Amazon Web Services

Caution

we need credentials to access clusters

these are confidential information so shouldn’t be shared with anyone

How these credentials are used by ksctl

Environment Variables

export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""

Using command line

ksctl cred

Current Features

Cluster features

Highly Available cluster

clusters which are managed by the user not by cloud provider

you can choose between k3s and kubeadm as your bootstrap tool

custom components being used

Etcd database VM
HAProxy loadbalancer VM for controlplane nodes
controlplane VMs
workerplane VMs

Managed Cluster Elastic Kubernetes Service

we provision Roles ksctl-* 2 for each cluster:

ksctl-<clustername>-wp-role for the EKS NodePool
ksctl-<clustername>-cp-role for the EKS controlplane

we utilize the iam:AssumeRole to assume the role and create the cluster

Policies aka permissions for the user

here is the policy and role which we are using

iam-role-full-access(Custom Policy)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:GetRolePolicy",
                "iam:SetSecurityTokenServicePreferences"
            ],
            "Resource": [
                "arn:aws:iam::*:role/ksctl-*",
                "arn:aws:iam::*:instance-profile/*"
            ]
        }
    ]
}

eks-full-access(Custom Policy)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:ListNodegroups",
                "eks:ListClusters",
                "eks:*"
            ],
            "Resource": "*"
        }
    ]
}

AmazonEC2FullAccess(Aws)
IAMReadOnlyAccess(Aws)

Validaty of Kubeconfig

The Kubeconfig generated after you ran

ksctl switch aws --name here-you-go --region us-east-1

we are using sst token to authenticate with the cluster, so the kubeconfig is valid for 15 minutes

once you see that there is a error of unauthorized then you need to re-run the above command

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified August 3, 2024: moved the docs from develop to stable (060b2e7)