Initial Blog Sample code
gargana committed Sep 22, 2021
1 parent 9ea5119 commit f19cb76
Showing 3 changed files with 220 additions and 0 deletions.
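--- /dev/null
+++ b/samples/eks-cluster-prework/scripts/pw-script.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Install kubectl
+yum install -y unzip
+
+# TODO: Make this generic based on the EKS Version
+curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl
+chmod +x ./kubectl
+
+#============= INSERT YOUR PREWORK STEPS HERE ====================#
+# Confirm VNI version (Current is 1.9.0) - we could just assume this since it is a new cluster
+kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2 > /tmp/foo.txt
+# TODO: add to a kubernetes secret we output into the CloudFormation template
+
+# Set AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG to True
+kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true
+
+# Add additional steps below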
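Review bot: The script downloads the binary to `./kubectl` and marks it executable, but the `describe daemonset` and `set env daemonset` lines invoke `kubectl` from `$PATH`, so unless the image already carries one (the `amazonlinux:2` image used by the Job manifest in this commit does not appear to) both commands fail; either call `./kubectl` or install it with `install -m 0755 ./kubectl /usr/local/bin/kubectl`. The download has no integrity check, and `curl` without `-f` writes an HTTP error body into the file on a 4xx/5xx and the next line still chmods it; use `curl -fsSLo ./kubectl <URL>` and compare the result against the `.sha256` file published next to the binary before anything executes it. Add `set -euo pipefail` under the shebang so a failed step aborts the Job instead of continuing to the `kubectl set env` that rewrites the CNI configuration in kube-system. `yum install -y unzip` installs a package nothing here uses, and the DaemonSet image string written to `/tmp/foo.txt` is never read, which the TODO on the following line already acknowledges.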
@@ -0,0 +1,38 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: "Amazon EKS PreWork pattern Blog"
Parameters:
AccessCIDR:
Default: 0.0.0.0/0
Type: String
PreworkScriptBucket:
Type: String
Default: 'aws-quickstart'
PreworkScriptObject:
Type: String
Default: 'quickstart-examples/samples/eks-cluster-prework/script/pw-script.sh'
Resources:
EKSStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml'
Parameters:
# Quickstart properties
QSS3BucketName: aws-quickstart
QSS3KeyPrefix: quickstart-amazon-eks/
QSS3BucketRegion: us-east-1
# Cluster properties
ProvisionBastionHost: Enabled
AccessCIDR: !Ref AccessCIDR
NodeInstanceType: t3.large
NumberOfNodes: 1
MaxNumberOfNodes: 1
PreworkStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml'
Parameters:
ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"
PreworkScriptBucket: "aws-quickstart"
PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh"
JobName: "ExampleJob"
KubernetesNameSpace: "prework-example"
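Review bot: `ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"` passes that literal string to the nested stack, because `!Sub` only replaces `${...}` placeholders; the nested stack output is read with `!GetAtt EKSStack.Outputs.EKSClusterName`. The `PreworkScriptBucket` and `PreworkScriptObject` parameters are declared but never used, since the PreworkStack properties hard-code `"aws-quickstart"` and the object key instead of `!Ref`-ing them, and the declared default `.../script/pw-script.sh` (singular) does not match the `.../scripts/pw-script.sh` path used both in the hard-coded value and for the file added by this commit. `AccessCIDR` defaulting to `0.0.0.0/0` together with `ProvisionBastionHost: Enabled` presumably opens the bastion host's ingress to the whole internet out of the box; samples get copied verbatim, so drop the default so the deployer has to state the range (or add a `Description`/`AllowedPattern` that makes the exposure explicit).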
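--- /dev/null
+++ b/samples/eks-cluster-prework/templates/prework.template.yaml
@@ -0,0 +1,165 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description:
+Parameters:
+ClusterName:
+Type: String
+PreworkScriptBucket:
+Type: String
+Default: aws-quickstart
+PreworkScriptObject:
+Type: String
+Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh"
+JobName:
+Type: String
+Default: ExampleJob
+KubernetesNameSpace:
+Type: String
+Default: "prework-example"
+Resources:
+KubernetesPreWorkIAMRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: !Sub "pw-role-${JobName}"
+AssumeRolePolicyDocument: !Sub
+- |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDCProvider}"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}-${JobName}"
+}
+}
+}
+]
+}
+- NameSpace: !Ref KubernetesNameSpace
+ResourceName: "pw-service-account"
+Path: "/"
+Policies:
+- PolicyName: root
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- s3:GetObject
+Resource:
+- !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}"
+KubernetesRole:
+Type: AWSQS::Kubernetes::Resource
+Properties:
+ClusterName: !Ref ClusterName
+Namespace: !Ref KubernetesNameSpace
+Manifest: !Sub
+- |
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+labels:
+app.kubernetes.io/name: "${ResourceName}-${JobName}"
+name: "${ResourceName}-${JobName}"
+# Modify for your scripts here
+rules:
+- apiGroups:
+- ""
+resources:
+- secrets
+verbs:
+- create
+- delete
+- ResourceName: "pw-role"
+NameSpace: !Ref "KubernetesNameSpace"
+
+PreWorkServiceAccount:
+Type: AWSQS::Kubernetes::Resource
+Properties:
+ClusterName: !Ref ClusterName
+Namespace: !Ref KubernetesNameSpace
+Manifest: !Sub
+- |
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+labels:
+app.kubernetes.io/name: "${ResourceName}-${JobName}"
+annotations:
+eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName}-${JobName}
+name: "${ResourceName}-${JobName}"
+namespace: ${NameSpace}
+- ResourceName: "pw-service-account"
+NameSpace: !Ref KubernetesNameSpace
+RoleName: !Ref "PreWorkIAMRole"
+
+PreWorkClusterRoleBinding:
+Type: AWSQS::Kubernetes::Resource
+Properties:
+ClusterName: !Ref ClusterName
+Namespace: !Ref KubernetesNameSpace
+Manifest: !Sub
+- |
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+labels:
+app.kubernetes.io/name: "${ResourceName}-${JobName}"
+name: "${ResourceName}-${JobName}"
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: "pw-role-${JobName}"
+subjects:
+- kind: ServiceAccount
+name: "pw-service-account-${JobName}"
+namespace: ${NameSpace}
+- ResourceName: "pw-role-binding-${JobName}"
+NameSpace: !Ref KubernetesNameSpace
+
+PreWorkJob:
+DependsOn: [ PreWorkIAMRole, PreWorkRole, PreWorkServiceAccount, PreWorkRoleBinding ]
+Type: AWSQS::Kubernetes::Resource
+Properties:
+ClusterName: !Ref ClusterName
+Namespace: !Ref KubernetesNameSpace
+Manifest: !Sub
+- |
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: "${ResourceName}-${JobName}"
+namespace: ${NameSpace}
+spec:
+template:
+spec:
+containers:
+- name: ${ResourceName}
+image: amazonlinux:2
+command: ["/bin/bash","-c"]
+args:
+- >
+sleep 15;
+yum update -y;
+yum install -y awscli;
+export AWS_REGION=${AWS::Region};
+export NS=${NameSpace};
+aws sts get-caller-identity;
+aws s3 cp ${!S3_SCRIPT_URL} ./prework-script.sh &&
+chmod +x ./prework-script.sh &&
+./prework-script.sh
+env:
+- name: S3_SCRIPT_URL
+value: ${S3ScriptURL}
+- name: AWS_REGION
+value: ${AWS::Region}
+serviceAccountName: "pw-service-account-${JobName}"
+restartPolicy: Never
+backoffLimit: 4
+- ResourceName: "pw-job"
+NameSpace: !Ref "KubernetesNameSpace"
+S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}"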
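Review bot: Several references in this template do not resolve: `RoleName: !Ref "PreWorkIAMRole"` in PreWorkServiceAccount and the `DependsOn` list on PreWorkJob name `PreWorkIAMRole`, `PreWorkRole` and `PreWorkRoleBinding`, while the resources are declared as `KubernetesPreWorkIAMRole`, `KubernetesRole` and `PreWorkClusterRoleBinding`, and the trust policy's `${OIDCProvider}` is neither a Parameter nor an entry in that `!Sub` variable map, so the stack should fail validation before any IAM role exists. The service-account annotation also appends `-${JobName}` to a `!Ref` that already returns the full `pw-role-${JobName}` name, and `ResourceName: "pw-role-binding-${JobName}"` is a literal map value, so `${JobName}` likely survives unexpanded into a Kubernetes object name; passing the role ARN via `!GetAtt` and dropping the nested placeholder avoids both. Separately, the Role in `prework-example` grants only `create`/`delete` on secrets, but the pw-script.sh added in this commit runs `kubectl describe` and `kubectl set env` against the aws-node DaemonSet in kube-system, which a Role in another namespace cannot authorise — the sample's RBAC and its script need to be reconciled (a Role bound in kube-system, or a ClusterRole, scoped to that DaemonSet), and the bare `Description:` on the second line parses as null rather than a string.

```yaml
Parameters:
  # … unchanged: ClusterName, PreworkScriptBucket, PreworkScriptObject, JobName, KubernetesNameSpace …
  OIDCProvider:
    Type: String
    Description: Cluster OIDC issuer host/path without the https:// scheme, as expected by the trust policy
Resources:
  KubernetesPreWorkIAMRole:
    # … unchanged: RoleName and the trust-policy text that already uses ${OIDCProvider} …
      - NameSpace: !Ref KubernetesNameSpace
        ResourceName: "pw-service-account"
        OIDCProvider: !Ref OIDCProvider
  # … unchanged: KubernetesRole …
  PreWorkServiceAccount:
    # … unchanged: manifest up to the annotation …
            eks.amazonaws.com/role-arn: ${RoleArn}
    # … unchanged: rest of the ServiceAccount manifest …
      - ResourceName: "pw-service-account"
        NameSpace: !Ref KubernetesNameSpace
        RoleArn: !GetAtt KubernetesPreWorkIAMRole.Arn
  PreWorkClusterRoleBinding:
    # … unchanged: RoleBinding manifest …
      - ResourceName: "pw-role-binding"
        NameSpace: !Ref KubernetesNameSpace
  PreWorkJob:
    DependsOn: [KubernetesPreWorkIAMRole, KubernetesRole, PreWorkServiceAccount, PreWorkClusterRoleBinding]
    # … unchanged: Job manifest …
```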
