Amazon Web Services

AWS support for HA and Managed Clusters

How these credentials are used by ksctl

  1. Environment Variables
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
  2. Using command line
ksctl cred

Current Features

Cluster features

Highly Available cluster

Clusters that are managed by the user, not by the cloud provider.

You can choose between k3s and kubeadm as your bootstrap tool.

Custom components used:

  • Etcd database VM
  • HAProxy loadbalancer VM for controlplane nodes
  • controlplane VMs
  • workerplane VMs

Managed Cluster Elastic Kubernetes Service

We provision two ksctl-* roles for each cluster:

  • ksctl-<clustername>-wp-role for the EKS NodePool
  • ksctl-<clustername>-cp-role for the EKS controlplane

We use iam:AssumeRole to assume the role and create the cluster.

Policies aka permissions for the user

Here are the policies and roles we are using:

  1. iam-role-full-access (Custom Policy)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:GetRolePolicy",
                "iam:SetSecurityTokenServicePreferences"
            ],
            "Resource": [
                "arn:aws:iam::*:role/ksctl-*",
                "arn:aws:iam::*:instance-profile/*"
            ]
        }
    ]
}
  2. eks-full-access (Custom Policy)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:ListNodegroups",
                "eks:ListClusters",
                "eks:*"
            ],
            "Resource": "*"
        }
    ]
}
  3. AmazonEC2FullAccess (AWS)
  4. IAMReadOnlyAccess (AWS)
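
Before attaching the two custom policies above to a user, it helps to see where their grants are wider than the ksctl-* naming suggests. The following is an added example, not part of ksctl or its documentation: a small Python audit that flags wildcard actions, actions made redundant by a wildcard, catch-all resources, and iam:PassRole granted without an iam:PassedToService condition. The function name `audit_policy`, the finding labels and the abridged policy copies are assumptions made for this example.

```python
import fnmatch

# Constructed sample input: the two custom policies from this page, with the
# IAM action list abridged to the entries relevant to the checks below.
IAM_ROLE_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor6", "Effect": "Allow",
    "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole"],
    "Resource": ["arn:aws:iam::*:role/ksctl-*", "arn:aws:iam::*:instance-profile/*"]}]}
EKS_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["eks:ListNodegroups", "eks:ListClusters", "eks:*"], "Resource": "*"}]}


def as_list(value):
    """IAM accepts either a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (sid, finding, detail) tuples for a policy's Allow statements (hypothetical helper)."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no-sid>")
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]  # action names are case-insensitive
        wild = [a for a in actions if "*" in a or "?" in a]
        findings += [(sid, "wildcard-action", a) for a in wild]
        # An action already matched by a wildcard in the same statement adds nothing.
        findings += [(sid, "redundant-action", a) for a in actions
                     if any(a != w and fnmatch.fnmatchcase(a, w) for w in wild)]
        # "*" or an ARN whose name part is only "*" covers every resource of that type.
        findings += [(sid, "broad-resource", r) for r in as_list(stmt.get("Resource", []))
                     if r == "*" or r.rsplit("/", 1)[-1] == "*"]
        # Without iam:PassedToService there is no limit on which AWS service the role is passed to.
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if (any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions)
                and "iam:passedtoservice" not in cond_keys):
            findings.append((sid, "passrole-without-passedtoservice", "iam:PassRole"))
    return findings


if __name__ == "__main__":
    for name, doc in (("iam-role-full-access", IAM_ROLE_FULL_ACCESS),
                      ("eks-full-access", EKS_FULL_ACCESS)):
        for finding in audit_policy(doc):
            print(name, *finding)
```

Whether ksctl still works with a narrower policy (for example eks actions scoped to specific cluster ARNs) is not stated on this page, so treat the findings as review prompts rather than required changes.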