Learn

Learn about latest technology

Build

Unleash your talent and coding!

Share

Let more people use it to improve!
 

AWS EKS just configuring it manually

viernes, 28 de junio de 2019


This is a technical article focused in to create, manually, a proper configuration to sent commands from your local environment to AWS EKS Cluster.

In AWS-EKS you will need that your local kubectl CLI can talks with your AWS EKS Cluster. Every thing is oriented to install AWS CLI. So What happen if you don’t want to  install AWS CLI? In that case the configuration process to talk to the EKS cluster must be done manually. Let’s check what does it means.
Before that, you will need to know some technical concept about k8s and AWS. I suppose that you feel confortable or at least have basic knowledges in the following contents:
  1. AWS IAM: remember that you shouldn't use your AWS account root user.
  2. Kubectl CLI: command line interface for running commands against Kubernetes clusters that must be installed on your local environment.
Our utter configuration is composed for 2 files in our local environment:
  1. ~/.kube/config: We have a config file, usually KUBECONFIG, this file is used to configure access to clusters . It is a document like every definitions document in k8s with fields like (apiVersion, kind, etc) so the first thing that you need to know is the location of the cluster and the credentials to access it.
  2. ~/.aws/credentials: These are the credentials with which I going to create my cluster, authenticated with my IAM account.
At the same time we need something(software/tool) that with our credentials will make available the authentication to our k8s EKS cluster, this role is performed by aws-iam-authenticator.
You can find a proper installation guide of aws-iam-authenticator or  try with the following steps:
the below lines are referred to OSX but if you are working with linux then you will need to change in line 3 the bash file instead of .bash_profile should be .bashrc

1
2
3
curl -o aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.13.7/2019-06-11/bin/darwin/amd64/aws-iam-authenticator
chmod +x ./aws-iam-authenticator
mkdir -p $HOME/bin && cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator && echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile

Testing your above aws-iam-authenticator installation: aws-iam-authenticator help

Now we are going to indicate the location/name of our kubconfig file and its content.


~/.kube/config

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
apiVersion: v1
clusters:
- cluster:
    server: <endpoint-url>
    certificate-authority-data: <base64-encoded-ca-cert>
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args:
        - token
        - -i
        - my_cluster_name
        # - -r
        # - arn:aws:iam::835499627031:role/eksServiceRole
      env:
        - name: AWS_PROFILE
          value: my_profile_name
yaml definition 1.0

Should be interesting have a look to several lines at yaml definition 1.0 for example

In line 20 aws-iam-authenticator [command] [Flags:] it runs the cluster authentication using AWS IAM and get tokens for Kubernetes, in order to get there, we have our credential files with our access keys/secrets that we are gonna explain below.

We indicate below the location/name of our credentials file and its content.

~/.aws/credentials

[my_user_in_IAM]
aws_access_key_id=generated_aws_access_key
aws_secret_access_key=generated_aws_secret_access_key
config definition 1.0

In config definition 1.0 I indicate the structure of the credential files but you can find more about manage access keys in IAM documentation for manage access keys. In the picture below you can find in an easy way how create keys/secrets in your AWS IAM account. The same key/secrets/user_in_IAM used to create your EKS Cluster.



In reference to the aforementioned file yaml definition 1.0 we  need to get the server endpoint(line 4): <endpoint-url> in reference to below picture pay attention to Api server endpoint and the certificate-authority-data(line 5): <base64-encoded-ca-cert> in reference to below picture have a look to Certificate Authority

















This is just the configuration process,  you will need to modify the kubeconfig file (~/.kube/config) every time that you create a new cluster, it can be done by command or modifying the kubeconfig file manually. I think that you should do this process manually  at least few times  because it will help you to understand it quite well.

So you can decide, from my point of view, when I am working in Linux environment  I run  eksctl for cluster creation process but when I am working in OS X, I prefer to create the cluster and worker nodes through the aws console, it is just an opinion. So in that case(OS X) I don't install aws CLI. It is enough with  ~/.kube/config, ~/.aws/credentials and the installation of aws-iam-authenticator.

0 comentarios:

Publicar un comentario