Before starting the exercises in this chapter, create an EKS cluster.
Create a namespace on EKS for the EMR cluster:
kubectl create namespace emr-eks-workshop-namespace
Create the IRSA identity mapping for the emr-containers service:
eksctl create iamidentitymapping \
--cluster CLUSTER-NAME \
--namespace emr-eks-workshop-namespace \
--service-name "emr-containers"
Create the EMR virtual cluster in the emr-eks-workshop-namespace namespace:
aws emr-containers create-virtual-cluster \
--name emr_eks_cluster \
--container-provider '{
"id": "CLUSTER-NAME",
"type": "EKS",
"info": {
"eksInfo": {
"namespace": "emr-eks-workshop-namespace"
}
}
}'
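Once it has been created, you can view the virtual cluster in the console.
Let's create the role that EMR will use for job execution. This is the role that EMR jobs will assume when they run on EKS: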
cat <<EoF > emr-trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "elasticmapreduce.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EoF
aws iam create-role --role-name EMRContainers-JobExecutionRole --assume-role-policy-document file://emr-trust-policy.json
Next, we need to attach the required IAM policy to the role so that it can write logs to S3 and CloudWatch.
cat <<EoF > EMRContainers-JobExecutionRole.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"glue:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}
EoF
aws iam put-role-policy --role-name EMRContainers-JobExecutionRole --policy-name EMR-Containers-Job-Execution --policy-document file://EMRContainers-JobExecutionRole.json
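The policy above allows its S3 and Glue actions on "Resource": "*" and includes glue:*, which is wider than writing logs to S3 and CloudWatch needs. The check below is an added example, not part of the original workshop, that flags such statements before a policy is attached; the function name audit, the finding labels and the EXAMPLE-LOG-BUCKET placeholder are assumptions of this example.

```python
import json

# The job execution policy from this page, embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
   "Resource": "*"},
  {"Effect": "Allow", "Action": ["glue:*"], "Resource": "*"},
  {"Effect": "Allow",
   "Action": ["logs:PutLogEvents", "logs:CreateLogStream",
              "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
   "Resource": ["arn:aws:logs:*:*:*"]}
]}
""")

# Constructed comparison: the same S3 actions limited to one bucket.
# EXAMPLE-LOG-BUCKET is a placeholder, not a name from the workshop.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::EXAMPLE-LOG-BUCKET"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::EXAMPLE-LOG-BUCKET/*"},
]}

def as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, finding label, offending value) for Allow statements."""
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        for action in as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "wildcard-action", action))
        for res in as_list(st.get("Resource", [])):
            if res == "*":
                findings.append((i, "any-resource", res))
            # ARN fields are arn:partition:service:region:account:resource
            elif res.startswith("arn:") and all(p == "*" for p in res.split(":", 5)[3:]):
                findings.append((i, "unscoped-arn", res))
    return findings

if __name__ == "__main__":
    for idx, label, value in audit(POLICY):
        print(f"Statement[{idx}]: {label}: {value}")
    print("scoped policy findings:", audit(SCOPED))
```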
Update the trust relationship between the IAM role just created and the EMR service identity:
aws emr-containers update-role-trust-policy \
--cluster-name CLUSTER-NAME \
--namespace emr-eks-workshop-namespace \
--role-name EMRContainers-JobExecutionRole
Run the following command to list the EMR on EKS virtual clusters. Note the ID of the EMR cluster; we will use it to submit jobs to the EMR cluster:
aws emr-containers list-virtual-clusters
Create the eks-fargate namespace:
kubectl create namespace eks-fargate
Create the IRSA identity mapping in eks-fargate:
eksctl create iamidentitymapping \
--cluster CLUSTER-NAME \
--namespace eks-fargate \
--service-name "emr-containers"
Set the role used to submit jobs in the fargate namespace:
aws emr-containers update-role-trust-policy \
--cluster-name CLUSTER-NAME \
--namespace eks-fargate \
--role-name EMRContainers-JobExecutionRole