URL: https://dzone.com/articles/aws-eks-cluster-and-providing-access-to-developer

Creating an AWS EKS Cluster and Providing Access to Developer

Create an AWS EKS cluster and give logging/debugging access, from a developer's EC2 instance, to developers who have no access to the AWS Console and are not added as IAM users.

By Jul. 16, 21 · Tutorial

1. Introduction

This article is going to talk about mainly two points:

  1. How to create an AWS EKS Cluster.
  2. How to provide an AWS EKS cluster access to a developer who does not have admin access to AWS.

To deploy microservices we need AWS EKS clusters for environments such as dev and QA. Once the clusters are available, every developer should be able to reach them from their EC2 instance for logging and debugging purposes.

2. EKS Cluster creation:

To create an AWS EKS cluster you need the following tools/CLIs installed on your system:

  • AWS CLI
  • EKSCTL CLI
  • KUBECTL CLI

2.1 Install AWS CLI

Follow the below steps to install AWS CLI.

Shell
$ curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
$ sudo yum -y install unzip
$ unzip awscli-bundle.zip
$ sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
$ /usr/local/bin/aws --version


Using AWS CLI on Linux

Before you can start using the AWS CLI tool to interact with AWS services, you need to configure it by running the `aws configure` command.

Shell
$ aws configure


This will ask you to provide the following details:

  • AWS Access Key ID
  • AWS Secret Access Key
  • Default region name
  • Default output format

2.2 Install the eksctl CLI

Follow the steps below to install or upgrade to the latest version of the eksctl command line utility.

Shell
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
eksctl version


2.3 Install KUBECTL CLI

Follow the steps below to download and install the Amazon EKS vended kubectl binary for Linux.

Shell
curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.20.4/2021-04-12/bin/linux/amd64/kubectl
chmod +x ./kubectl
mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
kubectl version --short --client


2.4 AWS EKS Cluster Creation:

With all the prep work done, use the sample eksctl configuration below to create an EKS cluster with 2 nodes in an existing VPC.

YAML
### EKS.YML ###
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: sample-cluster
  region: <region>
vpc:
  id: vpc-id-12345
  subnets:
    private:
      <region>-a: { id: "subnetxxxxxxxxx" }
      <region>-c: { id: "subnetxxxxxxxxy" }
nodeGroups:
  - name: worker-nodes
    instanceType: t3.micro
    desiredCapacity: 2
    privateNetworking: true
    targetGroupARNs:
      - arn:aws:elasticloadbalancing:us-east-2:xxxxxxxxxxxx:targetgroup/sample-service/a1b2c3d4e5f6
    preBootstrapCommands:
      # Registers a private registry that Docker may pull from over plain HTTP (no TLS);
      # leave this out unless you run such a registry yourself.
      - "sed -i '2i \"insecure-registries\": [\"<DockerRepoURL:PORT>\"],' /etc/docker/daemon.json"
      - "systemctl restart docker"
    ssh:
      publicKeyName: sample-eks # Update this with the name of your SSH key (pem).


When that is done, run the command below to create the AWS EKS cluster with the eksctl CLI.

Shell
eksctl create cluster --config-file ./eks.yml


Now check the AWS Console: the EKS cluster is being created, and it will take some time to spin up completely.

3. Provide AWS EKS Cluster Access to Developers


Every developer is given an AWS EC2 instance for their development activities, and from there they can access the EKS cluster for logging and debugging purposes. To give EKS access to developers who have no AWS Console access and/or are not added as IAM users, "get" and "list" permissions will be configured for all objects in Kubernetes.

3.1 Create a Role

First, you need to create an IAM role with the following details:

Role name: sample-k8s-devs

Trust relationship:

  • Amazon EC2
  • eks.amazonaws.com

3.2 Create a Policy and Attach to the Role


Policy name: sample-k8s-policy

Actions: sts:AssumeRole, eks:DescribeCluster and eks:ListClusters

Effect: Allow 

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::XXXXXXXXXXXXX:role/sample-k8s-devs"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}


3.3 Attach the IAM Role to EC2 Instances

Attach this IAM role to every AWS EC2 instance that is provided to developers. Here is how you can do it:

Log in to the AWS Console > EC2 Dashboard > select the EC2 instance > Actions > Instance Settings > Attach/replace IAM role, and choose sample-k8s-devs.

3.4 Create RBAC to Provide Access

Create a role.yaml file as shown below:

YAML
### role.yaml ###
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: ["*"]
  #resources: ["pods", "pods/log", "events", "nodes", "deployments", "replicasets", "services"]
  # "*" grants read access to every namespaced resource here, Secrets included;
  # use the explicit list above if that is more than developers need.
  resources: ["*"]
  verbs: ["get", "list"]


Then create a rolebinding.yaml file as shown below:

YAML
### rolebinding.yaml ###
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: full-access-role-binding # Kubernetes names may not contain underscores
  namespace: default # Namespace where access is required
subjects:
- kind: User
  name: sample-k8s-devs # Username mapped to the IAM role in the aws-auth ConfigMap
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-and-pod-logs-reader # Role created in role.yaml
  apiGroup: rbac.authorization.k8s.io


Once both files are in place, apply them:

Shell
kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml


AWS-Auth ConfigMap change

Next, map the IAM role to the Kubernetes username used as the RoleBinding subject by editing the aws-auth ConfigMap in kube-system:

Shell
kubectl describe configmap -n kube-system aws-auth
kubectl edit -n kube-system configmap/aws-auth


You will see the default contents of the ConfigMap, which look like this:

YAML
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::XXXXXXXXXXXX:role/eksctl-sample-cluster-nodegroup-sample-NodeInstanceRole-A1B2C3D4F5
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2021-05-25T15:15:33Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "208800"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 5f6f05fd-ce56-539f-c9d9-c9633ce8b61f


Now add the two lines marked below to mapRoles:

YAML
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::XXXXXXXXXXXX:role/eksctl-sample-cluster-nodegroup-sample-NodeInstanceRole-A1B2C3D4F5
      username: system:node:{{EC2PrivateDNSName}}
    ######################## Below 2 lines ############################
    - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/sample-k8s-devs # IAM role ARN
      username: sample-k8s-devs # IAM role created in AWS; must match the RoleBinding subject
    ###################################################################
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2021-05-25T15:15:33Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "208800"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 5f6f05fd-ce56-539f-c9d9-c9633ce8b61f


If you want to give a particular IAM user admin access to EKS, add the user's ARN under "mapUsers" as shown below (system:masters is the group bound to cluster-admin, so this grants full control of the cluster):

YAML
mapUsers: |
  - groups:
    - system:masters
    username: arn:aws:iam::XXXXXXXXXXXX:user/myuser
    userarn: arn:aws:iam::XXXXXXXXXXXX:user/myuser


3.5 AWS EKS Cluster Access from the AWS Dev VM

To access the AWS EKS cluster from an AWS Dev VM, log in to the Dev VM where the IAM role is attached and run:

Shell
aws eks update-kubeconfig --name sample-cluster --region us-east-2 --role-arn arn:aws:iam::XXXXXXXXXXXX:role/sample-k8s-devs


The following parameters need to be passed with this command:

  • --name <EKS cluster name> i.e. “sample-cluster”
  • --role-arn <IAM role ARN> i.e. the ARN of “sample-k8s-devs”
  • --region <AWS region> i.e. “us-east-2”

The command then downloads and updates the KUBECONFIG file, which is required to access the Kubernetes cluster. Once the download is successful, a confirmation message is displayed.

Now the user can perform get and list actions on all objects in Kubernetes: developers can see logs and events, but no update, delete or create actions are allowed.
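Before handing the VM over, an administrator can confirm that the aws-auth mapping and the RBAC objects behave as intended. The script below is an added example, not part of the original article: it runs from an admin kubeconfig, impersonates the aws-auth username with `kubectl auth can-i --as`, and compares the answers to the intent of role.yaml (get/list allowed, writes, exec and cluster-scoped nodes denied); the `KUBECTL` variable is an assumption so the binary can be swapped out.

```shell
#!/usr/bin/env bash
# verify-dev-access.sh: check the effective RBAC of the mapped developer identity.
set -u
KUBECTL="${KUBECTL:-kubectl}"   # assumed override point for the kubectl binary

# "verb resource[/subresource] expected": the intent behind role.yaml.
# get/list succeed on namespaced objects; writes, pods/exec and cluster-scoped
# resources (nodes) must be denied. With resources: ["*"], Secrets in the
# namespace are readable too, so that row is expected "yes" as written.
EXPECTED_ACCESS="
get pods yes
list pods yes
get pods/log yes
list events yes
get secrets yes
create pods no
delete pods no
update deployments no
create pods/exec no
list nodes no
"

# can_i VERB RESOURCE[/SUB] SUBJECT NAMESPACE -> prints yes|no
can_i() {
  local verb=$1 res=$2 subject=$3 ns=$4 sub=""
  case "$res" in */*) sub="--subresource=${res#*/}"; res=${res%%/*};; esac
  # kubectl exits 1 when the answer is "no"; only the printed answer matters here.
  "$KUBECTL" auth can-i "$verb" "$res" $sub --as "$subject" -n "$ns" 2>/dev/null || true
}

# verify_dev_access SUBJECT NAMESPACE -> prints one line per check,
# returns the number of mismatches (0 means the cluster matches the intent).
verify_dev_access() {
  local subject=$1 ns=$2 mismatches=0 verb res want got
  while read -r verb res want; do
    [ -z "$verb" ] && continue
    got=$(can_i "$verb" "$res" "$subject" "$ns")
    if [ "$got" = "$want" ]; then
      printf 'OK    %-6s %-16s %s\n' "$verb" "$res" "$got"
    else
      printf 'FAIL  %-6s %-16s got=%s want=%s\n' "$verb" "$res" "$got" "$want"
      mismatches=$((mismatches + 1))
    fi
  done <<EOF
$EXPECTED_ACCESS
EOF
  return "$mismatches"
}

# Usage: ./verify-dev-access.sh sample-k8s-devs default
[ "$#" -ge 2 ] && verify_dev_access "$1" "$2"
```

A non-zero exit code means the live cluster grants more or less than role.yaml intends, for example when the role was accidentally mapped to system:masters.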

4. Reference Commands for Developers

Here are some reference commands that developers can run for logging and debugging purposes:

Shell
kubectl logs pods/nginx
kubectl get events
kubectl get pods
kubectl get svc
kubectl get deployments


For example:

Shell
[ec2-user]$ kubectl logs pods/nginx

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/05/26 11:00:53 [notice] 1#1: using the "epoll" event method
2021/05/26 11:00:53 [notice] 1#1: nginx/1.21.0
2021/05/26 11:00:53 [notice] 1#1: built by gcc 8.3.0 (Debian 8.3.0-6)
2021/05/26 11:00:53 [notice] 1#1: OS: Linux 5.4.117-58.216.amzn2.x86_64
2021/05/26 11:00:53 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/05/26 11:00:53 [notice] 1#1: start worker processes
2021/05/26 11:00:53 [notice] 1#1: start worker process 30
2021/05/26 11:00:53 [notice] 1#1: start worker process 31

Shell
[ec2-user]$ kubectl get events

LAST SEEN   TYPE     REASON      OBJECT      MESSAGE
51m         Normal   Killing     pod/nginx   Stopping container nginx
51m         Normal   Scheduled   pod/nginx   Successfully assigned default/nginx to ip-10-12-125-116.us-east-2.compute.internal
51m         Normal   Pulling     pod/nginx   Pulling image "nginx"
51m         Normal   Pulled      pod/nginx   Successfully pulled image "nginx" in 447.694638ms
51m         Normal   Created     pod/nginx   Created container nginx
51m         Normal   Started     pod/nginx   Started container nginx


With that, developers without AWS Console access or IAM user permissions can access the EKS cluster for logging and debugging purposes.

Keep learning! As Leonardo da Vinci said, “Learning never exhausts the mind.” 
