
Satellite on AWS EKS

AWS EKS supports two compute types for its nodes: EC2 and Fargate. Choose the installation method that matches your use case:

Prerequisites

Before installing the Levo Satellite on AWS EKS, ensure you have:

  • eksctl version >= v0.152.0
  • Helm v3 installed and configured on your local machine
  • An AWS account with EKS permissions

Install in AWS EKS using EC2

1. Set Up Environment Variables

export CLUSTER_NAME='Cluster Name'
export REGION='AWS Region'
export ACCOUNT_ID='AWS Account ID'

2. Create the EKS Cluster

read -r -d '' EKS_CLUSTER <<EOF
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: ${CLUSTER_NAME}
  region: ${REGION}

vpc:
  subnets:
    private:
      # MENTION THE SUBNETS YOU WANT TO USE FOR YOUR SATELLITE
      # FOR EXAMPLE:
      # us-west-2a: { id: subnet-0d09e999a579234ea }
      # us-west-2b: { id: subnet-0d09e999a579234eb }

nodeGroups:
  - name: ng-e2e
    instanceType: t2.xlarge
    desiredCapacity: 1
    volumeSize: 40
    privateNetworking: true
EOF

echo "${EKS_CLUSTER}" > eks-cluster.yaml

eksctl create cluster -f eks-cluster.yaml

3. Configure Cluster Access

AWS EKS grants cluster admin permissions to the account that created the cluster. If you don't need to grant access to other AWS users, you can skip this section.

You can grant access to other AWS users in the same account using one of these methods:

Adding individuals to the cluster

Run this command to add an individual user account to the cluster's aws-auth ConfigMap. Membership in the system:masters group gives the mapped user full cluster-admin rights:

eksctl create iamidentitymapping \
--cluster ${CLUSTER_NAME} \
--region ${REGION} \
--arn <AWS ACCOUNT ARN FOR THE USER> \
--group system:masters \
--no-duplicate-arns \
--username <AWS USERNAME FOR THE USER>

Giving access to an IAM User Group

Create a role developer.assume-access.role and attach two policies to it:

  1. EKSFullAccess: Grants access to all EKS resources
  2. developer.assume-eks-access-role.policy: Allows assuming the role

A detailed guide on defining roles and policies can be found here.

After creating the roles and attaching the policies, add the role to the cluster's aws-auth ConfigMap to grant the developers group access:

eksctl create iamidentitymapping \
  --cluster ${CLUSTER_NAME} \
  --region ${REGION} \
  --arn arn:aws:iam::${ACCOUNT_ID}:role/developer.assume-access.role \
  --group system:masters

Run this command to grant access to the cluster.

Users can connect to the cluster with a single command:

aws eks update-kubeconfig --name ${CLUSTER_NAME} --region ${REGION} --role-arn arn:aws:iam::${ACCOUNT_ID}:role/developer.assume-access.role

This command updates the kubeconfig, adds a context for the cluster, and sets it as the current context. The --role-arn argument sets the role to assume, with its policies, so that access to the cluster is granted immediately.

4. Configure the Cluster

Create an OIDC Provider

Run the following commands:

oidc_id=$(aws eks describe-cluster --name ${CLUSTER_NAME} --region ${REGION} --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 | cut -d "\"" -f1

If this returns a value, that is the OIDC ID you need. If the command returns nothing, run:

eksctl utils associate-iam-oidc-provider --cluster ${CLUSTER_NAME} --region ${REGION} --approve

This creates an OIDC Identity Provider.

Next, create a role in AWS for the EBS CSI Driver add-on. The Amazon Elastic Block Store CSI Driver manages persistent volumes in EKS:

OIDC=$(aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 | cut -d "\"" -f1)

read -r -d '' EBS_DRIVER_POLICY <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/oidc.eks.${REGION}.amazonaws.com/id/${OIDC}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.${REGION}.amazonaws.com/id/${OIDC}:aud": "sts.amazonaws.com",
          "oidc.eks.${REGION}.amazonaws.com/id/${OIDC}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
        }
      }
    }
  ]
}
EOF
echo "${EBS_DRIVER_POLICY}" > aws-ebs-csi-driver-trust-policy.json

aws iam create-role \
--role-name AmazonEKS_EBS_CSI_DriverRole \
--assume-role-policy-document file://aws-ebs-csi-driver-trust-policy.json

aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
--role-name AmazonEKS_EBS_CSI_DriverRole

eksctl create addon --name aws-ebs-csi-driver --cluster ${CLUSTER_NAME} --region ${REGION} --service-account-role-arn arn:aws:iam::${ACCOUNT_ID}:role/AmazonEKS_EBS_CSI_DriverRole --force
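
The trust policy above restricts the role to the EBS CSI controller only if both the aud and sub conditions are present under StringEquals and ${OIDC} was not empty when the heredoc was rendered. The check below is an added example, not part of the original guide or of any AWS tool; the function names, the account ID 111122223333 and the OIDC ID are constructed placeholders.

```python
def audit_irsa_trust_policy(policy, expected_sub):
    """Return findings for an IRSA trust policy; an empty list means it is scoped as intended."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if not isinstance(federated, str) or ":oidc-provider/" not in federated:
            findings.append(f"statement {i}: principal is not a single OIDC provider ARN")
            continue
        issuer = federated.split(":oidc-provider/", 1)[1]
        if issuer.endswith("/id/"):
            # An unset ${OIDC} in the heredoc renders an issuer with no cluster ID.
            findings.append(f"statement {i}: issuer has an empty OIDC ID")
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        if exact.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        sub = exact.get(f"{issuer}:sub")
        if sub is None:
            findings.append(f"statement {i}: sub is not pinned with StringEquals")
        elif sub != expected_sub:
            findings.append(f"statement {i}: sub is {sub!r}, expected {expected_sub!r}")
    return findings

# Constructed sample values: placeholder account ID and OIDC ID, not a real cluster.
ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
EXPECTED_SUB = "system:serviceaccount:kube-system:ebs-csi-controller-sa"

def sample_policy(issuer, sub=None):
    """Constructed policy in the shape of the page's; sub=None omits the sub condition."""
    cond = {f"{issuer}:aud": "sts.amazonaws.com"}
    if sub is not None:
        cond[f"{issuer}:sub"] = sub
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{issuer}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": cond},
    }]}

if __name__ == "__main__":
    for sub in (EXPECTED_SUB, None):
        print(audit_irsa_trust_policy(sample_policy(ISSUER, sub), EXPECTED_SUB))
```

To check the file written in this step, load aws-ebs-csi-driver-trust-policy.json with json.load and pass the result as the policy argument before running aws iam create-role.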

5. Install the Satellite

Follow the instructions in the Install on Kubernetes section to install the Satellite.

Ensure you record the Collector's address for future configuration.