To start using this solution, the following requirements must be met:
- The latest version of the AWS CLI should be installed.
- Terraform version v1.3.6 or higher must be installed.
- AWS access key and secret key of the user with full permissions for EC2, EKS and IAM.
- kubectl version: v1.24 or higher must be installed.
- eks-demo.sh script was tested on Linux, but should work fine on Mac too.
The following configuration must also be done in advance:
aws configure --profile eks
Follow the wizard's instructions; once it is done, you're good to go!
Below is a brief description of how to use the solution.
- Clone the repo using the following command
git clone https://github.com/PetrKalmukhyan/eks-demo.git
and change your current directory to eks-demo
cd ./eks-demo
- To deploy demo EKS cluster and a pod to test S3 access using IAM roles for service accounts, please:
- execute
./eks-demo.sh
- type
deploy
- To test S3 access from test pod, please:
- execute
./eks-demo.sh
- type
tests3
- To destroy demo environment, please:
- execute
./eks-demo.sh
- type
destroy
Storing sensitive data, like secrets, in git repos sounds like a common issue for small development teams. However, keeping secrets in a git repo is not a best practice, so for this case I'd recommend implementing Kubernetes Secrets to store sensitive information. Unfortunately, by default, Kubernetes stores secrets only base64-encoded, which is not secure either. The two solutions described below aim to solve that challenge:
- AWS Secrets and Configuration Provider (ASCP). Despite its native integration with AWS, this solution might require additional development, as it uses a different secret query mechanism.
- External Secrets. This solution provides seamless integration with AWS Secrets Manager and similar services from other cloud providers and can be used to map secrets directly into the pod. A huge plus is that no additional development is required.
All things being equal, I'd recommend option 2.
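
As an illustration of option 2, here is an added example (not part of the eks-demo repo) of External Secrets Operator manifests that map one AWS Secrets Manager entry into a Kubernetes Secret, authenticating through a service account bound to an IAM role. All resource names, the namespace, the region and the secret path are assumptions.

```yaml
# Added example; every name, the region and the secret path are assumptions.
# Adjust apiVersion to the one your installed External Secrets Operator serves.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager          # hypothetical store name
  namespace: demo                    # hypothetical namespace
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1              # assumed region
      auth:
        jwt:
          serviceAccountRef:
            # Hypothetical service account annotated with an IAM role
            # (IAM roles for service accounts). The role should allow
            # secretsmanager:GetSecretValue on demo/app/* only.
            name: external-secrets-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-db-credentials
  namespace: demo
spec:
  refreshInterval: 1h                # how often the value is re-read from AWS
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: app-db-credentials         # Kubernetes Secret the operator creates
    creationPolicy: Owner            # Secret is removed with the ExternalSecret
  data:
    - secretKey: password            # key inside the Kubernetes Secret
      remoteRef:
        key: demo/app/db             # constructed Secrets Manager secret name
        property: password           # JSON field inside that secret
```

Only these manifests go into git; the secret value stays in AWS Secrets Manager. The operator still creates a regular Kubernetes Secret in the cluster, so RBAC on Secrets and encryption at rest for etcd remain relevant.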