Create a private Kubernetes cluster on AWS EKS

Captions
Hello and welcome to another tech video in this channel. Today in this video we are going to see how to create a private EKS cluster and access the same via a public-facing jump server with an IAM role attached. So without further ado, let's dive into the implementation.

We have already logged into the AWS console. Let's go to VPC, click Create VPC and select VPC and more. Under the auto-generate I am writing eks-demo for now; at the end we will use custom name tags for all the resources. Keeping CIDR, IPv6, tenancy and number of availability zones as default. In a production scenario you may use all three availability zones. I'll have two public subnets reserved for the jump server and any internet-facing ALBs in the future. Number of private subnets as 4: 2 for app, which will have the EKS cluster and the worker nodes, and two for databases for future purposes. This will complete our three-tier network architecture. I'll keep the NAT gateways as In 1 AZ; it will be required to download images from ECR. I am not complicating this implementation by adding VPC endpoints; however, in production scenarios usually there is no NAT gateway, and at that time you will have to provision endpoints as well. Once done I'll uncheck the auto-generate checkbox and add name tags as needed. I am rushing through this part as it's not the most important part of the video; you can pause the video and add tags accordingly, and finally click Create VPC. Apart from the NAT gateway, all other resources are provisioning quite fast. In the VPC screen you can see the resource map, which helps to visualize the network better. We have completed the basic network infra provisioning required to create a private EKS cluster and its corresponding worker nodes.

Now let's move towards the most important part of the tutorial, that is provisioning of the EKS cluster and the node group. On the top, search for EKS, click Add cluster and choose Create. In the cluster configuration give the name as eks-demo-cluster and keep the Kubernetes version as 1.25. To pass a cluster service role you may have to create a new one. For that go to the IAM console, on the left navigation pane click on Roles, choose Create role, keep AWS service selected for trusted entity type, under use case search for EKS and choose EKS - Cluster, and click Next. Here we see AmazonEKSClusterPolicy is added; click Next. Under the role name give a name as eks-demo-cluster-role, quickly validate everything and click Create role. Once the role is created go back to the EKS screen and click refresh to see the newly created IAM role. Since there is only one cluster role it got auto-selected. I don't need any secrets encryption for this exercise, but it's ideal for the production scenarios. Adding a name tag as eks-demo-cluster, click Next. Choose the VPC which we have provisioned earlier, remove all subnets and select only the app subnets as we want to keep our cluster private, so choosing both eks-demo app private subnets 1a and 1b. I am not creating any additional security groups as EKS will anyway create a security group for the cluster. Choose Private as I want the cluster to be private to simulate the production scenario, and click Next. Since this is a demo I don't want to enable any kind of logging, but again this is a must for the production setups. kube-proxy, CoreDNS and VPC CNI add-ons are installed by default; I don't want any GuardDuty for now, and click Next. I am not going to touch any add-on settings for this exercise; click Next. Let me quickly verify and review all the cluster parameters and hit Create. We can see that the cluster is now in Creating state. The cluster creation process will take around 8 to 10 minutes; I will pause the video and come back again once the cluster is provisioned. Here we see that the cluster is now provisioned; ignore the loading error, it does not concern us for now.

Now the next step is to provision compute capacity. For that go to the Compute tab and click Add node group. For the name tag let me add eks-demo-node-group. Again we don't have a role created for the node group; let's quickly create that. Go to the IAM console, Create role, keep the trusted entity as AWS service, use case as EC2 and click Next. In the search box search for EKS and choose AmazonEKSWorkerNodePolicy; another would be required to pull the images from ECR, for that search for container and choose AmazonEC2ContainerRegistryReadOnly, and click Next. Provide the name as eks-demo-node-group-role, keep all other parameters as is and click Create role. Once the role is created, continue with the node group provisioning screen. Once you refresh, the role we just created will be auto-populated if that's the only node group role we have. Keep all other configurations as is, add a name tag that is eks-demo-node-group, and click Next. Let's keep the node group configuration as default: AMI type as Amazon Linux 2, capacity as On-Demand, instance type as t3.medium, disk size as 20, and keep the rest of the configurations as is and click Next. Under the networking section again choose the app private subnets. Configuring remote access to the worker nodes is a personal choice; some organizations do not allow access to the same. For this exercise I'll allow access. Go to the EC2 console and create a new key pair with the name eks-demo-node-group-key, keep other things as they are, add a tag and click Create key pair. Let's also create a security group, providing the name as eks-demo-node-group-security-group and selecting the eks-demo VPC. For now I will not add any inbound rules; for this exercise I won't need any access to the worker nodes. Click Create security group. Now let's go back again to the node group creation screen, click the refresh button beside the EC2 key pair dropdown and select eks-demo-node-group-key; similarly select the security group as well and click Next. Let's quickly verify all the configurations and click Create. We see a message stating node group creation is in process. Let's go to the EC2 console to check whether the provisioning has started. I don't see it has started yet; let's go back to the node group screen and wait for some time. I'll pause the video and come back again once the node group is up. Here we see the node group is Active and two nodes are registered. Let's check the EC2 console as well; here we see two nodes are provisioned.

Now that the provisioning for the EKS cluster and the node group is complete, we need to access that cluster and its worker nodes. For that we will require a jump server. We will provision the jump server in the public subnet as we need access to the same from our local machine. For that let's go to the EC2 console, click on Launch instances, give the name tag as eks-demo-jump-server, keep the AMI as Amazon Linux 2023, keep the instance type as is, create a new key pair eks-demo-jump-server-key and hit Create key pair. The key pair will be downloaded, which will later be used to access the jump server via SSH. Scroll down to the network settings, click Edit, choose the custom VPC we have created earlier and choose any public subnet. This step is important because we will need a public IP for our EC2 instance, so select Auto-assign public IP: Enable. Choose Create security group and enter a proper group name. I am keeping the source and port as is since I don't have a static IP, but in production scenarios it is recommended to restrict access to the jump servers to a single IP so that your entire infrastructure doesn't get exposed. I won't touch the rest of the settings and click Launch instance. Browse to that instance; it will take some time for that instance to come up. Once it is in the Running state click on the Connect button, go to the SSH client tab and copy the chmod command. I already have the terminal open; I'll change the directory to Downloads, as I have the key downloaded earlier in that directory. Paste the chmod command and hit Enter; this command will give appropriate permissions on the key so that we can SSH into the jump server. Go back to the AWS console and copy the SSH example string, paste it in the terminal, hit Enter, type yes, and now you are able to log into the jump server. From here we can access our EKS cluster and do all the administration required.

Now the first step is to install the kubectl tool. Go to your browser and search for "install kubectl", click on the official link from AWS, scroll down and select the Linux tab. Since we have Amazon Linux 2023, our EKS cluster version is 1.25 and our EC2 instance is amd64, we will choose the appropriate link and run it in the terminal. This next step is optional, if you want to verify the downloaded binary; I am executing it for the sake of it, you can ignore this step if you want. I'll check the checksum as well; it says OK. The openssl command will give a SHA-256 string; you can compare the same with the downloaded one. Again this is optional. Apply the chmod command to provide execute permissions to kubectl. This command will create a bin directory in the home path; we'll copy the kubectl file into the bin directory and the bin directory path will be exported so that we can run kubectl commands from anywhere. Optionally you can run this command to set the path in your shell initialization file so that kubectl will be accessible whenever you open a new shell session. And finally run the kubectl command to check the installation.

Now since the EKS cluster was provisioned from an IAM user, we need to configure its credentials in the jump server, as the cluster will be accessible only for that particular user. This particular thing is mentioned in the AWS documentation here. This will be done only for the first time; after that I will demonstrate how to access the cluster via IAM role. So let's configure the IAM credentials: execute the aws configure command and enter the AWS access key, AWS secret key, default region name (for me it is ap-south-1) and output format as json. If you don't know how to create credentials, I will mention the link in the description. Now our AWS configuration is done. We need to configure access to the EKS cluster from our jump server. For that let's search for "update kubeconfig kubectl", open the official documentation link, copy the update-kubeconfig command, replace the name parameter with our EKS cluster name which we have mentioned during the provisioning, replace the region code with ap-south-1 and execute the command. Here we can see that a new context is added. Now let's validate if it has been added as expected; we can do that using the command kubectl config view. So here we see all the contexts that are configured; as of now I have only one. If we run the update-kubeconfig command for another cluster it will add another context here. Now let's try to access the cluster using the command kubectl cluster-info. Here we see the request is not going through. It's because we have added the context to the jump server and configured the IAM credentials as well, but our EKS cluster has to allow connectivity from the jump server. For that we will have to open 443 on the EKS cluster security group for the jump server security group. Let's go to the EKS cluster, click on the Networking tab, open the cluster security group, click on the Inbound rules tab, edit inbound rules, add a rule with the port range as 443 and in Source add the jump server security group, add an appropriate description and click Save rules. Now head on to the terminal and rerun the cluster-info command again; so finally our cluster is accessible from our jump server. Let's try the kubectl get nodes command as well; here we see the two nodes which were created during the node group creation.

We are now able to access the cluster; however, it's not a best practice to access it using IAM credentials. Instead it should be done via IAM role if we are accessing from an EC2 instance. When you do aws configure list we see the list of IAM identities configured in the server; so these are the credentials of my user. And when you do aws sts get-caller-identity it tells you who is running the AWS command; again here we see my user is being used. So let's configure our EC2 instance to use an IAM role instead of an IAM user. For that go to IAM, go to Roles, click Create role, select AWS service as trusted entity, keep EC2 selected for common use case and click Next. Here we are not selecting any policies as we need only Kubernetes access for the EC2 user for now, and for that configuration no policy is required. In future if you want to access other services or perform some activities in the EKS cluster you can provide those permissions, but for accessing the Kubernetes cluster nothing is required, so ignore the policies and click Next. Under role name I am giving eks-demo-jump-server-role as the name; keeping other things as is, click Create role. Once the role is created we need to attach the same to the EC2 instance. For that go to the EC2 instance, choose the jump server, click on Actions, choose Security, Modify IAM role, choose the IAM role we just created and click Update IAM role. Go back to the jump server terminal and check aws configure list; we still see the configured user, and get-caller-identity is still showing the IAM user as Ajit. But that's okay for now; I'll show how we clear that in some time. But before that we have to configure our IAM role in the Kubernetes cluster. Go to the web browser and search for "AWS EKS edit config map", and open the link which says "Enable IAM principal access to your cluster". We have to make changes to the aws-auth ConfigMap in the kube-system namespace. The describe command will give you the details about this particular ConfigMap, but before we make any changes let's take a backup of the ConfigMap. You can take the backup using the command kubectl get cm aws-auth -n kube-system and write the output to a file. Validate if the file is created properly. Now execute the command kubectl edit cm aws-auth -n kube-system. Here under the mapRoles section we have to add the newly created jump server role. In the AWS documentation go to the "Edit ConfigMap manually" tab; we have to add the IAM role information, so let's copy the group section which has some information related to IAM roles. Let's copy this entire group string and paste it in the terminal just below the existing group under mapRoles. I am giving system:masters permissions to the IAM role as I want to perform administration from the jump server. Copy the role ARN from the AWS console. I have a typo in system:masters: instead of an underscore it should be a colon. Remove the existing IAM role and paste the jump server role ARN in here; similarly copy the role name and replace the console viewer role with it. Once done, exit and save. Let's validate whether the ConfigMap is updated; so here we see it's been updated with the jump server IAM role. You already know that even with the IAM role configured, all the requests to AWS are done via the IAM user only. To reset that, let's clear that out by removing the contents of the config and the credentials files. Now rerun the aws sts get-caller-identity command; you will notice that it is picking up the IAM role and not the IAM user. Now let's do a kubectl get nodes to check if our cluster is accessible. So this is how you provide access to an IAM role on your cluster. When you do an aws configure list you will see dynamic credentials generated by the IAM role. Hope this tutorial was helpful to you. If you have any questions or suggestions please let me know in the comment section. Thanks for watching right till the end; see you in the next video.
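The aws-auth change described in the captions, done as a reviewable file edit instead of kubectl edit, as an added example that is not from the video: the script takes the JSON backup of the ConfigMap, checks the role ARN and the group spelling (the underscore-versus-colon typo the video mentions), strips server-populated metadata so the file can be re-applied, and appends the mapRoles entry only if that ARN is not already mapped. The account ID 111122223333, the role names, the jump-server username and the sample ConfigMap are assumptions constructed for the example.

```python
# Append the jump-server IAM role to the EKS aws-auth ConfigMap (kube-system).
# Input is the JSON from: kubectl get cm aws-auth -n kube-system -o json
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample: an aws-auth ConfigMap holding only the node group role.
SAMPLE_AWS_AUTH = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system", "resourceVersion": "42"},
    "data": {"mapRoles": ("- groups:\n  - system:bootstrappers\n  - system:nodes\n"
                          "  rolearn: arn:aws:iam::111122223333:role/eks-demo-node-group-role\n"
                          "  username: system:node:{{EC2PrivateDNSName}}\n")}})

def group_problem(group):
    """Return why a Kubernetes group name is unusable, or None if it is fine."""
    if group.startswith("system_"):  # the typo from the video: '_' instead of ':'
        return f"{group!r}: system groups use a colon, e.g. system:masters"
    if not re.fullmatch(r"[A-Za-z0-9:_.-]+", group):
        return f"{group!r}: unexpected characters in group name"
    return None

def render_map_role(role_arn, username, groups):
    """Render one mapRoles list item in the YAML layout aws-auth expects."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    for g in groups:
        if group_problem(g):
            raise ValueError(group_problem(g))
    lines = [f"- rolearn: {role_arn}", f"  username: {username}", "  groups:"]
    return "\n".join(lines + [f"    - {g}" for g in groups]) + "\n"

def mapped_role_arns(cm_json):
    """List the rolearn values already present in data.mapRoles."""
    map_roles = json.loads(cm_json).get("data", {}).get("mapRoles", "")
    return re.findall(r"rolearn:\s*(\S+)", map_roles)

def add_map_role(cm_json, role_arn, username, groups):
    """Return the ConfigMap JSON with the role appended to mapRoles (idempotent)."""
    cm = json.loads(cm_json)
    if cm.get("kind") != "ConfigMap" or cm.get("metadata", {}).get("name") != "aws-auth":
        raise ValueError("input is not the aws-auth ConfigMap")
    # drop server-populated fields so the file can be re-applied without conflicts
    for key in ("resourceVersion", "uid", "creationTimestamp", "managedFields"):
        cm["metadata"].pop(key, None)
    if role_arn not in mapped_role_arns(cm_json):
        existing = cm.setdefault("data", {}).get("mapRoles", "")
        sep = "" if existing.endswith("\n") or not existing else "\n"
        cm["data"]["mapRoles"] = existing + sep + render_map_role(role_arn, username, groups)
    return json.dumps(cm, indent=2)
```

On the jump server, feed the backup file to add_map_role, diff the result against the backup, then kubectl apply -f the new file. system:masters is cluster-admin, which is what the video chooses; a narrower group bound through RBAC is the usual hardening for a shared jump server.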
Info
Channel: Tech with Ajit
Views: 10,831
Keywords: aws eks, aws eks kubernetes tutorial, aws eks for beginners, aws eks cluster setup, aws eks private cluster setup, aws, kubernetes, kubernetes tutorial, kubernetes setup, aws eks example, how to setup kubernetes cluster on aws, how to setup kubernetes on aws, aws kubernetes tutorials for beginners, aws devopskubenetes, microservices, amazon web services, aws tutorial, aws cloud, aws tutorials for beginners, setup kubernetes cluster, setup kubernetes cluster on aws, ajit inamdar
Id: M3j0mln3jBo
Length: 21min 2sec (1262 seconds)
Published: Thu Jun 01 2023