feat(kb/aws): initial eks article

This commit is contained in:
Michele Cereda
2024-03-16 01:17:56 +03:00
parent 6c10c81a23
commit 106b7fa97e


@@ -0,0 +1,140 @@
# Elastic Kubernetes Service
1. [TL;DR](#tldr)
1. [Requirements](#requirements)
1. [Creation procedure](#creation-procedure)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
<!-- Uncomment if needed
<details>
<summary>Installation</summary>
</details>
-->
<!-- Uncomment if needed
<details>
<summary>Usage</summary>
</details>
-->
<!-- Uncomment if needed
<details>
<summary>Real world use cases</summary>
</details>
-->
## Requirements
- 1 _Cluster Service Role_.
> To check.
>
> This step might not be necessary anymore <sup>[1][service-linked role permissions for amazon eks],[2][amazon eks cluster iam role]</sup> :
>
> > Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKS` - The role allows Amazon EKS to manage clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and VPCs.
>
> > Prior to October 3, 2023, [AmazonEKSClusterPolicy] was required on the IAM role for each cluster.
> >
> > Prior to April 16, 2020, [AmazonEKSServicePolicy] was also required and the suggested name was `eksServiceRole`. With the `AWSServiceRoleForAmazonEKS` service-linked role, that policy is no longer required for clusters created on or after April 16, 2020.
Kubernetes clusters managed by EKS make calls to other AWS services on the user behalf to manage the resources that the cluster uses.<br/>
For a cluster to be allowed to make those calls, it needs to have an IAM role assigned with the `AmazonEKSClusterPolicy` policy attached to it.
## Creation procedure
1. Create a VPC, if one does not have them already, with public and private subnets that meet [EKS' requirements][amazon eks vpc and subnet requirements and considerations].
[Example in Cloudformation](https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml)
1. Create the IAM role for the cluster and attach the required EKS IAM managed policy to it.
> To check.
>
> This step might not be necessary anymore <sup>[1][service-linked role permissions for amazon eks],[2][amazon eks cluster iam role]</sup> :
>
> > Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKS` - The role allows Amazon EKS to manage clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and VPCs.
>
> > Prior to October 3, 2023, [AmazonEKSClusterPolicy] was required on the IAM role for each cluster.
> >
> > Prior to April 16, 2020, [AmazonEKSServicePolicy] was also required and the suggested name was `eksServiceRole`. With the `AWSServiceRoleForAmazonEKS` service-linked role, that policy is no longer required for clusters created on or after April 16, 2020.
<details>
<summary>Example in CLI</summary>
```json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
```
```sh
aws iam create-role \
--role-name 'myAmazonEKSClusterRole' \
--assume-role-policy-document 'file://eks-cluster-role-trust-policy.json'
aws iam attach-role-policy \
--policy-arn 'arn:aws:iam::aws:policy/AmazonEKSClusterPolicy' \
--role-name 'myAmazonEKSClusterRole'
```
</details>
<br/>
1. Create a custom control plane Security Group if one does not want to use [the autogenerated one][amazon eks security group requirements and considerations].
1. Create the cluster.
<details>
<summary>Example in CLI</summary>
```sh
aws eks create-cluster \
--name 'myAmazonEKSCluster' \
--role-arn 'arn:aws:iam::000011112222:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS' \
--resources-vpc-config 'subnetIds=subnet-11112222333344445,subnet-66667777888899990,securityGroupIds=sg-0aaaabbbbccccdddd'
```
</details>
<br/>
1. FIXME
## Further readings
### Sources
- [Getting started with Amazon EKS - AWS Management Console and AWS CLI]
- [`aws eks create-cluster`][aws eks create-cluster]
- [Using service-linked roles for Amazon EKS]
- [Service-linked role permissions for Amazon EKS]
- [Amazon EKS cluster IAM role]
- [Amazon EKS VPC and subnet requirements and considerations]
- [Amazon EKS security group requirements and considerations]
<!--
References
-->
<!-- In-article sections -->
<!-- Knowledge base -->
<!-- Files -->
<!-- Upstream -->
[amazon eks cluster iam role]: https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html
[aws eks create-cluster]: https://docs.aws.amazon.com/cli/latest/reference/eks/create-cluster.html
[getting started with amazon eks - aws management console and aws cli]: https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html
[service-linked role permissions for amazon eks]: https://docs.aws.amazon.com/eks/latest/userguide/using-service-linked-roles-eks.html#service-linked-role-permissions-eks
[using service-linked roles for amazon eks]: https://docs.aws.amazon.com/eks/latest/userguide/using-service-linked-roles.html
[amazoneksservicepolicy]: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKSServicePolicy.html
[amazoneksclusterpolicy]: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html
[amazon eks vpc and subnet requirements and considerations]: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html
[amazon eks security group requirements and considerations]: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html
<!-- Others -->
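Review bot: the `aws eks create-cluster` example in step 4 passes `--role-arn 'arn:aws:iam::000011112222:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS'`, which is the service-linked role that EKS manages on its own, while step 2 creates a separate cluster IAM role named `myAmazonEKSClusterRole` with `AmazonEKSClusterPolicy` attached and that role is then never used. The two examples should agree: `--role-arn` is the cluster IAM role from step 2, so the ARN should reference `myAmazonEKSClusterRole` (with the account id kept as the placeholder `000011112222`), and the service-linked role should only be mentioned as something EKS creates by itself. Three smaller points in the same hunk: the "To check" admonition about the service-linked role is pasted verbatim under both Requirements and step 2, so keep it once (the Requirements copy) and point to it from the step; the shell example reads the trust policy from `file://eks-cluster-role-trust-policy.json` but the JSON block above it is not labelled as that file, so a one-line caption naming the file would make the example reproducible; and step 5 is still `FIXME` while the TL;DR is empty, which is worth noting in the commit message as a draft rather than an "initial article". Minor wording in step 1: "if one does not have them already" reads better as "if one does not already exist".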