Create an EKS Cluster from the DKP UI
The DKP user interface allows you to provision a Cluster from your browser quickly and easily.
Create an AWS Infrastructure Provider
Before you create a Cluster, you first need to create an AWS infrastructure provider to hold your AWS/EKS Credentials:
aws iam get-role --role-name <role-name> --query 'Role.[RoleName, Arn]' --output text
Select Infrastructure Providers from the Dashboard menu.
Select Add Infrastructure Provider.
Choose a workspace. If you are already in a workspace, the provider is automatically created in that workspace.
Ensure you select Amazon Web Services.
Add a Name for your Infrastructure Provider and include the Role ARN from Step 1 above.
Select Save.
If you choose to, you can use static credentials. However, this method is not as secure so it is not recommended.
Provision an EKS Cluster
Follow these steps to provision the EKS cluster:
From the top menu bar, select your target workspace.
Select Clusters > Add Cluster.
This begins the provisioning workflow. Choose Create Cluster.
Enter the Cluster Name.
Select EKS from the Choose Infrastructure choices.
If available, choose a Kubernetes Version. Otherwise, the default Kubernetes version installs.
Select a data center region or specify a custom region.
Edit your worker Node Pools as necessary. You can choose the Number of Nodes, the Machine Type, and our IAM Instance Profile. For the worker pool, you can also choose a Worker Availability Zone.
Add any additional Labels or Infrastructure Provider Tags as necessary.
Validate your inputs, and then select Create.
You are redirected to the Clusters page, where you see your Cluster in the Provisioning status. Hover over the status to view the details.
After about 15 minutes, your Cluster should be in the Provisioned status.
See AWS RoleARN for more information from the AWS site.
Access EKS Cluster
After the cluster is successfully attached (managed), you can retrieve a custom kubeconfig file from the UI using your Kommander administrator credentials.
IAM User and Role Access for EKS Clusters
When creating an EKS cluster through the UI, the kubeconfig that is returned using the Download kubeconfig button allows access for 15 minutes. To follow best practices for AWS security, you should configure access to the EKS cluster using IAM role or user based authentication. This allows account administrators to monitor all actions made.
To enable IAM based cluster access, follow the steps below:
Download the kubeconfig by selecting the Download kubeconfig button on the top section of the UI.
Using that kubeconfig, edit the config map with a command similar to the one below:
kubectl --kubeconfig=MYCLUSTER.conf edit cm -n kube-system aws-auth
Modify the mapRoles and mapUsers objects according to the permissions as needed. The example below is mapping the arn:aws:iam::MYAWSACCOUNTID:role/PowerUser role to system:masters on the Kubernetes cluster:
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::MYAWSACCOUNTID:role/nodes.cluster-api-provider-aws.sigs.k8s.io
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - system:masters
      rolearn: arn:aws:iam::MYAWSACCOUNTID:role/PowerUser
      username: admin
kind: ConfigMap
For more information, consult the Enabling IAM user and role access to your cluster guide and the Kubernetes RBAC guide.
From your management cluster, run the following command to fetch a kubeconfig that uses IAM based permissions:
dkp get kubeconfig -c ${EKS_CLUSTER_NAME} -n ${KOMMANDER_WORKSPACE_NAMESPACE} >> ${EKS_CLUSTER_NAME}.conf
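To review the aws-auth edit described above, the following added example (not part of the DKP documentation) lists every IAM principal mapped to system:masters that is not on an expected list. It reads the JSON printed by kubectl get cm -n kube-system aws-auth -o json; the function names, the allow-list, the mapUsers entry in the sample and the minimal block-style parser are assumptions made for this example.

```python
import json

def parse_mappings(block):
    """Parse block-style mapRoles/mapUsers YAML (assumption: no flow lists)."""
    entries, base, in_groups = [], None, False
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        base = indent if base is None else base
        if line.startswith("- ") and indent == base:    # start of a new mapping
            entries.append({"groups": []})
            line, in_groups = line[2:].strip(), False
        elif line.startswith("- ") and in_groups:       # item of the groups list
            entries[-1]["groups"].append(line[2:].strip().strip("'\""))
            continue
        key, _, value = line.partition(":")
        in_groups = key == "groups"
        if entries and not in_groups:
            entries[-1][key] = value.strip().strip("'\"")
    return entries

def unexpected_admins(configmap_json, allowed_arns):
    """List (field, arn, username) in system:masters but not in allowed_arns."""
    data = json.loads(configmap_json).get("data", {})
    findings = []
    for field, arn_key in (("mapRoles", "rolearn"), ("mapUsers", "userarn")):
        for entry in parse_mappings(data.get(field, "")):
            arn = entry.get(arn_key, "")
            # system:masters members have unrestricted access to the cluster
            if "system:masters" in entry["groups"] and arn not in allowed_arns:
                findings.append((field, arn, entry.get("username", "")))
    return findings

# Constructed sample: the page's mapRoles example plus a made-up mapUsers entry.
ACCT = "arn:aws:iam::MYAWSACCOUNTID"
SAMPLE = json.dumps({"kind": "ConfigMap", "data": {
    "mapRoles": "- groups:\n  - system:bootstrappers\n  - system:nodes\n"
                f"  rolearn: {ACCT}:role/nodes.cluster-api-provider-aws.sigs.k8s.io\n"
                "  username: system:node:{{EC2PrivateDNSName}}\n"
                f"- groups:\n  - system:masters\n  rolearn: {ACCT}:role/PowerUser\n"
                "  username: admin\n",
    "mapUsers": f"- userarn: {ACCT}:user/example-user\n  username: example-user\n"
                "  groups:\n    - system:masters\n"}})
ALLOWED = {f"{ACCT}:role/PowerUser"}   # hypothetical allow-list of expected admins

if __name__ == "__main__":
    for field, arn, user in unexpected_admins(SAMPLE, ALLOWED):
        print(f"{field}: {arn} (username {user}) is mapped to system:masters")
```

For ConfigMaps that use flow-style lists or other YAML features, replace parse_mappings with a full YAML parser.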