This guide walks through deploying Flyte on Amazon EKS using the flyte-binary Helm chart. The result is a single-cluster, production-capable Flyte installation backed by S3 and RDS.
Prerequisites
An EKS cluster with at least 3 nodes (e.g., m5.xlarge). Flyte’s control-plane components are lightweight but tasks need node capacity.
eksctl create cluster \
--name flyte \
--region us-east-1 \
--nodegroup-name standard \
--node-type m5.xlarge \
--nodes 3
Create one or two S3 buckets — one for Flyte metadata and one for user task data (they can be the same bucket):
aws s3 mb s3://my-flyte-metadata --region us-east-1
aws s3 mb s3://my-flyte-userdata --region us-east-1
Create a PostgreSQL 13+ RDS instance in the same VPC as your EKS cluster. Note the endpoint, username, password, and database name. The Flyte database should be named flyteadmin by default.
Flyte uses IAM Roles for Service Accounts (IRSA) so that pods can access S3 without static credentials. You need two IAM roles:
Backend role (FLYTE_BACKEND_IAM_ARN): used by the flyte-binary pod itself to access S3 for metadata
User role (FLYTE_USER_IAM_ARN): assumed by task pods in each project namespace
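Both roles need s3:GetObject, s3:PutObject, s3:DeleteObject, and s3:ListBucket on your buckets. Enable OIDC on your cluster and create the roles with eksctl. The command below attaches the AWS-managed AmazonS3FullAccess policy, which allows every S3 action on every bucket in the account; to grant only the actions listed here, attach a policy scoped to your buckets instead (see IAM policy reference):
eksctl utils associate-iam-oidc-provider \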
--cluster flyte --region us-east-1 --approve
eksctl create iamserviceaccount \
--cluster flyte \
--namespace flyte \
--name flyte-backend \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess \
--override-existing-serviceaccounts \
--approve
Installation
Add the Flyte Helm repo
helm repo add flyteorg https://flyteorg.github.io/flyte
helm repo update
Download the EKS starter values
curl -sL https://raw.githubusercontent.com/flyteorg/flyte/master/charts/flyte-binary/eks-starter.yaml \
-o values.yaml
Edit values.yaml
Replace all placeholder values. The full file is shown below with annotations.
Install with Helm
helm install flyte-backend flyteorg/flyte-binary \
--namespace flyte \
--create-namespace \
--values values.yaml
EKS values reference
This is the complete eks-starter.yaml with all required fields:
configuration:
  database:
    username: postgres
    password: <DB_PASSWORD>
    host: <RDS_HOST_DNS>
    dbname: flyteadmin
  storage:
    metadataContainer: <BUCKET_NAME>
    userDataContainer: <USER_DATA_BUCKET_NAME>
    provider: s3
    providerConfig:
      s3:
        region: "<AWS-REGION-CODE>"
        authType: "iam" # Uses IRSA — no static keys needed
  logging:
    level: 5
    plugins:
      cloudwatch:
        enabled: true
        templateUri: |-
          https://console.aws.amazon.com/cloudwatch/home?region=<AWS_REGION>#logEventViewer:group=/aws/eks/<EKS_CLUSTER_NAME>/cluster;stream=var.log.containers.{{ .podName }}_{{ .namespace }}_{{ .containerName }}-{{ .containerId }}.log
  auth:
    enabled: false # Set to true and configure OIDC for production
    oidc:
      baseUrl: <YOUR_IDP_BASE_URL>
      clientId: <IDP_CLIENT_ID>
      clientSecret: <IDP_CLIENT_SECRET>
    internal:
      clientSecret: <CC_PASSWD>
      clientSecretHash: <HASHED_CC_PASSWD>
    authorizedUris:
      - https://flyte.company.com
  inline:
    # Annotate the default KSA in each project namespace for IRSA
    cluster_resources:
      customData:
        - production:
            - defaultIamRole:
                value: <FLYTE_USER_IAM_ARN>
        - staging:
            - defaultIamRole:
                value: <FLYTE_USER_IAM_ARN>
        - development:
            - defaultIamRole:
                value: <FLYTE_USER_IAM_ARN>
    flyteadmin:
      roleNameKey: "iam.amazonaws.com/role"
    plugins:
      k8s:
        inject-finalizer: true
        default-env-vars:
          - AWS_METADATA_SERVICE_TIMEOUT: 5
          - AWS_METADATA_SERVICE_NUM_ATTEMPTS: 20
    storage:
      cache:
        max_size_mbs: 10
        target_gc_percent: 100
    tasks:
      task-plugins:
        enabled-plugins:
          - container
          - sidecar
          - K8S-ARRAY
          - connector-service
          - echo
        default-for-task-types:
          - container: container
          - container_array: K8S-ARRAY
clusterResourceTemplates:
  inline:
    # Automatically create namespaces for each project+domain
    001_namespace.yaml: |
      apiVersion: v1
      kind: Namespace
      metadata:
        name: '{{ namespace }}'
    # Annotate the default KSA with the IAM role ARN
    002_serviceaccount.yaml: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: default
        namespace: '{{ namespace }}'
        annotations:
          eks.amazonaws.com/role-arn: '{{ defaultIamRole }}'
ingress:
  create: true
  # ALB Ingress Controller (recommended on EKS)
  ingressClassName: alb
  commonAnnotations:
    alb.ingress.kubernetes.io/certificate-arn: 'arn:aws:acm:<AWS-REGION>:<ACCOUNT-ID>:certificate/<CERT-ID>'
    alb.ingress.kubernetes.io/group.name: flyte
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/target-type: ip
  httpAnnotations:
    alb.ingress.kubernetes.io/actions.app-root: '{"Type": "redirect", "RedirectConfig": {"Path": "/console", "StatusCode": "HTTP_302"}}'
  grpcAnnotations:
    alb.ingress.kubernetes.io/backend-protocol-version: GRPC
  host: flyte.mydomain.com
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: "<FLYTE_BACKEND_IAM_ARN>"
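A pre-install check for the edited values.yaml, as an added example (not Flyte project code): it flags placeholders that were never replaced and the combination of auth.enabled: false with an internet-facing ALB, which leaves the console and API reachable without login. The function names and the sample excerpt are constructed here; the parser covers only the block-style mappings this file uses, and a missing auth.enabled is treated as disabled (assumption).

```python
import re

PLACEHOLDER = re.compile(r"<[A-Za-z][A-Za-z0-9_-]*>")
KEY_LINE = re.compile(r"^(\s*)(?:-\s+)?([^\s#:][^:]*?)\s*:(?:\s+(.*))?$")
AUTH = ("configuration", "auth", "enabled")
SCHEME = ("ingress", "commonAnnotations", "alb.ingress.kubernetes.io/scheme")


def flatten(text):
    """Map key paths to scalar values. Handles only block-style mappings as
    used in this values file; it is not a general YAML parser (assumption)."""
    stack, flat = [], {}
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3) or ""
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key))
        value = re.sub(r"\s+#.*$", "", value).strip().strip("'\"")
        if value:
            flat[tuple(k for _, k in stack)] = value
    return flat


def preflight(text):
    """Return (kind, detail) findings that should block `helm install`."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        code = re.sub(r"(^|\s)#.*$", "", line)  # drop comments, keep URL fragments
        findings += [("placeholder", f"line {number}: {token}")
                     for token in PLACEHOLDER.findall(code)]
    flat = flatten(text)
    auth_on = flat.get(AUTH, "false").lower() == "true"  # absent counts as off
    if not auth_on and flat.get(SCHEME) == "internet-facing":
        findings.append(("exposure", "auth disabled behind an internet-facing ALB"))
    return findings


# Constructed excerpt of the values file shown above.
SAMPLE = """\
configuration:
  database:
    password: <DB_PASSWORD>
  auth:
    enabled: false  # Set to true and configure OIDC for production
ingress:
  commonAnnotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
"""

if __name__ == "__main__":
    for kind, detail in preflight(SAMPLE):
        print(f"{kind}: {detail}")
```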
Verify the installation
# Check the Flyte pod
kubectl get pods -n flyte
# Port-forward for initial testing (before DNS is set up)
kubectl -n flyte port-forward service/flyte-binary 8088:8088 8089:8089
Open http://localhost:8088/console in your browser.
# Point flytectl at the local port-forward (for testing)
flytectl config init --host localhost:8088
# Or configure directly against the ALB hostname
flytectl config init --host flyte.mydomain.com
IAM policy reference
The backend IAM role (attached to the flyte-binary service account) needs at minimum:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-flyte-metadata",
        "arn:aws:s3:::my-flyte-metadata/*",
        "arn:aws:s3:::my-flyte-userdata",
        "arn:aws:s3:::my-flyte-userdata/*"
      ]
    }
  ]
}
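A check that a policy document stays within the minimum shown above, as an added example (not part of the Flyte documentation): it reports every allowed action or resource that goes beyond the five actions and two buckets on this page, such as the wildcard grant carried by a managed full-access policy. audit_policy and both sample documents are constructed here.

```python
import json
from fnmatch import fnmatchcase

# Minimum actions and bucket ARNs from the page's IAM policy reference.
ALLOWED_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject",
                   "s3:listbucket", "s3:getbucketlocation"}
BUCKETS = ("my-flyte-metadata", "my-flyte-userdata")
ALLOWED_RESOURCES = [f"arn:aws:s3:::{b}{suffix}" for b in BUCKETS for suffix in ("", "/*")]


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (statement_index, field, value) for every grant beyond the minimum."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for key in ("NotAction", "NotResource"):
            if key in stmt:  # "everything except ..." is never least privilege
                findings.append((idx, key, json.dumps(stmt[key])))
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; any wildcard exceeds the list.
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            # Accept the bucket ARNs themselves and anything under "<bucket>/".
            if not any(fnmatchcase(resource, ok) for ok in ALLOWED_RESOURCES):
                findings.append((idx, "Resource", resource))
    return findings


# Constructed samples: the scoped policy from this page, and a wildcard grant
# of the kind a managed "full access" policy carries.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
               "s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": ALLOWED_RESOURCES}]})
WILDCARD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("wildcard", WILDCARD)):
        print(name, audit_policy(doc) or "OK")
```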