Creating an AWS EKS Cluster and Providing Access to Developer
Create an AWS EKS Cluster and give logging/debugging access to the developer's EC2 who does not have access in AWS Console or are not added as an IAM user.
1. Introduction
This article is going to talk about mainly two points:
- How to create an AWS EKS Cluster.
- How to provide an AWS EKS cluster access to a developer who does not have admin access to AWS.
To deploy microservices, we need to create AWS EKS clusters such as dev and QA. Once the clusters are available, every developer should be able to access them from their EC2 instance for logging and debugging purposes.
2. EKS Cluster creation:
To create an AWS EKS cluster, you need the following tools/CLIs installed on your system:
- AWS CLI
- EKSCTL CLI
- KUBECTL CLI
2.1 Install AWS CLI
Follow the below steps to install AWS CLI.
$ curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
$ sudo yum -y install unzip
$ unzip awscli-bundle.zip
$ sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
$ /usr/local/bin/aws --version
Using AWS CLI on Linux
Before you can start using the AWS CLI tool to interact with AWS services, you need to configure it by running the "aws configure" command.
$ aws configure
This will ask you to provide the following few details:
AWS Access Key ID
AWS Secret Access Key
Default region-name
Default output format
2.2 Install EKSCTL CLI
Follow the steps below to install or upgrade to the latest version of the eksctl command-line utility.
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
eksctl version
2.3 Install KUBECTL CLI
Follow the steps below to download and install the Amazon EKS vended kubectl binary for Linux.
curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.20.4/2021-04-12/bin/linux/amd64/kubectl
chmod +x ./kubectl
mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
kubectl version --short --client
2.4 AWS EKS Cluster Creation:
With the prerequisites installed, use the sample eksctl ClusterConfig below to create an EKS cluster with 2 nodes in an existing VPC.
###EKS.YML###
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: sample-cluster
  region: <region>
vpc:
  id: vpc-id-12345
  subnets:
    private:
      <region>-a: { id: "subnetxxxxxxxxx" }
      <region>-c: { id: "subnetxxxxxxxxy" }
nodeGroups:
  - name: worker-nodes
    instanceType: t3.micro
    desiredCapacity: 2
    privateNetworking: true
    targetGroupARNs:
      - arn:aws:elasticloadbalancing:us-east-2:xxxxxxxxxxxx:targetgroup/sample-service/a1b2c3d4e5f6
    preBootstrapCommands:
      # Marks the private registry as insecure: Docker will accept plain HTTP or an untrusted certificate for it.
      # Only needed when the registry has no certificate the nodes trust.
      - "sed -i '2i \"insecure-registries\": [\"<DockerRepoURL:PORT>\"],' /etc/docker/daemon.json"
      - "systemctl restart docker"
    ssh:
      publicKeyName: sample-eks # Update this with your SSH key (pem) name.
When that is done, execute the command below to create the AWS EKS cluster with the eksctl CLI.
eksctl create cluster --config-file ./eks.yml
Now check the AWS console; the EKS cluster is being created and will take some time to spin up completely.
3. Provide AWS EKS Cluster Access to Developers
Every developer is given an AWS EC2 instance for development; from there they can access the EKS cluster for logging and debugging. To give cluster access to developers who have no AWS console access and are not IAM users, "get" and "list" permissions will be configured for the Kubernetes objects in the bound namespace.
3.1 Create a Role
First, create an IAM role with the following details:
RoleName - sample-k8s-devs
Trust Relationship - Amazon EC2 and eks.amazonaws.com
3.2 Create a Policy and Attach to the Role
PolicyName: sample-k8s-policy
Action: sts:AssumeRole, eks:DescribeCluster and eks:ListClusters
Effect: Allow
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::XXXXXXXXXXXXX:role/sample-k8s-devs"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
3.3 Attach the IAM Role to EC2 Instances
Attach this IAM role to all the AWS EC2 instances provided to developers. Here is how you can do it:
Log in to the AWS Console > EC2 Dashboard > select the EC2 instance > Actions > Instance Settings > Attach/replace IAM role, and choose sample-k8s-devs.
3.4 Create RBAC to Provide Access
Create a role.yaml file as shown below:
### role.yaml ###
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
  - apiGroups: ["*"]
    # Narrower alternative to the wildcard below. Note that "*" also covers secrets in this
    # namespace, and that "nodes" is cluster-scoped, so a namespaced Role cannot grant it.
    #resources: ["pods", "pods/log", "events", "nodes", "deployments", "replicasets", "services"]
    resources: ["*"]
    verbs: ["get", "list"]
Then create a rolebinding.yaml file as shown below:
### rolebinding.yaml ###
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: full_access_role_binding
  namespace: default # Namespace where access is required
subjects:
  - kind: User
    name: sample-k8s-devs # Must match the username mapped in aws-auth for the IAM role
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-and-pod-logs-reader # Role created in role.yaml
  apiGroup: rbac.authorization.k8s.io
Once the files are ready, execute the commands below:
kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml
AWS-Auth ConfigMap change
Next, map the IAM role to the Kubernetes username used in the RoleBinding by editing the aws-auth ConfigMap:
kubectl describe configmap -n kube-system aws-auth
kubectl edit -n kube-system configmap/aws-auth
You will see the default view of the ConfigMap, as follows:
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::XXXXXXXXXXXX:role/eksctl-sample-cluster-nodegroup-sample-NodeInstanceRole-A1B2C3D4F5
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2021-05-25T15:15:33Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "208800"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 5f6f05fd-ce56-539f-c9d9-c9633ce8b61f
Now, add the two lines marked below to the ConfigMap:
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::XXXXXXXXXXXX:role/eksctl-sample-cluster-nodegroup-sample-NodeInstanceRole-A1B2C3D4F5
      username: system:node:{{EC2PrivateDNSName}}
    ######################## Below 2 lines ############################
    - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/sample-k8s-devs # IAM role ARN
      username: sample-k8s-devs # Username used as the RoleBinding subject
    ###################################################################
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2021-05-25T15:15:33Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "208800"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 5f6f05fd-ce56-539f-c9d9-c9633ce8b61f
If you want to give a particular IAM user admin access to EKS, add the user's ARN under "mapUsers" as shown below (system:masters is full cluster-admin):
  mapUsers: |
    - groups:
      - system:masters
      username: arn:aws:iam::XXXXXXXXXXXX:user/myuser
      userarn: arn:aws:iam::XXXXXXXXXXXX:user/myuser
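As an added example (not code from the original article), the following Python script models the access path configured above: the aws-auth mapRoles entry maps the IAM role ARN to a username, the RoleBinding ties that username to the Role in the default namespace, and the Role's rules decide each request. It embeds the parsed form of the page's manifests inline and uses a simplified RBAC matcher, not the real Kubernetes authorizer; the account ID is the page's placeholder.

```python
"""Offline model of who can do what after the RBAC and aws-auth steps (constructed example).
Simplified Kubernetes RBAC matching: a Role is namespaced, and a rule matches when the
verb, apiGroup and resource each appear in the rule's list or the list holds "*"."""

# Parsed form of the page's role.yaml (constructed inline).
ROLE = {"namespace": "default",
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}]}
# Same Role with the narrower resource list the page leaves commented out.
NARROW_ROLE = {"namespace": "default", "rules": [{
    "apiGroups": ["*"], "verbs": ["get", "list"],
    "resources": ["pods", "pods/log", "events", "nodes", "deployments", "replicasets", "services"]}]}
# Parsed form of rolebinding.yaml: the subject is the username set in aws-auth.
ROLE_BINDING = {"namespace": "default", "subject": "sample-k8s-devs"}
# The mapRoles entry added to the aws-auth ConfigMap (page's placeholder account id).
DEV_ROLE_ARN = "arn:aws:iam::XXXXXXXXXXXX:role/sample-k8s-devs"
MAP_ROLES = [{"rolearn": DEV_ROLE_ARN, "username": "sample-k8s-devs"}]


def username_for_role(rolearn):
    """Kubernetes username the IAM role is mapped to in aws-auth, or None if unmapped."""
    return next((e["username"] for e in MAP_ROLES if e["rolearn"] == rolearn), None)


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    """A subresource such as pods/log matches only a rule naming "pods/log" or "*"."""
    return (_matches(rule["verbs"], verb) and _matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource))


def can_i(rolearn, verb, resource, namespace, api_group="", role=ROLE):
    """True when an EC2 instance holding rolearn may perform the request."""
    user = username_for_role(rolearn)
    if user != ROLE_BINDING["subject"] or namespace != ROLE_BINDING["namespace"]:
        return False  # unmapped role, different subject, or outside the bound namespace
    return any(rule_allows(r, verb, api_group, resource) for r in role["rules"])


def readable_sensitive_resources(role, sensitive=("secrets", "serviceaccounts")):
    """Sensitive namespaced resources the role can read; a "*" resource list covers them all."""
    return [res for res in sensitive
            if any(rule_allows(r, "get", "", res) for r in role["rules"])]
```

Running `readable_sensitive_resources(ROLE)` shows that the wildcard Role also lets developers read secrets in the default namespace, which the commented-out resource list avoids.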
3.5 AWS EKS Cluster Access from the AWS Dev VM
To access the AWS EKS cluster from an AWS Dev VM, log in to the Dev VM that has the IAM role attached and run:
aws eks update-kubeconfig --name sample-cluster --region us-east-2 --role-arn arn:aws:iam::XXXXXXXXXXXX:role/sample-k8s-devs
The following parameters are passed with this command:
--name <EKS Cluster Name> i.e. “sample-cluster”
--role-arn <IAM role ARN> i.e. the ARN of “sample-k8s-devs”
--region <AWS region> i.e. “us-east-2”
The command downloads the cluster details and updates the KUBECONFIG file, which is required to access the Kubernetes cluster. Once the update is successful, a confirmation message is displayed.
Now the user can perform “get” and “list” actions on all objects in the bound namespace (default here). Developers can see logs and events, but no update, delete or create actions are allowed.
4. Reference Commands for Developers
Here are some reference commands that developers can execute for logging and debugging purposes:
kubectl logs pods/nginx
kubectl get events
kubectl get pods
kubectl get svc
kubectl get deployments
For example:
[ec2-user]$ kubectl logs pods/nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/05/26 11:00:53 [notice] 1#1: using the "epoll" event method
2021/05/26 11:00:53 [notice] 1#1: nginx/1.21.0
2021/05/26 11:00:53 [notice] 1#1: built by gcc 8.3.0 (Debian 8.3.0-6)
2021/05/26 11:00:53 [notice] 1#1: OS: Linux 5.4.117-58.216.amzn2.x86_64
2021/05/26 11:00:53 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/05/26 11:00:53 [notice] 1#1: start worker processes
2021/05/26 11:00:53 [notice] 1#1: start worker process 30
2021/05/26 11:00:53 [notice] 1#1: start worker process 31
[ec2-user]$ kubectl get events
LAST SEEN TYPE REASON OBJECT MESSAGE
51m Normal Killing pod/nginx Stopping container nginx
51m Normal Scheduled pod/nginx Successfully assigned default/nginx to ip-10-12-125-116.us-east-2.compute.internal
51m Normal Pulling pod/nginx Pulling image "nginx"
51m Normal Pulled pod/nginx Successfully pulled image "nginx" in 447.694638ms
51m Normal Created pod/nginx Created container nginx
51m Normal Started pod/nginx Started container nginx
With that, developers without AWS console access or IAM user permission can easily access the EKS cluster for logging and debugging purposes.
Keep learning! As Leonardo da Vinci said, “Learning never exhausts the mind.”