Kubernetes #
This document provides how we are using kubernetes as our app orchestration.
Accessing EKS via kubectl #
Prerequisite #
Steps #
- Configure AWS CLI profile via SSO
aws configure sso
This command will prompt you to provide following variables.
- SSO session name: Can be anything
- SSO start URL: Must be https://tofu-bonsai.awsapps.com/start
- SSO region: Must be eu-central-1
- SSO registration scopes: Choose default (sso:account:access)
- role name: If you are assigned to multiple accounts, or have multiple roles, you are prompted to choose one. See About roles section below for detail.
- Default client Region: Must be eu-central-1
- CLI default output format: Anything you want. json should be fine.
- Profile name: Profile name you are going to use in your local machine. You might want a name that is shorter than the default.
- Verify your configuration
aws sts get-caller-identity --profile <profile name you chose above>
If the command above prints something like following, your profile was configured successfully.
{
"UserId": "XXXXXXXXXXXXXXXX:dummy@gotofu.com",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_XXX_YYYYY/dummy@gotofu.com"
}
- Delete old configuration (Only if you already have a config with old IAM user)
kubectl config delete-context arn:aws:eks:eu-central-1:<AWS Account ID>:cluster/bonsai-app-eks-cluster-<dev or prod>
- Get kubectl config from EKS
aws eks update-kubeconfig --region eu-central-1 --name bonsai-app-eks-cluster-<dev or prod> --profile <profile name>
- Test
You should be able to use kubectl to work with our EKS cluster. Let’s test if you really can.
kubectl get pod
If you see list of running pods. You are with this section.
About roles #
We are using AWS IAM Identity Center with SSO to login to AWS. Each user is assigned to one (or more) following role:
- full_access
- bonsai_developers
- Billing
Users with full_access role can access both production and dev, but only dev for bonsai_developers.