@davivcgarcia
Last active April 10, 2024 10:45
Amazon EKS Workshop - Complements

EKS Cluster Access Management

This is a hot-patch for the Amazon EKS Workshop that covers the recently announced Cluster Access Management API, which supersedes the old method based on an integration between IAM and an in-cluster Kubernetes ConfigMap (`aws-auth`).

Steps to execute

  1. Create an IAM User that will be used for exercising EKS access management.

```bash
aws iam create-user --user-name lab-user
```

  2. To use it within our lab, also create an IAM access key for that IAM User. Note that `tee` writes the secret access key to `lab-user-key.txt` in clear text: keep that file out of version control, and delete both the file and the key itself (`aws iam delete-access-key`) once the lab is over.

```bash
aws iam create-access-key --user-name lab-user | tee lab-user-key.txt
```

  3. Then, create an AWS CLI profile that uses this IAM principal. Use the information returned by the previous command (`AccessKeyId` and `SecretAccessKey`) to answer the prompts. If you no longer have the output on screen, check the file named `lab-user-key.txt` in your current working directory.

```bash
aws configure --profile lab-user
```

  4. Explore the Cluster Access Management API using the EKS console (access entries and access policies), and test the different levels of access using the following commands.

4.1. To enable the lab-user profile, issue:

```bash
export AWS_PROFILE=lab-user
```

4.2. To disable the lab-user profile, issue:

```bash
unset AWS_PROFILE
```

  5. The kubectl command dynamically obtains the necessary credentials through the AWS CLI, so switching `AWS_PROFILE` is enough to change the identity that kubectl presents to the cluster. In our lab, the default AWS credential has administrative access, while the new profile can be used with more restrictive permissions.
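The procedure above leaves the actual access entry to the console. The following script is an added example (not part of the workshop gist) that does the same thing from the CLI: it creates an access entry for the `lab-user` principal, attaches the managed `AmazonEKSViewPolicy` scoped to one namespace, and then uses `kubectl auth can-i` from the `lab-user` profile to confirm that namespaced reads work while writes and cluster-scoped reads are refused. The cluster name `eks-workshop` and the `lab-user` IAM user/profile come from the gist; the `AWS_CMD` dry-run hook and the helper function names are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the workshop gist: grant the lab-user IAM principal
# read-only access to a single namespace through the EKS Cluster Access Management
# API (access entries + access policies), then check what kubectl can do with it.
# Assumed from the gist: cluster "eks-workshop", IAM user "lab-user", AWS CLI
# profile "lab-user". AWS_CMD is an added dry-run hook (AWS_CMD=echo prints the
# calls instead of making them).
set -eu

CLUSTER="${CLUSTER:-eks-workshop}"
AWS_CMD="${AWS_CMD:-aws}"

# EKS-managed access policies; all share the prefix arn:aws:eks::aws:cluster-access-policy/
access_policy_arn() {
  case "$1" in
    view)          echo "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy" ;;
    edit)          echo "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy" ;;
    admin)         echo "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy" ;;
    cluster-admin) echo "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" ;;
    *) echo "unknown access policy: $1" >&2; return 1 ;;
  esac
}

# Build the --access-scope value. Namespace scope must name at least one
# namespace; refuse to build an empty one rather than falling back to
# type=cluster, which would grant far more than intended.
access_scope() {
  local type="$1"; shift
  if [ "$type" = cluster ]; then
    echo "type=cluster"
  elif [ "$type" = namespace ] && [ $# -gt 0 ]; then
    local ns; ns=$(IFS=,; echo "$*")
    echo "type=namespace,namespaces=$ns"
  else
    echo "namespace scope needs at least one namespace" >&2; return 1
  fi
}

# Access entries are only honoured when the cluster's authentication mode is
# API or API_AND_CONFIG_MAP; a CONFIG_MAP-only cluster still uses aws-auth.
ensure_api_auth_mode() {
  local mode
  mode=$("$AWS_CMD" eks describe-cluster --name "$CLUSTER" \
           --query 'cluster.accessConfig.authenticationMode' --output text)
  case "$mode" in
    API|API_AND_CONFIG_MAP) ;;
    *) "$AWS_CMD" eks update-cluster-config --name "$CLUSTER" \
         --access-config authenticationMode=API_AND_CONFIG_MAP ;;
  esac
}

# Create the access entry for the principal and attach one scoped access policy.
grant_access() {
  local principal_arn="$1" policy="$2" scope="$3"
  "$AWS_CMD" eks create-access-entry --cluster-name "$CLUSTER" \
    --principal-arn "$principal_arn" --type STANDARD
  "$AWS_CMD" eks associate-access-policy --cluster-name "$CLUSTER" \
    --principal-arn "$principal_arn" \
    --policy-arn "$(access_policy_arn "$policy")" \
    --access-scope "$scope"
}

main() {
  local account check
  account=$("$AWS_CMD" sts get-caller-identity --query Account --output text)
  ensure_api_auth_mode
  grant_access "arn:aws:iam::${account}:user/lab-user" view "$(access_scope namespace default)"
  # Verify from the restricted profile. Expected: yes / no / no.
  # "can-i" exits non-zero on "no", hence the "|| true" under set -e.
  for check in "list pods -n default" "delete pods -n default" "list nodes"; do
    # shellcheck disable=SC2086  # $check is meant to be word-split
    printf '%-24s -> %s\n' "$check" "$(AWS_PROFILE=lab-user kubectl auth can-i $check || true)"
  done
}
if [ "${1:-}" = run ]; then main; fi
```

Run it with `bash grant-lab-user.sh run` from the administrative credentials (not from the `lab-user` profile, which cannot create access entries). The namespace scope is the point of the exercise: the same `AmazonEKSViewPolicy` attached with `type=cluster` would let `lab-user` read secrets in every namespace.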

Observability with CW Observability Add-on

This is a hot-patch for the Amazon EKS Workshop that covers the recently announced Amazon CloudWatch Observability add-on for Amazon EKS, used instead of the AWS Distro for OpenTelemetry (ADOT) for collecting metrics, logs and traces. This provides compatibility with the Container Insights with enhanced observability feature.

Steps to execute

In order to ensure the CW Observability add-on has the permissions it needs to call the AWS APIs, we will use an IAM Role bound to a specific Kubernetes Service Account through IRSA (IAM Roles for Service Accounts).

  1. First, ensure the EKS cluster has an IAM OIDC provider associated; IRSA relies on it to validate the projected service account tokens.

```bash
eksctl utils associate-iam-oidc-provider --cluster eks-workshop --approve
```

  2. Then, use eksctl to create the IAM Role with the proper permissions and trust policy. `--role-only` creates the IAM Role without creating the Kubernetes Service Account; the add-on creates and annotates the `cloudwatch-agent` Service Account itself in the next step. The trust policy eksctl generates is restricted to `system:serviceaccount:amazon-cloudwatch:cloudwatch-agent`, so no other pod in the cluster can assume the role.

```bash
eksctl create iamserviceaccount \
  --name cloudwatch-agent \
  --namespace amazon-cloudwatch \
  --cluster eks-workshop \
  --role-name eks-workshop-cw-observability \
  --attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \
  --role-only \
  --approve
```

  3. Enable the EKS add-on with the IAM Role previously created. `$AWS_ACCOUNT_ID` must already hold your AWS account ID (for example from `aws sts get-caller-identity --query Account --output text`).

```bash
aws eks create-addon \
  --addon-name amazon-cloudwatch-observability \
  --cluster-name eks-workshop \
  --service-account-role-arn arn:aws:iam::$AWS_ACCOUNT_ID:role/eks-workshop-cw-observability
```

  4. Wait until the add-on reports the `ACTIVE` status (`aws eks describe-addon`), then navigate to the Amazon CloudWatch Container Insights console and explore the metrics and logs collected.
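The security-relevant part of the IRSA setup above is the trust policy, not the attached permissions policy: a role whose trust policy only checks the `aud` claim (or matches `sub` with a wildcard) can be assumed by any pod in the cluster. The script below is an added example (not part of the workshop gist or eksctl) that renders the trust policy eksctl is expected to produce for the names used in the gist, pulls the real one with `aws iam get-role`, and fails if the role is not pinned to the `amazon-cloudwatch:cloudwatch-agent` Service Account. It also reports the add-on status. The cluster, role, namespace and Service Account names are the gist's; the `AWS_CMD` dry-run hook, the helper names and the sample OIDC issuer URL used in the comment are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the workshop gist: render the IRSA trust policy
# expected for the cloudwatch-agent service account and verify the role that
# was actually created is pinned to that one service account.
# Assumed from the gist: cluster eks-workshop, role eks-workshop-cw-observability,
# namespace amazon-cloudwatch, service account cloudwatch-agent.
# AWS_CMD is an added dry-run hook (AWS_CMD=echo prints the calls).
set -eu

AWS_CMD="${AWS_CMD:-aws}"
CLUSTER="${CLUSTER:-eks-workshop}"
ROLE="${ROLE:-eks-workshop-cw-observability}"

# "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE" -> "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE"
# (the scheme-less form is what appears in the provider ARN and condition keys).
oidc_host() {
  printf '%s\n' "${1#https://}"
}

# Trust policy that limits sts:AssumeRoleWithWebIdentity to ONE service account.
# The ":sub" StringEquals condition is the least-privilege part; without it the
# "aud" check alone would accept a token from any pod in the cluster.
irsa_trust_policy() {
  local account="$1" host="$2" namespace="$3" sa="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::${account}:oidc-provider/${host}" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${host}:aud": "sts.amazonaws.com",
          "${host}:sub": "system:serviceaccount:${namespace}:${sa}"
        }
      }
    }
  ]
}
EOF
}

# Extract every service-account subject named in a trust policy read from stdin.
trust_policy_subjects() {
  grep -o '"system:serviceaccount:[^"]*"' | tr -d '"'
}

# Live check: does the role's trust policy name exactly the expected subject?
verify_role_trust() {
  local subjects
  subjects=$("$AWS_CMD" iam get-role --role-name "$ROLE" \
               --query 'Role.AssumeRolePolicyDocument' --output json | trust_policy_subjects)
  echo "trusted subjects: ${subjects:-<none: trust policy is not pinned to a service account>}"
  [ "$subjects" = "system:serviceaccount:amazon-cloudwatch:cloudwatch-agent" ]
}

# The agent only ships data once the add-on reaches ACTIVE.
addon_status() {
  "$AWS_CMD" eks describe-addon --cluster-name "$CLUSTER" \
    --addon-name amazon-cloudwatch-observability --query 'addon.status' --output text
}

main() {
  local account issuer
  account=$("$AWS_CMD" sts get-caller-identity --query Account --output text)
  issuer=$("$AWS_CMD" eks describe-cluster --name "$CLUSTER" \
             --query 'cluster.identity.oidc.issuer' --output text)
  echo "expected trust policy for $ROLE:"
  irsa_trust_policy "$account" "$(oidc_host "$issuer")" amazon-cloudwatch cloudwatch-agent
  if verify_role_trust; then
    echo "OK: $ROLE is pinned to amazon-cloudwatch:cloudwatch-agent"
  else
    echo "WARNING: $ROLE trusts something other than the cloudwatch-agent service account" >&2
    exit 1
  fi
  echo "add-on status: $(addon_status)"
}
if [ "${1:-}" = run ]; then main; fi
```

Run it with `bash check-cw-irsa.sh run` after step 3. If the check fails because the trust policy uses a wildcard or a broader `sub`, tighten it with `aws iam update-assume-role-policy` using the rendered document before enabling the add-on.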