Amazon EKS Operations

From NovaOrdis Knowledge Base
Revision as of 20:50, 8 August 2020

External

Internal

Overview

Cluster Information

Cluster Status

aws eks [--region us-east-1] describe-cluster --name example-cluster --query "cluster.status"

"ACTIVE"

If the right region is configured in the profile, it does not need to be specified on the command line.

Cluster Endpoint

aws eks [--region us-east-1] describe-cluster --name example-cluster --query "cluster.endpoint" --output text

https://FDXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.gr0.us-east-1.eks.amazonaws.com

If the right region is configured in the profile, it does not need to be specified on the command line.

Cluster Certificate Authority

aws eks [--region us-east-1] describe-cluster --name example-cluster --query "cluster.certificateAuthority.data" --output text

LS0t...LQo=

If the right region is configured in the profile, it does not need to be specified on the command line.

Connect to an EKS Cluster with kubectl

https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html

Update .kube/config with the EKS cluster definition as follows:

aws eks [--region us-east-1] update-kubeconfig --name example-eks-cluster [--alias <context-alias>] [--role-arn arn:aws:iam::999999999999:role/some-role]

This command constructs a Kubernetes context with pre-populated server and certificate authority data values for the cluster specified by name. If the right region is configured in the profile, it does not need to be specified on the command line. If no alias is given, the default name of the context is the cluster ARN. The result is a new context added to .kube/config:

Added new context arn:aws:eks:us-east-1:999999999999:cluster/example-eks-cluster to /Users/testuser/.kube/config

If the IAM user implied by the default AWS CLI configuration has been granted access to the cluster, that is sufficient. This identity can be obtained with aws sts get-caller-identity. Otherwise, a specific IAM Role can be specified with the --role-arn option. If the --role-arn option is specified, the Kubernetes context is configured so that it is not necessary to explicitly assume the role; kubectl operations in the correct context will simply work.

Note that the IAM role may be linked to a specific set of RBAC permissions. How? Building on this capability, it is possible to create two different Kubernetes contexts that map to different sets of RBAC permissions on the same Kubernetes cluster:

aws eks update-kubeconfig --name example-eks-cluster --alias access-with-cluster-admin-permissions --role-arn arn:aws:iam::999999999999:role/eks-clusterrole-cluster-admin
aws eks update-kubeconfig --name example-eks-cluster --alias access-with-limited-permissions --role-arn arn:aws:iam::999999999999:role/eks-clusterrole-limited-permissions

Switching between Kubernetes contexts is done with kubectl config use-context:

kubectl config use-context access-with-cluster-admin-permissions
kubectl config current-context
access-with-cluster-admin-permissions
kubectl config use-context access-with-limited-permissions 
kubectl config current-context
access-with-limited-permissions
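The two-context setup above, as an added audit script that is not part of the original page: it reads a kubeconfig in the JSON form that `kubectl config view -o json` prints (embedded here as a constructed sample) and reports which IAM role each context passes to `aws eks get-token`, so the limited context can be confirmed to assume the limited role before anyone relies on it. Assumptions, worth checking against your own aws-cli version: the exec-plugin argument layout, and that update-kubeconfig names the user entry after the cluster ARN, so two --alias runs for the same cluster share one user entry and the later --role-arn rewrites it; the sample models that case and the audit flags it.

```python
from typing import Dict, List, Optional

CLUSTER_ARN = "arn:aws:eks:us-east-1:999999999999:cluster/example-eks-cluster"
LIMITED_ROLE = "arn:aws:iam::999999999999:role/eks-clusterrole-limited-permissions"

# Constructed sample in the JSON form `kubectl config view -o json` prints. Assumption: the
# user entry is keyed on the cluster ARN, so the second --alias/--role-arn run rewrote it.
SAMPLE_KUBECONFIG = {
    "current-context": "access-with-cluster-admin-permissions",
    "clusters": [{"name": CLUSTER_ARN, "cluster": {
        "server": "https://FDXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.gr0.us-east-1.eks.amazonaws.com"}}],
    "contexts": [
        {"name": "access-with-cluster-admin-permissions",
         "context": {"cluster": CLUSTER_ARN, "user": CLUSTER_ARN}},
        {"name": "access-with-limited-permissions",
         "context": {"cluster": CLUSTER_ARN, "user": CLUSTER_ARN}},
    ],
    "users": [{"name": CLUSTER_ARN, "user": {"exec": {"command": "aws", "args": [
        "--region", "us-east-1", "eks", "get-token", "--cluster-name",
        "example-eks-cluster", "--role", LIMITED_ROLE]}}}],
}


def role_arn_of(user: dict) -> Optional[str]:
    """Role ARN handed to `aws eks get-token`; None means the caller identity is used as-is."""
    args: List[str] = user.get("exec", {}).get("args", [])
    for flag in ("--role-arn", "--role"):  # both spellings occur in generated kubeconfigs
        if flag in args and args.index(flag) + 1 < len(args):
            return args[args.index(flag) + 1]
    return None


def audit_contexts(cfg: dict) -> Dict[str, dict]:
    """Per context: server, effective role, current-context flag, contexts sharing its user."""
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    servers = {c["name"]: c["cluster"].get("server") for c in cfg.get("clusters", [])}
    by_user: Dict[str, List[str]] = {}
    for ctx in cfg.get("contexts", []):
        by_user.setdefault(ctx["context"]["user"], []).append(ctx["name"])
    report: Dict[str, dict] = {}
    for ctx in cfg.get("contexts", []):
        name, c = ctx["name"], ctx["context"]
        report[name] = {
            "server": servers.get(c["cluster"]),
            "role_arn": role_arn_of(users.get(c["user"], {})),
            "current": name == cfg.get("current-context"),
            # a shared user entry means these contexts authenticate with the same role
            "shares_user_with": [n for n in by_user[c["user"]] if n != name],
        }
    return report
```

On a real workstation, replace the sample with `json.loads(subprocess.check_output(["kubectl", "config", "view", "-o", "json"]))` and expect each alias to report its own role and an empty `shares_user_with` list.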

Load Balancer Troubleshooting

https://aws.amazon.com/premiumsupport/knowledge-center/eks-load-balancers-troubleshooting/