1. Create AWS IAM users:
We have created following IAM users and assign the EKS policy permissions to it.
- eks-trainee ( eks list and read permission)
- eks-developer ( eks list and read permission)
- eks-super-admin (EKS cluster admin policy)
2. Create AWS EKS cluster
- configure the aws cli for eks-creator account
2. list to show which IAM user currently logged in
aws sts get-caller-identity3. Create EKS cluster
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: robin-personal-cluster
region: us-east-2
nodeGroups:
- name: ng-1
instanceType: t2.small
desiredCapacity: 2
volumeSize: 80
ssh:
allow: true
- name: ng-2
instanceType: t2.small
desiredCapacity: 2
volumeSize: 80
ssh:
allow: trueeksctl create cluster -f cluster.yaml3. Set Kubernetes context:
To be able to execute the k8s commands, we need to set the k8s context
eksctl utils write-kubeconfig --cluster=robin-personal-cluster --set-kubeconfig-context=true4. Create clusterRole and clusterRoleBinding:
Create clusterRole and clusterRoleBinding for eks-trainee user:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: trainee-clusterrole
rules:
- apiGroups:
- ""
resources: [ "*" ]
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources: [ "*" ]
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources: [ "*" ]
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: trainee-clusterrole-binging
subjects:
- kind: User
name: eks-trainee
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: trainee-clusterrole
apiGroup: rbac.authorization.k8s.iokubectl apply -f eks_trainee_config.yamlCreate clusterRole and clusterRoleBinding for eks-developer user:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: developer-clusterrole
rules:
- apiGroups: [""]
resources: ["nodes", "namespaces", "pods"]
verbs: ["get", "list"]
- apiGroups: ["apps"]
resources: ["deployments" ,"daemonsets" ,"statefulsets" ,"replicasets"]
verbs: ["get", "list", "create"]
- apiGroups: [ "batch"]
resources: ["jobs"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: developer-clusterrole-binging
subjects:
- kind: User
name: eks-developer
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: developer-clusterrole
apiGroup: rbac.authorization.k8s.iokubectl apply -f eks_developer_config.yaml5. Add IAM users in the aws_auth_config.yaml file:
- Export the aws_auth_configMap.yaml file:
if we go with the AWS EKS managed service then there is a special file called as a aws_auth_config.yaml. If you dont have this file already then export the file from AWS EKS cluster using below command:
kubectl get configmap aws-auth -n kube-system -o yaml > aws_auth_config.yaml2. Add IAM user name and ARNs in the aws_auth_config.yaml file:
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::00000000000:role/eksctl-robin-personal-cluster-nod-NodeInstanceRole-TUKH4Z187ANC
username: system:node:{{EC2PrivateDNSName}}
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::00000000000:role/eksctl-robin-personal-cluster-nod-NodeInstanceRole-2RY0KK33CGIG
username: system:node:{{EC2PrivateDNSName}}
mapUsers: |
- userarn: arn:aws:iam::00000000000:user/eks-trainee
username: eks-trainee
- userarn: arn:aws:iam::00000000000:user/eks-developer
username: eks-developer
- userarn: arn:aws:iam::00000000000:user/eks-super-admin
groups:
- system:masters
username: eks-super-admin
