AWS Fargate profile
Before you can schedule pods on Fargate in your cluster, you must define at least one Fargate profile that specifies which pods use Fargate when launched.
The Fargate profile allows an administrator to declare which pods run on Fargate. This declaration is done through the profile’s selectors. Each profile can have up to five selectors that contain a namespace and optional labels. You must define a namespace for every selector. The label field consists of multiple optional key-value pairs. Pods that match a selector (by matching a namespace for the selector and all of the labels specified in the selector) are scheduled on Fargate. If a namespace selector is defined without any labels, Amazon EKS attempts to schedule all pods that run in that namespace onto Fargate using the profile. If a to-be-scheduled pod matches any of the selectors in the Fargate profile, then that pod is scheduled on Fargate.
If a pod matches multiple Fargate profiles, Amazon EKS picks one of the matches at random. In this case, you can specify which profile a pod should use by adding the following Kubernetes label to the pod specification: eks.amazonaws.com/fargate-profile: my-fargate-profile. However, the pod must still match a selector in that profile in order to be scheduled onto Fargate. Kubernetes affinity/anti-affinity rules aren't taken into consideration and are unnecessary with Amazon EKS Fargate pods.
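The selector and pinning rules above can be modelled to audit which profiles a pod could land on before it is deployed. This is an added example, not AWS code; the profile names, namespaces, and labels are constructed, and the function names are hypothetical.

```python
# Added example: models the selector rules described above (not AWS code).
PIN_LABEL = "eks.amazonaws.com/fargate-profile"
MAX_SELECTORS = 5

def validate_profile(name, selectors):
    """Reject profiles that break the documented limits."""
    if len(selectors) > MAX_SELECTORS:
        raise ValueError(f"{name}: more than {MAX_SELECTORS} selectors")
    for sel in selectors:
        if not sel.get("namespace"):
            raise ValueError(f"{name}: every selector needs a namespace")

def selector_matches(sel, namespace, labels):
    """Namespace must be equal and every selector label must be on the pod."""
    if sel["namespace"] != namespace:
        return False
    return all(labels.get(k) == v for k, v in sel.get("labels", {}).items())

def candidate_profiles(profiles, namespace, labels):
    """Profiles that may run the pod. More than one name means a random pick."""
    for name, selectors in profiles.items():
        validate_profile(name, selectors)
    matching = [name for name, selectors in profiles.items()
                if any(selector_matches(s, namespace, labels) for s in selectors)]
    pinned = labels.get(PIN_LABEL)
    if pinned is not None:
        # The pin only chooses among profiles the pod already matches.
        return [pinned] if pinned in matching else []
    return matching

# Constructed sample profiles (hypothetical names and labels).
PROFILES = {
    "ns-wide": [{"namespace": "payments"}],  # no labels: whole namespace
    "web-only": [
        {"namespace": "payments", "labels": {"app": "web"}},
        {"namespace": "staging", "labels": {"app": "web", "tier": "edge"}},
    ],
}

if __name__ == "__main__":
    for ns, labels in [("payments", {"app": "web"}),
                       ("payments", {"app": "web", PIN_LABEL: "web-only"}),
                       ("staging", {"app": "web"})]:
        print(ns, labels, "->", candidate_profiles(PROFILES, ns, labels))
```

A result with two or more names marks a pod whose profile, and therefore pod execution role and subnets, is chosen at random unless the pin label is set.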
When you create a Fargate profile, you must specify a pod execution role for the Amazon EKS components that run on the Fargate infrastructure using the profile. This role is added to the cluster's Kubernetes Role Based Access Control (RBAC) for authorization, so that the kubelet that's running on the Fargate infrastructure can register with your Amazon EKS cluster and appear in your cluster as a node. The pod execution role also provides IAM permissions to the Fargate infrastructure to allow read access to Amazon ECR image repositories. For more information, see Amazon EKS pod execution IAM role.
Fargate profiles are immutable. However, you can create a new updated profile to replace an existing profile and then delete the original after the updated profile has finished creating.
Any pods that are running using a Fargate profile will be stopped and put into pending when the profile is deleted.
If any Fargate profiles in a cluster are in the DELETING status, you must wait for that Fargate profile to finish deleting before you can create any other profiles in that cluster.
Amazon EKS and Fargate try to spread pods across each of the subnets defined in the Fargate profile, but you may end up with an uneven spread. If you must have an even spread (such as when deploying two replicas without any downtime), then you need to use two Fargate profiles. Each profile should have only one subnet.
Fargate profile components
The following components are contained in a Fargate profile.
- Pod execution role – When your cluster creates pods on AWS Fargate, the kubelet that's running on the Fargate infrastructure must make calls to AWS APIs on your behalf. This is, for example, to pull container images from Amazon ECR. The Amazon EKS pod execution role provides the IAM permissions to do this. When you create a Fargate profile, you must specify a pod execution role to use with your pods. This role is added to the cluster's Kubernetes Role-based access control (RBAC) for authorization. This is so that the kubelet that's running on the Fargate infrastructure can register with your Amazon EKS cluster and appear in your cluster as a node. For more information, see Amazon EKS pod execution IAM role.
- Subnets – The IDs of subnets to launch pods into that use this profile. At this time, pods that are running on Fargate aren't assigned public IP addresses. Therefore, only private subnets (with no direct route to an Internet Gateway) are accepted for this parameter.
- Selectors – The selectors to match for pods to use this Fargate profile. Each selector must have an associated namespace. Optionally, you can also specify labels for a namespace. You may specify up to five selectors in a Fargate profile. A pod must match only one selector to run using the Fargate profile.
  - Namespace – You must specify a namespace for a selector. The selector only matches pods that are created in this namespace, but you can create multiple selectors to target multiple namespaces.
  - Labels – You can optionally specify Kubernetes labels to match for the selector. The selector only matches pods that have all of the labels that are specified in the selector.
Creating a Fargate profile
This topic helps you to create a Fargate profile. AWS Fargate with Amazon EKS is available in all Amazon EKS Regions except AWS GovCloud (US-East) and AWS GovCloud (US-West). You also must have created a pod execution role to use for your Fargate profile. For more information, see Amazon EKS pod execution IAM role. Pods that are running on Fargate are only supported on private subnets (with NAT gateway access to AWS services, but not a direct route to an Internet Gateway), so your cluster's VPC must have private subnets available. You can create a profile with eksctl or the AWS Management Console. Select the tab with the name of the tool that you want to create your Fargate profile with.
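A pre-flight check for the private-subnet requirement, as an added example that is not part of the AWS documentation: it flags candidate subnets whose effective route table has a route to an Internet Gateway. The input follows the shape of `aws ec2 describe-route-tables` output for a single VPC (an assumption); all IDs are constructed and the function name is hypothetical.

```python
# Added example: find subnets with a direct Internet Gateway route.
def public_subnets(route_tables, subnet_ids):
    """Return the subnets in subnet_ids whose route table routes to an igw-*."""
    explicit, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt                      # fallback table for the VPC
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt

    def has_igw_route(rt):
        if rt is None:
            return False
        return any((r.get("GatewayId") or "").startswith("igw-")
                   for r in rt.get("Routes", []))

    # Subnets without an explicit association use the main route table.
    return [s for s in subnet_ids if has_igw_route(explicit.get(s, main))]

# Constructed sample data (all IDs are placeholders).
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
VIA_NAT = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}
VIA_IGW = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [LOCAL, VIA_NAT]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-pub"}],
     "Routes": [LOCAL, VIA_IGW]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"Main": False, "SubnetId": "subnet-priv-a"}],
     "Routes": [LOCAL, VIA_NAT]},
]

if __name__ == "__main__":
    wanted = ["subnet-priv-a", "subnet-priv-b", "subnet-pub"]
    print("not usable for Fargate:", public_subnets(ROUTE_TABLES, wanted))
```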
This procedure requires eksctl version 0.103.0 or later. You can check your version with the following command:
eksctl version
For instructions on how to install or upgrade eksctl, see Installing or upgrading eksctl.
Deleting a Fargate profile
This topic helps you to delete a Fargate profile.
When you delete a Fargate profile, any pods that were scheduled onto Fargate with the profile are deleted. If those pods match another Fargate profile, then they are scheduled on Fargate with that profile. If they no longer match any Fargate profiles, then they aren't scheduled onto Fargate and may remain as pending.
Only one Fargate profile in a cluster can be in the DELETING status at a time. Wait for a Fargate profile to finish deleting before you can delete any other profiles in that cluster.
You can delete a profile with eksctl, the AWS Management Console, or the AWS CLI. Select the tab with the name of the tool that you want to use to delete your profile.