From f19cb7604c73ae333f1532374cfbbd54dbb0ebef Mon Sep 17 00:00:00 2001
From: Andrew Gargan
Date: Wed, 22 Sep 2021 14:34:07 -0700
Subject: [PATCH 1/7] Initial Blog Sample code
---
 .../eks-cluster-prework/scripts/pw-script.sh | 17 ++
 .../eks-cluster-prework.template.yaml | 38 ++++
 .../templates/prework.template.yaml | 165 ++++++++++++++++++
 3 files changed, 220 insertions(+)
 create mode 100644 samples/eks-cluster-prework/scripts/pw-script.sh
 create mode 100644 samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
 create mode 100644 samples/eks-cluster-prework/templates/prework.template.yaml
diff --git a/samples/eks-cluster-prework/scripts/pw-script.sh b/samples/eks-cluster-prework/scripts/pw-script.sh
new file mode 100644
index 0000000..f75a0af
--- /dev/null
+++ b/samples/eks-cluster-prework/scripts/pw-script.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Install kubectl
+yum install -y unzip
+
+# TODO: Make this generic based on the EKS Version
+curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl
+chmod +x ./kubectl
+
+#============= INSERT YOUR PREWORK STEPS HERE ====================#
+# Confirm VNI version (Current is 1.9.0) - we could just assume this since it is a new cluster
+kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2 > /tmp/foo.txt
+# TODO: add to a kubernetes secret we output into the CloudFormation template
+
+# Set AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG to True
+kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true
+
+# Add additional steps below
diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
new file mode 100644
index 0000000..b53c118
--- /dev/null
+++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
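Review bot: The binary is downloaded to `./kubectl` on the `curl -o kubectl` line, but every later command runs a bare `kubectl`, which only resolves if the working directory happens to be on PATH; in a fresh container it normally is not, so the `describe` and `set env` steps fail with "command not found". Place it where the shell looks, e.g. `install -m 0755 ./kubectl /usr/local/bin/kubectl`, instead of `chmod +x ./kubectl`. The download is also unverified: `curl -o` without `-f` writes an HTML error body to `kubectl` on a 4xx/5xx, and no checksum is compared, so `curl -fsSL` plus a `sha256sum --check` against the checksum published next to the binary would make this supply-chain step fail closed. Without `set -euo pipefail`, a failing `describe | grep | cut` pipeline leaves an empty `/tmp/foo.txt` and the script still exits 0, which the Job's `backoffLimit` would then treat as success; `yum install -y unzip` installs a package nothing here uses.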
@@ -0,0 +1,38 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: "Amazon EKS PreWork pattern Blog"
+Parameters:
+ AccessCIDR:
+ Default: 0.0.0.0/0
+ Type: String
+ PreworkScriptBucket:
+ Type: String
+ Default: 'aws-quickstart'
+ PreworkScriptObject:
+ Type: String
+ Default: 'quickstart-examples/samples/eks-cluster-prework/script/pw-script.sh'
+Resources:
+ EKSStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml'
+ Parameters:
+ # Quickstart properties
+ QSS3BucketName: aws-quickstart
+ QSS3KeyPrefix: quickstart-amazon-eks/
+ QSS3BucketRegion: us-east-1
+ # Cluster properties
+ ProvisionBastionHost: Enabled
+ AccessCIDR: !Ref AccessCIDR
+ NodeInstanceType: t3.large
+ NumberOfNodes: 1
+ MaxNumberOfNodes: 1
+ PreworkStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml'
+ Parameters:
+ ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"
+ PreworkScriptBucket: "aws-quickstart"
+ PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh"
+ JobName: "ExampleJob"
+ KubernetesNameSpace: "prework-example"
diff --git a/samples/eks-cluster-prework/templates/prework.template.yaml b/samples/eks-cluster-prework/templates/prework.template.yaml
new file mode 100644
index 0000000..cfd4e66
--- /dev/null
+++ b/samples/eks-cluster-prework/templates/prework.template.yaml
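Review bot: `ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"` on PreworkStack passes the literal text `EKSStack.Outputs.EKSClusterName` to the nested stack, because `!Sub` only expands `${...}` placeholders; the cluster name is never read, so every AWSQS::Kubernetes::Resource downstream targets a cluster that does not exist. It should be `ClusterName: !GetAtt EKSStack.Outputs.EKSClusterName`, which also gives CloudFormation the ordering on EKSStack that the template currently lacks. The `PreworkScriptObject` default ends in `script/pw-script.sh` while the file this commit adds lives under `scripts/`, and both `PreworkScriptBucket`/`PreworkScriptObject` parameters are declared but never `!Ref`-ed — PreworkStack hard-codes the values. `AccessCIDR` defaulting to `0.0.0.0/0` together with `ProvisionBastionHost: Enabled` exposes the bastion to the whole internet by default; dropping the `Default` and adding an `AllowedPattern` forces the deployer to choose a CIDR deliberately.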
@@ -0,0 +1,165 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description:
+Parameters:
+ ClusterName:
+ Type: String
+ PreworkScriptBucket:
+ Type: String
+ Default: aws-quickstart
+ PreworkScriptObject:
+ Type: String
+ Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh"
+ JobName:
+ Type: String
+ Default: ExampleJob
+ KubernetesNameSpace:
+ Type: String
+ Default: "prework-example"
+Resources:
+ KubernetesPreWorkIAMRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: !Sub "pw-role-${JobName}"
+ AssumeRolePolicyDocument: !Sub
+ - |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDCProvider}"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}-${JobName}"
+ }
+ }
+ }
+ ]
+ }
+ - NameSpace: !Ref KubernetesNameSpace
+ ResourceName: "pw-service-account"
+ Path: "/"
+ Policies:
+ - PolicyName: root
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ Resource:
+ - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}"
+ KubernetesRole:
+ Type: AWSQS::Kubernetes::Resource
+ Properties:
+ ClusterName: !Ref ClusterName
+ Namespace: !Ref KubernetesNameSpace
+ Manifest: !Sub
+ - |
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ labels:
+ app.kubernetes.io/name: "${ResourceName}-${JobName}"
+ name: "${ResourceName}-${JobName}"
+ # Modify for your scripts here
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - ResourceName: "pw-role"
+ NameSpace: !Ref "KubernetesNameSpace"
+
+ PreWorkServiceAccount:
+ Type: AWSQS::Kubernetes::Resource
+ Properties:
+ ClusterName: !Ref ClusterName
+ Namespace: !Ref KubernetesNameSpace
+ Manifest: !Sub
+ - |
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ labels:
+ app.kubernetes.io/name: "${ResourceName}-${JobName}"
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName}-${JobName}
+ name: "${ResourceName}-${JobName}"
+ namespace: ${NameSpace}
+ - ResourceName: "pw-service-account"
+ NameSpace: !Ref KubernetesNameSpace
+ RoleName: !Ref "PreWorkIAMRole"
+
+ PreWorkClusterRoleBinding:
+ Type: AWSQS::Kubernetes::Resource
+ Properties:
+ ClusterName: !Ref ClusterName
+ Namespace: !Ref KubernetesNameSpace
+ Manifest: !Sub
+ - |
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ labels:
+ app.kubernetes.io/name: "${ResourceName}-${JobName}"
+ name: "${ResourceName}-${JobName}"
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "pw-role-${JobName}"
+ subjects:
+ - kind: ServiceAccount
+ name: "pw-service-account-${JobName}"
+ namespace: ${NameSpace}
+ - ResourceName: "pw-role-binding-${JobName}"
+ NameSpace: !Ref KubernetesNameSpace
+
+ PreWorkJob:
+ DependsOn: [ PreWorkIAMRole, PreWorkRole, PreWorkServiceAccount, PreWorkRoleBinding ]
+ Type: AWSQS::Kubernetes::Resource
+ Properties:
+ ClusterName: !Ref ClusterName
+ Namespace: !Ref KubernetesNameSpace
+ Manifest: !Sub
+ - |
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ name: "${ResourceName}-${JobName}"
+ namespace: ${NameSpace}
+ spec:
+ template:
+ spec:
+ containers:
+ - name: ${ResourceName}
+ image: amazonlinux:2
+ command: ["/bin/bash","-c"]
+ args:
+ - >
+ sleep 15;
+ yum update -y;
+ yum install -y awscli;
+ export AWS_REGION=${AWS::Region};
+ export NS=${NameSpace};
+ aws sts get-caller-identity;
+ aws s3 cp ${!S3_SCRIPT_URL} ./prework-script.sh &&
+ chmod +x ./prework-script.sh &&
+ ./prework-script.sh
+ env:
+ - name: S3_SCRIPT_URL
+ value: ${S3ScriptURL}
+ - name: AWS_REGION
+ value: ${AWS::Region}
+ serviceAccountName: "pw-service-account-${JobName}"
+ restartPolicy: Never
+ backoffLimit: 4
+ - ResourceName: "pw-job"
+ NameSpace: !Ref "KubernetesNameSpace"
+ S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}"
From bd1a12d1b29d1085afe5e4a99c89945c729ef864 Mon Sep 17 00:00:00 2001
From: Andrew Gargan
Date: Wed, 22 Sep 2021 14:39:13 -0700
Subject: [PATCH 2/7] Fix spacing issues.
---
 .../templates/eks-cluster-prework.template.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
index b53c118..ba9438b 100644
--- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
+++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
@@ -21,8 +21,8 @@ Resources:
 QSS3KeyPrefix: quickstart-amazon-eks/
 QSS3BucketRegion: us-east-1
 # Cluster properties
- ProvisionBastionHost: Enabled
- AccessCIDR: !Ref AccessCIDR
+ ProvisionBastionHost: Enabled
+ AccessCIDR: !Ref AccessCIDR
 NodeInstanceType: t3.large
 NumberOfNodes: 1
 MaxNumberOfNodes: 1
@@ -31,7 +31,7 @@ Resources:
 Properties:
 TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml'
 Parameters:
- ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"
+ ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"
 PreworkScriptBucket: "aws-quickstart"
 PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh"
 JobName: "ExampleJob"
From c13d5c0cf8d069f8fa3c424e39eb3686ef58feda Mon Sep 17 00:00:00 2001
From: Andrew Gargan
Date: Wed, 22 Sep 2021 14:39:42 -0700
Subject: [PATCH 3/7] Fix spacing issues.
---
 .../templates/eks-cluster-prework.template.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
index ba9438b..62f6f18 100644
--- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
+++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
@@ -31,7 +31,7 @@ Resources:
 Properties:
 TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml'
 Parameters:
- ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"
+ ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"
 PreworkScriptBucket: "aws-quickstart"
 PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh"
 JobName: "ExampleJob"
From 53883df36a1807044c70570fd6a0dd761830f4f6 Mon Sep 17 00:00:00 2001
From: Andrew Gargan
Date: Thu, 23 Sep 2021 10:19:36 -0700
Subject: [PATCH 4/7] Remove Bastion and AccessCIDR, small parameter adjustments
---
 .../eks-cluster-prework.template.yaml | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
index 62f6f18..e869ea2 100644
--- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
+++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
@@ -1,9 +1,12 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: "Amazon EKS PreWork pattern Blog"
 Parameters:
- AccessCIDR:
- Default: 0.0.0.0/0
+ PreworkJobName:
 Type: String
+ Default: 'example-job'
+ PreworkNameSpace:
+ Type: String
+ Default: 'example-job-ns'
 PreworkScriptBucket:
 Type: String
 Default: 'aws-quickstart'
@@ -16,13 +19,12 @@ Resources:
 Properties:
 TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml'
 Parameters:
- # Quickstart properties
+ # AWS Quick Start properties
 QSS3BucketName: aws-quickstart
 QSS3KeyPrefix: quickstart-amazon-eks/
 QSS3BucketRegion: us-east-1
- # Cluster properties
- ProvisionBastionHost: Enabled
- AccessCIDR: !Ref AccessCIDR
+ # Amazon EKS Cluster properties
+ ProvisionBastionHost: Disabled
 NodeInstanceType: t3.large
 NumberOfNodes: 1
 MaxNumberOfNodes: 1
@@ -34,5 +36,5 @@ Resources:
 ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"
 PreworkScriptBucket: "aws-quickstart"
 PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh"
- JobName: "ExampleJob"
- KubernetesNameSpace: "prework-example"
+ JobName: !Ref "PreWorkJobName"
+ KubernetesNameSpace: !Ref "PreworkNamespace"
From 05d0571e24799b294ee3c8a5fea831b2136ce05e Mon Sep 17 00:00:00 2001
From: Andrew Gargan
Date: Thu, 23 Sep 2021 11:42:49 -0700
Subject: [PATCH 5/7] Adjust the S3 URI's to be sigv4 compliant.
---
 .../templates/eks-cluster-prework.template.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
index e869ea2..9f116d1 100644
--- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
+++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
@@ -17,7 +17,7 @@ Resources:
 EKSStack:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml'
+ TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml'
 Parameters:
 # AWS Quick Start properties
 QSS3BucketName: aws-quickstart
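Review bot: `JobName: !Ref "PreWorkJobName"` and `KubernetesNameSpace: !Ref "PreworkNamespace"` in the `@@ -34,5 +36,5 @@` hunk do not match the parameters the first hunk of this commit declares, `PreworkJobName` and `PreworkNameSpace`; `!Ref` is case-sensitive, so the template fails validation with unresolved references. Use `JobName: !Ref PreworkJobName` and `KubernetesNameSpace: !Ref PreworkNameSpace`, or rename the parameters, and settle on one spelling of `Prework`/`PreWork` and `NameSpace`/`Namespace` across both templates, since the nested template's own parameter is `KubernetesNameSpace`. The defaults `'example-job'` and `'example-job-ns'` are valid DNS labels, which matters because the nested template turns them into Kubernetes object and namespace names; an `AllowedPattern` on both parameters would enforce the same for user-supplied values.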
@@ -31,7 +31,7 @@ Resources:
 PreworkStack:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml'
+ TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml'
 Parameters:
 ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"
 PreworkScriptBucket: "aws-quickstart"
From 9521c13b6ae38aa8372c032ab4f1d9f519ce4ab1 Mon Sep 17 00:00:00 2001
From: Andrew Gargan
Date: Mon, 27 Sep 2021 14:05:52 -0700
Subject: [PATCH 6/7] Adjusting to agreed path for blog posts
---
 {samples => blog-assets}/eks-cluster-prework/scripts/pw-script.sh | 0
 .../templates/eks-cluster-prework.template.yaml | 0
 .../eks-cluster-prework/templates/prework.template.yaml | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename {samples => blog-assets}/eks-cluster-prework/scripts/pw-script.sh (100%)
 rename {samples => blog-assets}/eks-cluster-prework/templates/eks-cluster-prework.template.yaml (100%)
 rename {samples => blog-assets}/eks-cluster-prework/templates/prework.template.yaml (100%)
diff --git a/samples/eks-cluster-prework/scripts/pw-script.sh b/blog-assets/eks-cluster-prework/scripts/pw-script.sh
similarity index 100%
rename from samples/eks-cluster-prework/scripts/pw-script.sh
rename to blog-assets/eks-cluster-prework/scripts/pw-script.sh
diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
similarity index 100%
rename from samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
rename to blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
diff --git a/samples/eks-cluster-prework/templates/prework.template.yaml b/blog-assets/eks-cluster-prework/templates/prework.template.yaml
similarity index 100%
rename from samples/eks-cluster-prework/templates/prework.template.yaml
rename to blog-assets/eks-cluster-prework/templates/prework.template.yaml
From 13fdfe8c3596c6633cf42d0dddc68dbfcbf36fbd Mon Sep 17 00:00:00 2001
From: Andrew Gargan
Date: Mon, 27 Sep 2021 14:14:31 -0700
Subject: [PATCH 7/7] Template adjustments for new paths
---
 .../templates/eks-cluster-prework.template.yaml | 6 +++---
 .../templates/prework.template.yaml | 12 +++++++++++-
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
index 9f116d1..b9c4e8f 100644
--- a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
+++ b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
@@ -12,7 +12,7 @@ Parameters:
 Default: 'aws-quickstart'
 PreworkScriptObject:
 Type: String
- Default: 'quickstart-examples/samples/eks-cluster-prework/script/pw-script.sh'
+ Default: 'quickstart-examples/blog-assets/eks-cluster-prework/script/pw-script.sh'
 Resources:
 EKSStack:
 Type: AWS::CloudFormation::Stack
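Review bot: The new default `'quickstart-examples/blog-assets/eks-cluster-prework/script/pw-script.sh'` keeps the `script/` segment, but the file was renamed under `scripts/` in the previous commit and the nested template's own default uses `scripts/pw-script.sh`; once the `@@ -31,10 +31,10 @@` hunk of this commit switches PreworkStack to `!Ref "PreworkScriptObject"`, the job's `aws s3 cp` asks for an object that does not exist. Change it to `Default: 'quickstart-examples/blog-assets/eks-cluster-prework/scripts/pw-script.sh'`. Because the same key is what the IAM policy's `s3:GetObject` resource ARN is scoped to, the wrong default fails closed rather than open, but the sample still does not run as shipped.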
@@ -31,10 +31,10 @@ Resources:
 PreworkStack:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml'
+ TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-examples/blog-assets/eks-cluster-prework/templates/prework.template.yaml'
 Parameters:
 ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"
 PreworkScriptBucket: "aws-quickstart"
- PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh"
+ PreworkScriptObject: !Ref "PreworkScriptObject"
 JobName: !Ref "PreWorkJobName"
 KubernetesNameSpace: !Ref "PreworkNamespace"
diff --git a/blog-assets/eks-cluster-prework/templates/prework.template.yaml b/blog-assets/eks-cluster-prework/templates/prework.template.yaml
index cfd4e66..4ad336d 100644
--- a/blog-assets/eks-cluster-prework/templates/prework.template.yaml
+++ b/blog-assets/eks-cluster-prework/templates/prework.template.yaml
@@ -8,7 +8,7 @@ Parameters:
 Default: aws-quickstart
 PreworkScriptObject:
 Type: String
- Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh"
+ Default: "quickstart-examples/blog-assets/eks-cluster-prework/scripts/pw-script.sh"
 JobName:
 Type: String
 Default: ExampleJob
@@ -52,6 +52,16 @@ Resources:
 - s3:GetObject
 Resource:
 - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}"
+ PeworkNameSpace:
+ Type: "AWSQS::Kubernetes::Resource"
+ Properties:
+ ClusterName: !Ref ClusterName
+ Manifest: !Sub |
+ kind: Namespace
+ apiVersion: v1
+ metadata:
+ name: ${KubernetesNameSpace}
+ Namespace: default
 KubernetesRole:
 Type: AWSQS::Kubernetes::Resource
 Properties:
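Review bot: The new `PeworkNameSpace` resource creates the namespace that `KubernetesRole`, `PreWorkServiceAccount`, `PreWorkClusterRoleBinding` and `PreWorkJob` all target, yet none of them declares a dependency on it, so CloudFormation is free to apply those manifests before the Namespace exists and the first deployment is likely to fail on a not-found error (those resources sit outside this hunk). Add `DependsOn: PeworkNameSpace` to each namespaced resource, or chain them through PreWorkJob's existing `DependsOn` list, and fix the logical ID typo to `PreworkNameSpace` while the resource is new. `Namespace: default` on a cluster-scoped Namespace manifest reads as a mistake; if the provider requires the property regardless of kind — I cannot confirm that from here — a comment such as `# Namespace is required by the provider; ignored for cluster-scoped kinds` would save the next reader a question. The `@@ -31,10 +31,10 @@` hunk of this commit still carries `!Ref "PreWorkJobName"` and `!Ref "PreworkNamespace"`, which do not match the declared `PreworkJobName`/`PreworkNameSpace` parameters of that template.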