Access EKS Cluster

To access your newly created EKS cluster you need to update your kubeconfig. This guide will walk you through this process.

Choose one of the following options to configure access to your EKS cluster:

What You’ll Need

Check Your Environment

In order to create the kubeconfig file you need permissions for the following actions:

  • Describe EKS clusters.

Note

If you do not have the above permissions, contact your AWS administrator to grant sufficient permissions to your IAM user.

Option 1: Access EKS Cluster Automatically (preferred)

Configure access to your EKS cluster by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from eks-access

Proceed to the Summary section.

Option 2: Access EKS Cluster Manually

If you want to configure access to your EKS cluster manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-cluster)
  3. Update the kubeconfig:

    root@rok-tools:~/ops/deployments# aws eks update-kubeconfig --name ${EKS_CLUSTER?}
    Added new context arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster to /root/.kube/config

    Troubleshooting

    AccessDenied

    If the above command fails with an error message similar to the following:

    An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::123456789012:user/user is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster

    it means your IAM user does not have sufficient permissions to perform an action necessary to create the kubeconfig file.

    To proceed, review the permissions listed in Check Your Environment and contact your AWS administrator to grant sufficient permissions to your IAM user.

  4. Choose one of the following options based on the service in which you have created your management environment.

    If your management environment is not an EC2 instance, skip this step and proceed to the Verify section.

    If your management environment is an EC2 instance, follow these steps:

    1. Restore the required context from previous sections:

      root@rok-tools:~/ops/deployments# source <(cat deploy/env.aws-vpc)
    2. Obtain the instance ID of your EC2 instance:

      root@rok-tools:~/ops/deployments# INSTANCE_ID=$(curl \
      >     -Ss \
      >     169.254.169.254/latest/meta-data/instance-id)
    3. Obtain the VPC IDs of your EC2 instance:

      root@rok-tools:~/ops/deployments# INSTANCE_VPC_IDS=$(aws ec2 describe-instances \
      >     --instance-id "${INSTANCE_ID?}" \
      >     --output text \
      >     --query Reservations[].Instances[].NetworkInterfaces[].VpcId)
    4. Check if the VPC of your EKS cluster is the same as the VPC of your EC2 instance:

      root@rok-tools:~/ops/deployments# [[ ${AWS_VPC_ID?} == "${INSTANCE_VPC_IDS?}" ]] \
      >     && echo SAME \
      >     || echo DIFFERENT
      SAME
    5. If the VPC of your EKS cluster is the same as the VPC of your EC2 instance, add the security group of your EKS cluster to the security groups of your EC2 instance.

      1. Obtain the security group ID of your EKS cluster:

        root@rok-tools:~/ops/deployments# CLUSTER_SECURITY_GROUP_ID=$(aws eks describe-cluster \
        >     --name "${EKS_CLUSTER?}" \
        >     --output text \
        >     --query cluster.resourcesVpcConfig.clusterSecurityGroupId)
      2. Obtain the security group IDs of your EC2 instance:

        root@rok-tools:~/ops/deployments# INSTANCE_SECURITY_GROUP_IDS=$(aws ec2 describe-instances \
        >     --instance-id "${INSTANCE_ID?}" \
        >     --output text \
        >     --query Reservations[].Instances[].SecurityGroups[].GroupId)
      3. Update the security groups of your EC2 instance:

        root@rok-tools:~/ops/deployments# aws ec2 modify-instance-attribute \
        >     --groups ${INSTANCE_SECURITY_GROUP_IDS?} "${CLUSTER_SECURITY_GROUP_ID?}" \
        >     --instance-id "${INSTANCE_ID?}"
  5. Save your state:

    root@rok-tools:~/ops/deployments# rok-j2 deploy/env.eks-access.j2 \
    >     -o deploy/env.eks-access
  6. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Access EKS Cluster"
  7. Mark your progress:

    root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")
    root@rok-tools:~/ops/deployments# git tag \
    >     -a deploy/${DATE?}/develop/eks-access \
    >     -m "Access EKS Cluster"
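Two details of step 4 above are worth automating: the string comparison in step 4.4 reports DIFFERENT whenever describe-instances returns one VPC ID per network interface, even when all of them match, and modify-instance-attribute --groups replaces the instance's whole security-group set, so every existing group must be repeated. The helpers below are an added example, not part of the Arrikto documentation; they never call the AWS CLI but take the strings that --output text prints and return the decision, and every ID in them is a constructed sample value.

```shell
#!/bin/sh
# Added example, not from the Arrikto docs. Pure-shell helpers for step 4
# of the manual procedure. All IDs used here are constructed samples.
set -eu

# Return 0 when every VPC ID in $2 (whitespace-separated, as --output text
# prints one per network interface) equals the cluster VPC $1.
# Step 4.4 on the page uses an exact string match, which is false as soon
# as the instance has a second ENI, even one in the same VPC.
same_vpc() {
  cluster_vpc="$1"; instance_vpcs="$2"
  [ -n "$instance_vpcs" ] || return 1
  for vpc in $instance_vpcs; do
    [ "$vpc" = "$cluster_vpc" ] || return 1
  done
  return 0
}

# Print the list for `modify-instance-attribute --groups`: the instance's
# current groups ($1) plus the cluster group ($2), duplicates dropped.
# --groups replaces the whole set, so leaving out an existing group
# would silently detach it from the instance.
merge_security_groups() {
  out=""
  for sg in $1 "$2"; do
    case " $out " in
      *" $sg "*) ;;                      # already present, keep once
      *) out="${out:+$out }$sg" ;;
    esac
  done
  printf '%s\n' "$out"
}

# Emit the exact command step 4.5.3 would run, or a skip notice.
# Args: cluster VPC, instance VPC IDs, instance ID, instance SGs, cluster SG.
plan_step5() {
  if same_vpc "$1" "$2"; then
    printf 'aws ec2 modify-instance-attribute --groups %s --instance-id %s\n' \
      "$(merge_security_groups "$4" "$5")" "$3"
  else
    echo "skip: instance is not in the cluster VPC"
  fi
}

# Demo with constructed sample IDs: an instance with two ENIs in the
# cluster VPC whose current groups already include one of the candidates.
plan_step5 vpc-0a1b2c3d 'vpc-0a1b2c3d vpc-0a1b2c3d' i-0123456789abcdef0 \
  'sg-0aaa sg-0bbb' sg-0bbb
```

Pipe the real values from steps 4.3, 4.5.1 and 4.5.2 into plan_step5 and review the printed command before running it.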

Verify

  1. Inspect the generated configuration:

    root@rok-tools:~# kubectl config current-context
    arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster
    root@rok-tools:~# kubectl config view --minify=true
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://6E7720932E60AEA787E0E781931671F5.gr7.es-east-1.eks.amazonaws.com
      name: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster
    contexts:
    - context:
        cluster: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster
    ...

    Note

    Set the --minify flag to output info only for the current context.

  2. Ensure you have access to the underlying ALB of the Kubernetes endpoint:

    root@rok-tools:~# kubectl config view -o json --raw --minify=true | jq \
    >     -r '.clusters[0].cluster.server' | xargs curl -m 5 -k -I
    HTTP/2 403
    audit-id: 0890a9fd-7713-42d2-9868-4916a3ffc2a0
    cache-control: no-cache, private
    content-type: application/json
    x-content-type-options: nosniff
    content-length: 234
    date: Wed, 08 Sep 2021 12:25:45 GM

    Troubleshooting

    ‘Connection timed out’ error

    You are trying to access the Kubernetes endpoint from an unauthorized source. Make sure the IP address of your management environment belongs to the TRUSTED_CIDRS address pool or tunnel your traffic through a trusted VPN.

    If your management environment is an EC2 instance and has the same VPC as your EKS cluster, make sure you have added the security group of your EKS cluster to the security groups of your EC2 instance.

  3. Verify that you can access your EKS cluster:

    root@rok-tools:~# kubectl get nodes
    No resources found in default namespace.

    Troubleshooting

    ‘Unauthorized’ error

    If you are trying to access a cluster created by another user, make sure that the cluster creator has provided access to your IAM user or role. Follow the Share EKS Cluster guide in order to gain access to that cluster.

Summary

You have successfully configured access to your EKS cluster.

What’s Next

The next step is to add a node group to host Arrikto EKF Workloads.