How do I create an EKS cluster with nodes via CDK?

I'm able to deploy a Kubernetes Fargate cluster via CDK on my desired VPC:

const vpc = ec2.Vpc.fromLookup(this, 'vpc', {
  vpcId: 'vpc-abcdefg'
})

const cluster = new eks.FargateCluster(this, 'sample-eks', {
  version: eks.KubernetesVersion.V1_21,
  vpc,
})

cluster.addNodegroupCapacity('node-group-capacity', {
  minSize: 2,
  maxSize: 2,
})

However, there are no nodes within this cluster:

$ kubectl config get-clusters                 
NAME
minikube
arn:aws:eks:us-east-1:<account_number>:cluster/<cluster_name>

$ kubectl get nodes                           
No resources found

Very confused as to why this is happening, as I thought the addNodegroupCapacity method is supposed to add nodes to the cluster. I think I can add nodes post-hoc via eksctl, but I was wondering if it'd be possible to deploy with nodes via CDK.



Solution 1:[1]

My mistake was not adding a role/user with sufficient permissions to the aws-auth ConfigMap. This meant that the cluster did not have proper permissions to create nodes. The following fixed my issue:

const role = iam.Role.fromRoleName(this, 'admin-role', '<my-admin-role>');
cluster.awsAuth.addRoleMapping(role, { groups: [ 'system:masters' ]});

The <my-admin-role> argument is the name of the role that I assume when I log in to AWS. I found it by running aws sts get-caller-identity, which returns a JSON doc that provides your assumed role's ARN. For me it was arn:aws:sts::<account-number>:assumed-role/<my-admin-role>/<my-username>.

This also resolved another issue, as I was not able to interact with the cluster via kubectl. I would get the following error message: error: You must be logged in to the server (Unauthorized). Adding my assumed role to the aws-auth ConfigMap gave me permission to access the cluster via my terminal.

Not sure why I haven't seen this bit of configuration in the tutorials I've used, would appreciate any comments that could help explain this to me.
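
The mapping step above, as an added TypeScript example that is not part of the original answer or of the CDK API: it converts the assumed-role ARN printed by aws sts get-caller-identity into the IAM role ARN form used in aws-auth mapRoles entries, and lists which mapped roles hold system:masters (full cluster-admin, so the list is worth reviewing). The account ID, role names and sample mapRoles entries are constructed, and the function names are hypothetical.

```typescript
// Added example; function names and sample data are constructed, not from the answer.
interface RoleMapping { rolearn: string; username: string; groups: string[]; }

// `aws sts get-caller-identity` prints an STS ARN of the form
//   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
// while aws-auth mapRoles entries use the IAM role ARN
//   arn:aws:iam::<account>:role/<role-name>
function roleFromCallerArn(callerArn: string): { roleName: string; roleArn: string } {
  const m = /^arn:(aws[a-z-]*):sts::(\d{12}):assumed-role\/([\w+=,.@-]+)\/[\w+=,.@-]+$/.exec(callerArn);
  if (!m) throw new Error('not an assumed-role ARN: ' + callerArn);
  const roleName = m[3];
  return { roleName, roleArn: 'arn:' + m[1] + ':iam::' + m[2] + ':role/' + roleName };
}

// Report whether the caller's role is mapped, and every role bound to
// system:masters (full cluster-admin).
function auditMapRoles(mappings: RoleMapping[], callerArn: string) {
  const roleArn = roleFromCallerArn(callerArn).roleArn;
  const clusterAdmins: string[] = [];
  let callerMapped = false;
  let callerIsClusterAdmin = false;
  for (const entry of mappings) {
    const isAdmin = entry.groups.indexOf('system:masters') !== -1;
    if (isAdmin) clusterAdmins.push(entry.rolearn);
    if (entry.rolearn === roleArn) {
      callerMapped = true;
      callerIsClusterAdmin = callerIsClusterAdmin || isAdmin;
    }
  }
  return { roleArn, callerMapped, callerIsClusterAdmin, clusterAdmins };
}

// Constructed mapRoles content: one node role, one admin role.
const SAMPLE_MAP_ROLES: RoleMapping[] = [
  { rolearn: 'arn:aws:iam::111122223333:role/ExampleNodeInstanceRole',
    username: 'system:node:{{EC2PrivateDNSName}}',
    groups: ['system:bootstrappers', 'system:nodes'] },
  { rolearn: 'arn:aws:iam::111122223333:role/ExampleAdminRole',
    username: 'example-admin', groups: ['system:masters'] },
];

const SAMPLE_CALLER = 'arn:aws:sts::111122223333:assumed-role/ExampleAdminRole/alice';
console.log(auditMapRoles(SAMPLE_MAP_ROLES, SAMPLE_CALLER));
```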

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 James Kelleher