# Kubernetes

This document describes how we use Kubernetes as our application orchestration platform.
## Accessing EKS via kubectl

### Prerequisite

### Steps
- Configure an AWS CLI profile via SSO

  ```
  $ aws configure sso
  ```

  This command prompts you for the following values:
  - SSO session name: can be anything
  - SSO start URL: must be https://tofu-bonsai.awsapps.com/start
  - SSO region: must be eu-central-1
  - SSO registration scopes: choose the default (sso:account:access)
  - Role name: if you are assigned to multiple accounts, or have multiple roles, you are prompted to choose one. See the About roles section below for details.
  - Default client Region: must be eu-central-1
  - CLI default output format: anything you want; json should be fine.
  - Profile name: the profile name you will use on your local machine. You might want a name that is shorter than the default.
- Verify your configuration

  ```
  $ aws sts get-caller-identity --profile <profile name you chose above>
  ```

  If the command above prints something like the following, your profile was configured successfully.

  ```json
  {
    "UserId": "XXXXXXXXXXXXXXXX:dummy@gotofu.com",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_XXX_YYYYY/dummy@gotofu.com"
  }
  ```
- Delete the old configuration (only if you already have a config that uses the old IAM user)

  ```
  $ kubectl config delete-context arn:aws:eks:eu-central-1:<AWS Account ID>:cluster/bonsai-app-eks-cluster-<dev or prod>
  ```

- Get the kubectl config from EKS

  ```
  $ aws eks update-kubeconfig --region eu-central-1 --name bonsai-app-eks-cluster-<dev or prod> --profile <profile name>
  ```
- Test

  You should now be able to use kubectl to work with our EKS cluster. Let's test whether you really can.

  ```
  $ kubectl get pod
  ```

  If you see a list of running pods, you are done with this section.
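The steps above leave room for a common mistake: running `update-kubeconfig` while the CLI still resolves to the old IAM user, or against the prod cluster with a role that only grants dev. The following script is an added example (not part of this document or of any project tooling) that vets the `get-caller-identity` output before the kubeconfig is written. It takes the ARN shape and role names from this page; the 16-hex-character suffix that AWS appends to permission-set role names is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original doc): vet the output of
# `aws sts get-caller-identity` before running `aws eks update-kubeconfig`.
# Rejects anything that is not an SSO assumed role (e.g. a leftover IAM user)
# and applies the role -> environment mapping from the "About roles" section.
# Assumption: AWS appends a 16-hex-character suffix to permission-set role names.
set -eu
CLUSTER_PREFIX="bonsai-app-eks-cluster"

# Pull the "Arn" value out of the caller-identity JSON (no jq needed).
caller_arn() {
  printf '%s\n' "$1" | sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Permission-set name inside an SSO assumed-role ARN; fails for any other ARN.
# .../assumed-role/AWSReservedSSO_full_access_<16 hex>/user -> full_access
sso_role_name() {
  _role=$(printf '%s\n' "$1" | sed -n \
    's#^arn:aws:sts::[0-9]\{12\}:assumed-role/AWSReservedSSO_\(.*\)_[0-9a-f]\{16\}/.*#\1#p')
  [ -n "$_role" ] && printf '%s\n' "$_role"
}

# Environments a role may reach, per "About roles" (Billing gets no cluster).
allowed_envs() {
  case "$1" in
    full_access)       printf 'dev prod\n' ;;
    bonsai_developers) printf 'dev\n' ;;
    *)                 return 1 ;;
  esac
}

# check_identity <caller-identity json> <dev|prod>: prints the cluster name to
# pass to `aws eks update-kubeconfig --name`, or fails with a reason on stderr.
check_identity() {
  _arn=$(caller_arn "$1")
  _name=$(sso_role_name "$_arn") || { echo "not an SSO role: $_arn" >&2; return 1; }
  _envs=$(allowed_envs "$_name") || { echo "role $_name has no cluster access" >&2; return 1; }
  case " $_envs " in
    *" $2 "*) printf '%s-%s\n' "$CLUSTER_PREFIX" "$2" ;;
    *) echo "role $_name may not access $2" >&2; return 1 ;;
  esac
}

# Constructed sample outputs, shaped like the JSON shown earlier on this page.
SAMPLE_SSO_JSON='{ "Account": "123456789012",
  "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_bonsai_developers_0123456789abcdef/dummy@gotofu.com" }'
SAMPLE_IAM_USER_JSON='{ "Arn": "arn:aws:iam::123456789012:user/dummy" }'
# Live use: CLUSTER=$(check_identity "$(aws sts get-caller-identity --profile "$P")" dev)
#           aws eks update-kubeconfig --region eu-central-1 --name "$CLUSTER" --profile "$P"
```

With the constructed bonsai_developers identity, `check_identity ... dev` prints `bonsai-app-eks-cluster-dev`, while `... prod` and the IAM-user sample both fail before any kubeconfig is touched.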
## About roles

We use AWS IAM Identity Center with SSO to log in to AWS. Each user is assigned one (or more) of the following roles:

- full_access
- bonsai_developers
- Billing

Users with the full_access role can access both production and dev; users with the bonsai_developers role can access only dev.