Amazon Web Services

These are the required steps for you to successfully create an Elastic Container Service for Kubernetes on your own Amazon Web Services account.


Components you will need to create in your account

Step by step tutorial

Create your Elastic Container Service for Kubernetes

You can choose to either create your Kubernetes cluster through the UI or the console. Please follow AWS' instructions in their official site here.

In general, the tutorial will help you create:

Once the cluster is created, copy the following values:

The certificate is base64 encoded, you will need to decode it to utf8 - you can use this page to decode it. Just paste it there and copy the resulting certificate. Forma will need this value in the field Connection certificate content when adding the cluster.

Copy the API server endpoint that will be set in Forma in the field Kubernetes Cluster Address.

Make sure to enter the Kubernetes Cluster Address without the https:// part.

After these steps, there are some more things you need to do on AWS.

Add nodes to your Kubernetes cluster

Now, you will need to add nodes and join them to your cluster as explained in this official AWS tutorial here.

  • Do not set AssociatePublicIpAddress: 'false', otherwise Forma won't be able to reach your nodes
  • Set NodeInstanceType to at least t2.medium or m5.large (checkout the different instance types here)
  • Set NodeAutoScalingGroupMinSize to at least 3
  • Set BootstrapArguments to --enable-docker-bridge true, due to a recent change in AWS AMIs
  • Leave the rest as it is in the instructions.
  • Make sure the NodeImageId is the right one according to the region where you created your cluster.
  • After the stack is created continue to the section To enable worker nodes to join your cluster.

The tutorial ends before the section Step 4: Launch a Guest Book Application.

Update the security groups to allow access to NodePorts

In order for your cluster to be available from the outside, you'd need to allow access through a security group. 

Go to EC2.

Look for the nodes in the link Running instances. Select the first node and click on its security group.

Then edit the Inbound registries.

The new rule will include the ports that your cluster will use to communicate with the other organizations' clusters.

The just click Save.

Create a Service Account

Forma needs some permissions to the infrastructure it accesses, that's why we have a set of best practices in place that you can follow. Read more about what access Forma needs and why here.

Register a service account for Forma, so ir can access your cluster. Run kubectl apply -f and then run kubectl describe secrets forma-proxy-secret

Copy and save the  token that is shown once the script runs successfully.

Make sure you copy this token.

Setup your Forma Cluster

We will need a final value to be able to point Forma to your cluster. To get the  Public External Cluster Address. Go to your console again and run kubectl get nodes -o jsonpath="PublicIP: {.items[0].status.addresses[?(@.type=='ExternalIP')].address} ". This will get you the ExternalIP. Make sure to copy just the IP address and no other symbol.

Create a Cluster configuration in Forma

Login to Forma if you haven't yet And fill the "How to connect" fields accordingly to the previous instructions.

You will need the Kubernetes Cluster Address and Public External Cluster Address you got before, as well as the Token and the Connection certificate content.

Save the cluster configuration and head back to the home of Forma to create a new Network.

Summary of the data you need to get Forma to talk to your Cluster

In general, this is the data you will need to create configure your Cluster in Forma is the following, we have created this table to help you map the concepts.

In Forma In AWS How to get it
Kubernetes Cluster Address
API server endpoint From the web console.
Public External Cluster Address External IP You get it by running kubectl get nodes -o jsonpath="PublicIP: {.items[0].status.addresses[?(@.type=='ExternalIP')].address}"
Token Token You get it by running the downloaded script  bash ./
Connection certificate content Certificate authority From the web console.
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us