Amazon EKS
Fusion streamlines the deployment of Nextflow pipelines in Kubernetes because it replaces the need to configure and maintain a shared file system in your cluster.
Platform Amazon EKS compute environments
Seqera Platform supports Fusion in Amazon Elastic Kubernetes Service (Amazon EKS) compute environments.
See Amazon EKS for Platform instructions to enable Fusion.
Nextflow CLI
Fusion file system implements a lazy download and upload algorithm that runs in the background to transfer files in
parallel to and from the object storage into the container-local temporary directory (/tmp). To achieve optimal performance, set up an SSD volume as the temporary directory.
Several AWS EC2 instance types include one or more NVMe SSD volumes. These volumes must be formatted to be used. See SSD instance storage for details.
To use Fusion directly in Nextflow with an Amazon EKS cluster, you must configure a namespace and service account and update your Nextflow configuration.
Kubernetes configuration
Create a namespace and a service account in your Kubernetes cluster to run the jobs submitted during pipeline execution.
-
Create a manifest that includes the following configuration. For example:
---
apiVersion: v1
kind: Namespace
metadata:
name: fusion-demo
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: fusion-demo
name: fusion-sa
annotations:
eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/fusion-demo-role"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: fusion-demo
name: fusion-role
rules:
- apiGroups: [""]
resources: ["pods", "pods/status", "pods/log", "pods/exec"]
verbs: ["get", "list", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
namespace: fusion-demo
name: fusion-rolebind
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: fusion-role
subjects:
- kind: ServiceAccount
name: fusion-saReplace
<ACCOUNT_ID>with your account ID. -
Configure your AWS IAM role to provide read-write permission to the S3 bucket used as the pipeline work directory. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::<S3_BUCKET>"]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::<S3_BUCKET>/*"],
"Effect": "Allow"
}
]
}Replace
<S3_BUCKET>with your bucket name. -
Define a role trust relationship. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<CLUSTER_ID>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.eu-west-2.amazonaws.com/id/<CLUSTER_ID>:aud": "sts.amazonaws.com",
"oidc.eks.eu-west-2.amazonaws.com/id/<CLUSTER_ID>:sub": "system:serviceaccount:fusion-demo:fusion-sa"
}
}
}
]
}Replace the following:
<ACCOUNT_ID>: AWS account ID<REGION>: AWS region<CLUSTER_ID>: cluster ID
Nextflow configuration
-
Add the following to your
nextflow.configfile:process.executor = 'k8s'
wave.enabled = true
fusion.enabled = true
tower.accessToken = '<PLATFORM_ACCESS_TOKEN>'
k8s.context = '<K8S_CLUSTER_CONTEXT>'
k8s.namespace = 'fusion-demo'
k8s.serviceAccount = 'fusion-sa'Replace the following:
<PLATFORM_ACCESS_TOKEN>: your Platform access token.<K8S_CLUSTER_CONTEXT>: your Kubernetes context.
-
Run the pipeline with the Nextflow run command:
nextflow run <YOUR PIPELINE SCRIPT> -w s3://<S3_BUCKET>/workReplace the following:
<PIPELINE_SCRIPT>: your pipeline Git repository URI.<S3_BUCKET>: your S3 bucket.
When using Fusion, pods will run as privileged by default.
To use Fusion without the need for escalating privileges, install the Nextflow FUSE device plugin on your Kubernetes cluster and add set fusion.privileged to false in your nextflow.config file:
fusion.privileged = false
To use a custom FUSE device plugin, specify it via the k8s.fuseDevicePlugin configuration option. See Kubernetes configuration options for details.