Amazon EKS Concepts: Difference between revisions
Revision as of 20:16, 3 September 2020
Internal
Overview
EKS Cluster
Control Plane
EKS Worker Node
EKS Worker Node IAM Role
Amazon EKS-optimized AMI
Worker Node Group
Node Group Name
Self-Managed Node Group
Contains self-managed worker nodes. The node group name can be used later to identify the Auto Scaling group that is created for these worker nodes.
Managed Node Group
Cluster Service Role
Cluster Endpoint
AWS Infrastructure Requirements
TODO: Topology diagram
Cluster VPC
Subnets
Security Groups
A dedicated security group for each cluster control plane is recommended.
EKS Platform Versions and Kubernetes Versions
Amazon EKS platform version.
Integration with ECR
Logging
Control Plane Logging
SLA
aws-iam-authenticator
Page 17.
aws-iam-authenticator Operations
.kube/config Configuration
AWS documentation refers to the Kubernetes configuration file as "kubeconfig".
EKS Security
IAM Role
An IAM role is needed when creating the EKS cluster. An IAM role can be created as described here. The use case should be "EKS - Cluster".
When the cluster is created, the identity that created the cluster (user or role) is added to the Kubernetes RBAC authorization table as the administrator (with system:masters permissions). Initially, only that IAM user can make calls to the Kubernetes API server using kubectl. That role is also known as the "Cluster Service Role".
EKS IAM Permissions
These are technically "actions", but they are commonly referred to as "permissions", which implies that the action is part of a formal permission construct associated with the entity requiring it.
- eks:DescribeCluster
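As an added example, not taken from the original page, here is the eks:DescribeCluster action placed in a formal permission construct: a CloudFormation template that defines a customer managed IAM policy allowing the action on one cluster only, rather than on every cluster in the account. The policy name and the REGION, ACCOUNT_ID and CLUSTER_NAME placeholders are assumptions. This is the permission that `aws eks update-kubeconfig` needs, since it calls DescribeCluster to fetch the cluster endpoint and certificate authority for the kubeconfig; it grants nothing on the Kubernetes API itself, which stays governed by the cluster's RBAC as described in the IAM Role section above.

```yaml
# Added example (not from the original page): least-privilege policy for
# eks:DescribeCluster, scoped to a single cluster ARN.
# REGION, ACCOUNT_ID and CLUSTER_NAME are placeholders to fill in.
AWSTemplateFormatVersion: "2010-09-09"
Description: Read-only permission to describe one EKS cluster (added example)

Resources:
  EksDescribeOneClusterPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: eks-describe-one-cluster   # hypothetical policy name
      Description: Allows aws eks update-kubeconfig for a single cluster
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowDescribeOneCluster
            Effect: Allow
            # The "action"; attaching it to an entity through this policy is
            # what turns it into a permission in the sense used above.
            Action: eks:DescribeCluster
            # Scope to one cluster instead of "*" so the entity cannot
            # enumerate endpoints of other clusters in the account.
            Resource: arn:aws:eks:REGION:ACCOUNT_ID:cluster/CLUSTER_NAME
```

Attach the resulting managed policy to the user or role that needs to build a kubeconfig. A principal holding only this policy can run `aws eks update-kubeconfig`, but its kubectl calls will be rejected by the API server until the cluster's RBAC grants it something.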
Autoscaling
Cluster Autoscaler
Horizontal Pod Autoscaler
Vertical Pod Autoscaler
Load Balancing and Ingress
TODO: https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support
TODO: https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#aws
annotations:
  service.beta.kubernetes.io/aws-load-balancer-type: 'nlb'
  service.beta.kubernetes.io/aws-load-balancer-security-groups: 'sg-00000000000000000'
  service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'arn:aws:acm:xx-xxxx-x:xxxxxxxxx:xxxxxxx/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'
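The annotations above are only a fragment. As an added example that is not part of the original page, the complete Service manifest below asks the in-tree AWS cloud provider for an NLB that terminates TLS with an ACM certificate on port 443, forwards plain TCP to the pods, and restricts which client networks may reach the listener. The Service name, selector, ports, the source CIDR and the ACM ARN placeholder are assumptions; the annotations and fields used are the documented in-tree ones (aws-load-balancer-type, aws-load-balancer-ssl-cert, aws-load-balancer-ssl-ports, aws-load-balancer-backend-protocol, loadBalancerSourceRanges, externalTrafficPolicy).

```yaml
# Added example (not from the original page): a LoadBalancer Service that
# provisions an NLB with TLS termination and client source restriction.
# Names, ports, the CIDR and the ACM ARN are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: web-frontend              # hypothetical Service name
  namespace: default
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # Listener 443 terminates TLS with this certificate (placeholder ARN).
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    # Plain TCP from the NLB to the pods; the pods never see the TLS handshake.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
spec:
  type: LoadBalancer
  selector:
    app: web-frontend             # hypothetical pod label
  ports:
    - name: https
      port: 443                   # public listener port (TLS)
      targetPort: 8080            # container port receiving plain TCP
      protocol: TCP
  # Only these CIDRs may reach the listener. For an NLB the in-tree provider
  # enforces this through rules it adds to the worker node security groups.
  loadBalancerSourceRanges:
    - "203.0.113.0/24"            # constructed example range (TEST-NET-3)
  # Keep the client source address visible to the pods (useful for access
  # logs and per-client policy) by routing only to nodes that host a pod.
  externalTrafficPolicy: Local
```

With `externalTrafficPolicy: Local`, nodes without a matching pod fail the NLB health check and receive no traffic, so the Deployment behind this Service should run enough replicas spread across the nodes the NLB targets.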