| AMI Name | Platform | Description | Mandatory |
|---|---|---|---|
| amazon-eks-node | Linux/UNIX | Default node pool instances (auto-scaled) | Yes |
| amazon-eks-node | Linux/UNIX | Execution node pool instances (auto-scaled). The default instance type for the execution node pool is t3.medium. Running a large number of simulations in parallel may exceed the maximum number of vCPUs limited in the service quota Running On-Demand All Standard (A, C, D, H, I, M, R, T, Z) instances. |
No |
| amzn2-ami-hvm-2.0.20210813.1-x86_64-gp2 | Amazon Linux | dSPACE license server | No |
| Description |
|---|
| Elastic IP Address for NAT Gateway |
| Name | Mandatory |
|---|---|
| Launch template for default node pool. | Yes |
| Launch template for execution node pool. | No |
| Name | Mandatory |
|---|---|
| Auto scaling group for default node pool. | Yes |
| Auto scaling group for execution node pool. | No |
| Name | Description | Mandatory |
|---|---|---|
| <tenant>-<environment>-<zone>-eks | Kubernetes cluster for SIMPHERA. | Yes |
| Description | Mandatory |
|---|---|
| Node group for SIMPHERA services and other auxiliary third-party services like Keycloak, nginx, etc. | Yes |
| Node group for the executors that perform the testing of the system under test. | No |
| Name | Description | Mandatory |
|---|---|---|
| <tenant>-<environment>-<zone>-simphera | Store data records of items like projects, test suites, etc. | Yes |
| <tenant>-<environment>-<zone>-keycloak | Keycloak stores SIMPHERA users in a separate Amazon RDS PostgreSQL instance. | Yes |
| Name | Description |
|---|---|
| /aws/eks/<tenant>-<environment>-<zone>-eks/cluster | Node metrics and Kubernetes system logs. |
| /<tenant>-<environment>-<zone>-eks/worker-fluentbit-logs | EKS container logs. |
| Requirement | Description | Default value | Mandatory? |
|---|---|---|---|
| IPv4 CIDR block | Network size ie. number of available IPs in VPC | 10.1.0.0/18 | yes |
| Availability zones | How many AZs to spread VPC across | 3 (at least 2 for high availability) | yes |
| Private subnets | How many private subnets to create | 3 (at least 2 for high availability; one per each AZ) | yes |
| Public subnets | How many public subnets to create | 3 (at least 2 for high availability; one per each AZ) | yes |
| NAT gateway | Enable/disable NAT in VPC | enable | yes |
| Single NAT gateway | Controls how many NAT gateways/Elastic IPs to provision | enable | no |
| Internet gateway | Enable/disable IGW in VPC | enable | yes |
| DNS hostnames | Determines whether the VPC supports assigning public DNS hostnames to instances with public IP addresses. | enable | yes |
| Description |
|---|
| Internet Gateway for SIMPHERA Virtual Private Network. |
| Description |
|---|
| NAT Gateway for SIMPHERA Virtual Private Network. |
| Group name | Group description | Direction | Protocol | Port range | Rule description |
|---|---|---|---|---|---|
| eks-cluster-sg-<tenant>-<environment>-<zone>-eks> | EKS created security group applied to ENI that is attached to EKS Control Plane master nodes, as well as any managed workloads. | inbound | tcp | 30128 | kubernetes.io/rule/nlb/health |
| inbound | All | All | |||
| inbound | tcp | 30804 | kubernetes.io/rule/nlb/health | ||
| inbound | icmp | 3 - 4 | kubernetes.io/rule/nlb/mtu | ||
| outbound | All | All | |||
| default | default VPC security group | inbound | All | All | |
| outbound | All | All | |||
| <tenant>-<environment>-<zone>-db-sg | PostgreSQL security group | inbound | tcp | 5432 | PostgreSQL access from within VPC |
| <tenant>-<environment>-<zone>-eks-eks_worker_sg | Security group for all nodes in the cluster. | inbound | All | All | Allow node to communicate with each other. |
| inbound | tcp | 1025 - 65535 | Allow workers pods to receive communication from the cluster control plane. | ||
| inbound | tcp | 443 | Allow pods running extension API servers on port 443 to receive communication from cluster control plane. | ||
| outbound | All | All | Allow nodes all egress to the Internet. | ||
| <tenant>-<environment>-<zone>-eks-eks_cluster_sg | EKS cluster security group. | inbound | tcp | 443 | Allow pods to communicate with the EKS cluster API. |
| outbound | All | All | Allow cluster egress access to the Internet. |
| Name |
|---|
| Public subnet in region 1 zone a |
| Public subnet in region 1 zone b |
| Public subnet in region 1 zone c |
| Private subnet in region 1 zone a |
| Private subnet in region 1 zone b |
| Private subnet in region 1 zone c |
| Requirement | Description | Default value | Mandatory? |
|---|---|---|---|
| IPv4 CIDR blocks | Network size, ie number of available IPs per private subnet | 10.1.0.0/22 10.1.4.0/22 10.1.8.0/22 |
yes |
| Tags | Metadata for organizing your AWS resources | "kubernetes.io/cluster/<cluster name>" = "shared" "kubernetes.io/role/elb" = "1" "purpose" = "private" |
yes |
| Network Access Lists | Allows or denies specific inbound or outbound traffic at the subnet level | Allow all inbound/outbound | yes |
| Requirement | Description | Default value | Mandatory? |
|---|---|---|---|
| IPv4 CIDR blocks | Network size, ie number of available IPs per public subnet | 10.1.12.0/22 10.1.16.0/22 10.1.20.0/22 |
yes |
| Tags | Metadata for organizing your AWS resources | "kubernetes.io/cluster/<cluster name>" = "shared" "kubernetes.io/role/elb" = "1" "purpose" = "public" |
yes |
| Network Access Lists | Allows or denies specific inbound or outbound traffic at the subnet level | Allow all inbound/outbound | yes |
| Requirement | Description | Default value | Mandatory? |
|---|---|---|---|
| Routes | Minimum routes for network communication to work | 0.0.0.0/0 to <NAT gateway> <vpcCidrBlock> to local |
yes |
| Subnet associations | Apply route table routes to a particular subnet | Explicit, all private subnets | yes |
| Requirement | Description | Default value | Mandatory? |
|---|---|---|---|
| Routes | Minimum routes for network communication to work | 0.0.0.0/0 to <Internet gateway> <vpcCidrBlock> to local |
yes |
| Subnet associations | Apply route table routes to a particular subnet | Explicit, all public subnets | yes |
| Description | Mandatory |
|---|---|
| Network Load Balancer for EKS created by nginx controller. | Yes |
| Name | Description | ACL | Mandatory |
|---|---|---|---|
| <tenant>-<environment>-<zone> | Stores binary data like zipped files containing simulation models, test results, vehicle models, etc. | private | Yes |
| <tenant>-<environment>-<zone>-license-server | This bucket is used for the initial setup of the license server to transfer several license files securely between an administration PC and the license server | private | No |
| Description | Mandatory |
|---|---|
| Volume attached to the license server EC2 | No |
| Kubernetes Persistent Volumes CouchDB nodes (deprecated) | No |
| Description | Mandatory |
|---|---|
| EKS cluster secret encryption key | No |
| EKS Workers FluentBit CloudWatch Log group KMS Key | No |
| Role name | Description | Policies |
|---|---|---|
| <tenant>-<environment>-<zone>-eks-aws-for-fluent-bit-sa-irsa | AWS IAM Role for the Kubernetes service account aws-for-fluent-bit-sa. | |
| <tenant>-<environment>-<zone>-eks-aws-node-irsa | AWS IAM Role for the Kubernetes service account aws-node. | |
| <tenant>-<environment>-<zone>-eks-cluster-autoscaler-sa-irsa | AWS IAM Role for the Kubernetes service account cluster-autoscaler-sa. | |
| <tenant>-<environment>-<zone>-eks-cluster-role | ||
| <tenant>-<environment>-<zone>-eks-default | ||
| <tenant>-<environment>-<zone>-eks-execnodes | ||
| <tenant>-<environment>-<zone>-eks-ingress-nginx-sa-irsa | AWS IAM Role for the Kubernetes service account ingress-nginx-sa. | |
| <tenant>-<environment>-<zone>-eks20220328155518107300000008 | ||
| <tenant>-<environment>-<zone>-s3-role | IAM role for the MinIO service account |
| Policy name | Description | Managed By |
|---|---|---|
| <tenant>-<environment>-<zone>-eks-fluentbit | IAM Policy for AWS for FluentBit | Customer |
| AmazonEKS_CNI_Policy | This policy provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IP address configuration on your EKS worker nodes. This permission set allows the CNI to list, describe, and modify Elastic Network Interfaces on your behalf. More information on the AWS VPC CNI Plugin is available here: https://github.com/aws/amazon-vpc-cni-k8s | AWS |
| <tenant>-<environment>-<zone>-eks-cluster-autoscaler-irsa | Cluster Autoscaler IAM policy | Customer |
| AmazonEKSClusterPolicy | This policy provides Kubernetes the permissions it requires to manage resources on your behalf. Kubernetes requires Ec2:CreateTags permissions to place identifying information on EC2 resources including but not limited to Instances, Security Groups, and Elastic Network Interfaces. | AWS |
| AmazonEKSServicePolicy | This policy allows Amazon Elastic Container Service for Kubernetes to create and manage the necessary resources to operate EKS Clusters. | AWS |
| <tenant>-<environment>-<zone>-eks-elb-sl-role-creation20220328154446563700000001 | Permissions for EKS to create AWSServiceRoleForElasticLoadBalancing service-linked role | Customer |
| AmazonEKSVPCResourceController | Policy used by VPC Resource Controller to manage ENI and IPs for worker nodes. | AWS |
| AmazonEKSWorkerNodePolicy | This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters. | AWS |
| AmazonEC2ContainerRegistryReadOnly | Provides read-only access to Amazon EC2 Container Registry repositories. | AWS |
| AmazonSSMManagedInstanceCore | The policy for Amazon EC2 Role to enable AWS Systems Manager service core functionality. | AWS |
| <tenant>-<environment>-<zone>-eks-ingress-nginx-sa-policy | A generic AWS IAM policy for the ingress nginx irsa. | Customer |
| <tenant>-<environment>-<zone>-s3-policy | Allows access to S3 bucket. | Customer |