Clean Up Cloud Identity¶
This guide will walk you through cleaning up the cloud identity resources of Rok.
Note
If you have already cleaned up Rok's cloud identity, use this note to fast-forward. Choose one of the following options, based on your cloud provider:
- AWS: specify the IAM roles you have created for ExternalDNS, the AWS Load Balancer Controller and the Cluster Autoscaler, then proceed to the Verify section:
  root@rok-tools:~# export EXTERNAL_DNS_ROLE=eks-external-dns-${EKS_CLUSTER?}
  root@rok-tools:~# export LOAD_BALANCER_ROLE=eks-aws-load-balancer-controller-${EKS_CLUSTER?}
  root@rok-tools:~# export AUTOSCALER_ROLE=cluster-autoscaler-${EKS_CLUSTER?}
- Other providers: proceed directly to the Verify section.
Overview
What You'll Need¶
- A configured management environment.
Procedure¶
Choose one of the following options, based on your cloud provider.
Delete the Rok cloud identity by deleting the CloudFormation stack that created it:
root@rok-tools:~# aws cloudformation delete-stack --stack-name ${AWS_CF_S3_RESOURCES?}
Specify the IAM roles you have created for ExternalDNS, the AWS Load Balancer Controller, and the Cluster Autoscaler:
root@rok-tools:~# export EXTERNAL_DNS_ROLE=eks-external-dns-${EKS_CLUSTER?}
root@rok-tools:~# export LOAD_BALANCER_ROLE=eks-aws-load-balancer-controller-${EKS_CLUSTER?}
root@rok-tools:~# export AUTOSCALER_ROLE=cluster-autoscaler-${EKS_CLUSTER?}
Clean up every role in the above list together with its attached policies. To do that, repeat the following steps for each role in the list.
Pick an IAM role from the list:
root@rok-tools:~# export IAM_ROLE_NAME=<ROLE>
Detach the attached policies:
root@rok-tools:~# aws iam list-attached-role-policies \
>     --role-name ${IAM_ROLE_NAME?} | \
>     jq -r '.AttachedPolicies[].PolicyArn' | \
>     xargs -r -n1 -I{} \
>     aws iam detach-role-policy \
>     --role-name ${IAM_ROLE_NAME?} \
>     --policy-arn {}
Delete the role:
root@rok-tools:~# aws iam delete-role --role-name ${IAM_ROLE_NAME?}
Go back to step 1, and repeat the steps for the remaining roles.
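The AWS role cleanup above and the NoSuchEntity check from the Verify section, combined into one script. This is an added example, not code from the Rok documentation; it assumes a configured AWS CLI, and the AWS_CLI variable and the ROK_CLEANUP_RUN guard are assumptions that exist only so the functions can be exercised without touching an account. It goes slightly beyond the steps above: DeleteRole also refuses (DeleteConflict) while inline policies or instance-profile memberships remain, so those are removed too, and the verification distinguishes "role does not exist" from other errors such as a missing permission.

```shell
#!/usr/bin/env bash
# Added example, not part of the Rok docs. AWS_CLI defaults to the real CLI
# and exists only so a stub can stand in for it.
set -eu
AWS_CLI="${AWS_CLI:-aws}"

# Detach managed policies, drop inline policies and instance-profile
# memberships, then delete the role. DeleteRole answers DeleteConflict while
# any of these remain; the guide's detach step handles managed policies only.
delete_iam_role() {
    local role="$1" arn name profile
    for arn in $("$AWS_CLI" iam list-attached-role-policies --role-name "$role" \
            --query 'AttachedPolicies[].PolicyArn' --output text); do
        "$AWS_CLI" iam detach-role-policy --role-name "$role" --policy-arn "$arn"
    done
    for name in $("$AWS_CLI" iam list-role-policies --role-name "$role" \
            --query 'PolicyNames[]' --output text); do
        "$AWS_CLI" iam delete-role-policy --role-name "$role" --policy-name "$name"
    done
    for profile in $("$AWS_CLI" iam list-instance-profiles-for-role --role-name "$role" \
            --query 'InstanceProfiles[].InstanceProfileName' --output text); do
        "$AWS_CLI" iam remove-role-from-instance-profile \
            --instance-profile-name "$profile" --role-name "$role"
    done
    "$AWS_CLI" iam delete-role --role-name "$role"
}

# 0 only when IAM itself reports NoSuchEntity; 1 if the role still exists;
# 2 for any other error (AccessDenied, throttling), so a missing permission
# is never mistaken for a completed cleanup.
role_is_gone() {
    local role="$1" out
    if out=$("$AWS_CLI" iam get-role --role-name "$role" 2>&1); then
        return 1
    fi
    case "$out" in
        *NoSuchEntity*) return 0 ;;
        *) printf 'unexpected error for %s: %s\n' "$role" "$out" >&2; return 2 ;;
    esac
}

# Guarded so that sourcing the file deletes nothing; run with
# ROK_CLEANUP_RUN=1 after exporting the three role names from the guide.
if [ "${ROK_CLEANUP_RUN:-0}" = 1 ]; then
    for role in "${EXTERNAL_DNS_ROLE?}" "${LOAD_BALANCER_ROLE?}" "${AUTOSCALER_ROLE?}"; do
        delete_iam_role "$role"
        role_is_gone "$role" && echo "deleted: $role"
    done
fi
```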
Remove the Pod identity that Rok uses:
root@rok-tools:~# az aks pod-identity delete \
>     --resource-group ${AZ_RESOURCE_GROUP?} \
>     --cluster-name ${AKS_CLUSTER?} \
>     --namespace ${ROK_CLUSTER_NAMESPACE?} \
>     --name ${POD_IDENTITY_NAME?}
Delete the Azure Managed Identity that Rok uses:
root@rok-tools:~# az identity delete --name ${AZ_MANAGED_IDENTITY?} \
>     --resource-group ${AZ_RESOURCE_GROUP?}
Verify¶
Choose one of the following options, based on your cloud provider.
Retrieve the ExternalDNS role and ensure it does not exist:
root@rok-tools:~# aws iam get-role --role-name ${EXTERNAL_DNS_ROLE?}
An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name eks-external-dns-arrikto-cluster cannot be found.
Retrieve the AWS Load Balancer Controller role and ensure it does not exist:
root@rok-tools:~# aws iam get-role --role-name ${LOAD_BALANCER_ROLE?}
An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name eks-aws-load-balancer-controller-arrikto-cluster cannot be found.
Retrieve the Cluster Autoscaler role and ensure it does not exist:
root@rok-tools:~# aws iam get-role --role-name ${AUTOSCALER_ROLE?}
An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name cluster-autoscaler-arrikto-cluster cannot be found.
Specify a filter for the name and namespace of Rok:
root@rok-tools:~# export FILTER="name=='${ROK_CLUSTER_NAME?}' && namespace=='${ROK_CLUSTER_NAMESPACE?}'"
List the Pod identities of Rok and ensure none exists:
root@rok-tools:~# az aks pod-identity list --cluster-name ${AKS_CLUSTER?} \
>     --resource-group ${AZ_RESOURCE_GROUP?} \
>     --query "podIdentityProfile.userAssignedIdentities[?${FILTER?}]"
[]
Attempt to retrieve the managed identity of Rok and verify it does not exist:
root@rok-tools:~# az identity show --name ${AZ_MANAGED_IDENTITY?} \
>     --resource-group ${AZ_RESOURCE_GROUP?}
The Resource 'Microsoft.ManagedIdentity/userAssignedIdentities/rok-arrikto-cluster' under resource group 'arrikto' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix
Summary¶
You have successfully deleted the cloud identity resources of Rok.