From 8327fa9cd8a1f9def2518381706a440f195b2be7 Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Wed, 22 Sep 2021 14:26:18 -0700 Subject: [PATCH] Code sample for EKS prework blogpost --- .../eks-cluster-prework/scripts/pw-script.sh | 17 ++ .../eks-cluster-prework.template.yaml | 38 ++++ .../templates/prework.template.yaml | 165 ++++++++++++++++++ 3 files changed, 220 insertions(+) create mode 100644 samples/eks-cluster-prework/scripts/pw-script.sh create mode 100644 samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml create mode 100644 samples/eks-cluster-prework/templates/prework.template.yaml diff --git a/samples/eks-cluster-prework/scripts/pw-script.sh b/samples/eks-cluster-prework/scripts/pw-script.sh new file mode 100644 index 0000000..f75a0af --- /dev/null +++ b/samples/eks-cluster-prework/scripts/pw-script.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# Install kubectl +yum install -y unzip + +# TODO: Make this generic based on the EKS Version +curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl +chmod +x ./kubectl + +#============= INSERT YOUR PREWORK STEPS HERE ====================# +# Confirm VNI version (Current is 1.9.0) - we could just assume this since it is a new cluster +kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2 > /tmp/foo.txt +# TODO: add to a kubernetes secret we output into the CloudFormation template + +# Set AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG to True +kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true + +# Add additional steps below diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml new file mode 100644 index 0000000..b53c118 --- /dev/null +++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml @@ -0,0 +1,38 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: "Amazon EKS PreWork pattern Blog" +Parameters: + AccessCIDR: + Default: 0.0.0.0/0 + Type: String + PreworkScriptBucket: + Type: String + Default: 'aws-quickstart' + PreworkScriptObject: + Type: String + Default: 'quickstart-examples/samples/eks-cluster-prework/script/pw-script.sh' +Resources: + EKSStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' + Parameters: + # Quickstart properties + QSS3BucketName: aws-quickstart + QSS3KeyPrefix: quickstart-amazon-eks/ + QSS3BucketRegion: us-east-1 + # Cluster properties + ProvisionBastionHost: Enabled + AccessCIDR: !Ref AccessCIDR + NodeInstanceType: t3.large + NumberOfNodes: 1 + MaxNumberOfNodes: 1 + PreworkStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' + Parameters: + ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" + PreworkScriptBucket: "aws-quickstart" + PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" + JobName: "ExampleJob" + KubernetesNameSpace: "prework-example" diff --git a/samples/eks-cluster-prework/templates/prework.template.yaml b/samples/eks-cluster-prework/templates/prework.template.yaml new file mode 100644 index 0000000..cfd4e66 --- /dev/null +++ b/samples/eks-cluster-prework/templates/prework.template.yaml @@ -0,0 +1,165 @@ +AWSTemplateFormatVersion: "2010-09-09" +Description: +Parameters: + ClusterName: + Type: String + PreworkScriptBucket: + Type: String + Default: aws-quickstart + PreworkScriptObject: + Type: String + Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" + JobName: + Type: String + Default: ExampleJob + KubernetesNameSpace: + Type: String + Default: "prework-example" +Resources: + KubernetesPreWorkIAMRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub "pw-role-${JobName}" + AssumeRolePolicyDocument: !Sub + - | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDCProvider}" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}-${JobName}" + } + } + } + ] + } + - NameSpace: !Ref KubernetesNameSpace + ResourceName: "pw-service-account" + Path: "/" + Policies: + - PolicyName: root + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - s3:GetObject + Resource: + - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}" + KubernetesRole: + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/name: "${ResourceName}-${JobName}" + name: "${ResourceName}-${JobName}" + # Modify for your scripts here + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - ResourceName: "pw-role" + NameSpace: !Ref "KubernetesNameSpace" + + PreWorkServiceAccount: + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/name: "${ResourceName}-${JobName}" + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName}-${JobName} + name: "${ResourceName}-${JobName}" + namespace: ${NameSpace} + - ResourceName: "pw-service-account" + NameSpace: !Ref KubernetesNameSpace + RoleName: !Ref "PreWorkIAMRole" + + PreWorkClusterRoleBinding: + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/name: "${ResourceName}-${JobName}" + name: "${ResourceName}-${JobName}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "pw-role-${JobName}" + subjects: + - kind: ServiceAccount + name: "pw-service-account-${JobName}" + namespace: ${NameSpace} + - ResourceName: "pw-role-binding-${JobName}" + NameSpace: !Ref KubernetesNameSpace + + PreWorkJob: + DependsOn: [ PreWorkIAMRole, PreWorkRole, PreWorkServiceAccount, PreWorkRoleBinding ] + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: batch/v1 + kind: Job + metadata: + name: "${ResourceName}-${JobName}" + namespace: ${NameSpace} + spec: + template: + spec: + containers: + - name: ${ResourceName} + image: amazonlinux:2 + command: ["/bin/bash","-c"] + args: + - > + sleep 15; + yum update -y; + yum install -y awscli; + export AWS_REGION=${AWS::Region}; + export NS=${NameSpace}; + aws sts get-caller-identity; + aws s3 cp ${!S3_SCRIPT_URL} ./prework-script.sh && + chmod +x ./prework-script.sh && + ./prework-script.sh + env: + - name: S3_SCRIPT_URL + value: ${S3ScriptURL} + - name: AWS_REGION + value: ${AWS::Region} + serviceAccountName: "pw-service-account-${JobName}" + restartPolicy: Never + backoffLimit: 4 + - ResourceName: "pw-job" + NameSpace: !Ref "KubernetesNameSpace" + S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}"