On AWS EKS you can associate an IAM role with a Kubernetes service account. The assume role policy is going to look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20:sub": "system:serviceaccount:demons:demosa"
        }
      }
    }
  ]
}
Let's take a look at how to create this role using Terraform.
24/11/2021
With ExternalDNS, the DNS records for our ingress objects are created automatically. We can choose between several cloud providers, and we can even configure it to use the standard dynamic DNS updates defined in RFC 2136. Let's see how to configure it on AWS EKS with Route53.
09/11/2021
Some of the resources we create using Terraform might be changed externally; for example, an AutoScalingGroup's desired_capacity can be changed outside Terraform (without updating Terraform's state) in order to handle more traffic. That's the case for the workers' ASG on an EKS cluster, which is usually modified by the cluster autoscaler:
(...)

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # module.eks.aws_autoscaling_group.workers["pet2cattle_eu-west-1a"] has been changed
  ~ resource "aws_autoscaling_group" "workers" {
      ~ desired_capacity = 7 -> 6
        id               = "pet2cattle_eu-west-1a2021082509502468370000000a"
        name             = "pet2cattle_eu-west-1a2021082509502468370000000a"
        # (22 unchanged attributes hidden)
        # (16 unchanged blocks hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

(...)
13/10/2021
If we want to connect to an AWS EKS cluster using kubectl, we need to update our kubeconfig (~/.kube/config). To do so we can use the awscli.
04/10/2021
If you are using a mixed instances policy on your EKS workers' ASG, you will want to install the AWS Node Termination Handler to drain a node once AWS notifies that a particular spot instance is going to be reclaimed.
29/09/2021