EKS deployment guide

This document outlines the installation steps for Amazon Elastic Kubernetes Service (EKS).

Launch an EKS cluster


Make sure Amazon EKS CLI (eksctl) is installed before proceeding.

We recommend launching a cluster with 2 m5.xlarge nodes to start, with autoscaling and network policy enabled. You can add additional CPU/GPU node pools as needed later.

Here are sample eksctl commands to create a bare minimum cluster:

eksctl create cluster --name=<cluster-name> --region <region> \
--nodes 2 \
--node-type m5.xlarge \
--node-volume-size 100 \
--nodes-min 2 \
--nodes-max 2 \
--asg-access \
--managed \

To enable auto scaling see Enable Auto Scaling

To enable network policy see Installing Calico on Amazon EKS

To enable logging see Enabling CloudWatch logging


You can optionally skip the logging configuration above and add --enable-efk-logging to opctl command below.

The eksctl command above will automatically retrieve your cluster's access credentials but you can also get them by running:

eksctl utils write-kubeconfig --cluster=<cluster-name> --region <region>

If you are not the person that created the cluster, you will need to be added to the cluster before you can use kubectl with these credentials.

Install Onepanel

  1. Download the latest opctl for your operating system from our release page.
# Download the binary
curl -sLO https://github.com/onepanelio/core/releases/download/latest/opctl-linux-amd64
# Make binary executable
chmod +x opctl-linux-amd64
# Move binary to path
mv ./opctl-linux-amd64 /usr/local/bin/opctl
# Test installation
opctl version
  1. Run the following command to initialize a params.yaml template for EKS:
opctl init --provider eks \
--enable-https \
--enable-cert-manager \
--dns-provider <dns-provider>

The --enable-https flag is optional and requires a TLS certificate, but it is highly recommended. You can optionally set the --enable-cert-manager and --dns-provider flags, so TLS certificates are automatically created and renewed via Let's Encrypt. If you do not set this flag and your DNS provider isn't one of the supported DNS providers, then you have to create a wildcard certificate and manually manage it.


If you have GPU nodes, you need to set the --gpu-device-plugins flag. Valid values are nvidia and amd or a comma separated combination of both nvidia,amd.

  1. Populate params.yaml by following the instructions in the template, you can also refer to configuration files for more detailed information.

It is highly recommended that you commit params.yaml file into a private repository and encrypt it with BlackBox or use a secret management service like Azure Key Vault, AWS Secret Manager, GCP Secret Manager or HashiCorp Vault.

  1. Finally, run the following command to deploy to your cluster:
opctl apply

If the command completes but it indicates that your cluster is not ready, you can check status again by running opctl app status. If you're still seeing issues, visit our Troubleshooting page.

  1. Once the deployment completes, the CLI will display the IP and wildcard domain you need to use to setup your DNS. You can also get this information again by running:
opctl app status
  1. Create a CNAME record in your DNS provider based on the instructions above.

You should use a wildcard CNAME record, for example: *.example.com or *.subdomain.example.com


If you're waiting for your DNS record to propogate, you can set up a hosts file to quickly test the deployment.

  1. Wait a few minutes and check the URL mentioned in the instructions above. Your applications should load with a screen prompting you to enter a token.

If the application is not loading, visit our Troubleshooting page for some steps that can help resolve most issues. If you are still having issues, join our Slack community or open an issue in GitHub.

  1. Use the following command to get your auth token to log into Onepanel:
opctl auth token