Access EKS Cluster¶
To access your newly created EKS cluster you need to update your kubeconfig. This guide will walk you through this process.
Fast Forward
If you already have a kubeconfig file or if you have configured your management environment to have access to your Kubernetes cluster, expand this box to fast-forward.
- Proceed to the Verify section.
See also
Choose one of the following options to configure access to your EKS cluster:
Overview
What You’ll Need¶
- A configured management environment.
- An configured VPC.
- An existing EKS cluster.
Check Your Environment¶
In order to create the kubeconfig file you need permissions for the following actions:
- Describe EKS clusters.
Note
If you do not have the above permissions, contact your AWS administrator to grant sufficient permissions to your IAM user.
Option 1: Access EKS Cluster Automatically (preferred)¶
Configure access to your EKS cluster by following the on-screen instructions on
the rok-deploy
user interface.
If rok-deploy
is not already running, start it with:
Proceed to the Summary section.
Option 2: Access EKS Cluster Manually¶
If you want to configure access to your EKS cluster manually, follow the instructions below.
Procedure¶
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-cluster)root@rok-tools:~/ops/deployments# export EKS_CLUSTERUpdate the kubeconfig:
root@rok-tools:~/ops/deployments# aws eks update-kubeconfig --name ${EKS_CLUSTER?} Added new context arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster to /root/.kube/configTroubleshooting
AccessDenied
If the above command fails with an error message similar to the following:
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::123456789012:user/user is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-clusterit means your IAM user does not have sufficient permissions to perform an action necessary to create the kubeconfig file.
To proceed, Check Your Environment and contact your AWS administrator to grant sufficient permissions to your IAM user.
Assign the cluster security group that EKS created to the instance in which your management environment runs. Choose one of the following options based on the service in which you have created your management environment.
You don’t need to assign the cluster security group to your Kubernetes cluster. Skip this step and proceed to the Verify section.You don’t need to assign the cluster security group to your local machine running Docker. Skip this step and proceed to the Verify section.
Obtain the ClusterSecurityGroup ID of your EKS cluster:
root@rok-tools:~/ops/deployments# esg=$(aws eks describe-cluster \ > --name ${EKS_CLUSTER?} \ > --query cluster.resourcesVpcConfig.clusterSecurityGroupId \ > --output text)Obtain the instance ID of your EC2 instance:
root@rok-tools:~/ops/deployments# instance_id=$(curl 169.254.169.254/latest/meta-data/instance-id)Obtain the security groups of your EC2 instance:
root@rok-tools:~/ops/deployments# isg=$(aws ec2 describe-instances \ > --instance-id $instance_id \ > --query Reservations[].Instances[].SecurityGroups[].GroupId \ > --output text)Update the security groups of your EC2 instance:
root@rok-tools:~/ops/deployments# aws ec2 modify-instance-attribute \ > --instance-id $instance_id \ > --groups $isg $esg
Verify¶
Inspect the generated configuration:
root@rok-tools:~# kubectl config current-context arn:aws:eks:us-east-1:123456789012:cluster/arrikto-clusterroot@rok-tools:~# kubectl config view --minify=true apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://6E7720932E60AEA787E0E781931671F5.gr7.es-east-1.eks.amazonaws.com name: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster contexts: - context: cluster: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster ...Note
Set the
--minify
flag to output info only for the current context.(Optional) If your EKS cluster is behind firewall ensure you have access to the underlying ALB of the Kubernetes endpoint:
root@rok-tools:~# kubectl config view -o json --raw --minify=true | jq \ > -r '.clusters[0].cluster.server' | xargs curl -m 5 -k -I HTTP/2 403 audit-id: 0890a9fd-7713-42d2-9868-4916a3ffc2a0 cache-control: no-cache, private content-type: application/json x-content-type-options: nosniff content-length: 234 date: Wed, 08 Sep 2021 12:25:45 GMTroubleshooting
‘Connection timed out’ error
You are trying to access the Kubernetes endpoint from an unauthorized source. Make sure your IP address belongs to the
TRUSTED_CIDRS
address pool or tunnel your traffic through a trusted VPN.Verify that you can access your EKS cluster:
root@rok-tools:~# kubectl get nodes No resources found in default namespace.Troubleshooting
‘Unauthorized’ error
If you are trying to access a cluster created by another user, make sure that the cluster creator has provided access to your IAM user or role. Follow the Share EKS Cluster guide in order to gain access to that cluster.
What’s Next¶
The next step is to add a node group to host Arrikto EKF Workloads.