Access EKS Cluster

To access your newly created EKS cluster you need to update your kubeconfig. This guide will walk you through this process.

Choose one of the following options to configure access to your EKS cluster:

What You’ll Need

Check Your Environment

In order to create the kubeconfig file you need permissions for the following actions:

  • Describe EKS clusters.

Note

If you do not have the above permissions, contact your AWS administrator to grant sufficient permissions to your IAM user.

Option 1: Access EKS Cluster Automatically (preferred)

Configure access to your EKS cluster by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from eks-access
../../../_images/eks-access.png

Proceed to the Summary section.

Option 2: Access EKS Cluster Manually

If you want to configure access to your EKS cluster manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-cluster)
    root@rok-tools:~/ops/deployments# export EKS_CLUSTER
  3. Update the kubeconfig:

    root@rok-tools:~/ops/deployments# aws eks update-kubeconfig --name ${EKS_CLUSTER?} Added new context arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster to /root/.kube/config

    Troubleshooting

    AccessDenied

    If the above command fails with an error message similar to the following:

    An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::123456789012:user/user is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster

    it means your IAM user does not have sufficient permissions to perform an action necessary to create the kubeconfig file.

    To proceed, Check Your Environment and contact your AWS administrator to grant sufficient permissions to your IAM user.

  4. Assign the cluster security group that EKS created to the instance in which your management environment runs. Choose one of the following options based on the service in which you have created your management environment.

You don’t need to assign the cluster security group to your Kubernetes cluster. Skip this step and proceed to the Verify section.
You don’t need to assign the cluster security group to your local machine running Docker. Skip this step and proceed to the Verify section.
  1. Obtain the ClusterSecurityGroup ID of your EKS cluster:

    root@rok-tools:~/ops/deployments# esg=$(aws eks describe-cluster \ > --name ${EKS_CLUSTER?} \ > --query cluster.resourcesVpcConfig.clusterSecurityGroupId \ > --output text)
  2. Obtain the instance ID of your EC2 instance:

    root@rok-tools:~/ops/deployments# instance_id=$(curl 169.254.169.254/latest/meta-data/instance-id)
  3. Obtain the security groups of your EC2 instance:

    root@rok-tools:~/ops/deployments# isg=$(aws ec2 describe-instances \ > --instance-id $instance_id \ > --query Reservations[].Instances[].SecurityGroups[].GroupId \ > --output text)
  4. Update the security groups of your EC2 instance:

    root@rok-tools:~/ops/deployments# aws ec2 modify-instance-attribute \ > --instance-id $instance_id \ > --groups $isg $esg

Verify

  1. Inspect the generated configuration:

    root@rok-tools:~# kubectl config current-context arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster
    root@rok-tools:~# kubectl config view --minify=true apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://6E7720932E60AEA787E0E781931671F5.gr7.es-east-1.eks.amazonaws.com name: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster contexts: - context: cluster: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster ...

    Note

    Set the --minify flag to output info only for the current context.

  2. (Optional) If your EKS cluster is behind firewall ensure you have access to the underlying ALB of the Kubernetes endpoint:

    root@rok-tools:~# kubectl config view -o json --raw --minify=true | jq \ > -r '.clusters[0].cluster.server' | xargs curl -m 5 -k -I HTTP/2 403 audit-id: 0890a9fd-7713-42d2-9868-4916a3ffc2a0 cache-control: no-cache, private content-type: application/json x-content-type-options: nosniff content-length: 234 date: Wed, 08 Sep 2021 12:25:45 GM

    Troubleshooting

    ‘Connection timed out’ error

    You are trying to access the Kubernetes endpoint from an unauthorized source. Make sure your IP address belongs to the TRUSTED_CIDRS address pool or tunnel your traffic through a trusted VPN.

  3. Verify that you can access your EKS cluster:

    root@rok-tools:~# kubectl get nodes No resources found in default namespace.

    Troubleshooting

    ‘Unauthorized’ error

    If you are trying to access a cluster created by another user, make sure that the cluster creator has provided access to your IAM user or role. Follow the Share EKS Cluster guide in order to gain access to that cluster.

Summary

You have successfully configured access to your EKS cluster.

What’s Next

The next step is to add a node group to host Arrikto EKF Workloads.