oam/knowledge base/cloud computing/aws/eks.md
2024-03-16 01:17:56 +03:00


# Elastic Kubernetes Service

  1. TL;DR
  2. Requirements
  3. Creation procedure
  4. Further readings
    1. Sources

## TL;DR

## Requirements

- 1 Cluster Service Role.

    To check.

    This step might not be necessary anymore [1], [2]:

    Amazon EKS uses the service-linked role named AWSServiceRoleForAmazonEKS. The role allows Amazon EKS to manage clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and VPCs.

    Prior to October 3, 2023, AmazonEKSClusterPolicy was required on the IAM role for each cluster.

    Prior to April 16, 2020, AmazonEKSServicePolicy was also required and the suggested name was eksServiceRole. With the AWSServiceRoleForAmazonEKS service-linked role, that policy is no longer required for clusters created on or after April 16, 2020.

    Kubernetes clusters managed by EKS make calls to other AWS services on the user's behalf to manage the resources that the cluster uses.
    For a cluster to be allowed to make those calls, it needs to have an IAM role assigned with the AmazonEKSClusterPolicy policy attached to it.

## Creation procedure

  1. Create a VPC, if one does not already have one, with public and private subnets that meet EKS' requirements.

    Example in CloudFormation

  2. Create the IAM role for the cluster and attach the required EKS IAM managed policy to it.

    To check: see the note on the AWSServiceRoleForAmazonEKS service-linked role under Requirements, as this step might not be necessary anymore.

    Example in CLI, with the trust policy saved as `eks-cluster-role-trust-policy.json`:

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": {
          "Service": "eks.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }]
    }
    ```

    ```sh
    # Create the cluster role, trusting only the EKS service, then attach the managed policy.
    aws iam create-role \
      --role-name 'myAmazonEKSClusterRole' \
      --assume-role-policy-document 'file://eks-cluster-role-trust-policy.json'
    aws iam attach-role-policy \
      --policy-arn 'arn:aws:iam::aws:policy/AmazonEKSClusterPolicy' \
      --role-name 'myAmazonEKSClusterRole'
    ```

  3. Create a custom control plane Security Group if one does not want to use the autogenerated one.

  4. Create the cluster.

    Example in CLI:

    ```sh
    # --role-arn is the cluster role created in step 2, not the
    # AWSServiceRoleForAmazonEKS service-linked role that EKS uses on its own.
    aws eks create-cluster \
      --name 'myAmazonEKSCluster' \
      --role-arn 'arn:aws:iam::000011112222:role/myAmazonEKSClusterRole' \
      --resources-vpc-config 'subnetIds=subnet-11112222333344445,subnet-66667777888899990,securityGroupIds=sg-0aaaabbbbccccdddd'
    ```

  5. FIXME
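As an added example (not part of this knowledge base page), a small Python pre-flight check for steps 2 and 4: it verifies that the cluster role's trust policy lets only `eks.amazonaws.com` assume the role, and only via `sts:AssumeRole`, then builds the `--resources-vpc-config` value for `aws eks create-cluster` after validating the subnet and security group ids. The embedded policy is the step 2 document as a constructed string; the function names are my own.

```python
import json
import re

# Constructed sample: the step 2 trust policy as saved in eks-cluster-role-trust-policy.json.
TRUST_POLICY_JSON = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "eks.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_cluster_role_trust_policy(document):
    """Return findings; an empty list means only the EKS service can assume
    the role, and only through sts:AssumeRole (nothing broader)."""
    policy = json.loads(document)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow who can assume the role
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append(f"statement {i}: NotPrincipal/NotAction widens access")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or missing
            findings.append(f"statement {i}: principal is not a service map")
        else:
            for kind, who in principal.items():
                for p in _as_list(who):
                    if kind != "Service" or p != "eks.amazonaws.com":
                        findings.append(f"statement {i}: unexpected principal {kind}={p}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action}")
    return findings


def _valid_id(prefix, value):
    # Current AWS resource ids have 17 hex characters; older ones had 8.
    return re.fullmatch(prefix + r"-(?:[0-9a-f]{8}|[0-9a-f]{17})", value) is not None


def build_resources_vpc_config(subnet_ids, security_group_ids):
    """Build the --resources-vpc-config value for `aws eks create-cluster`,
    refusing malformed ids and fewer than the two subnets EKS requires."""
    if len(subnet_ids) < 2:
        raise ValueError("EKS needs at least two subnets, in different AZs")
    bad = [s for s in subnet_ids if not _valid_id("subnet", s)]
    bad += [g for g in security_group_ids if not _valid_id("sg", g)]
    if bad:
        raise ValueError(f"malformed ids: {bad}")
    return f"subnetIds={','.join(subnet_ids)},securityGroupIds={','.join(security_group_ids)}"
```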

## Further readings

### Sources