The DKP UI lets you quickly and easily provision a Cluster from your browser.

Create an AWS Infrastructure Provider

Before you create a Cluster, you first need to create an AWS infrastructure provider to hold your AWS/EKS Credentials:

  1. Get the AWS RoleARN.

    aws iam get-role --role-name <role-name> --query 'Role.[RoleName, Arn]' --output text
  2. Select Infrastructure Providers from the Dashboard menu.

  3. Select Add Infrastructure Provider.

  4. Choose a workspace. If you are already in a workspace, the provider is automatically created in that workspace.

  5. Ensure you select Amazon Web Services.

  6. Add a Name for your Infrastructure Provider and include the Role ARN from Step 1 above.

  7. Select Save.

If you choose to, you can use static credentials. However, this method is less secure and is not recommended.

Provision an EKS Cluster

Follow these steps to provision the EKS cluster:

  1. From the top menu bar, select your target workspace.

  2. Select Clusters > Add Cluster.
    This begins the provisioning workflow.

  3. Choose Create Cluster.

  4. Enter the Cluster Name.

  5. Select EKS from the Choose Infrastructure choices.

  6. If available, choose a Kubernetes Version. Otherwise, the default Kubernetes version installs.

  7. Select a data center region or specify a custom region.

  8. Edit your worker Node Pools as necessary. You can choose the Number of Nodes, the Machine Type, and the IAM Instance Profile. For the worker pool, you can also choose a Worker Availability Zone.

  9. Add any additional Labels or Infrastructure Provider Tags as necessary.

  10. Validate your inputs, and then select Create.

You are redirected to the Clusters page, where you see your Cluster in the Provisioning status. Hover over the status to view the details.

After about 15 minutes, your Cluster should be in the Provisioned status.

See AWS RoleARN for more information from the AWS site.

Access EKS Cluster

After the cluster is successfully attached (managed), you can retrieve a custom kubeconfig file from the UI using your Kommander administrator credentials.

IAM User and Role Access for EKS Clusters

When you create an EKS cluster through the UI, the kubeconfig returned by the Download kubeconfig button allows access for 15 minutes. To follow best practices for AWS security, configure access to the EKS cluster using IAM role-based or user-based authentication. This allows account administrators to monitor all actions made.

To enable IAM-based cluster access, follow the steps below:

  1. Download the kubeconfig by selecting the Download kubeconfig button on the top section of the UI.

  2. Using that kubeconfig, edit the config map with a command similar to the one below:

    kubectl --kubeconfig=MYCLUSTER.conf edit cm -n kube-system aws-auth
  3. Modify the mapRoles and mapUsers objects to grant the permissions you need. The example below maps the arn:aws:iam::MYAWSACCOUNTID:role/PowerUser role to system:masters on the Kubernetes cluster:

    apiVersion: v1
    data:
      mapRoles: |
        - groups:
          - system:bootstrappers
          - system:nodes
          rolearn: arn:aws:iam::MYAWSACCOUNTID:role/nodes.cluster-api-provider-aws.sigs.k8s.io
          username: system:node:{{EC2PrivateDNSName}}
        - groups:
          - system:masters
          rolearn: arn:aws:iam::MYAWSACCOUNTID:role/PowerUser
          username: admin
    kind: ConfigMap

    For more information, consult the Enabling IAM user and role access to your cluster guide and the Kubernetes RBAC guide.

  4. From your management cluster, run the following command to fetch a kubeconfig that uses IAM-based permissions:

    dkp get kubeconfig -c ${EKS_CLUSTER_NAME} -n ${KOMMANDER_WORKSPACE_NAMESPACE} >> ${EKS_CLUSTER_NAME}.conf
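
Because system:masters grants full administrative access to the cluster, it is worth checking which IAM principals the edited aws-auth ConfigMap maps to it. The script below is an added example, not part of the DKP documentation: it reads mapRoles or mapUsers YAML on stdin and prints every ARN mapped to system:masters. The BreakGlass and ReadOnly roles and the viewers group in the sample are constructed values.

```shell
#!/bin/sh
# Added example: list IAM principals that aws-auth maps to system:masters.
# Live use (kubeconfig name as in step 2):
#   kubectl --kubeconfig=MYCLUSTER.conf get cm -n kube-system aws-auth \
#     -o jsonpath='{.data.mapRoles}' | masters_principals
masters_principals() {
  awk '
    function emit() {                    # close the current list entry
      if (arn != "" && admin) print arn
      arn = ""; admin = 0
    }
    { gsub(/"/, "") }                    # tolerate double-quoted values
    /^- / { emit(); sub(/^- /, "  ") }   # a dash in column 0 starts a new entry
    /^[ \t]*(rolearn|userarn):/ {        # key order inside an entry may vary
      sub(/^[ \t]*(rolearn|userarn):[ \t]*/, ""); sub(/[ \t]+$/, "")
      arn = $0; next
    }
    /^[ \t]*-[ \t]*system:masters[ \t]*$/ { admin = 1 }
    END { emit() }
  '
}

# Constructed sample: the first two entries are the ones from step 3,
# the last two are made up to show the other key order.
sample_map_roles() {
  cat <<'EOF'
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::MYAWSACCOUNTID:role/nodes.cluster-api-provider-aws.sigs.k8s.io
  username: system:node:{{EC2PrivateDNSName}}
- groups:
  - system:masters
  rolearn: arn:aws:iam::MYAWSACCOUNTID:role/PowerUser
  username: admin
- rolearn: arn:aws:iam::MYAWSACCOUNTID:role/BreakGlass
  username: breakglass
  groups:
  - system:masters
- rolearn: arn:aws:iam::MYAWSACCOUNTID:role/ReadOnly
  username: viewer
  groups:
  - viewers
EOF
}

sample_map_roles | masters_principals
```

Use `{.data.mapUsers}` in the jsonpath expression to run the same check over user mappings.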