Creating an AWS EKS Cluster and Providing Access to Developer

Create an AWS EKS cluster and give logging/debugging access, from their EC2 instances, to developers who have no AWS Console access and are not added as IAM users.

By Vikas Agrawal · Jul. 16, 21 · Tutorial

1. Introduction

This article covers two main points:

  1. How to create an AWS EKS cluster.
  2. How to give EKS cluster access to a developer who does not have admin access to AWS.

To deploy microservices, we need AWS EKS clusters for environments such as dev and QA. Once the clusters are available, every developer should be able to reach them from their EC2 instance for logging and debugging purposes.

2. EKS Cluster Creation

To create an AWS EKS cluster, you need the following tools/CLIs installed on your system:

  • AWS CLI
  • EKSCTL CLI
  • KUBECTL CLI

2.1 Install AWS CLI

Follow the below steps to install AWS CLI.

Shell
 
$ curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
$ sudo yum -y install unzip
$ unzip awscli-bundle.zip
$ sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
$ /usr/local/bin/aws --version


Using AWS CLI on Linux

Before you can use the AWS CLI to interact with AWS services, configure it by running the aws configure command.

Shell
 
$ aws configure


This will ask you to provide the following few details:

  • AWS Access Key ID

  • AWS Secret Access Key

  • Default region name

  • Default output format

2.2 Install EKSCTL CLI

Follow the steps below to install or upgrade to the latest version of the eksctl command line utility.

Shell
 
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
eksctl version


2.3 Install KUBECTL CLI

Follow the steps below to download and install the Amazon EKS vended kubectl binary for Linux.

Shell
 
curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.20.4/2021-04-12/bin/linux/amd64/kubectl
chmod +x ./kubectl
mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
kubectl version --short --client


2.4 AWS EKS Cluster Creation

With the prep work done, use the sample eksctl YAML below to create an EKS cluster with 2 nodes in an existing VPC. Replace the <region>, VPC, subnet, target group and SSH key placeholders with your own values. Note that the preBootstrapCommands register an insecure registry with the Docker daemon on every node, which makes Docker accept plain HTTP or an untrusted certificate for that registry; leave those two commands out unless your image registry really requires it.

YAML
 
### eks.yml ###
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: sample-cluster
  region: <region>
vpc:
  id: vpc-id-12345
  subnets:
    private:
      <region>-a: { id: "subnetxxxxxxxxx" }
      <region>-c: { id: "subnetxxxxxxxxy" }
nodeGroups:
  - name: worker-nodes
    instanceType: t3.micro
    desiredCapacity: 2
    privateNetworking: true
    targetGroupARNs:
      - arn:aws:elasticloadbalancing:us-east-2:xxxxxxxxxxxx:targetgroup/sample-service/a1b2c3d4e5f6
    preBootstrapCommands:
      - "sed -i '2i \"insecure-registries\": [\"<DockerRepoURL:PORT>\"],' /etc/docker/daemon.json"
      - "systemctl restart docker"
    ssh:
      publicKeyName: sample-eks # Update this with your EC2 SSH key pair name.


When that is done, run the command below to create the cluster with eksctl.

Shell
 
eksctl create cluster --config-file ./eks.yml


Now check the AWS console: the EKS cluster is being created, and it will take some time to spin up completely.

3. Provide AWS EKS Cluster Access to Developers


Each developer is given an AWS EC2 instance for development work; from there they can access the EKS cluster for logging and debugging. To give EKS access to developers who have no AWS console access and/or are not added as IAM users, “get” and “list” permissions will be configured for all the objects in Kubernetes.

3.1 Create a Role

First, create an IAM role with the following details:

RoleName: sample-k8s-devs

Trust relationship (trusted entities):

  • Amazon EC2

  • eks.amazonaws.com

3.2 Create a Policy and Attach to the Role


PolicyName: sample-k8s-policy

Action: sts:AssumeRole, eks:DescribeCluster and eks:ListClusters

Effect: Allow

JSON
 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::XXXXXXXXXXXXX:role/sample-k8s-devs"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}


3.3 Attach the IAM Role to EC2 Instances

Attach this IAM role to all the AWS EC2 instances provided to developers. Here is how you can do it:

Log in to the AWS Console > EC2 Dashboard > select the EC2 instance > Actions > Instance Settings > Attach/Replace IAM Role, and choose sample-k8s-devs.

3.4 Create RBAC to Provide Access

Create a role.yaml file as shown below. The commented-out resources line is the narrower alternative: with resources: ["*"], get and list apply to every resource type in the namespace, including Secrets, so developers would be able to read every Secret there.

YAML
 
### role.yaml ###
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: ["*"]
  # Narrower alternative: resources: ["pods", "pods/log", "events", "nodes", "deployments", "replicasets", "services"]
  resources: ["*"]
  verbs: ["get", "list"]


Then create a rolebinding.yaml file as shown below:

YAML
 
### rolebinding.yaml ###
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: full_access_role_binding
  namespace: default # Namespace where access is required
subjects:
- kind: User
  name: sample-k8s-devs # Must match the username mapped to the IAM role in the aws-auth ConfigMap
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-and-pod-logs-reader # Role created in role.yaml
  apiGroup: rbac.authorization.k8s.io


Once both files are in place, apply them:

Shell
 
kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml


Update the aws-auth ConfigMap

The aws-auth ConfigMap in kube-system maps IAM roles and users to Kubernetes usernames and groups; it is what makes the IAM role created above visible to RBAC. Inspect it and open it for editing:

Shell
 
kubectl describe configmap -n kube-system aws-auth
kubectl edit -n kube-system configmap/aws-auth


You will see the default contents of the ConfigMap, similar to the following:

YAML
 
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::XXXXXXXXXXXX:role/eksctl-sample-cluster-nodegroup-sample-NodeInstanceRole-A1B2C3D4F5
      username: system:node:{{EC2PrivateDNSName}}

  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2021-05-25T15:15:33Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "208800"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 5f6f05fd-ce56-539f-c9d9-c9633ce8b61f


Now add the two lines marked below under mapRoles, mapping the IAM role ARN to the username used in rolebinding.yaml.

YAML
 
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::XXXXXXXXXXXX:role/eksctl-sample-cluster-nodegroup-sample-NodeInstanceRole-A1B2C3D4F5
      username: system:node:{{EC2PrivateDNSName}}
      ######################## Below 2 lines ############################
    - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/sample-k8s-devs #IAM role ARN
      username: sample-k8s-devs #IAM role created in AWS
      ###################################################################
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2021-05-25T15:15:33Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "208800"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 5f6f05fd-ce56-539f-c9d9-c9633ce8b61f


If you want to give a particular IAM user admin access to EKS, add the user ARN under mapUsers with the system:masters group, as shown below (system:masters is bound to cluster-admin, so keep this list short):

YAML
 
mapUsers: |
    - groups:
      - system:masters
      username: arn:aws:iam::XXXXXXXXXXXX:user/myuser
      userarn: arn:aws:iam::XXXXXXXXXXXX:user/myuser


3.5 Access the EKS Cluster from the AWS Dev VM

To access the EKS cluster from an AWS dev VM, log in to a dev VM that has the IAM role attached and update the kubeconfig:

Shell
 
aws eks update-kubeconfig --name sample-cluster --region us-east-2 --role-arn arn:aws:iam::XXXXXXXXXXXX:role/sample-k8s-devs


The command takes the following parameters:

  • --name <EKS cluster name>, i.e. “sample-cluster”

  • --role-arn <IAM role ARN>, i.e. the ARN of “sample-k8s-devs”

  • --region <AWS region>

It then downloads the cluster details and updates the KUBECONFIG file, which is required to access the Kubernetes cluster; once this succeeds, a confirmation message is displayed.

Now the developer can perform “get” and “list” actions on all objects in the namespace where the Role and RoleBinding were created (default in this example). Developers can see logs and events, but no update, delete or create actions are allowed.
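As an added example (not from the article), the script below checks that the mapped developer identity has exactly the get/list access described above and nothing more, and warns when the wildcard resources: ["*"] in role.yaml also exposes Secrets. It assumes kubectl is on PATH with the kubeconfig written by update-kubeconfig; run it on the dev VM with DEV_USER="" to test your own identity, or as a cluster admin with DEV_USER set, which impersonates the username mapped in aws-auth. The variable and function names are this example's own.

```shell
#!/bin/sh
# Verifies that the mapped developer identity has exactly the read-only access
# described above, using "kubectl auth can-i" (one SubjectAccessReview per query).

KUBECTL="${KUBECTL:-kubectl}"
NAMESPACE="${NAMESPACE:-default}"        # namespace of role.yaml / rolebinding.yaml
DEV_USER="${DEV_USER:-sample-k8s-devs}"  # username from aws-auth mapRoles; "" = caller's own identity

# can_i VERB RESOURCE -> prints "yes" or "no" (empty if kubectl is unusable)
can_i() {
  if [ -n "$DEV_USER" ]; then
    "$KUBECTL" auth can-i "$1" "$2" -n "$NAMESPACE" --as="$DEV_USER" 2>/dev/null || true
  else
    "$KUBECTL" auth can-i "$1" "$2" -n "$NAMESPACE" 2>/dev/null || true
  fi
}

# check EXPECTED VERB RESOURCE -> 0 when the API server's answer matches EXPECTED
check() {
  actual="$(can_i "$2" "$3")"
  if [ "$actual" = "$1" ]; then
    printf 'ok    %-6s %-12s -> %s\n' "$2" "$3" "$actual"
    return 0
  fi
  printf 'FAIL  %-6s %-12s -> %s (expected %s)\n' "$2" "$3" "$actual" "$1"
  return 1
}

# audit_dev_access -> 0 only if every read is allowed and every write is denied
audit_dev_access() {
  rc=0
  check yes get    pods        || rc=1   # kubectl get pods
  check yes get    pods/log    || rc=1   # kubectl logs
  check yes list   events      || rc=1   # kubectl get events
  check yes list   deployments || rc=1   # kubectl get deployments
  check no  create pods        || rc=1
  check no  update services    || rc=1
  check no  delete deployments || rc=1
  return $rc
}

# secrets_readable -> 0 if the identity can read Secrets, which resources: ["*"]
# in role.yaml allows; list explicit resources there if that is not intended.
secrets_readable() {
  [ "$(can_i get secrets)" = "yes" ]
}
# Run the audit only when a real kubectl is on PATH (functions stay usable otherwise).
if command -v "$KUBECTL" >/dev/null 2>&1; then
  audit_dev_access || echo "RBAC does not match the intended read-only profile"
  ! secrets_readable || echo "WARNING: $DEV_USER can read Secrets in $NAMESPACE"
fi
```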

4. Reference Commands for Developers

Here are some reference commands that developers can run for logging and debugging purposes:

Shell
 
kubectl logs pods/nginx
kubectl get events
kubectl get pods
kubectl get svc
kubectl get deployments


For example:

Shell
 
[ec2-user]$ kubectl logs pods/nginx

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/05/26 11:00:53 [notice] 1#1: using the "epoll" event method
2021/05/26 11:00:53 [notice] 1#1: nginx/1.21.0
2021/05/26 11:00:53 [notice] 1#1: built by gcc 8.3.0 (Debian 8.3.0-6)
2021/05/26 11:00:53 [notice] 1#1: OS: Linux 5.4.117-58.216.amzn2.x86_64
2021/05/26 11:00:53 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/05/26 11:00:53 [notice] 1#1: start worker processes
2021/05/26 11:00:53 [notice] 1#1: start worker process 30
2021/05/26 11:00:53 [notice] 1#1: start worker process 31
Shell
 
[ec2-user]$ kubectl get events

LAST SEEN   TYPE     REASON      OBJECT      MESSAGE
51m         Normal   Killing     pod/nginx   Stopping container nginx
51m         Normal   Scheduled   pod/nginx   Successfully assigned default/nginx to ip-10-12-125-116.us-east-2.compute.internal
51m         Normal   Pulling     pod/nginx   Pulling image "nginx"
51m         Normal   Pulled      pod/nginx   Successfully pulled image "nginx" in 447.694638ms
51m         Normal   Created     pod/nginx   Created container nginx
51m         Normal   Started     pod/nginx   Started container nginx


With that, developers without AWS console access or IAM user permission can easily access the EKS cluster for logging and debugging purposes.

Keep learning! As Leonardo da Vinci said, “Learning never exhausts the mind.” 
