AWS Air-gapped Environment Variables

When using an existing air-gapped infrastructure, DKP does not create, modify, or delete any AWS resources.

AWS Resources:

  • Internet Gateways

  • NAT Gateways

  • Routing tables

  • Subnets

  • VPC

  • VPC Endpoints (for subnets without NAT Gateways)

An AWS subnet has Network ACLs that can control traffic in and out of the subnet. DKP does not modify the Network ACLs of an existing subnet. DKP uses Security Groups to control traffic. If a Network ACL denies traffic that is allowed by DKP-managed Security Groups, the cluster may not work correctly.

Export variables for the existing infrastructure details:

CODE
export AWS_VPC_ID=<vpc-...>
export AWS_SUBNET_IDS=<subnet-...,subnet-...,subnet-...>
export AWS_ADDITIONAL_SECURITY_GROUPS=<sg-...>
export AWS_AMI_ID=<ami-...>

  • AWS_VPC_ID: the VPC ID where the cluster will be created. The VPC requires the following AWS VPC Endpoints to be already present:

    • ec2 - com.amazonaws.{region}.ec2

    • elasticloadbalancing - com.amazonaws.{region}.elasticloadbalancing

    • secretsmanager - com.amazonaws.{region}.secretsmanager

    • autoscaling - com.amazonaws.{region}.autoscaling

    • ecr - com.amazonaws.{region}.ecr.api - (authentication)

    • ecr - com.amazonaws.{region}.ecr.dkr - (data transfer)

    For more details, see the AWS documentation on accessing an AWS service using an interface VPC endpoint and the list of AWS services that integrate with VPC endpoints.

  • AWS_SUBNET_IDS: a comma-separated list of one or more private Subnet IDs with each one in a different Availability Zone. The cluster control-plane and worker nodes will automatically be spread across these Subnets.

  • AWS_ADDITIONAL_SECURITY_GROUPS: a comma-separated list of one or more Security Group IDs to use in addition to the ones automatically created by CAPA.

  • AWS_AMI_ID: the AMI ID to use for control-plane and worker nodes. The default AWS image is not recommended for use in production. The AMI must be created with Konvoy Image Builder in order to use the registry mirror feature.

    • Flag to use custom AMI during cluster creation: --ami=${AWS_AMI_ID}

⚠️ IMPORTANT: You must tag the subnets as described below to allow Kubernetes to create ELBs for services of type LoadBalancer in those subnets. If the subnets are not tagged, they will not receive an ELB and the following error is displayed: "Error syncing load balancer, failed to ensure load balancer; could not find any suitable subnets for creating the ELB."

The tags should be set as follows, where <CLUSTER_NAME> corresponds to the name set in CLUSTER_NAME environment variable:

CODE
kubernetes.io/cluster = <CLUSTER_NAME>
kubernetes.io/cluster/<CLUSTER_NAME> = owned
kubernetes.io/role/internal-elb = 1
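As an added preflight check (not part of the DKP documentation or its tooling), the POSIX shell script below validates the two prerequisites above before any cluster is created: that the VPC in AWS_VPC_ID has all six interface endpoints, and that every subnet in AWS_SUBNET_IDS sits in its own Availability Zone and carries the three Kubernetes tags. The region, cluster name and subnet lines it uses are constructed sample values; against a real account the same text would be produced by the aws CLI commands named in the comments.

```shell
#!/bin/sh
# Added preflight check (not DKP's own tooling): confirm an existing air-gapped VPC has
# the endpoints and subnet tags this page requires. Live input would come from
# `aws ec2 describe-vpc-endpoints` / `describe-subnets`; here it is passed in as text.

# Interface endpoints DKP requires, as suffixes of com.amazonaws.<region>.
REQUIRED_ENDPOINTS="ec2 elasticloadbalancing secretsmanager autoscaling ecr.api ecr.dkr"

# check_endpoints REGION "<space-separated ServiceNames present in the VPC>"
# Prints each missing endpoint; returns 1 if any is missing, 0 otherwise.
check_endpoints() {
  region="$1" present="$2" missing=0
  for svc in $REQUIRED_ENDPOINTS; do
    name="com.amazonaws.${region}.${svc}"
    case " $present " in
      *" $name "*) ;;
      *) echo "missing VPC endpoint: $name"; missing=1 ;;
    esac
  done
  return $missing
}

# check_subnets CLUSTER_NAME "<one subnet per line: subnet-id az key=value ...>"
# Fails if two subnets share an Availability Zone or a subnet lacks one of the
# three tags Kubernetes needs to place internal ELBs in it.
check_subnets() {
  cluster="$1" rc=0 seen_azs=" "
  while read -r subnet az tags; do
    [ -z "$subnet" ] && continue
    case "$seen_azs" in
      *" $az "*) echo "$subnet: AZ $az is already used by another subnet"; rc=1 ;;
    esac
    seen_azs="$seen_azs$az "
    for want in "kubernetes.io/cluster=$cluster" \
                "kubernetes.io/cluster/$cluster=owned" \
                "kubernetes.io/role/internal-elb=1"; do
      case " $tags " in
        *" $want "*) ;;
        *) echo "$subnet: missing tag $want"; rc=1 ;;
      esac
    done
  done <<EOF
$2
EOF
  return $rc
}

# Constructed sample: the second subnet lacks the "owned" tag, so this reports it.
check_subnets demo "subnet-0a1 us-west-2a kubernetes.io/cluster=demo kubernetes.io/cluster/demo=owned kubernetes.io/role/internal-elb=1
subnet-0b2 us-west-2b kubernetes.io/cluster=demo kubernetes.io/role/internal-elb=1" || echo "fix subnet tags first"
```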

Next Step

AWS Air-gapped Bootstrap
