• Using AWS Secrets Manager secrets and Systems Manager parameters in Kubernetes with KES

    4 min read

    By using Kubernetes External Secrets (KES) we can use external secret management systems, like AWS Secrets Manager or Vault, to securely add secrets to Kubernetes.

    This is achieved by using the ExternalSecret object, which declares how to fetch the secret data, while the KES controller converts the ExternalSecrets into Secrets. The conversion is completely transparent to Pods, which can access the resulting Secrets normally.

    29/11/2021

    Read more...
  • IRSA: How to create an IAM role for a specific ServiceAccount

    2 min read

    AWS EKS Kubernetes IRSA

    On AWS EKS you can associate an IAM role with a Kubernetes service account. The assume role policy is going to look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20:sub": "system:serviceaccount:demons:demosa"
            }
          }
        }
      ]
    }
    

    Let's take a look at how to create this role using Terraform.

    24/11/2021

    Read more...
  • Install and configure external-DNS on AWS EKS

    3 min read

    With external-DNS, the DNS records for the Ingress objects we have are created automatically. We can choose between several cloud providers, or even configure it to use the standard dynamic zone update mechanism defined in RFC 2136. Let's see how to configure it on AWS EKS with Route53.

    09/11/2021

    Read more...
  • Terraform: Ignore changes on some of the managed resources

    2 min read

    Some of the resources we create using Terraform might be changed externally. For example, an AutoScalingGroup's desired_capacity can be changed outside of Terraform (without updating Terraform's state) in order to handle more traffic. That's the case for the workers' ASG on an EKS cluster, which is usually modified by the cluster autoscaler:

    (...)
    
    Note: Objects have changed outside of Terraform
    
    Terraform detected the following changes made outside of Terraform since the last "terraform apply":
    
      # module.eks.aws_autoscaling_group.workers["pet2cattle_eu-west-1a"] has been changed
      ~ resource "aws_autoscaling_group" "workers" {
          ~ desired_capacity          = 7 -> 6
            id                        = "pet2cattle_eu-west-1a2021082509502468370000000a"
            name                      = "pet2cattle_eu-west-1a2021082509502468370000000a"
            # (22 unchanged attributes hidden)
    
    
            # (16 unchanged blocks hidden)
        }
    
    Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.
    
    (...)
    

    13/10/2021

    Read more...
  • Update local kubeconfig to connect to an AWS EKS cluster

    2 min read

    If we want to connect to an AWS EKS cluster using kubectl we need to update our kubeconfig (~/.kube/config). To do so we can use awscli.

    04/10/2021

    Read more...

More recent...