Satellite on AWS EKS
AWS EKS supports two compute types for its nodes, EC2 and Fargate. Depending on your usecase, you can follow the installation steps given below.
Prerequisites
- eksctl version >=
v0.152.0
- Helm v3 installed and working on your local machine.
- An AWS account with EKS permissions.
Install in AWS EKS using EC2
1. Setup environment variables
export CLUSTER_NAME='Cluster Name'
export REGION='AWS Region'
export ACCOUNT_ID='AWS Account ID'
2. Cluster Creation
read -r -d '' EKS_CLUSTER <<EOF
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: ${CLUSTER_NAME}
region: ${REGION}
vpc:
subnets:
private:
# MENTION THE SUBNETS YOU WANT TO USE FOR YOUR SATELLITE
# FOR EXAMPLE:
# us-west-2a: { id: subnet-0d09e999a579234ea }
# us-west-2b: { id: subnet-0d09e999a579234eb }
nodeGroups:
- name: ng-e2e
instanceType: t2.xlarge
desiredCapacity: 1
volumeSize: 40
privateNetworking: true
EOF
echo "${EKS_CLUSTER}" > eks-cluster.yaml
eksctl create cluster -f ./configuration/eks-cluster.yaml
3. Connecting to the cluster
AWS EKS grants cluster admin permissions to the account from which the cluster is created. If you don't need access to the cluster for other AWS Users, you can skip this section.
Access to other AWS users in the same account can be granted via 2 ways.
Adding individuals to the cluster
This command can be run to add an inidividual user account to the cluster's aws-auth configmap
eksctl create iamidentitymapping \
--cluster ${CLUSTER_NAME} \
--region ${REGION} \
--arn <AWS ACCOUNT ARN FOR THE USER> \
--group system:masters \
--no-duplicate-arns \
--username <AWS USERNAME FOR THE USER>
Giving access to an IAM User Group
We create a role developer.assume-access.role and attach two policies to it. The first one is EKSFullAccess
so that it has access to all the EKS resources. The second one is developer.assume-eks-access-role.policy
that allows assuming the role.
A detailed guide on defining the roles and policies can be found here.
Once you have followed the above guide to create the roles and attach the specific policies, you can add the role to the cluster's aws-auth config map to let the developers group access the cluster
eksctl create iamidentitymapping \
--cluster ${CLUSTER_NAME} \
--region ${REGION} \
--arn arn:aws:iam::${ACCOUND_ID}:role/developer.assume-access.role \
--group system:masters \
This needs to be run in order to grant access to the cluster.
One can Connect to the cluster by running just a single command
aws eks update-kubeconfig --name ${CLUSTER_NAME} --region ${REGION}> --role-arn arn:aws:iam::${ACCOUNT_ID}:role/developer.assume-access.role
This commands updates the kubeconfig and adds the context for the cluster and sets the current context to it.
The --role
argument sets the correct role and policies so that seemless access to the cluster is granted instantly.
4. Setting the cluster up
Creating an OIDC provider
Run these two commands:
oidc_id=$(aws eks describe-cluster --name ${CLUSTER_NAME} --region ${REGION} --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 | cut -d "\"" -f1
If this returns a value, that is the OIDC ID that we need. If the statement returns nothing, run this command:
eksctl utils associate-iam-oidc-provider --cluster ${CLUSTER_NAME} --region ${REGION} --approve
This creates an OIDC Identity Provider.
Next, to create a role in AWS for the EBS CSI Driver add-on (Amazon Elastic Block Store CSI Driver manages persistent volumes in EKS) we need to run these:
OIDC=$(aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 | cut -d "\"" -f1)
read -r -d '' EBS_DRIVER_POLICY <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/oidc.eks.${REGION}.amazonaws.com/id/${OIDC}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.${REGION}.amazonaws.com/id/${OIDC}:aud": "sts.amazonaws.com",
"oidc.eks.${REGION}.amazonaws.com/id/${OIDC}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
}
}
}
]
}
EOF
echo "${EBS_DRIVER_POLICY}" > aws-ebs-csi-driver-trust-policy.json
aws iam create-role \
--role-name AmazonEKS_EBS_CSI_DriverRole \
--assume-role-policy-document file://aws-ebs-csi-driver-trust-policy.json
aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
--role-name AmazonEKS_EBS_CSI_DriverRole
eksctl create addon --name aws-ebs-csi-driver --cluster ${CLUSTER_NAME} --region ${REGION} --service-account-role-arn arn:aws:iam::${ACCOUNT_ID}:role/AmazonEKS_EBS_CSI_DriverRole —force
5. Install the satellite
Please follow the instructions in the Install on Kubernetes section to install the Satellite.
Please ensure that you note down the address of the collector.