 

How do you get kubectl to log in to an AWS EKS cluster?

Starting from a ~empty AWS account, I am trying to follow https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html

So that meant I created a VPS stack, then installed aws-iam-authenticator, awscli and kubectl, then created an IAM user with Programmatic access and AmazonEKSAdminPolicy directly attached.

Then I used the website to create my EKS cluster and used aws configure to set the access key and secret of my IAM user.

aws eks update-kubeconfig --name wr-eks-cluster worked fine, but:

kubectl get svc
error: the server doesn't have a resource type "svc"

I continued anyway, creating my worker nodes stack, and now I'm at a dead-end with:

kubectl apply -f aws-auth-cm.yaml
error: You must be logged in to the server (the server has asked for the client to provide credentials)

aws-iam-authenticator token -i <my cluster name> seems to work fine.

The thing I seem to be missing is that when you create the cluster you specify an IAM role, but when you create the user (according to the guide) you attach a policy. How is my user supposed to have access to this cluster?

Or ultimately, how do I proceed and gain access to my cluster using kubectl?

sbs asked Nov 12 '18 17:11




1 Answer

  1. As mentioned in the docs, the AWS IAM user that created the EKS cluster automatically receives system:master permissions, and that's enough to get kubectl working. You need to use this user's credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) to access the cluster. If you didn't create a specific IAM user to create the cluster, then you probably created it using the root AWS account. In this case, you can use the root user's credentials (Creating Access Keys for the Root User).
  2. The main magic is inside the aws-auth ConfigMap in your cluster – it contains the IAM entities -> Kubernetes ServiceAccount mapping.

I'm not sure how you pass credentials for the aws-iam-authenticator:

  • If you have ~/.aws/credentials with aws_profile_of_eks_iam_creator then you can try $ AWS_PROFILE=aws_profile_of_eks_iam_creator kubectl get all --all-namespaces
  • Also, you can use environment variables $ AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=YYY AWS_DEFAULT_REGION=your-region-1 kubectl get all --all-namespaces

Both of them should work, because kubectl ... will use the generated ~/.kube/config, which contains the aws-iam-authenticator token -i cluster_name command. aws-iam-authenticator uses environment variables or ~/.aws/credentials to give you a token.

Also, this answer may be useful for understanding how the first EKS user is created.

Ivan Kalita answered Sep 27 '22 22:09
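
The aws-auth lookup the answer describes can be checked mechanically. The script below is an added example, not part of the original answer: it tests whether a caller ARN has a mapRoles/mapUsers entry, and goes one step beyond the answer by rewriting an STS assumed-role session ARN to its IAM role ARN before matching. The account ID, ARNs, ConfigMap text and the function names canonical_arn and is_mapped are constructed for illustration.

```shell
#!/bin/sh
# Added example. Every ARN and the ConfigMap text are constructed samples.
# Live use, run with credentials that already have cluster access:
#   is_mapped "$(aws sts get-caller-identity --query Arn --output text)" \
#             "$(kubectl -n kube-system get configmap aws-auth -o yaml)"

SAMPLE_AWS_AUTH='
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/example-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/example-admin
      username: example-admin
      groups:
        - system:masters
'

# For an assumed role, sts reports a session ARN; aws-auth lists the IAM
# role ARN, so rewrite .../assumed-role/ROLE/SESSION to .../role/ROLE.
canonical_arn() (
  case "$1" in
    arn:aws:sts::*:assumed-role/*)
      rest=${1#arn:aws:sts::}
      account=${rest%%:*}
      role=${rest#*:assumed-role/}
      role=${role%%/*}
      printf 'arn:aws:iam::%s:role/%s\n' "$account" "$role" ;;
    *) printf '%s\n' "$1" ;;
  esac
)

# Succeeds (exit 0) when the caller has a rolearn/userarn entry.
is_mapped() (
  want=$(canonical_arn "$1")
  printf '%s\n' "$2" | awk -v want="$want" '
    $1 == "-" && ($2 == "rolearn:" || $2 == "userarn:") && $3 == want { found = 1 }
    END { exit !found }'
)

for arn in arn:aws:iam::111122223333:user/example-admin \
           arn:aws:iam::111122223333:user/example-dev; do
  if is_mapped "$arn" "$SAMPLE_AWS_AUTH"; then echo "mapped:     $arn"
  else echo "not mapped: $arn"; fi
done
```

The identity that created the cluster will show as not mapped, since per the answer its access is granted automatically rather than through an aws-auth entry.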