Created
December 21, 2024 02:41
EKS Diagnostic
#!/usr/bin/env zsh
# Abort on the first failing command while the script sets itself up.
set -e

# ANSI colour sequences, kept as literal backslash escapes. They only turn
# into real escape bytes when a print_* helper passes them through `echo -e`.
NC='\033[0m' # reset to the terminal default
GRAY='\033[0;90m'
CYAN='\033[0;36m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
GREEN='\033[0;32m'
RED='\033[0;31m'
# Helper functions | |
#######################################
# Print the banner that opens the report.
# Globals:   CLUSTER_NAME, BLUE, YELLOW, GRAY, NC (read)
# Outputs:   a blank line, a rule, two title lines, a rule and a blank line
#######################################
print_header() {
  local rule="━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
  local title="🔍 EKS Authentication Test for Cluster: "
  local subtitle="Testing authentication methods without modifying existing configuration"

  echo -e "\n${BLUE}${rule}${NC}"
  echo -e "${BLUE}${title}${YELLOW}${CLUSTER_NAME}${NC}"
  echo -e "${GRAY}${subtitle}${NC}"
  echo -e "${BLUE}${rule}${NC}\n"
}
#######################################
# Print a section heading followed by a one-line description.
# Globals:   BLUE, GRAY, NC (read)
# Arguments: $1 - section title
#            $2 - short description shown under the title
# Outputs:   blank line, title, description, blank line
#######################################
print_section() {
  local title="$1"
  local blurb="$2"

  echo -e "\n${BLUE}${title}${NC}"
  echo -e "${GRAY}${blurb}${NC}\n"
}
#######################################
# Print one "label: value" result line as a bullet.
# Globals:   GRAY, NC (read)
# Arguments: $1 - label of the check
#            $2 - result text; may carry colour escapes, which `echo -e`
#                 expands together with any other backslash escape in it
#######################################
print_check() {
  local label="$1"
  local result="$2"

  echo -e "${GRAY}• ${label}:${NC} ${result}"
}
#######################################
# Print an indented, greyed-out detail line under a check.
# Globals:   GRAY, NC (read)
# Arguments: $1 - text to print; backslash escapes in it are expanded by
#                 `echo -e`, including any that arrive in tool output
#######################################
print_detail() {
  local text="$1"

  echo -e " ${GRAY}${text}${NC}"
}
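# Configuration
CLUSTER_NAME="0x11"
REGION="us-east-2"
ACCOUNT_ID="315680545607"
CLUSTER_CONTEXT="arn:aws:eks:${REGION}:${ACCOUNT_ID}:cluster/${CLUSTER_NAME}"

# Scratch directory for the throw-away kubeconfig.
# A fixed name directly under /tmp is predictable: on a shared host another
# user can pre-create the file or plant a symlink there, and the AWS CLI would
# then follow it or merge into attacker-supplied content. mktemp -d yields a
# fresh directory that only the current user can enter (mode 0700).
TEMP_DIR=$(mktemp -d "${TMPDIR:-/tmp}/eks-diag.XXXXXX") || {
  echo "Unable to create a private temporary directory" >&2
  exit 1
}
TEMP_KUBECONFIG="${TEMP_DIR}/kubeconfig_${CLUSTER_NAME}"

# Remember where the caller's kubeconfig lives, then point every kubectl/aws
# call made by this script at the temporary one instead.
export ORIGINAL_KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}"
export KUBECONFIG="${TEMP_KUBECONFIG}"

#######################################
# Undo the KUBECONFIG override and delete everything the script staged.
# Globals:   ORIGINAL_KUBECONFIG, TEMP_DIR (read), KUBECONFIG (written)
#######################################
cleanup() {
  export KUBECONFIG="${ORIGINAL_KUBECONFIG}"
  # :? makes the expansion fail instead of expanding to an empty path.
  rm -rf -- "${TEMP_DIR:?}"
  # Fixed-path CA bundle; a no-op when the file does not exist.
  rm -f /tmp/eks-ca.crt
}
# EXIT fires on every exit path, including failures under `set -e`.
trap cleanup EXIT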
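# Print header
print_header

# From here on each test reports its own failure, so a failing command must
# not abort the whole run.
set +e

# Environment Information
print_section "1. Environment Information" "Basic configuration and credentials"

# Every JSON field below is extracted with jq; say so up front if it is missing
# rather than printing a report full of empty values.
if ! command -v jq > /dev/null 2>&1; then
  print_check "jq" "${RED}Not installed${NC} (JSON fields in this report will be empty)"
fi

# AWS Credentials
if AWS_CREDS=$(aws sts get-caller-identity 2>&1); then
  # printf '%s' instead of echo: zsh's echo expands backslash escapes, which
  # can corrupt JSON before jq sees it.
  USER_ARN=$(printf '%s' "$AWS_CREDS" | jq -r .Arn)
  CALLER_ACCOUNT=$(printf '%s' "$AWS_CREDS" | jq -r .Account)
  print_check "AWS Identity" "${GREEN}Valid${NC} ($USER_ARN)"
  print_detail "Account: $CALLER_ACCOUNT"
  print_detail "UserId: $(printf '%s' "$AWS_CREDS" | jq -r .UserId)"
  # The cluster lookups that follow run in the caller's account, so a mismatch
  # with the configured ACCOUNT_ID means they would inspect a different
  # account than the one this script is set up for.
  if [ -n "$ACCOUNT_ID" ] && [ "$CALLER_ACCOUNT" != "$ACCOUNT_ID" ]; then
    print_detail "${YELLOW}Warning: credentials belong to account $CALLER_ACCOUNT, expected $ACCOUNT_ID${NC}"
  fi
else
  print_check "AWS Identity" "${RED}Invalid${NC} (Error: $AWS_CREDS)"
fi

# AWS CLI Version
AWS_CLI_VERSION=$(aws --version 2>&1)
print_check "AWS CLI Version" "$AWS_CLI_VERSION"

# Kubectl Version
KUBECTL_VERSION=$(kubectl version --client 2>&1 | grep Client || echo "Not installed")
print_check "kubectl Version" "$KUBECTL_VERSION"

# AWS Region Configuration
AWS_REGION_ENV=$AWS_REGION
AWS_DEFAULT_REGION_ENV=$AWS_DEFAULT_REGION
print_check "AWS_REGION" "${AWS_REGION_ENV:-Not set}"
print_check "AWS_DEFAULT_REGION" "${AWS_DEFAULT_REGION_ENV:-Not set}"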
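# Cluster Configuration
print_section "2. Cluster Configuration" "EKS cluster settings and access configuration"

# Cluster Status
# CLUSTER_INFO and CLUSTER_ENDPOINT are reused by the direct API call test.
if CLUSTER_INFO=$(aws eks describe-cluster --name "${CLUSTER_NAME}" --region "${REGION}" 2>&1); then
  # printf '%s' instead of echo so backslashes in the JSON reach jq untouched.
  CLUSTER_STATUS=$(printf '%s' "$CLUSTER_INFO" | jq -r .cluster.status)
  CLUSTER_ENDPOINT=$(printf '%s' "$CLUSTER_INFO" | jq -r .cluster.endpoint)
  CLUSTER_VERSION=$(printf '%s' "$CLUSTER_INFO" | jq -r .cluster.version)
  AUTH_MODE=$(printf '%s' "$CLUSTER_INFO" | jq -r .cluster.accessConfig.authenticationMode)

  # A successful describe call says nothing about cluster health: only ACTIVE
  # is shown in green, any other state (CREATING, UPDATING, FAILED, ...) in
  # yellow so it is not mistaken for a healthy cluster.
  if [ "$CLUSTER_STATUS" = "ACTIVE" ]; then
    STATUS_COLOR=$GREEN
  else
    STATUS_COLOR=$YELLOW
  fi

  print_check "Cluster Status" "${STATUS_COLOR}$CLUSTER_STATUS${NC}"
  print_check "Cluster Endpoint" "$CLUSTER_ENDPOINT"
  print_check "Cluster Version" "$CLUSTER_VERSION"
  print_check "Auth Mode" "$AUTH_MODE"
else
  print_check "Cluster Access" "${RED}Failed${NC} (Error: $CLUSTER_INFO)"
fi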
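# Authentication Methods
print_section "3. Authentication Methods" "Testing different authentication methods"

# 1. AWS CLI Token
print_check "AWS CLI Token Test" ""
# Start from an empty value so a TOKEN inherited from the environment can
# never be sent to the cluster by the direct API call test.
TOKEN=""
if TOKEN_TEST=$(aws eks get-token --cluster-name "${CLUSTER_NAME}" --region "${REGION}" 2>&1); then
  # '// empty' keeps a missing field from becoming the literal string "null",
  # which later checks would treat as a usable token.
  TOKEN=$(printf '%s' "$TOKEN_TEST" | jq -r '.status.token // empty' 2>/dev/null)
  if [ -n "$TOKEN" ]; then
    print_detail "Token Generation: ${GREEN}Success${NC}"
    # Only the prefix before the first dot is shown; the bearer token itself
    # must never be printed.
    print_detail "Token Type: ${TOKEN%%.*}"
  else
    print_detail "Token Generation: ${RED}Failed${NC}"
    # The raw output is deliberately not echoed here: it may contain a token.
    print_detail "Error: command succeeded but no .status.token could be read from its output"
  fi
else
  print_detail "Token Generation: ${RED}Failed${NC}"
  print_detail "Error: $TOKEN_TEST"
fi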
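# 2. AWS IAM Authenticator
print_check "aws-iam-authenticator Test" ""
# Never start from a value inherited from the environment.
AUTH_TOKEN=""
if command -v aws-iam-authenticator > /dev/null 2>&1; then
  if AUTH_TOKEN_TEST=$(aws-iam-authenticator token -i "${CLUSTER_NAME}" --region "${REGION}" 2>&1); then
    # '// empty' keeps a missing field from becoming the literal string "null".
    AUTH_TOKEN=$(printf '%s' "$AUTH_TOKEN_TEST" | jq -r '.status.token // empty' 2>/dev/null)
    if [ -n "$AUTH_TOKEN" ]; then
      print_detail "Token Generation: ${GREEN}Success${NC}"
      # Show the prefix before the first dot only, never the token itself.
      print_detail "Token Type: ${AUTH_TOKEN%%.*}"
    else
      print_detail "Token Generation: ${RED}Failed${NC}"
      # The raw output is deliberately not echoed here: it may contain a token.
      print_detail "Error: command succeeded but no .status.token could be read from its output"
    fi
  else
    print_detail "Token Generation: ${RED}Failed${NC}"
    print_detail "Error: $AUTH_TOKEN_TEST"
  fi
else
  print_detail "${RED}aws-iam-authenticator not installed${NC}"
fi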
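# 3. Direct API Call
print_check "Direct API Call Test" ""
if [ -z "$TOKEN" ]; then
  print_detail "Skipped (no valid token)"
else
  # Get cluster CA cert
  CLUSTER_CA=$(printf '%s' "$CLUSTER_INFO" | jq -r '.cluster.certificateAuthority.data // empty' 2>/dev/null)

  # The bearer token is only sent to an https:// endpoint, and only when a CA
  # bundle is available to verify that endpoint against.
  case "$CLUSTER_ENDPOINT" in
    https://*) ENDPOINT_OK=1 ;;
    *) ENDPOINT_OK=0 ;;
  esac

  if [ -z "$CLUSTER_CA" ] || [ "$ENDPOINT_OK" -ne 1 ]; then
    print_detail "Skipped (cluster endpoint or CA certificate unavailable)"
  elif ! CA_FILE=$(mktemp "${TMPDIR:-/tmp}/eks-ca.XXXXXX"); then
    print_detail "API Access: ${RED}Failed${NC}"
    print_detail "Error: could not create a temporary file for the cluster CA"
  else
    # mktemp gives an unpredictable, owner-only file. With a fixed /tmp path
    # another local user could swap in their own CA between the write and the
    # curl call and so control which server the token is trusted with.
    printf '%s' "$CLUSTER_CA" | base64 -d > "$CA_FILE"

    # The Authorization header is fed to curl on stdin (--config -) rather
    # than via -H on the command line, where it would be visible in `ps`.
    # The timeouts keep an unreachable (e.g. private) endpoint from hanging
    # the run; -S lets curl report its own errors despite -s.
    API_TEST=$(printf 'header = "Authorization: Bearer %s"\n' "$TOKEN" |
      curl -sS --config - --connect-timeout 10 --max-time 30 \
        --cacert "$CA_FILE" \
        "${CLUSTER_ENDPOINT}/api/v1/namespaces/kube-system/configmaps" 2>&1)
    rm -f -- "$CA_FILE"

    if printf '%s' "$API_TEST" | jq -e .items > /dev/null 2>&1; then
      print_detail "API Access: ${GREEN}Success${NC}"
      print_detail "Found $(printf '%s' "$API_TEST" | jq '.items | length') ConfigMaps"
    else
      # Fall back to the raw text when the response is not JSON (curl errors).
      API_ERROR=$(printf '%s' "$API_TEST" | jq -r '.message // .' 2>/dev/null) || API_ERROR=$API_TEST
      print_detail "API Access: ${RED}Failed${NC}"
      print_detail "Error: $API_ERROR"
    fi
  fi
fi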
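# 4. kubectl Test with Temporary Config
print_check "kubectl Test (with temporary config)" ""

# Create temporary kubeconfig for this cluster only.
# The exit status and output are kept: the mere existence of the file does not
# prove that this run wrote it, and the CLI's message explains a failure.
UPDATE_OUT=$(aws eks update-kubeconfig --name "${CLUSTER_NAME}" --region "${REGION}" --kubeconfig "${TEMP_KUBECONFIG}" 2>&1)
UPDATE_EXIT=$?

if [ "$UPDATE_EXIT" -eq 0 ] && [ -f "${TEMP_KUBECONFIG}" ]; then
  print_detail "Temporary kubeconfig: ${GREEN}Created${NC}"
  TEMP_CONTEXT=$(KUBECONFIG="${TEMP_KUBECONFIG}" kubectl config current-context 2> /dev/null || echo "No context set")
  print_detail "Test Context: $TEMP_CONTEXT"

  # Test kubectl access
  print_detail "Testing kubectl access..."
  NODE_TEST=$(KUBECONFIG="${TEMP_KUBECONFIG}" kubectl get nodes 2>&1)
  NODE_TEST_EXIT=$?

  if [ "$NODE_TEST_EXIT" -eq 0 ]; then
    # grep -c counts directly; `wc -l` pads its output on some platforms.
    NODE_COUNT=$(printf '%s\n' "$NODE_TEST" | grep -vc NAME)
    print_detail "Cluster Access: ${GREEN}Success${NC} ($NODE_COUNT nodes)"
    print_detail "Nodes:"
    printf '%s\n' "$NODE_TEST" | grep -v NAME | while IFS= read -r node; do
      print_detail " • $node"
    done
  else
    print_detail "Cluster Access: ${RED}Failed${NC}"
    print_detail "Error: $NODE_TEST"

    # Additional diagnostics
    print_detail "\nDiagnostic Information:"
    print_detail "1. Checking API server connection..."
    # IFS= keeps leading whitespace, so indented output stays readable.
    KUBECONFIG="${TEMP_KUBECONFIG}" kubectl version 2>&1 | while IFS= read -r line; do
      print_detail " $line"
    done

    print_detail "2. Checking authentication..."
    KUBECONFIG="${TEMP_KUBECONFIG}" kubectl auth can-i list nodes 2>&1 | while IFS= read -r line; do
      print_detail " $line"
    done

    # Show kubeconfig content for debugging.
    # `kubectl config view` redacts embedded credentials and certificate data
    # by default. Do not add --raw here: this output tends to be pasted into
    # tickets and chat.
    print_detail "3. Kubeconfig content:"
    KUBECONFIG="${TEMP_KUBECONFIG}" kubectl config view 2>&1 | while IFS= read -r line; do
      print_detail " $line"
    done
  fi
else
  print_detail "Temporary kubeconfig: ${RED}Creation failed${NC}"
  print_detail "Error: ${UPDATE_OUT:-Failed to create temporary kubeconfig file}"
fi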
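# Check Original Kubeconfig
# Read-only: contexts are listed from the caller's own kubeconfig, nothing is
# written to it.
print_section "4. Original Kubeconfig Status" "Checking if cluster exists in your kubeconfig"

# NOTE(review): KUBECONFIG may hold a colon-separated list of files; the -f
# test below then reports "Not found" even if each file exists.
if [ -f "${ORIGINAL_KUBECONFIG}" ]; then
  # -F matches the cluster name as a literal string instead of a regular
  # expression, and -- protects against a name that starts with a dash.
  ORIGINAL_CONTEXTS=$(KUBECONFIG="${ORIGINAL_KUBECONFIG}" kubectl config get-contexts -o name 2> /dev/null | grep -F -- "${CLUSTER_NAME}" || echo "")

  if [ -n "$ORIGINAL_CONTEXTS" ]; then
    print_check "Cluster in kubeconfig" "${GREEN}Found${NC}"
    print_detail "Contexts:"
    printf '%s\n' "$ORIGINAL_CONTEXTS" | while IFS= read -r ctx; do
      print_detail "• $ctx"
    done
  else
    print_check "Cluster in kubeconfig" "${YELLOW}Not found${NC}"
    print_detail "Run: aws eks update-kubeconfig --name ${CLUSTER_NAME} --region ${REGION}"
  fi
else
  print_check "Original kubeconfig" "${YELLOW}Not found${NC}"
fi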
# Closing banner: a rule, a reminder that only the temporary configuration
# was used, and a second rule.
FOOTER_RULE="━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
FOOTER_NOTE="All tests performed using temporary configuration - your kubeconfig was not modified"

echo -e "\n${BLUE}${FOOTER_RULE}${NC}"
echo -e "${GRAY}${FOOTER_NOTE}${NC}"
echo -e "${BLUE}${FOOTER_RULE}${NC}"