From 106b7fa97edfade0d7bd01c69b57b3bbcfd0e4ad Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Sat, 16 Mar 2024 01:17:56 +0300 Subject: [PATCH] feat(kb/aws): initial eks article --- knowledge base/cloud computing/aws/eks.md | 140 ++++++++++++++++++++++ 1 file changed, 140 insertions(+) create mode 100644 knowledge base/cloud computing/aws/eks.md diff --git a/knowledge base/cloud computing/aws/eks.md b/knowledge base/cloud computing/aws/eks.md new file mode 100644 index 0000000..768eee7 --- /dev/null +++ b/knowledge base/cloud computing/aws/eks.md @@ -0,0 +1,140 @@ +# Elastic Kubernetes Service + +1. [TL;DR](#tldr) +1. [Requirements](#requirements) +1. [Creation procedure](#creation-procedure) +1. [Further readings](#further-readings) + 1. [Sources](#sources) + +## TL;DR + + + + + + + +## Requirements + +- 1 _Cluster Service Role_. + + > To check. + > + > This step might not be necessary anymore [1][service-linked role permissions for amazon eks],[2][amazon eks cluster iam role] : + > + > > Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKS` - The role allows Amazon EKS to manage clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and VPCs. + > + > > Prior to October 3, 2023, [AmazonEKSClusterPolicy] was required on the IAM role for each cluster. + > > + > > Prior to April 16, 2020, [AmazonEKSServicePolicy] was also required and the suggested name was `eksServiceRole`. With the `AWSServiceRoleForAmazonEKS` service-linked role, that policy is no longer required for clusters created on or after April 16, 2020. + + Kubernetes clusters managed by EKS make calls to other AWS services on the user behalf to manage the resources that the cluster uses.
+ For a cluster to be allowed to make those calls, it needs to have an IAM role assigned with the `AmazonEKSClusterPolicy` policy attached to it. + +## Creation procedure + +1. Create a VPC, if one does not have them already, with public and private subnets that meet [EKS' requirements][amazon eks vpc and subnet requirements and considerations]. + + [Example in Cloudformation](https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml) + +1. Create the IAM role for the cluster and attach the required EKS IAM managed policy to it. + + > To check. + > + > This step might not be necessary anymore [1][service-linked role permissions for amazon eks],[2][amazon eks cluster iam role] : + > + > > Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKS` - The role allows Amazon EKS to manage clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and VPCs. + > + > > Prior to October 3, 2023, [AmazonEKSClusterPolicy] was required on the IAM role for each cluster. + > > + > > Prior to April 16, 2020, [AmazonEKSServicePolicy] was also required and the suggested name was `eksServiceRole`. With the `AWSServiceRoleForAmazonEKS` service-linked role, that policy is no longer required for clusters created on or after April 16, 2020. + +
+ Example in CLI + + ```json + { + "Version": "2012-10-17", + "Statement": [{ + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:AssumeRole" + }] + } + ``` + + ```sh + aws iam create-role \ + --role-name 'myAmazonEKSClusterRole' \ + --assume-role-policy-document 'file://eks-cluster-role-trust-policy.json' + aws iam attach-role-policy \ + --policy-arn 'arn:aws:iam::aws:policy/AmazonEKSClusterPolicy' \ + --role-name 'myAmazonEKSClusterRole' + ``` + +
+
+ +1. Create a custom control plane Security Group if one does not want to use [the autogenerated one][amazon eks security group requirements and considerations]. +1. Create the cluster. + +
+ Example in CLI + + ```sh + aws eks create-cluster \ + --name 'myAmazonEKSCluster' \ + --role-arn 'arn:aws:iam::000011112222:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS' \ + --resources-vpc-config 'subnetIds=subnet-11112222333344445,subnet-66667777888899990,securityGroupIds=sg-0aaaabbbbccccdddd' + ``` + +
+
+ +1. FIXME + +## Further readings + +### Sources + +- [Getting started with Amazon EKS - AWS Management Console and AWS CLI] +- [`aws eks create-cluster`][aws eks create-cluster] +- [Using service-linked roles for Amazon EKS] +- [Service-linked role permissions for Amazon EKS] +- [Amazon EKS cluster IAM role] +- [Amazon EKS VPC and subnet requirements and considerations] +- [Amazon EKS security group requirements and considerations] + + + + + + + +[amazon eks cluster iam role]: https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html +[aws eks create-cluster]: https://docs.aws.amazon.com/cli/latest/reference/eks/create-cluster.html +[getting started with amazon eks - aws management console and aws cli]: https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html +[service-linked role permissions for amazon eks]: https://docs.aws.amazon.com/eks/latest/userguide/using-service-linked-roles-eks.html#service-linked-role-permissions-eks +[using service-linked roles for amazon eks]: https://docs.aws.amazon.com/eks/latest/userguide/using-service-linked-roles.html +[amazoneksservicepolicy]: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKSServicePolicy.html +[amazoneksclusterpolicy]: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html +[amazon eks vpc and subnet requirements and considerations]: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html +[amazon eks security group requirements and considerations]: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html + +
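Review bot: In the "Create the cluster" step, `--role-arn` points at the service-linked role (`arn:aws:iam::000011112222:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS`) rather than the cluster role created two steps earlier (`myAmazonEKSClusterRole`, the one carrying `AmazonEKSClusterPolicy`). The service-linked role is assumed by the EKS service itself and is not what `create-cluster` expects in `--role-arn`; the example should pass the cluster role, e.g. `--role-arn 'arn:aws:iam::000011112222:role/myAmazonEKSClusterRole'`, and the surrounding "To check" note should say explicitly that the service-linked role and the cluster IAM role are two different roles, since the quoted doc excerpts only state that the `AmazonEKSServicePolicy` attachment became unnecessary. Two smaller points: the "To check" block with its quoted excerpts is pasted verbatim under both "Requirements" and step 2 of "Creation procedure", so one copy could reference the other; and the trust-policy JSON block should be labelled with the `eks-cluster-role-trust-policy.json` filename that the `aws iam create-role` command reads, otherwise the `file://` reference does not line up with anything on the page. The trailing `1. FIXME` step and the empty TL;DR section also need content before merge.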