
@inductor
Created April 17, 2022 11:51
eks-addon-irsa.sh
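#!/bin/sh
#
# eks-addon-irsa.sh - wire three EKS add-ons to IAM through IAM Roles for
# Service Accounts (IRSA) and install them with Helm.
#
# Steps:
#   1. Create one IAM policy each for the AWS Load Balancer Controller, the
#      Cluster Autoscaler and the EBS CSI driver.
#   2. Create a kube-system service account plus IAM role for each add-on with
#      `eksctl create iamserviceaccount`, attaching the matching policy.
#   3. Install the three Helm charts, pointing them at those pre-created
#      service accounts (chart-side service account creation is disabled).
#
# Requires: curl, mktemp, aws, eksctl, kubectl, helm.
#
# Not idempotent: `aws iam create-policy` fails when a policy of the same name
# already exists, and under `set -e` that aborts the run.

# Options live here rather than on the shebang line so they still apply when
# the script is started as `sh eks-addon-irsa.sh`.
set -eu

export CLUSTER_NAME=dreamkast-cluster
export CLUSTER_REGION=ap-northeast-1
export PROFILE=default

# Policy documents are staged in a private directory. Fixed names under /tmp
# can be pre-created or swapped by another local user between the download and
# `aws iam create-policy`, which would change what gets granted.
workdir=$(mktemp -d)
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

# fetch URL DEST
# Download URL to DEST. --fail turns an HTTP error into a non-zero exit so an
# error page is never handed to IAM as a policy document; --proto restricts
# the transfer to HTTPS.
fetch() {
  curl --fail --silent --show-error --proto '=https' -o "$2" "$1"
}

# create_irsa SERVICE_ACCOUNT ROLE_NAME POLICY_NAME
# Create (or replace) a kube-system service account bound to a new IAM role
# that carries the named customer-managed policy.
# NOTE(review): --override-existing-serviceaccounts replaces a service account
# of the same name if one already exists; confirm that is intended before
# running against a shared cluster.
create_irsa() {
  eksctl create iamserviceaccount \
    --cluster="${CLUSTER_NAME}" \
    --namespace=kube-system \
    --name="$1" \
    --role-name "$2" \
    --attach-policy-arn="${policy_arn_prefix}/$3" \
    --override-existing-serviceaccounts \
    --profile "${PROFILE}" \
    --approve
}

# Resolve the account id once, up front. Inside an inline `aws ... | jq`
# substitution a failed lookup goes unnoticed (plain sh has no pipefail) and
# yields an ARN with an empty account field.
account_id=$(aws sts get-caller-identity \
  --profile "${PROFILE}" \
  --query Account \
  --output text)
case "${account_id}" in
  '' | *[!0-9]*)
    printf 'error: unexpected AWS account id: %s\n' "${account_id}" >&2
    exit 1
    ;;
esac
policy_arn_prefix="arn:aws:iam::${account_id}:policy"

# --- IAM policies -----------------------------------------------------------

# Pinned to the v2.4.1 tag. The document is applied as downloaded, so review
# it (or compare it with a previously reviewed copy) when changing the tag.
fetch \
  "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.1/docs/install/iam_policy.json" \
  "${workdir}/iam_policy.json"
aws iam create-policy \
  --policy-name "AWSLoadBalancerControllerIAMPolicy" \
  --policy-document "file://${workdir}/iam_policy.json" \
  --profile "${PROFILE}"

# NOTE(review): the second statement grants autoscaling:SetDesiredCapacity and
# autoscaling:TerminateInstanceInAutoScalingGroup on every resource in the
# account. Consider restricting it to this cluster's Auto Scaling groups, for
# example with a resource-tag condition.
# The delimiter is quoted so the JSON is written literally, with no shell
# expansion.
cat <<'EOF' > "${workdir}/iam-ca.json"
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"ec2:DescribeInstanceTypes",
"ec2:DescribeLaunchTemplateVersions"
],
"Resource": ["*"]
},
{
"Effect": "Allow",
"Action": [
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"ec2:DescribeInstanceTypes",
"eks:DescribeNodegroup"
],
"Resource": ["*"]
}
]
}
EOF
aws iam create-policy \
  --policy-name "AWSClusterAutoscalerIAMPolicy" \
  --policy-document "file://${workdir}/iam-ca.json" \
  --profile "${PROFILE}"

# NOTE(review): this document comes from the mutable `master` branch, so the
# permissions granted can change between runs without any change here. Pin the
# URL to a release tag or commit that has been reviewed.
fetch \
  "https://raw.githubusercontent.com/kubernetes-sigs/aws-ebs-csi-driver/master/docs/example-iam-policy.json" \
  "${workdir}/example-iam-policy.json"
aws iam create-policy \
  --policy-name "AWSEBSCSIDriverIAMPolicy" \
  --policy-document "file://${workdir}/example-iam-policy.json" \
  --profile "${PROFILE}"

# --- Service accounts and IAM roles (IRSA) ----------------------------------

create_irsa ebs-csi-controller-sa \
  "AmazonEKSCSIDriverRole" AWSEBSCSIDriverIAMPolicy
create_irsa aws-load-balancer-controller \
  "AmazonEKSLoadBalancerControllerRole" AWSLoadBalancerControllerIAMPolicy
create_irsa cluster-autoscaler \
  "AmazonEKSClusterAutoscalerRole" AWSClusterAutoscalerIAMPolicy

# --- Helm charts ------------------------------------------------------------

helm repo add eks https://aws.github.io/eks-charts
helm repo add autoscaler https://kubernetes.github.io/autoscaler
helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
helm repo update

# NOTE(review): the CRDs are taken from `ref=master` and the charts below are
# installed without a pinned chart version, so each run deploys whatever is
# current upstream into kube-system. Pin both to reviewed versions for
# reproducible installs.
kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master"

# Each chart is told not to create its own service account and is handed the
# name of the IRSA-annotated one created above.
helm upgrade --install aws-load-balancer-controller \
  eks/aws-load-balancer-controller \
  -n kube-system \
  --set "clusterName=${CLUSTER_NAME}" \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller

helm upgrade --install aws-cluster-autoscaler \
  autoscaler/cluster-autoscaler \
  -n kube-system \
  --set "autoDiscovery.clusterName=${CLUSTER_NAME}" \
  --set "awsRegion=${CLUSTER_REGION}" \
  --set rbac.serviceAccount.create=false \
  --set rbac.serviceAccount.name=cluster-autoscaler

helm upgrade --install aws-ebs-csi-driver \
  aws-ebs-csi-driver/aws-ebs-csi-driver \
  -n kube-system \
  --set controller.serviceAccount.create=false \
  --set "controller.region=${CLUSTER_REGION}" \
  --set controller.serviceAccount.name=ebs-csi-controller-sa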