diff --git a/blog-assets/eks-cluster-prework/scripts/pw-script.sh b/blog-assets/eks-cluster-prework/scripts/pw-script.sh index f75a0af..b264164 100644 --- a/blog-assets/eks-cluster-prework/scripts/pw-script.sh +++ b/blog-assets/eks-cluster-prework/scripts/pw-script.sh @@ -1,17 +1,18 @@ #!/bin/bash # Install kubectl -yum install -y unzip -# TODO: Make this generic based on the EKS Version -curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl -chmod +x ./kubectl +# we are installing the current version if you are on an older cluster you might need to change this. +curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" +# Install kubectl +install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl #============= INSERT YOUR PREWORK STEPS HERE ====================# -# Confirm VNI version (Current is 1.9.0) - we could just assume this since it is a new cluster -kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2 > /tmp/foo.txt -# TODO: add to a kubernetes secret we output into the CloudFormation template - -# Set AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG to True -kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true +# We will create a simple script the point of the blog is to show that you CAN run pre-work on the cluster via CloudFormation +# so we are less concerned with the content of this script. -# Add additional steps below +# there are much better ways to manage secrets ;) +kubectl create secret generic db-user-pass \ + --from-literal=username=devuser \ + --from-literal=password='S!B\*d$zDsb=' \ + -- namespace $KUBE_NAMESPACE +kubectl describe secrets/db-user-pass \ No newline at end of file diff --git a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml index b9c4e8f..db23bd6 100644 --- a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml @@ -1,12 +1,12 @@ AWSTemplateFormatVersion: '2010-09-09' Description: "Amazon EKS PreWork pattern Blog" Parameters: - PreworkJobName: + AccessCIDR: + Default: 0.0.0.0/0 Type: String - Default: 'example-job' - PreworkNameSpace: + JobName: Type: String - Default: 'example-job-ns' + Default: 'job-example' PreworkScriptBucket: Type: String Default: 'aws-quickstart' @@ -17,24 +17,40 @@ Resources: EKSStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' + TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' Parameters: - # AWS Quick Start properties + # QuickStart properties QSS3BucketName: aws-quickstart QSS3KeyPrefix: quickstart-amazon-eks/ - QSS3BucketRegion: us-east-1 - # Amazon EKS Cluster properties - ProvisionBastionHost: Disabled + # Cluster properties + ProvisionBastionHost: Enabled + AccessCIDR: !Ref AccessCIDR NodeInstanceType: t3.large NumberOfNodes: 1 MaxNumberOfNodes: 1 + GetOIDCProvider: + Type: Custom::GetOIDCProvider + Properties: + ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader" + AwsCliCommand: !Sub "eks describe-cluster --name ${ClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'" + IdField: 'issuer' PreworkStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-examples/blog-assets/eks-cluster-prework/templates/prework.template.yaml' + TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/blog-assets/eks-cluster-prework/templates/prework.template.yaml' Parameters: ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" - PreworkScriptBucket: "aws-quickstart" - PreworkScriptObject: !Ref "PreworkScriptObject" - JobName: !Ref "PreWorkJobName" - KubernetesNameSpace: !Ref "PreworkNamespace" + PreworkScriptBucket: !Ref PreworkScriptBucket + PreworkScriptObject: !Ref PreworkScriptObject + JobName: !Ref JobName + KubernetesNameSpace: "prework-example" + OIDCProvider: !Sub + - "${OIDCProvider1}/${OIDCProvider2}/${OIDCProvider3}" + - OIDCProvider1: !Select [ 2, !Split [ "/", !Ref GetOIDCProvider ] ] + OIDCProvider2: !Select [ 3, !Split [ "/", !Ref GetOIDCProvider ] ] + OIDCProvider3: !Select [ 4, !Split [ "/", !Ref GetOIDCProvider ] ] +Outputs: + EKSClusterName: + Value: !GetAtt EKSStack.Outputs.EKSClusterName + BastionIP: + Value: !GetAtt EKSStack.Outputs.BastionIP diff --git a/blog-assets/eks-cluster-prework/templates/prework.template.yaml b/blog-assets/eks-cluster-prework/templates/prework.template.yaml index 4ad336d..aae7057 100644 --- a/blog-assets/eks-cluster-prework/templates/prework.template.yaml +++ b/blog-assets/eks-cluster-prework/templates/prework.template.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: "2010-09-09" -Description: +Description: "Amazon EKS cluster pre/post-work blog sample" Parameters: ClusterName: Type: String @@ -8,18 +8,26 @@ Parameters: Default: aws-quickstart PreworkScriptObject: Type: String - Default: "quickstart-examples/blog-assets/eks-cluster-prework/scripts/pw-script.sh" + Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" JobName: Type: String - Default: ExampleJob + Default: job-example + AllowedPattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' + ConstraintDescription: "a lowercase RFC 1123 subdomain must consist of lower case + alphanumeric characters, '-' or '.', and must start and end with an alphanumeric + character" + OIDCProvider: + Type: String + Description: Amazon EKS cluster OIDC provider, without the protocol (e.g., oidc.eks.us-east-1.amazonaws.com/id/SADFASFFASFXCCVXCVSDFSDF). + Default: "" KubernetesNameSpace: Type: String Default: "prework-example" Resources: - KubernetesPreWorkIAMRole: + PreWorkIAMRole: Type: AWS::IAM::Role Properties: - RoleName: !Sub "pw-role-${JobName}" + RoleName: !Sub "pw-role-${JobName}" AssumeRolePolicyDocument: !Sub - | { @@ -33,14 +41,14 @@ Resources: "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}-${JobName}" + "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}" } } } ] } - NameSpace: !Ref KubernetesNameSpace - ResourceName: "pw-service-account" + ResourceName: !Sub "pw-service-account-${JobName}" Path: "/" Policies: - PolicyName: root @@ -50,20 +58,22 @@ Resources: - Effect: Allow Action: - s3:GetObject + - s3:HeadObject Resource: - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}" - PeworkNameSpace: + KubePreWorkNamespace: Type: "AWSQS::Kubernetes::Resource" Properties: ClusterName: !Ref ClusterName + Namespace: default Manifest: !Sub | kind: Namespace apiVersion: v1 metadata: name: ${KubernetesNameSpace} - Namespace: default - KubernetesRole: + KubePreWorkRole: Type: AWSQS::Kubernetes::Resource + DependsOn: [ KubePreWorkNamespace ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace @@ -73,8 +83,8 @@ Resources: kind: Role metadata: labels: - app.kubernetes.io/name: "${ResourceName}-${JobName}" - name: "${ResourceName}-${JobName}" + app.kubernetes.io/name: "${ResourceName}" + name: "${ResourceName}" # Modify for your scripts here rules: - apiGroups: @@ -84,11 +94,12 @@ Resources: verbs: - create - delete - - ResourceName: "pw-role" + - get + - ResourceName: !Sub "pw-role-${JobName}" NameSpace: !Ref "KubernetesNameSpace" - - PreWorkServiceAccount: + KubePreWorkServiceAccount: Type: AWSQS::Kubernetes::Resource + DependsOn: [ KubePreWorkNamespace ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace @@ -98,17 +109,17 @@ Resources: kind: ServiceAccount metadata: labels: - app.kubernetes.io/name: "${ResourceName}-${JobName}" + app.kubernetes.io/name: "${ResourceName}" annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName}-${JobName} - name: "${ResourceName}-${JobName}" + eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName} + name: "${ResourceName}" namespace: ${NameSpace} - - ResourceName: "pw-service-account" + - ResourceName: !Sub "pw-service-account-${JobName}" NameSpace: !Ref KubernetesNameSpace - RoleName: !Ref "PreWorkIAMRole" - - PreWorkClusterRoleBinding: + RoleName: !Ref PreWorkIAMRole + KubePreWorkRoleBinding: Type: AWSQS::Kubernetes::Resource + DependsOn: [ KubePreWorkNamespace, KubePreWorkRole, KubePreWorkServiceAccount ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace @@ -118,8 +129,8 @@ Resources: kind: RoleBinding metadata: labels: - app.kubernetes.io/name: "${ResourceName}-${JobName}" - name: "${ResourceName}-${JobName}" + app.kubernetes.io/name: "${ResourceName}" + name: "${ResourceName}" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -128,11 +139,10 @@ Resources: - kind: ServiceAccount name: "pw-service-account-${JobName}" namespace: ${NameSpace} - - ResourceName: "pw-role-binding-${JobName}" + - ResourceName: !Sub "pw-role-binding-${JobName}" NameSpace: !Ref KubernetesNameSpace - - PreWorkJob: - DependsOn: [ PreWorkIAMRole, PreWorkRole, PreWorkServiceAccount, PreWorkRoleBinding ] + KubePreWorkJob: + DependsOn: [ PreWorkIAMRole, KubePreWorkRole, KubePreWorkServiceAccount, KubePreWorkRoleBinding ] Type: AWSQS::Kubernetes::Resource Properties: ClusterName: !Ref ClusterName @@ -142,7 +152,7 @@ Resources: apiVersion: batch/v1 kind: Job metadata: - name: "${ResourceName}-${JobName}" + name: "${ResourceName}" namespace: ${NameSpace} spec: template: @@ -167,9 +177,11 @@ Resources: value: ${S3ScriptURL} - name: AWS_REGION value: ${AWS::Region} + - name: KUBE_NAMESPACE + value: ${KubernetesNameSpace} serviceAccountName: "pw-service-account-${JobName}" restartPolicy: Never backoffLimit: 4 - - ResourceName: "pw-job" + - ResourceName: !Sub "pw-job-${JobName}" NameSpace: !Ref "KubernetesNameSpace" - S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}" + S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}" \ No newline at end of file diff --git a/samples/eks-cluster-prework/scripts/pw-script.sh b/samples/eks-cluster-prework/scripts/pw-script.sh deleted file mode 100644 index b264164..0000000 --- a/samples/eks-cluster-prework/scripts/pw-script.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash -# Install kubectl - -# we are installing the current version if you are on an older cluster you might need to change this. -curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" -# Install kubectl -install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - -#============= INSERT YOUR PREWORK STEPS HERE ====================# -# We will create a simple script the point of the blog is to show that you CAN run pre-work on the cluster via CloudFormation -# so we are less concerned with the content of this script. - -# there are much better ways to manage secrets ;) -kubectl create secret generic db-user-pass \ - --from-literal=username=devuser \ - --from-literal=password='S!B\*d$zDsb=' \ - -- namespace $KUBE_NAMESPACE -kubectl describe secrets/db-user-pass \ No newline at end of file diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml deleted file mode 100644 index c1ca84f..0000000 --- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ /dev/null @@ -1,56 +0,0 @@ -AWSTemplateFormatVersion: '2010-09-09' -Description: "Amazon EKS PreWork pattern Blog" -Parameters: - AccessCIDR: - Default: 0.0.0.0/0 - Type: String - JobName: - Type: String - Default: 'job-example' - PreworkScriptBucket: - Type: String - Default: 'aws-quickstart' - PreworkScriptObject: - Type: String - Default: 'quickstart-examples/samples/eks-cluster-prework/script/pw-script.sh' -Resources: - EKSStack: - Type: AWS::CloudFormation::Stack - Properties: - TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' - Parameters: - # QuickStart properties - QSS3BucketName: aws-quickstart - QSS3KeyPrefix: quickstart-amazon-eks/ - # Cluster properties - ProvisionBastionHost: Enabled - AccessCIDR: !Ref AccessCIDR - NodeInstanceType: t3.large - NumberOfNodes: 1 - MaxNumberOfNodes: 1 - GetOIDCProvider: - Type: Custom::GetOIDCProvider - Properties: - ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader" - AwsCliCommand: !Sub "eks describe-cluster --name ${ClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'" - IdField: 'issuer' - PreworkStack: - Type: AWS::CloudFormation::Stack - Properties: - TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' - Parameters: - ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" - PreworkScriptBucket: !Ref PreworkScriptBucket - PreworkScriptObject: !Ref PreworkScriptObject - JobName: !Ref JobName - KubernetesNameSpace: "prework-example" - OIDCProvider: !Sub - - "${OIDCProvider1}/${OIDCProvider2}/${OIDCProvider3}" - - OIDCProvider1: !Select [ 2, !Split [ "/", !Ref GetOIDCProvider ] ] - OIDCProvider2: !Select [ 3, !Split [ "/", !Ref GetOIDCProvider ] ] - OIDCProvider3: !Select [ 4, !Split [ "/", !Ref GetOIDCProvider ] ] -Outputs: - EKSClusterName: - Value: !GetAtt EKSStack.Outputs.EKSClusterName - BastionIP: - Value: !GetAtt EKSStack.Outputs.BastionIP diff --git a/samples/eks-cluster-prework/templates/prework.template.yaml b/samples/eks-cluster-prework/templates/prework.template.yaml deleted file mode 100644 index aae7057..0000000 --- a/samples/eks-cluster-prework/templates/prework.template.yaml +++ /dev/null @@ -1,187 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Description: "Amazon EKS cluster pre/post-work blog sample" -Parameters: - ClusterName: - Type: String - PreworkScriptBucket: - Type: String - Default: aws-quickstart - PreworkScriptObject: - Type: String - Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" - JobName: - Type: String - Default: job-example - AllowedPattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' - ConstraintDescription: "a lowercase RFC 1123 subdomain must consist of lower case - alphanumeric characters, '-' or '.', and must start and end with an alphanumeric - character" - OIDCProvider: - Type: String - Description: Amazon EKS cluster OIDC provider, without the protocol (e.g., oidc.eks.us-east-1.amazonaws.com/id/SADFASFFASFXCCVXCVSDFSDF). - Default: "" - KubernetesNameSpace: - Type: String - Default: "prework-example" -Resources: - PreWorkIAMRole: - Type: AWS::IAM::Role - Properties: - RoleName: !Sub "pw-role-${JobName}" - AssumeRolePolicyDocument: !Sub - - | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDCProvider}" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}" - } - } - } - ] - } - - NameSpace: !Ref KubernetesNameSpace - ResourceName: !Sub "pw-service-account-${JobName}" - Path: "/" - Policies: - - PolicyName: root - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - s3:GetObject - - s3:HeadObject - Resource: - - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}" - KubePreWorkNamespace: - Type: "AWSQS::Kubernetes::Resource" - Properties: - ClusterName: !Ref ClusterName - Namespace: default - Manifest: !Sub | - kind: Namespace - apiVersion: v1 - metadata: - name: ${KubernetesNameSpace} - KubePreWorkRole: - Type: AWSQS::Kubernetes::Resource - DependsOn: [ KubePreWorkNamespace ] - Properties: - ClusterName: !Ref ClusterName - Namespace: !Ref KubernetesNameSpace - Manifest: !Sub - - | - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/name: "${ResourceName}" - name: "${ResourceName}" - # Modify for your scripts here - rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - ResourceName: !Sub "pw-role-${JobName}" - NameSpace: !Ref "KubernetesNameSpace" - KubePreWorkServiceAccount: - Type: AWSQS::Kubernetes::Resource - DependsOn: [ KubePreWorkNamespace ] - Properties: - ClusterName: !Ref ClusterName - Namespace: !Ref KubernetesNameSpace - Manifest: !Sub - - | - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/name: "${ResourceName}" - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName} - name: "${ResourceName}" - namespace: ${NameSpace} - - ResourceName: !Sub "pw-service-account-${JobName}" - NameSpace: !Ref KubernetesNameSpace - RoleName: !Ref PreWorkIAMRole - KubePreWorkRoleBinding: - Type: AWSQS::Kubernetes::Resource - DependsOn: [ KubePreWorkNamespace, KubePreWorkRole, KubePreWorkServiceAccount ] - Properties: - ClusterName: !Ref ClusterName - Namespace: !Ref KubernetesNameSpace - Manifest: !Sub - - | - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/name: "${ResourceName}" - name: "${ResourceName}" - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "pw-role-${JobName}" - subjects: - - kind: ServiceAccount - name: "pw-service-account-${JobName}" - namespace: ${NameSpace} - - ResourceName: !Sub "pw-role-binding-${JobName}" - NameSpace: !Ref KubernetesNameSpace - KubePreWorkJob: - DependsOn: [ PreWorkIAMRole, KubePreWorkRole, KubePreWorkServiceAccount, KubePreWorkRoleBinding ] - Type: AWSQS::Kubernetes::Resource - Properties: - ClusterName: !Ref ClusterName - Namespace: !Ref KubernetesNameSpace - Manifest: !Sub - - | - apiVersion: batch/v1 - kind: Job - metadata: - name: "${ResourceName}" - namespace: ${NameSpace} - spec: - template: - spec: - containers: - - name: ${ResourceName} - image: amazonlinux:2 - command: ["/bin/bash","-c"] - args: - - > - sleep 15; - yum update -y; - yum install -y awscli; - export AWS_REGION=${AWS::Region}; - export NS=${NameSpace}; - aws sts get-caller-identity; - aws s3 cp ${!S3_SCRIPT_URL} ./prework-script.sh && - chmod +x ./prework-script.sh && - ./prework-script.sh - env: - - name: S3_SCRIPT_URL - value: ${S3ScriptURL} - - name: AWS_REGION - value: ${AWS::Region} - - name: KUBE_NAMESPACE - value: ${KubernetesNameSpace} - serviceAccountName: "pw-service-account-${JobName}" - restartPolicy: Never - backoffLimit: 4 - - ResourceName: !Sub "pw-job-${JobName}" - NameSpace: !Ref "KubernetesNameSpace" - S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}" \ No newline at end of file