|
| 1 | +# eks |
| 2 | + |
| 3 | +Builds and EKS cluster using this module: https://github.com/terraform-aws-modules/terraform-aws-eks |
| 4 | + |
| 5 | +## Post cluster creation |
| 6 | + |
| 7 | +list clusters |
| 8 | +``` |
| 9 | +aws eks --region us-east-1 list-clusters |
| 10 | +``` |
| 11 | + |
| 12 | +Get kubeconfig |
| 13 | +``` |
| 14 | +aws eks --region us-east-1 update-kubeconfig --name eks-dev |
| 15 | +``` |
| 16 | + |
| 17 | +## aws-auth config map |
| 18 | +Due to the changes in how the AWS EKS module works, the module is not applying the aws-auth's configmap anymore. This means we have to apply it. |
| 19 | + |
| 20 | + |
| 21 | +If using Github Actions to run this module, you will have to download `kubectl` into the pipeline. |
| 22 | +``` |
| 23 | + - name: 'Download kubectl' |
| 24 | + run: | |
| 25 | + curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" |
| 26 | + chmod 755 kubectl |
| 27 | + cp kubectl ${{ github.workspace }}/tmp_bin/kubectl |
| 28 | +``` |
| 29 | + |
| 30 | +Then set this input parameter: |
| 31 | +``` |
| 32 | +kubectl_binary = "/github/workspace/kubectl" |
| 33 | +``` |
| 34 | + |
| 35 | +## Granting permissions to kubectl |
| 36 | +Using `kubectl` with an EKS cluster authenticates with AWS IAM. The creator of the EKS cluster will be granted permission to the cluster on creation. This is essentially the first user on the cluster. For other AWS users or users that assumes IAM roles, these users/roles will have to be added into the list. |
| 37 | + |
| 38 | +Without adding in any user/roles to the cluster when running `kubectl` commands the user will be denied: |
| 39 | +``` |
| 40 | +kubectl get pods |
| 41 | +error: You must be logged in to the server (Unauthorized) |
| 42 | +``` |
| 43 | + |
| 44 | +You can go to: `AWS Console -> CloudWatch -> Logs -> Log groups -> /aws/eks/<cluster name>/cluster` |
| 45 | + |
| 46 | +There is a log stream named: `authenticator-XXXXXXX` |
| 47 | + |
| 48 | +This log stream holds the logs for the Kubernetes aws-auth pod running in this cluster that is doing the authentication. You can search the logs for denied messages such as: |
| 49 | + |
| 50 | +``` |
| 51 | +time="2022-10-11T18:10:41Z" level=info msg="STS response" accesskeyid=ASIAW5Y4UBHMUKVMVAAA accountid=476264531111 arn="arn:aws:sts::47626451111:assumed-role/AWSReservedSSO_devops_admin_595c0f4da82205f0/[email protected]" client="127.0.0.1:36738" method=POST path=/authenticate [email protected] userid=AROAW5Y4UBHMR662MVVH4 |
| 52 | +``` |
| 53 | + |
| 54 | +The key item to find in there is the role and in this specific log is: |
| 55 | +``` |
| 56 | +role/AWSReservedSSO_devops_admin_595c0f4da82205f0 |
| 57 | +``` |
| 58 | + |
| 59 | +You will then have to go into the `AWS Console -> IAM -> Roles` and search for `AWSReservedSSO_devops_admin_595c0f4da82205f0`. When you find this role, you can click on the details of it and copy the AWS ARN. |
| 60 | + |
| 61 | +In this case it is: `arn:aws:iam::476264531111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_devops_admin_595c0f4da82205f0` |
| 62 | + |
| 63 | +You will then add this user or role to the appropriate section in the Terragrunt/Terraform instantiation of it: https://github.com/ManagedKube/kubernetes-ops/blob/main/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/200-eks/terragrunt.hcl |
| 64 | + |
| 65 | +``` |
| 66 | + aws_auth_roles = [ |
| 67 | + { |
| 68 | + rolearn = "arn:aws:iam::476264531111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_devops_admin_595c0f4da82205f0" |
| 69 | + username = "devops-admin" |
| 70 | + groups = ["system:masters"] |
| 71 | + }, |
| 72 | + ``` |
| 73 | + |
| 74 | + |
| 75 | + |
0 commit comments