@zxkane
Last active May 20, 2020 02:56
Create an EKS cluster with IAM for service accounts
cluster.yml

```yaml
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: cluster-3
  region: cn-northwest-1
nodeGroups:
  - name: ng2-private
    instanceType: m5.large
    desiredCapacity: 2
    privateNetworking: true
```

nginx-deployment.yml

```yaml
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: backend-apps
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2 # tells deployment to run 2 pods matching the template
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccount: s3-reader
      serviceAccountName: s3-reader
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80
```

serviceaccount.yml

```yaml
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: cluster-3
  region: cn-northwest-1
iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: s3-reader
        # if no namespace is set, "default" will be used;
        # the namespace will be created if it doesn't exist already
        namespace: backend-apps
        labels: {aws-usage: "application"}
      attachPolicyARNs:
        - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
    - metadata:
        name: cache-access
        namespace: backend-apps
        labels: {aws-usage: "application"}
      attachPolicyARNs:
        - "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess"
        - "arn:aws:iam::aws:policy/AmazonElastiCacheFullAccess"
    - metadata:
        name: cluster-autoscaler
        namespace: kube-system
        labels: {aws-usage: "cluster-ops"}
      attachPolicy: # inline policy can be defined along with `attachPolicyARNs`
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "autoscaling:DescribeAutoScalingGroups"
              - "autoscaling:DescribeAutoScalingInstances"
              - "autoscaling:DescribeLaunchConfigurations"
              - "autoscaling:DescribeTags"
              - "autoscaling:SetDesiredCapacity"
              - "autoscaling:TerminateInstanceInAutoScalingGroup"
            Resource: '*'
```
zxkane commented Nov 14, 2019

1. Create the EKS cluster

```sh
eksctl create cluster -f cluster.yml
```

2. Create the namespace

```sh
kubectl create namespace backend-apps
```

3. Create the service account for EKS. For more details, see the doc.

```sh
eksctl utils associate-iam-oidc-provider --config-file=serviceaccount.yml --approve
eksctl create iamserviceaccount --config-file=serviceaccount.yml --approve
```

4. Create nginx pods for testing

```sh
kubectl apply -f nginx-deployment.yml
```

5. Log in to the nginx pod, then install the awscli tools to verify the configuration

```sh
$ aws s3 ls
$ export AWS_DEFAULT_REGION=cn-northwest-1 # explicitly configure region if running in China regions
$ aws sts assume-role-with-web-identity \
 --role-arn $AWS_ROLE_ARN \
 --role-session-name mh9test \
 --web-identity-token file://$AWS_WEB_IDENTITY_TOKEN_FILE \
 --duration-seconds 1000 > /tmp/irp-cred.txt
$ export AWS_ACCESS_KEY_ID="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.AccessKeyId")"
$ export AWS_SECRET_ACCESS_KEY="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.SecretAccessKey")"
$ export AWS_SESSION_TOKEN="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.SessionToken")"
$ aws s3 ls
$ rm /tmp/irp-cred.txt
```
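The verification in step 5 works because EKS injects `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` into pods whose service account was created by `eksctl create iamserviceaccount`, and STS accepts the projected token only if its claims satisfy the role's trust policy (a `StringEquals` condition on the provider's `sub`, which must equal `system:serviceaccount:<namespace>:<service account>`, and on `aud`, which must be `sts.amazonaws.com`). The Python script below is an added example, not code from the gist or from eksctl: it decodes the token the pod holds (without verifying the signature, which STS checks against the cluster's OIDC provider) and reports which trust-policy condition a token would fail. The `SAMPLE_CLAIMS` token, the provider ID in its `iss` URL, the `CHECK_NAMESPACE`/`CHECK_SERVICE_ACCOUNT` variables and all helper functions are constructed for this example.

```python
"""Added example (not part of the gist): inspect the projected service-account
token an IRSA-enabled pod holds and check it against the `sub`/`aud` conditions
of the role's trust policy. The signature is intentionally NOT verified here;
STS does that against the cluster's OIDC provider. This script only answers
"is this the token the role trusts?", the usual cause of AccessDenied from
assume-role-with-web-identity."""
import base64
import json
import os
import time


def decode_jwt_claims(token):
    """Return the JWT payload as a dict. The signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_subject(namespace, service_account):
    """The `sub` value an IRSA trust policy matches for a Kubernetes SA."""
    return "system:serviceaccount:%s:%s" % (namespace, service_account)


def check_token(claims, namespace, service_account,
                audience="sts.amazonaws.com", now=None):
    """Return a list of problems; an empty list means a StringEquals trust
    policy on `sub` and `aud` for this service account would accept the token."""
    now = time.time() if now is None else now
    problems = []
    want_sub = expected_subject(namespace, service_account)
    if claims.get("sub") != want_sub:
        problems.append("sub is %r, trust policy expects %r" % (claims.get("sub"), want_sub))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        problems.append("aud %r does not contain %r" % (auds, audience))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired; the kubelet rotates projected tokens, re-read the file")
    if not str(claims.get("iss", "")).startswith("https://oidc.eks."):
        problems.append("iss %r is not an EKS OIDC provider URL" % claims.get("iss"))
    return problems


def make_unsigned_token(claims):
    """Constructed, unsigned token so the script can run outside a cluster."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (b64({"alg": "none"}), b64(claims))


# Constructed sample shaped like an EKS projected token; the provider ID in
# `iss` is a placeholder, not a real cluster.
SAMPLE_CLAIMS = {
    "iss": "https://oidc.eks.cn-northwest-1.amazonaws.com.cn/id/EXAMPLEPROVIDERID",
    "sub": "system:serviceaccount:backend-apps:s3-reader",
    "aud": ["sts.amazonaws.com"],
    "iat": 1573689600,
    "exp": 4102444800,  # 2100-01-01 UTC, so the sample does not expire
    "kubernetes.io": {"namespace": "backend-apps",
                      "serviceaccount": {"name": "s3-reader"}},
}


def main():
    token_file = os.environ.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if token_file:
        with open(token_file) as fh:  # injected by the EKS pod identity webhook
            token = fh.read().strip()
    else:
        token = make_unsigned_token(SAMPLE_CLAIMS)  # offline fallback
    claims = decode_jwt_claims(token)
    namespace = os.environ.get("CHECK_NAMESPACE", "backend-apps")
    service_account = os.environ.get("CHECK_SERVICE_ACCOUNT", "s3-reader")
    print("role:", os.environ.get("AWS_ROLE_ARN", "<AWS_ROLE_ARN not set>"))
    print("claims:", json.dumps({k: claims.get(k) for k in ("iss", "sub", "aud", "exp")}))
    for problem in check_token(claims, namespace, service_account):
        print("PROBLEM:", problem)


if __name__ == "__main__":
    main()
```

Run it inside the nginx pod with `python3 check_irsa_token.py` (any filename works); outside a cluster it falls back to the constructed sample. A reported `sub` mismatch means the pod runs under a service account the role does not trust (for example a Deployment that omits `serviceAccountName`, so the pod gets `default`), and an expired `exp` means the token was read before the kubelet refreshed the projected volume.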