From 60404eabbee6d2f9c114a06a0e2a83e99f64f9b2 Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Mon, 29 Jul 2024 19:37:55 +0200
Subject: [PATCH] feat(aws/eks): improve readibility
---
 knowledge base/cloud computing/aws/eks.md | 91 +++++++++++++++++++++--
 1 file changed, 84 insertions(+), 7 deletions(-)
diff --git a/knowledge base/cloud computing/aws/eks.md b/knowledge base/cloud computing/aws/eks.md
index a70bd40..79c3b58 100644
--- a/knowledge base/cloud computing/aws/eks.md
+++ b/knowledge base/cloud computing/aws/eks.md
@@ -10,8 +10,8 @@
 1. [Secrets encryption through KMS](#secrets-encryption-through-kms)
 1. [Storage](#storage)
 1. [Use EBS as volumes](#use-ebs-as-volumes)
- 1. [EBS CSI driver IAM role as aws-managed add-on](#ebs-csi-driver-iam-role-as-aws-managed-add-on)
- 1. [EBS CSI driver IAM role as self-managed add-on](#ebs-csi-driver-iam-role-as-self-managed-add-on)
+ 1. [EBS CSI driver as aws-managed add-on](#ebs-csi-driver-as-aws-managed-add-on)
+ 1. [EBS CSI driver as self-managed add-on](#ebs-csi-driver-as-self-managed-add-on)
 1. [Metrics server](#metrics-server)
 1. [Pod identity](#pod-identity)
 1. [Autoscaling](#autoscaling)
@@ -700,7 +700,7 @@ EBS CSI driver. Considerations:
 - The EBS CSI driver needs to make calls to AWS' APIs on one's behalf.
- The driver's IAM role's permissions need to be [set accordingly][ebs csi driver iam role as aws-managed add-on].
+ The driver's IAM role's permissions need to be [set accordingly][ebs csi driver as aws-managed add-on].
 - The EBS CSI DaemonSet is **required** to mount EBS volumes.
Fargate _can_ run the EBS _controller_ Pods, but it **cannot** run DaemonSets (including the CSI DaemonSet).
 This means that Fargate **won't be able** to mount EBS volumes, and that only EC2 nodes running the DaemonSet will be
@@ -726,7 +726,7 @@ kubectl exec -it 'app' -- cat '/data/out.txt'
 kubectl delete -f 'manifests/'
 ```
-#### EBS CSI driver IAM role as aws-managed add-on
+#### EBS CSI driver as aws-managed add-on
 Refer [Manage the Amazon EBS CSI driver as an Amazon EKS add-on].
@@ -735,6 +735,9 @@ Requirements:
 - An existing EKS cluster (_duh!_).
 - An existing IAM OIDC provider for the cluster.
+
+ CLI + ```sh # 1. Get the OIDC issuer ID for existing EKS clusters OIDC_ISSUER="$(aws eks describe-cluster --name 'DeepThought' --query 'cluster.identity.oidc.issuer' --output 'text')" @@ -745,6 +748,24 @@ Requirements: aws create create-open-id-connect-provider --url "$OIDC_ISSUER" --client-id-list 'sts.amazonaws.com' ``` +
+ +
+ Pulumi + + ```ts + const oidcProvider = new aws.iam.OpenIdConnectProvider( + "cluster", + { + clientIdLists: [ "sts.amazonaws.com" ], + thumbprintLists: [ "0123456789abcdef0123456789abcdef01234567" ], // FIXME: use reference + url: cluster.identities[0].oidcs[0].issuer, + }, + ); + ``` + +
+ - An IAM role for the EBS CSI driver.
Refer [Create an Amazon EBS CSI driver IAM role]. @@ -758,6 +779,53 @@ Requirements: > could not create volume in EC2: UnauthorizedOperation error > ``` +
+ CLI + + ```sh + ``` + +
+ +
+ Pulumi + + ```ts + const eksEbsCsiDriver_role = oidcProvider.arn.apply(oidcProviderArn => new aws.iam.Role( + "eksEbsCsiDriver", + { + name: "EksEbsCsiDriverRole", + description: "Allows Pods to act upon EBS volumes on behalf of the user.", + assumeRolePolicy: JSON.stringify({ + Version: "2012-10-17", + Statement: [{ + Effect: "Allow", + Principal: { + Federated: oidcProviderArn, + }, + Action: "sts:AssumeRoleWithWebIdentity", + Condition: { + StringEquals: { + // FIXME: use references + "oidc.eks.eu-west-1.amazonaws.com/id/0123456789ABCDEF0123456789ABCDEF:aud": "sts.amazonaws.com", + "oidc.eks.eu-west-1.amazonaws.com/id/0123456789ABCDEF0123456789ABCDEF:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa", + }, + }, + }], + }), + }, + )); + new aws.iam.RolePolicyAttachment( + "AmazonEBSCSIDriverPolicy-to-eksEbsCsiDriverRole", + { + policyArn: "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy", + role: eksEbsCsiDriver_role.name, + }, + ); + ``` + +
+ - [external-snapshotter], if planning to use the snapshot functionality of the driver.
The components' installation **must** be performed in this order: @@ -765,12 +833,16 @@ Requirements: 1. ClusterRole, ClusterRoleBinding, and other RBAC components. 1. Snapshot controller's Deployment. +
+ CLI ```sh git clone 'https://github.com/kubernetes-csi/external-snapshotter.git' kubectl kustomize 'external-snapshotter/client/config/crd' | kubectl apply -f - kubectl -n 'kube-system' kustomize 'external-snapshotter/deploy/kubernetes/snapshot-controller' | kubectl apply -f - ``` +
+ Procedure: - Install the add-on.
@@ -787,7 +859,7 @@ Procedure: -
+
Pulumi ```ts @@ -806,7 +878,10 @@ Procedure:
-#### EBS CSI driver IAM role as self-managed add-on +#### EBS CSI driver as self-managed add-on + +
+ CLI ```sh helm upgrade -i --repo 'https://kubernetes-sigs.github.io/aws-ebs-csi-driver' \ @@ -814,6 +889,8 @@ helm upgrade -i --repo 'https://kubernetes-sigs.github.io/aws-ebs-csi-driver' \ --namespace 'kube-system' ``` +
+ ## Metrics server Refer [View resource usage with the KubernetesMetrics Server]. @@ -1134,7 +1211,7 @@ Debug: see [Identify common issues]. [access management]: #access-management [cluster autoscaler]: #cluster-autoscaler [create worker nodes]: #create-worker-nodes -[ebs csi driver iam role as aws-managed add-on]: #ebs-csi-driver-iam-role-as-aws-managed-add-on +[ebs csi driver as aws-managed add-on]: #ebs-csi-driver-as-aws-managed-add-on [identify common issues]: #identify-common-issues [pod identity]: #pod-identity [requirements]: #requirements