c79                                                    0.0s
 => [internal] load build context                                                                                                            0.0s
 => => transferring context: 1.04kB                                                                                                          0.0s
 => [linux/arm64 2/3] COPY . /app                                                                                                            0.2s
 => [linux/arm64 3/3] WORKDIR /app                                                                                                           0.0s
 => [linux/amd64 2/3] COPY . /app                                                                                                            0.1s
 => [linux/amd64 3/3] WORKDIR /app                                                                                                           0.0s
 => exporting to image                                                                                                                      66.8s
 => => exporting layers                                                                                                                      0.1s
 => => exporting manifest sha256:b73a3a9ae85ac83166587bc398a9cda723b1296cd200e7bf61a2f8fdc03f22d6                                            0.0s
 => => exporting config sha256:2e766855d2c0dc9c8a005866ec139d251b4f3cabd38586fff3fa9df874b1b14f                                              0.0s
 => => exporting attestation manifest sha256:be4b65e573ddbae236084237c32bb3e61598865f2378464082b008a268349bd7                                0.0s
 => => exporting manifest sha256:5d18951aa10d7db756c39875c1360499c3a6643a097f9ea81ed8fdc7479c9b49                                            0.0s
 => => exporting config sha256:c319f11eb4c8a52e492b75bd068715a6703f6d0afcf6d6240dbed9c0ad1011e8                                              0.0s
 => => exporting attestation manifest sha256:eaa3e8e820eb8ee42165d8d674562cc887cdf8b0e9ba7d26d24e05bde231ce07                                0.0s
 => => exporting manifest list sha256:1c6d6bc4f4383a11c8d033222ba28e68073abd45e0de31272d0b94020916ee56                                       0.0s
 => => pushing layers                                                                                                                       62.4s
 => => pushing manifest for docker.io/shinminjin/myweb:multi@sha256:1c6d6bc4f4383a11c8d033222ba28e68073abd45e0de31272d0b94020916ee56         4.2s
 => [auth] shinminjin/myweb:pull,push token for registry-1.docker.io                                                                         0.0s

 2 warnings found (use --debug to expand):
 - LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 2)
 - JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals (line 5)

• linux/amd64, linux/arm64 아키텍처를 지원하는 컨테이너 이미지 빌드
• 빌드된 이미지를 Docker Hub로 푸시

12. 빌드된 컨테이너 아키텍처 확인

• Docker Hub에 푸시된 컨테이너 이미지의 OS 및 아키텍처 확인 가능
• ✅ 운영 체제(OS): linux
• ✅ 지원 아키텍처(Architecture): amd64, arm64

• 다중 플랫폼 지원으로 운영 효율성 증가

(eks-user:default) [root@operator-host myweb]# docker manifest inspect $DOCKERNAME/myweb:multi | jq

✅ 출력

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 2010,
      "digest": "sha256:b73a3a9ae85ac83166587bc398a9cda723b1296cd200e7bf61a2f8fdc03f22d6",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 2010,
      "digest": "sha256:5d18951aa10d7db756c39875c1360499c3a6643a097f9ea81ed8fdc7479c9b49",
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 566,
      "digest": "sha256:be4b65e573ddbae236084237c32bb3e61598865f2378464082b008a268349bd7",
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 566,
      "digest": "sha256:eaa3e8e820eb8ee42165d8d674562cc887cdf8b0e9ba7d26d24e05bde231ce07",
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    }
  ]
}

• 컨테이너 이미지가 amd64, arm64 아키텍처를 모두 지원하는지 확인 가능

13. 컨테이너 삭제

docker rm -f timeserver

---

🏢 AWS ECR 프라이빗 저장소 사용하기

1. AWS ECR 로그인 및 인증 설정

(1) AWS 계정 ID를 환경 변수에 저장

(eks-user:default) [root@operator-host myweb]# export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text

(2) ECR에 Docker 인증 정보 설정

(eks-user:default) [root@operator-host myweb]# aws ecr get-login-password \
> --region ap-northeast-2 | docker login \
> --username AWS \
> --password-stdin ${ACCOUNT_ID}.dkr.ecr.ap-northeast-2.amazonaws.com

✅ 출력

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

2. ECR 인증 정보 확인

(eks-user:default) [root@operator-host myweb]# cat /root/.docker/config.json | jq

✅ 출력

{
  "auths": {
    "378102432899.dkr.ecr.ap-northeast-2.amazonaws.com": {
      "auth": "xxxxxxxxxxxxxxxxxx"
    },
    "https://index.docker.io/v1/": {
      "auth": "xxxxxxxxxxxxxxxxxx"
    }
  }
}

• auths 항목에 ECR 저장소 URL이 포함되어 있는지 확인

3. ECR 프라이빗 저장소 생성

• 새로운 컨테이너 이미지 저장소를 AWS ECR에서 생성

(eks-user:default) [root@operator-host myweb]# aws ecr create-repository --repository-name myweb

✅ 출력

{
    "repository": {
        "repositoryArn": "arn:aws:ecr:ap-northeast-2:378102432899:repository/myweb",
        "registryId": "378102432899",
        "repositoryName": "myweb",
        "repositoryUri": "378102432899.dkr.ecr.ap-northeast-2.amazonaws.com/myweb",
        "createdAt": "2025-02-19T01:17:53.137000+09:00",
        "imageTagMutability": "MUTABLE",
        "imageScanningConfiguration": {
            "scanOnPush": false
        },
        "encryptionConfiguration": {
            "encryptionType": "AES256"
        }
    }
}

4. 다중 아키텍처 컨테이너 빌드 및 ECR 푸시

• linux/amd64, linux/arm64 아키텍처 지원 컨테이너 빌드
• 빌드된 이미지를 AWS ECR로 바로 푸시

(eks-user:default) [root@operator-host myweb]# docker buildx build --platform linux/amd64,linux/arm64 --push --tag ${ACCOUNT_ID}.dkr.ecr.ap-northeast-2.amazonaws.com/myweb:multi .

✅ 출력

[+] Building 13.3s (14/14) FINISHED                                                                                    docker-container:mybuilder
 => [internal] load build definition from Dockerfile                                                                                         0.0s
 => => transferring dockerfile: 125B                                                                                                         0.0s
 => [linux/arm64 internal] load metadata for docker.io/library/python:3.12                                                                   1.4s
 => [linux/amd64 internal] load metadata for docker.io/library/python:3.12                                                                   1.4s
 => [auth] library/python:pull token for registry-1.docker.io                                                                                0.0s
 => [internal] load .dockerignore                                                                                                            0.0s
 => => transferring context: 2B                                                                                                              0.0s
 => [linux/amd64 1/3] FROM docker.io/library/python:3.12@sha256:f61c61fb2a8967599fb0874746c93530c3d2a4583478528eda06584abc736ea0             0.0s
 => => resolve docker.io/library/python:3.12@sha256:f61c61fb2a8967599fb0874746c93530c3d2a4583478528eda06584abc736ea0                         0.0s
 => [linux/arm64 1/3] FROM docker.io/library/python:3.12@sha256:f61c61fb2a8967599fb0874746c93530c3d2a4583478528eda06584abc736ea0             0.0s
 => => resolve docker.io/library/python:3.12@sha256:f61c61fb2a8967599fb0874746c93530c3d2a4583478528eda06584abc736ea0                         0.0s
 => [internal] load build context                                                                                                            0.0s
 => => transferring context: 60B                                                                                                             0.0s
 => CACHED [linux/arm64 2/3] COPY . /app                                                                                                     0.0s
 => CACHED [linux/arm64 3/3] WORKDIR /app                                                                                                    0.0s
 => CACHED [linux/amd64 2/3] COPY . /app                                                                                                     0.0s
 => CACHED [linux/amd64 3/3] WORKDIR /app                                                                                                    0.0s
 => exporting to image                                                                                                                      11.8s
 => => exporting layers                                                                                                                      0.0s
 => => exporting manifest sha256:b73a3a9ae85ac83166587bc398a9cda723b1296cd200e7bf61a2f8fdc03f22d6                                            0.0s
 => => exporting config sha256:2e766855d2c0dc9c8a005866ec139d251b4f3cabd38586fff3fa9df874b1b14f                                              0.0s
 => => exporting attestation manifest sha256:75d8f32e66dee7b5268c1882a93f0107bf972a16c7972903f0fefbde843b0e08                                0.0s
 => => exporting manifest sha256:5d18951aa10d7db756c39875c1360499c3a6643a097f9ea81ed8fdc7479c9b49                                            0.0s
 => => exporting config sha256:c319f11eb4c8a52e492b75bd068715a6703f6d0afcf6d6240dbed9c0ad1011e8                                              0.0s
 => => exporting attestation manifest sha256:388d86fbeda42c224fd181d385228fa7d7ff1d0ff2c3379c5b7f6f21e4e2f8f2                                0.0s
 => => exporting manifest list sha256:2bfb7328872d6ac549cfdc136c70bca7f133b7d2da51da1a3f456ff256d774ba                                       0.0s
 => => pushing layers                                                                                                                       10.4s
 => => pushing manifest for 378102432899.dkr.ecr.ap-northeast-2.amazonaws.com/myweb:multi@sha256:2bfb7328872d6ac549cfdc136c70bca7f133b7d2da  1.4s
 => [auth] sharing credentials for 378102432899.dkr.ecr.ap-northeast-2.amazonaws.com                                                         0.0s

 2 warnings found (use --debug to expand):
 - LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 2)
 - JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals (line 5)

• multi-architecture 지원 컨테이너 이미지가 ECR에 푸시됨

5. AWS ECR 컨테이너 실행

• ECR에서 컨테이너 이미지를 풀하여 실행
• 윈도우PC(amd64), macOS(arm64)에서 동일한 이미지 사용 가능

(eks-user:default) [root@operator-host myweb]# docker run -d -p 8080:80 --name=timeserver ${ACCOUNT_ID}.dkr.ecr.ap-northeast-2.amazonaws.com/myweb:multi

✅ 출력

Unable to find image '378102432899.dkr.ecr.ap-northeast-2.amazonaws.com/myweb:multi' locally
multi: Pulling from myweb
a492eee5e559: Already exists 
32b550be6cb6: Already exists 
35af2a7690f2: Already exists 
7576b00d9bb1: Already exists 
07612085660d: Already exists 
60fd44efca0f: Already exists 
4a12975a6131: Already exists 
0a18c01708c3: Pull complete 
4f4fb700ef54: Pull complete 
Digest: sha256:2bfb7328872d6ac549cfdc136c70bca7f133b7d2da51da1a3f456ff256d774ba
Status: Downloaded newer image for 378102432899.dkr.ecr.ap-northeast-2.amazonaws.com/myweb:multi
c981958a36336d01c5ee98d23a9953b03261bbeceeab19e9c4b910598a9bad2e

• 컨테이너 실행 상태 확인

(eks-user:default) [root@operator-host myweb]# curl http://localhost:8080

✅ 출력

The time is 4:21:54 PM, VERSION 0.0.1
Server hostname: c981958a3633

6. ECR 컨테이너 및 저장소 정리

(1) ECR 저장소 삭제

(2) 컨테이너 삭제

(eks-user:default) [root@operator-host myweb]# docker rm -f timeserver
# 결과
timeserver

---

⚡ AWS Graviton (ARM) 노드그룹 및 배포 실습

1. 기존 노드 아키텍처 확인

kubectl get nodes -L kubernetes.io/arch

✅ 출력

NAME                                               STATUS   ROLES    AGE   VERSION               ARCH
ip-192-168-1-207.ap-northeast-2.compute.internal   Ready    <none>   13h   v1.31.5-eks-5d632ec   amd64
ip-192-168-2-84.ap-northeast-2.compute.internal    Ready    <none>   13h   v1.31.5-eks-5d632ec   amd64
ip-192-168-3-80.ap-northeast-2.compute.internal    Ready    <none>   13h   v1.31.5-eks-5d632ec   amd64

• 현재 EKS 클러스터의 모든 노드는 amd64 아키텍처

2. Graviton(ARM) 기반 노드그룹 생성

(1) YAML 파일 생성 (myng3.yaml)

eksctl create nodegroup -c $CLUSTER_NAME -r ap-northeast-2 --subnet-ids "$PubSubnet1","$PubSubnet2","$PubSubnet3" \
  -n ng3 -t t4g.medium -N 1 -m 1 -M 1 --node-volume-size=30 --node-labels family=graviton --dry-run > myng3.yaml

(2) 노드그룹 생성

eksctl create nodegroup -f myng3.yaml

# 결과
2025-02-19 01:32:09 [ℹ]  nodegroup "ng3" will use "" [AmazonLinux2/1.31]
2025-02-19 01:32:10 [ℹ]  1 existing nodegroup(s) (ng1) will be excluded
2025-02-19 01:32:10 [ℹ]  1 nodegroup (ng3) was included (based on the include/exclude rules)
2025-02-19 01:32:10 [ℹ]  will create a CloudFormation stack for each of 1 managed nodegroups in cluster "myeks"
2025-02-19 01:32:11 [ℹ]  
2 sequential tasks: { fix cluster compatibility, 1 task: { 1 task: { create managed nodegroup "ng3" } } 
}
2025-02-19 01:32:11 [ℹ]  checking cluster stack for missing resources
2025-02-19 01:32:11 [ℹ]  cluster stack has all required resources
2025-02-19 01:32:12 [ℹ]  building managed nodegroup stack "eksctl-myeks-nodegroup-ng3"
2025-02-19 01:32:12 [ℹ]  deploying stack "eksctl-myeks-nodegroup-ng3"
2025-02-19 01:32:12 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-nodegroup-ng3"
2025-02-19 01:32:42 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-nodegroup-ng3"
2025-02-19 01:33:17 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-nodegroup-ng3"
2025-02-19 01:33:57 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-nodegroup-ng3"
2025-02-19 01:34:38 [ℹ]  waiting for CloudFormation stack "eksctl-myeks-nodegroup-ng3"
2025-02-19 01:34:38 [ℹ]  no tasks
2025-02-19 01:34:38 [✔]  created 0 nodegroup(s) in cluster "myeks"
2025-02-19 01:34:38 [ℹ]  nodegroup "ng3" has 1 node(s)
2025-02-19 01:34:38 [ℹ]  node "ip-192-168-3-99.ap-northeast-2.compute.internal" is ready
2025-02-19 01:34:38 [ℹ]  waiting for at least 1 node(s) to become ready in "ng3"
2025-02-19 01:34:38 [ℹ]  nodegroup "ng3" has 1 node(s)
2025-02-19 01:34:38 [ℹ]  node "ip-192-168-3-99.ap-northeast-2.compute.internal" is ready
2025-02-19 01:34:38 [✔]  created 1 managed nodegroup(s) in cluster "myeks"
2025-02-19 01:34:38 [ℹ]  checking security group configuration for all nodegroups
2025-02-19 01:34:38 [ℹ]  all nodegroups have up-to-date cloudformation templates

3. 배포된 노드 확인

kubectl get nodes --label-columns eks.amazonaws.com/nodegroup,kubernetes.io/arch,eks.amazonaws.com/capacityType

✅ 출력

NAME                                               STATUS   ROLES    AGE     VERSION               NODEGROUP             ARCH    CAPACITYTYPE
ip-192-168-1-207.ap-northeast-2.compute.internal   Ready    <none>   13h     v1.31.5-eks-5d632ec   ng1                   amd64   ON_DEMAND
ip-192-168-1-92.ap-northeast-2.compute.internal    Ready    <none>   7m41s   v1.31.5-eks-5d632ec   managed-spot          amd64   SPOT
ip-192-168-2-145.ap-northeast-2.compute.internal   Ready    <none>   99s     v1.31.4-eks-0f56d01   ng-bottlerocket       amd64   ON_DEMAND
ip-192-168-2-164.ap-northeast-2.compute.internal   Ready    <none>   7m40s   v1.31.5-eks-5d632ec   managed-spot          amd64   SPOT
ip-192-168-2-84.ap-northeast-2.compute.internal    Ready    <none>   13h     v1.31.5-eks-5d632ec   ng1                   amd64   ON_DEMAND
ip-192-168-3-73.ap-northeast-2.compute.internal    Ready    <none>   73s     v1.31.4-eks-0f56d01   ng-bottlerocket-ssh   amd64   ON_DEMAND
ip-192-168-3-80.ap-northeast-2.compute.internal    Ready    <none>   13h     v1.31.5-eks-5d632ec   ng1                   amd64   ON_DEMAND
ip-192-168-3-99.ap-northeast-2.compute.internal    Ready    <none>   12m     v1.31.5-eks-5d632ec   ng3                   arm64   ON_DEMAND

• ng3 노드가 arm64로 배포됨

4. 현재 Taints 설정 확인

aws eks describe-nodegroup --cluster-name $CLUSTER_NAME --nodegroup-name ng3 | jq .nodegroup.taints

✅ 출력

null

5. Graviton 노드에 Taints 설정

• ng3 노드에 frontend=true:NoExecute Taint 적용
• 특정 Pod만 해당 노드에 스케줄링 가능

aws eks update-nodegroup-config --cluster-name $CLUSTER_NAME --nodegroup-name ng3 --taints "addOrUpdateTaints=[{key=frontend, value=true, effect=NO_EXECUTE}]"

✅ 출력

{
    "update": {
        "id": "eabe8298-9d6b-3ef6-965f-00120771faa6",
        "status": "InProgress",
        "type": "ConfigUpdate",
        "params": [
            {
                "type": "TaintsToAdd",
                "value": "[{\"effect\":\"NO_EXECUTE\",\"value\":\"true\",\"key\":\"frontend\"}]"
            },
            {
                "type": "TaintsToRemove",
                "value": "[]"
            }
        ],
        "createdAt": "2025-02-19T01:52:40.946000+09:00",
        "errors": []
    }
}

• Taints 설정 확인

kubectl describe nodes --selector family=graviton | grep Taints

✅ 출력

Taints:             frontend=true:NoExecute

6. Graviton 노드에 Tolerations을 포함한 Pod 배포

• tolerations을 설정하여 Taint가 있어도 Pod가 배포될 수 있도록 설정

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  terminationGracePeriodSeconds: 3
  containers:
  - name: busybox
    image: busybox
    command:
    - "/bin/sh"
    - "-c"
    - "while true; do date >> /home/pod-out.txt; cd /home; sync; sync; sleep 10; done"
  tolerations:
    - effect: NoExecute
      key: frontend
      operator: Exists
  nodeSelector:
    family: graviton
EOF

# 결과
pod/busybox created

7. Pod 정보 확인

(1) Pod 세부 정보 확인

kubectl describe pod busybox

✅ 출력

Name:             busybox
Namespace:        default
Priority:         0
Service Account:  default
Node:             ip-192-168-3-99.ap-northeast-2.compute.internal/192.168.3.99
Start Time:       Wed, 19 Feb 2025 01:59:49 +0900
Labels:           <none>
Annotations:      <none>
Status:           Running
IP:               192.168.3.40
IPs:
  IP:  192.168.3.40
Containers:
  busybox:
    Container ID:  containerd://620e686393b9dee8876708ba15aac6f8523fd6fa9dd0507183dd230b9277bca9
    Image:         busybox
    Image ID:      docker.io/library/busybox@sha256:a5d0ce49aa801d475da48f8cb163c354ab95cab073cd3c138bd458fc8257fbf1
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -c
      while true; do date >> /home/pod-out.txt; cd /home; sync; sync; sleep 10; done
    State:          Running
      Started:      Wed, 19 Feb 2025 01:59:54 +0900
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-5sq9z (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True
  Initialized                 True
  Ready                       True
  ContainersReady             True
  PodScheduled                True
Volumes:
  kube-api-access-5sq9z:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              family=graviton
Tolerations:                 frontend:NoExecute op=Exists
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  2m27s  default-scheduler  Successfully assigned default/busybox to ip-192-168-3-99.ap-northeast-2.compute.internal
  Normal  Pulling    2m26s  kubelet            Pulling image "busybox"
  Normal  Pulled     2m22s  kubelet            Successfully pulled image "busybox" in 4.274s (4.274s including waiting). Image size: 1855561 bytes.
  Normal  Created    2m22s  kubelet            Created container busybox
  Normal  Started    2m22s  kubelet            Started container busybox

(2) Pod 내부에서 아키텍처 확인

kubectl exec -it busybox -- arch
# 결과
aarch64

(3) Pod 내부에서 로그 확인

kubectl exec -it busybox -- tail -f /home/pod-out.txt

✅ 출력

Tue Feb 18 17:01:24 UTC 2025
Tue Feb 18 17:01:34 UTC 2025
Tue Feb 18 17:01:44 UTC 2025
Tue Feb 18 17:01:54 UTC 2025
Tue Feb 18 17:02:04 UTC 2025
Tue Feb 18 17:02:14 UTC 2025
Tue Feb 18 17:02:24 UTC 2025
Tue Feb 18 17:02:34 UTC 2025
Tue Feb 18 17:02:44 UTC 2025
...

• busybox 컨테이너가 정상적으로 실행 중

8. Pod 삭제

kubectl delete pod busybox
# 결과
pod "busybox" deleted

9. 다중 아키텍처 컨테이너 배포 (x86_64 & ARM64)

• 운영서버 EC2에서 빌드한 myweb 컨테이너를 다중 아키텍처 지원하는 Pod로 배포
• x86_64(AMD) 및 ARM64(Graviton) 노드에서 각각 실행

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: myweb-arm
spec:
  terminationGracePeriodSeconds: 3
  containers:
  - name: myweb
    image: shinminjin/myweb:multi
  tolerations:
    - effect: NoExecute
      key: frontend
      operator: Exists
  nodeSelector:
    family: graviton
---
apiVersion: v1
kind: Pod
metadata:
  name: myweb-amd
spec:
  terminationGracePeriodSeconds: 3
  containers:
  - name: myweb
    image: shinminjin/myweb:multi
EOF

# 결과
pod/myweb-arm created
pod/myweb-amd created

10. 배포된 Pod 및 노드 확인

kubectl get pod -owide

✅ 출력

NAME        READY   STATUS    RESTARTS   AGE   IP              NODE                                               NOMINATED NODE   READINESS GATES
myweb-amd   1/1     Running   0          77s   192.168.2.219   ip-192-168-2-145.ap-northeast-2.compute.internal   <none>           <none>
myweb-arm   1/1     Running   0          77s   192.168.3.40    ip-192-168-3-99.ap-northeast-2.compute.internal    <none>           <none>

11. 각 컨테이너의 아키텍처 확인

kubectl exec -it myweb-arm -- arch
aarch64

kubectl exec -it myweb-amd -- arch
x86_64

12. 웹 서비스 정상 동작 확인

kubectl exec -it myweb-arm -- curl localhost
# 결과
The time is 5:09:21 PM, VERSION 0.0.1
Server hostname: myweb-arm

kubectl exec -it myweb-amd -- curl localhost
# 결과
The time is 5:09:30 PM, VERSION 0.0.1
Server hostname: myweb-amd

13. Pod 삭제 및 ng3 노드 그룹 삭제

kubectl delete pod myweb-arm myweb-amd
# 결과
pod "myweb-arm" deleted
pod "myweb-amd" deleted

eksctl delete nodegroup -c $CLUSTER_NAME -n ng3
# 결과
2025-02-19 02:12:21 [ℹ]  1 nodegroup (ng3) was included (based on the include/exclude rules)
2025-02-19 02:12:21 [ℹ]  will drain 1 nodegroup(s) in cluster "myeks"
2025-02-19 02:12:21 [ℹ]  starting parallel draining, max in-flight of 1
2025-02-19 02:12:21 [ℹ]  cordon node "ip-192-168-3-99.ap-northeast-2.compute.internal"
2025-02-19 02:12:22 [✔]  drained all nodes: [ip-192-168-3-99.ap-northeast-2.compute.internal]
2025-02-19 02:12:22 [ℹ]  will delete 1 nodegroups from cluster "myeks"
2025-02-19 02:12:22 [ℹ]  1 task: { 1 task: { delete nodegroup "ng3" [async] } }
2025-02-19 02:12:22 [ℹ]  will delete stack "eksctl-myeks-nodegroup-ng3"
2025-02-19 02:12:22 [✔]  deleted 1 nodegroup(s) from cluster "myeks"

---

💰 스팟 노드그룹 및 배포 실습

1. 노드 역할 조회

NODEROLEARN=$(aws iam list-roles --query "Roles[?contains(RoleName, 'nodegroup-ng1')].Arn" --output text)
echo $NODEROLEARN

✅ 출력

arn:aws:iam::378102432899:role/eksctl-myeks-nodegroup-ng1-NodeInstanceRole-rGyQG9rZlOwl

2. 스팟 노드그룹 생성

aws eks create-nodegroup \
  --cluster-name $CLUSTER_NAME \
  --nodegroup-name managed-spot \
  --subnets $PubSubnet1 $PubSubnet2 $PubSubnet3 \
  --node-role $NODEROLEARN \
  --instance-types c5.large c5d.large c5a.large \
  --capacity-type SPOT \
  --scaling-config minSize=2,maxSize=3,desiredSize=2 \
  --disk-size 20

✅ 출력

{
    "nodegroup": {
        "nodegroupName": "managed-spot",
        "nodegroupArn": "arn:aws:eks:ap-northeast-2:378102432899:nodegroup/myeks/managed-spot/56ca8cf5-e169-efa6-7b36-7922fce5434f",
        "clusterName": "myeks",
        "version": "1.31",
        "releaseVersion": "1.31.5-20250212",
        "createdAt": "2025-02-19T01:37:18.476000+09:00",
        "modifiedAt": "2025-02-19T01:37:18.476000+09:00",
        "status": "CREATING",
        "capacityType": "SPOT",
        "scalingConfig": {
            "minSize": 2,
            "maxSize": 3,
            "desiredSize": 2
        },
        "instanceTypes": [
            "c5.large",
            "c5d.large",
            "c5a.large"
        ],
        "subnets": [
            "subnet-0fed28a1b3e108719",
            "subnet-0e4fb63cb543698fe",
            "subnet-0861bd68771150000"
        ],
        "amiType": "AL2023_x86_64_STANDARD",
        "nodeRole": "arn:aws:iam::378102432899:role/eksctl-myeks-nodegroup-ng1-NodeInstanceRole-rGyQG9rZlOwl",
        "diskSize": 20,
        "health": {
            "issues": []
        },
        "updateConfig": {
            "maxUnavailable": 1
        },
        "tags": {}
    }
}

• managed-spot 노드그룹이 스팟 인스턴스로 생성됨

3. 적절한 스팟 인스턴스 선택

• ec2-instance-selector 설치
• 요구하는 CPU, 메모리, 아키텍처에 맞는 인스턴스를 선택 가능

curl -Lo ec2-instance-selector https://github.com/aws/amazon-ec2-instance-selector/releases/download/v2.4.1/ec2-instance-selector-`uname | tr '[:upper:]' '[:lower:]'`-amd64 && chmod +x ec2-instance-selector
sudo mv ec2-instance-selector /usr/local/bin/
ec2-instance-selector --version

✅ 출력

v2.4.1

• ec2-instance-selector 정상 설치 완료

4. 인스턴스 추천 조회 (vCPU 2, RAM 4GB, GPU 없음, x86_64 아키텍처)

ec2-instance-selector --vcpus 2 --memory 4 --gpus 0 --current-generation -a x86_64 --deny-list 't.*' --output table-wide

✅ 출력

NOTE: Could not retrieve 30 day avg hourly spot price for instance type p2.16xlarge
Instance Type   VCPUs   Mem (GiB)  Hypervisor  Current Gen  Hibernation Support  CPU Arch  Network Performance  ENIs    GPUs    GPU Mem (GiB)  GPU Info  On-Demand Price/Hr  Spot Price/Hr (30d avg)  
-------------   -----   ---------  ----------  -----------  -------------------  --------  -------------------  ----    ----    -------------  --------  ------------------  -----------------------  
c5.large        2       4          nitro       true         true                 x86_64    Up to 10 Gigabit     3       0       0              none      $0.096              $0.02993                 
c5a.large       2       4          nitro       true         false                x86_64    Up to 10 Gigabit     3       0       0              none      $0.086              $0.0397                  
c5d.large       2       4          nitro       true         true                 x86_64    Up to 10 Gigabit     3       0       0              none      $0.11               $0.03067                 
c6i.large       2       4          nitro       true         true                 x86_64    Up to 12.5 Gigabit   3       0       0              none      $0.096              $0.03346                 
c6id.large      2       4          nitro       true         true                 x86_64    Up to 12.5 Gigabit   3       0       0              none      $0.1155             $0.03071                 
c6in.large      2       4          nitro       true         true                 x86_64    Up to 25 Gigabit     3       0       0              none      $0.1281             $0.05098                 
c7i-flex.large  2       4          nitro       true         true                 x86_64    Up to 12.5 Gigabit   3       0       0              none      $0.09576            $0.02884                 
c7i.large       2       4          nitro       true         true                 x86_64    Up to 12.5 Gigabit   3       0       0              none      $0.1008             $0.02964

• c5.large 계열 인스턴스가 저렴한 스팟 가격을 제공함

5. 스팟 및 온디맨드 노드 확인

(1) 온디맨드 노드만 조회

kubectl get nodes -l eks.amazonaws.com/capacityType=ON_DEMAND

✅ 출력

NAME                                               STATUS   ROLES    AGE   VERSION
ip-192-168-1-207.ap-northeast-2.compute.internal   Ready    <none>   14h   v1.31.5-eks-5d632ec
ip-192-168-2-145.ap-northeast-2.compute.internal   Ready    <none>   35m   v1.31.4-eks-0f56d01
ip-192-168-2-84.ap-northeast-2.compute.internal    Ready    <none>   14h   v1.31.5-eks-5d632ec
ip-192-168-3-73.ap-northeast-2.compute.internal    Ready    <none>   34m   v1.31.4-eks-0f56d01
ip-192-168-3-80.ap-northeast-2.compute.internal    Ready    <none>   14h   v1.31.5-eks-5d632ec

(2) 전체 노드 (온디맨드 vs 스팟) 조회

kubectl get nodes -L eks.amazonaws.com/capacityType

✅ 출력

NAME                                               STATUS   ROLES    AGE   VERSION               CAPACITYTYPE
ip-192-168-1-207.ap-northeast-2.compute.internal   Ready    <none>   14h   v1.31.5-eks-5d632ec   ON_DEMAND
ip-192-168-1-92.ap-northeast-2.compute.internal    Ready    <none>   41m   v1.31.5-eks-5d632ec   SPOT
ip-192-168-2-145.ap-northeast-2.compute.internal   Ready    <none>   35m   v1.31.4-eks-0f56d01   ON_DEMAND
ip-192-168-2-164.ap-northeast-2.compute.internal   Ready    <none>   41m   v1.31.5-eks-5d632ec   SPOT
ip-192-168-2-84.ap-northeast-2.compute.internal    Ready    <none>   14h   v1.31.5-eks-5d632ec   ON_DEMAND
ip-192-168-3-73.ap-northeast-2.compute.internal    Ready    <none>   35m   v1.31.4-eks-0f56d01   ON_DEMAND
ip-192-168-3-80.ap-northeast-2.compute.internal    Ready    <none>   14h   v1.31.5-eks-5d632ec   ON_DEMAND

6. 스팟 노드에 Pod 배포

스팟 노드에서만 실행되는 busybox Pod 배포

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  terminationGracePeriodSeconds: 3
  containers:
  - name: busybox
    image: busybox
    command:
    - "/bin/sh"
    - "-c"
    - "while true; do date >> /home/pod-out.txt; cd /home; sync; sync; sleep 10; done"
  nodeSelector:
    eks.amazonaws.com/capacityType: SPOT
EOF

# 결과
pod/busybox created

7. Pod 배포 노드 확인

kubectl get pod -owide

✅ 출력

NAME      READY   STATUS    RESTARTS   AGE   IP             NODE                                               NOMINATED NODE   READINESS GATES
busybox   1/1     Running   0          50s   192.168.2.75   ip-192-168-2-164.ap-northeast-2.compute.internal   <none>           <none>

k get nodes -L eks.amazonaws.com/capacityType

✅ 출력

NAME                                               STATUS   ROLES    AGE   VERSION               CAPACITYTYPE
ip-192-168-1-207.ap-northeast-2.compute.internal   Ready    <none>   14h   v1.31.5-eks-5d632ec   ON_DEMAND
ip-192-168-1-92.ap-northeast-2.compute.internal    Ready    <none>   47m   v1.31.5-eks-5d632ec   SPOT
ip-192-168-2-145.ap-northeast-2.compute.internal   Ready    <none>   41m   v1.31.4-eks-0f56d01   ON_DEMAND
ip-192-168-2-164.ap-northeast-2.compute.internal   Ready    <none>   47m   v1.31.5-eks-5d632ec   SPOT
ip-192-168-2-84.ap-northeast-2.compute.internal    Ready    <none>   14h   v1.31.5-eks-5d632ec   ON_DEMAND
ip-192-168-3-73.ap-northeast-2.compute.internal    Ready    <none>   41m   v1.31.4-eks-0f56d01   ON_DEMAND
ip-192-168-3-80.ap-northeast-2.compute.internal    Ready    <none>   14h   v1.31.5-eks-5d632ec   ON_DEMAND

• busybox Pod가 스팟 인스턴스에서 실행됨

8. 스팟 인스턴스 리소스 삭제

(1) Pod 삭제

kubectl delete pod busybox
# 결과
pod "busybox" deleted

(2) ng3 노드 그룹 삭제

eksctl delete nodegroup -c $CLUSTER_NAME -n managed-spot
# 결과
2025-02-19 02:30:04 [ℹ]  1 nodegroup (managed-spot) was included (based on the include/exclude rules)
2025-02-19 02:30:04 [ℹ]  will drain 1 nodegroup(s) in cluster "myeks"
2025-02-19 02:30:04 [ℹ]  starting parallel draining, max in-flight of 1
2025-02-19 02:30:04 [ℹ]  cordon node "ip-192-168-1-92.ap-northeast-2.compute.internal"
2025-02-19 02:30:04 [ℹ]  cordon node "ip-192-168-2-164.ap-northeast-2.compute.internal"
2025-02-19 02:30:05 [✔]  drained all nodes: [ip-192-168-1-92.ap-northeast-2.compute.internal ip-192-168-2-164.ap-northeast-2.compute.internal]
2025-02-19 02:30:05 [ℹ]  will delete 1 nodegroups from cluster "myeks"
2025-02-19 02:30:05 [ℹ]  
2 parallel tasks: { delete unowned nodegroup managed-spot, no tasks 
}
2025-02-19 02:30:05 [✔]  deleted 1 nodegroup(s) from cluster "myeks"

---

🗑️ (실습 완료 후) 자원 삭제

(1) Amazon EKS 클러스터 삭제

eksctl delete cluster --name $CLUSTER_NAME

(2) AWS CloudFormation 스택 삭제

aws cloudformation delete-stack --stack-name myeks

(3) 변수 설정 삭제

EKS 배포 후 실습 편의를 위해 추가했던 변수 설정 제거

vi ~/.bashrc