• AWS EKS: reduce the number of reserved IPs

    4 min read

    EKS AWS ENI available IPs subnet

    If you are trying to run an EKS cluster on a small subnet you might run out of IPs sooner than you might think. Every time it has to attach or detach IPs, an API call needs to be made, so to avoid getting API calls throttled it pre-reserves some

    16/05/2022

  • Using AWS Karpenter with spot instances

    3 min read

    One of the advantages of using AWS Karpenter is that it makes using spot instances straightforward. But how do we handle termination notices coming from AWS?

    21/01/2022

  • Installing and configuring AWS Karpenter

    7 min read

    Starting November 29th 2021, AWS considers Karpenter ready for production. It is a cluster autoscaler alternative intended to improve the efficiency and cost of running workloads on Kubernetes clusters.

    03/12/2021

  • Using AWS Secrets Manager secrets and Systems Manager parameters in Kubernetes with KES

    4 min read

    By using Kubernetes External Secrets (KES) we can use external secret management systems, like AWS Secrets Manager or Vault, to securely add secrets in Kubernetes.

    This is achieved by using the ExternalSecret object, which declares how to fetch the secret data, while the KES controller converts the ExternalSecrets to Secrets. The conversion is completely transparent to Pods, which can access Secrets normally.

    29/11/2021

  • IRSA: How to create an IAM role for a specific ServiceAccount

    2 min read

    On AWS EKS you can associate an IAM role with a Kubernetes service account. The assume role policy is going to look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20:sub": "system:serviceaccount:demons:demosa"
            }
          }
        }
      ]
    }
    

    Let's take a look at how to create this role using Terraform.

    24/11/2021

