
AWS EKS - Elastic Kubernetes Service

NOT PORTED YET

Best Practices

https://docs.aws.amazon.com/eks/latest/best-practices/introduction.html

EKS on Fargate

Serverless Kubernetes service to avoid having to deal with node pool management.

https://docs.aws.amazon.com/eks/latest/userguide/fargate.html

EKS Kubectl Access

First install AWS CLI as per the AWS page.

Then run the aws_kube_creds.sh script from the DevOps-Bash-tools repo's aws/ directory.

This will find and configure kube config for all your kubernetes clusters in the current AWS account.

aws_kube_creds.sh
kubectl config get-contexts

Switch to the cluster you want:

kubectl config use-context <name>
kubectl get pods --all-namespaces

Then see Kubernetes page for configs, scripts and .envrc.

Eksctl

The official CLI of EKS.

Easier to use than AWS CLI for EKS.

From DevOps-Bash-tools:

install_eksctl.sh

Get Cluster Version

aws eks describe-cluster --name "$EKS_CLUSTER" --query "cluster.version" --output text

AWS Load Balancer

https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/

Grant IAM Roles EKS Access

https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html

Newer Native IAM Method

This is preferred as long as your cluster meets the version prerequisites.

Check your cluster's Kubernetes and platform versions against the prerequisites using:

aws eks describe-cluster --name "$EKS_CLUSTER" \
  --query 'cluster.{"Kubernetes Version": version, "Platform Version": platformVersion}'

If not already enabled, enable it (this change is irreversible):

aws eks update-cluster-config --name "$EKS_CLUSTER" --access-config authenticationMode='API_AND_CONFIG_MAP'

Then create access entries:

aws eks create-access-entry --cluster-name "$EKS_CLUSTER" \
    --principal-arn "arn:aws:iam::$AWS_ACCOUNT_ID:role/devs" \
    --type STANDARD \
    --username MyK8sRoleBinding \
    --kubernetes-groups MyK8sRoleBinding

https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

Old ConfigMap Method

Use this if the cluster version is old or you don't want to change the access mode in production just yet.

WARNING: If you get this edit wrong you could lose access to your cluster

For this reason it is recommended to use eksctl to edit the aws-auth configmap for safety:

eksctl get iamidentitymapping --cluster "$EKS_CLUSTER"

To get the role from an account currently authenticated using it:

AWS_ROLE="$(aws sts get-caller-identity --query 'Arn' --output text | sed 's|.*role/||; s|/.*$||' | tee /dev/stderr)"

If using AWS SSO it will look something like AWSReservedSSO_<ROLE>_1234567890abcdef.

eksctl create iamidentitymapping --cluster "$EKS_CLUSTER" --arn "arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE" --username 'admin:{{SessionName}}' --group 'system:masters' --no-duplicate-arns

Since a mapping can't be updated in place, you need to delete and recreate it to change it, for example if you missed off the :{{SessionName}} suffix from --username 'admin':

eksctl delete iamidentitymapping --cluster "$EKS_CLUSTER" --arn="arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE"

See the configmap:

kubectl get -n kube-system configmap aws-auth -o yaml

Raw old school editing method (DO NOT USE - see WARNING above):

kubectl edit -n kube-system configmap aws-auth
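Pre-flight checks for the eksctl aws-auth workflow above, as an added example that is not part of the original page. It generalises the page's sed one-liner so that an IAM role ARN carrying a path (as SSO roles do) also reduces to the bare role name, and refuses a mapRoles body that would drop the role you are currently using. The account id, ARNs and mapRoles text are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Inputs are the ARN from
# `aws sts get-caller-identity --query Arn --output text` and the mapRoles
# section of `kubectl get -n kube-system configmap aws-auth -o yaml`.
set -eu

# Reduce an STS assumed-role ARN (NAME/SESSION) or an IAM role ARN
# (PATH/NAME) to the bare role name.
role_name_from_arn() {
    local rest="${1#*role/}"                    # drop through the first "role/"
    case "$1" in
        *:assumed-role/*) printf '%s\n' "${rest%%/*}" ;;   # NAME/SESSION -> NAME
        *)                printf '%s\n' "${rest##*/}"  ;;  # PATH/NAME    -> NAME
    esac
}

# Build the rolearn that eksctl/aws-auth expects. The path is deliberately
# absent: aws-auth does not support paths in rolearn, so an SSO role's
# /aws-reserved/sso.amazonaws.com/ path must not appear here.
mapping_arn() {  # $1 = account id, $2 = role name
    printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
}

# Keep {{SessionName}} in the username so each person assuming the role is a
# distinct identity in the Kubernetes audit log.
username_keeps_session_name() {
    case "$1" in *'{{SessionName}}'*) return 0 ;; *) return 1 ;; esac
}

# Refuse a mapRoles body (on stdin) that no longer maps the role you are
# currently using: applying it would lock you out of the cluster.
preflight() {  # $1 = caller ARN, $2 = account id, $3 = username template
    local arn
    arn=$(mapping_arn "$2" "$(role_name_from_arn "$1")")
    username_keeps_session_name "$3" ||
        echo "WARN: username '$3' lacks {{SessionName}}; sessions will be indistinguishable in audit logs" >&2
    if ! grep -Fq -- "rolearn: $arn"; then
        echo "REFUSING: $arn is not in the proposed mapRoles; you would lock yourself out" >&2
        return 1
    fi
    echo "ok: $arn is mapped"
}

# Constructed sample values
CALLER_ARN='arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_Admin_1234567890abcdef/alice'
MAP_ROLES='- rolearn: arn:aws:iam::123456789012:role/AWSReservedSSO_Admin_1234567890abcdef
  username: admin:{{SessionName}}
  groups:
    - system:masters'
printf '%s\n' "$MAP_ROLES" | preflight "$CALLER_ARN" 123456789012 'admin:{{SessionName}}'
```

In practice, feed the real mapRoles you are about to apply on stdin and only run the eksctl create/delete commands when preflight exits 0.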

EKS Resizeable Disk

Either create a new storageclass that is resizeable and use that for all future apps:

storageclass-aws-standard-resizeable.yaml

Or patch the default storageclass:

$ kubectl get sc
NAME               PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
ebs-sc (default)   ebs.csi.aws.com         Retain          WaitForFirstConsumer   true                   134d
kubectl patch sc ebs-sc -p '{"allowVolumeExpansion": true}'

I've patched the default storage class in production and resized Atlantis data pvc using the same procedure as the Jenkins-on-Kubernetes notes, it works.

EKS Cluster Add-Ons

List clusters:

eksctl get cluster

or

aws eks list-clusters

List Available EKS cluster addons:

aws eks describe-addon-versions | jq -r '.addons[].addonName' | sort

List eksctl installed EKS cluster addons (may not show ones installed by charts):

eksctl get addons --cluster "$EKS_CLUSTER"

or

aws eks list-addons --cluster-name "$EKS_CLUSTER" --query 'addons[].addonName' --output text

List version of a specific addon:

aws eks describe-addon --cluster-name "$EKS_CLUSTER" --addon-name vpc-cni --query "addon.addonVersion" --output text

List addon pods:

kubectl get pods -n addons

EKS Cluster Upgrades

See the EKS Cluster Upgrades doc.

Extended Support

UserGuide - Extended Support

Extended support costs more, so you may want to switch to standard support.

Note: this forces earlier upgrades, since a version falls out of standard support after only 14 months, so you will need to plan and upgrade more regularly, which is recommended best practice anyway. See the upgrade policy.

See the Available Versions and Release Calendar for when you need to upgrade versions for Standard or Extended support.

You can always see available versions and their status of standard vs extended and dates via the AWS CLI.

(requires a fairly new version of AWS CLI)

brew upgrade awscli
aws eks describe-cluster-versions --output table

Disable extended support and stay on the more recent versions only:

aws eks update-cluster-config --name "$EKS_CLUSTER" --upgrade-policy "supportType=STANDARD"