bceb966dfd
Additional support for Terraform v0.13 and aws v3! - The update to the vpc module in examples was, strictly speaking, unnecessary but it adds the terraform block with supported versions. - Update for iam module in the example was very necessary to support new versions - Workaround for "Provider produced inconsistent final plan" when creating ASGs at the same time as the cluster. See https://github.com/terraform-providers/terraform-provider-aws/issues/14085 for full details. - Blacklist 0.13.0 as it was too strict when migrating from aws v2 to v3 about dropped attributes.
IAM Roles for Service Accounts
This example shows how to create an IAM role to be used for a Kubernetes ServiceAccount. It will create a policy and role to be used by the cluster-autoscaler using the public Helm chart.
The AWS documentation for IRSA is here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
Setup
Run Terraform:
terraform init
terraform apply
Set kubectl context to the new cluster: export KUBECONFIG=kubeconfig_test-eks-irsa
Check that there is a node that is Ready:
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-10-0-2-190.us-west-2.compute.internal Ready <none> 6m39s v1.14.8-eks-b8860f
Replace <ACCOUNT ID> with your AWS account ID in cluster-autoscaler-chart-values.yaml. There is output from terraform for this.
Install the chart using the provided values file:
helm install --name cluster-autoscaler --namespace kube-system stable/cluster-autoscaler --values=cluster-autoscaler-chart-values.yaml
Verify
Ensure the cluster-autoscaler pod is running:
$ kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler"
NAME READY STATUS RESTARTS AGE
cluster-autoscaler-aws-cluster-autoscaler-5545d4b97-9ztpm 1/1 Running 0 3m
Observe the AWS_* environment variables that were added to the pod automatically by EKS:
kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler" -o yaml | grep -A3 AWS_ROLE_ARN
- name: AWS_ROLE_ARN
value: arn:aws:iam::xxxxxxxxx:role/cluster-autoscaler
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
Verify it is working by checking the logs, you should see that it has discovered the autoscaling group successfully:
kubectl --namespace=kube-system logs -l "app.kubernetes.io/name=aws-cluster-autoscaler"
I0128 14:59:00.901513 1 auto_scaling_groups.go:354] Regenerating instance to ASG map for ASGs: [test-eks-irsa-worker-group-12020012814125354700000000e]
I0128 14:59:00.969875 1 auto_scaling_groups.go:138] Registering ASG test-eks-irsa-worker-group-12020012814125354700000000e
I0128 14:59:00.969906 1 aws_manager.go:263] Refreshed ASG list, next refresh after 2020-01-28 15:00:00.969901767 +0000 UTC m=+61.310501783