Amazon EKS Operations: Difference between revisions
| Line 38: | Line 38: | ||
If the right region is configured in the profile, there is no need to be specified. | If the right region is configured in the profile, there is no need to be specified. | ||
= | =<span id='Connect_to_an_EKS_Cluster_with_kubectl'></span>kubectl Context= | ||
{{Internal|Amazon EKS kubectl Context|Amazon EKS kubectl Context}} | {{Internal|Amazon EKS kubectl Context|Amazon EKS kubectl Context}} | ||
Revision as of 22:55, 28 September 2020
External
Internal
Overview
Create and Delete Cluster
Cluster Information
Cluster Status
aws eks [--region us-east-1] describe-cluster --name example-cluster --query "cluster.status"
"ACTIVE"
If the right region is configured in the profile, there is no need to be specified.
Cluster Endpoint
aws eks [--region us-east-1] describe-cluster --name example-cluster --query "cluster.endpoint" --output text
https://FDXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.gr0.us-east-1.eks.amazonaws.com
If the right region is configured in the profile, there is no need to be specified.
Cluster Certificate Authority
aws eks [--region us-east-1] describe-cluster --name example-cluster --query "cluster.certificateAuthority.data" --output text
LS0t...LQo=
If the right region is configured in the profile, there is no need to be specified.
kubectl Context
Allowing Additional Users to Access the Cluster
Allow IAM Role Access
Individual AWS users (authenticating as particular IAM Users) can be allowed access if an IAM role is "allowed" access to the Kubernetes cluster by associating it with RBAC roles or groups, and then the IAM role is configured to allow IAM users to assume it. This is the preferred solution, because different roles can be associated with different cluster permissions, and the same user can access the cluster with different permissions, by just using a different role.
1. Create an IAM role dedicated to cluster access, as described here: Create a Role to Delegate Permission to an IAM User.
2. Update aws-auth ConfigMap to allow the IAM role to access the Kubernetes cluster. This is done by associating it with a specific set of RBAC permissions, denoted by a group or Kubernetes role:
kubectl -n kube-system edit cm aws-auth
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: arn:aws:iam::...
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
- rolearn: arn:aws:iam::999999999999:role/playground-eks-cluster-admin
groups:
- system:masters
Allow Individual IAM User Access
Configuring individual user access directly in aws-auth ConfigMap is less preferable than using an IAM role for access, for reasons explained in that section.
TODO https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html
Associate an IAM Role with a Kubernetes User
1. Create an IAM role dedicated to cluster access, as described here: Create a Role to Delegate Permission to an IAM User. Use the following convention when naming it:
<cluster-name>-eks-namespaced-edit-role
2. Edit aws-auth ConfigMap and associate the IAM role with a Kubernetes User:
kubectl -n kube-system edit cm aws-auth
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::999999999999:role/blue-eks-namespaced-edit-role
username: namespaced-edit-user