Revised Steps with IAM Role Creation and Assignment

1. Create VPC and Subnets

  • VPC Creation:

    aws ec2 create-vpc --cidr-block 10.0.0.0/16

    Note the VPC ID (e.g., vpc-xxxxx) for future steps.

  • Subnet Creation: Create subnets in different Availability Zones.

    aws ec2 create-subnet --vpc-id vpc-xxxxx --cidr-block 10.0.1.0/24 --availability-zone us-west-2a
    aws ec2 create-subnet --vpc-id vpc-xxxxx --cidr-block 10.0.2.0/24 --availability-zone us-west-2b

2. Create IAM Roles

  • EKS Service Role: Create an IAM role with the required policies for EKS.

    aws iam create-role --role-name eksServiceRole --assume-role-policy-document file://eks-trust-policy.json

    Attach the necessary policies:

    aws iam attach-role-policy --role-name eksServiceRole --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
    aws iam attach-role-policy --role-name eksServiceRole --policy-arn arn:aws:iam::aws:policy/AmazonEKSServicePolicy

  • Node Group Role: Create an IAM role for the EKS worker nodes.

    aws iam create-role --role-name eksNodeRole --assume-role-policy-document file://eks-node-trust-policy.json

    Attach policies required by worker nodes:

    aws iam attach-role-policy --role-name eksNodeRole --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
    aws iam attach-role-policy --role-name eksNodeRole --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
    aws iam attach-role-policy --role-name eksNodeRole --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly

3. Create Elastic Container Registry (ECR)

  • ECR Repository:

    aws ecr create-repository --repository-name my-app-repo

4. Create Elastic Kubernetes Service (EKS) Cluster

  • EKS Cluster:

    aws eks create-cluster --name my-eks-cluster --role-arn arn:aws:iam::123456789012:role/eksServiceRole --resources-vpc-config subnetIds=subnet-abcde01,subnet-abcde02

5. Create Security Groups

  • Security Group:

    aws ec2 create-security-group --group-name my-sg --description "My security group" --vpc-id vpc-xxxxx

    Then, add rules to allow traffic from restricted IPs:

    aws ec2 authorize-security-group-ingress --group-id sg-xxxxx --protocol tcp --port 80 --cidr restricted-ip-address/32
    aws ec2 authorize-security-group-ingress --group-id sg-xxxxx --protocol tcp --port 443 --cidr restricted-ip-address/32
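
As an added example (not part of the original post), a Python check that reads the JSON printed by `aws ec2 describe-security-groups` and flags ingress rules whose source is broader than a single address, which is what the /32 rules above intend. The sample output is constructed here; sg-xxxxx, the ports and 203.0.113.10 are placeholders, and the function name is mine.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --group-ids sg-xxxxx`
# output (not captured from a real account): one /32 rule as the procedure intends, one rule
# open to the world on 443, and one all-protocol rule from a whole /16.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-xxxxx",
        "GroupName": "my-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    }]
})


def overly_broad_ingress(describe_output, max_hosts=1):
    """Return (group_id, ports, cidr) for every ingress source covering more than max_hosts addresses.

    max_hosts=1 enforces the single-host (/32 or /128) sources the procedure calls for;
    raise it to permit a known office range, e.g. max_hosts=2**8 for a /24.
    """
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            # IpProtocol "-1" means all protocols and carries no port range.
            if perm["IpProtocol"] == "-1":
                ports = "all"
            else:
                ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                # ip_network handles IPv4 and IPv6; num_addresses is the size of the block.
                if ipaddress.ip_network(cidr, strict=False).num_addresses > max_hosts:
                    findings.append((group["GroupId"], ports, cidr))
    return findings


if __name__ == "__main__":
    for group_id, ports, cidr in overly_broad_ingress(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group_id}: ingress {ports} from {cidr} is broader than a single host")
```

Pipe real output into the same function (`aws ec2 describe-security-groups --group-ids sg-xxxxx --output json`) to confirm the group only admits the restricted addresses before worker nodes are attached to it.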

6. Create Worker Nodes for EKS

  1. Download the AWS EKS Worker Node CloudFormation Template

     First, you need to download the appropriate CloudFormation template provided by AWS. These templates are available in the AWS EKS documentation. You can use wget or curl to download it:

     wget https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-08-17/amazon-eks-nodegroup.yaml

  2. Create a Key Pair for EC2 Instances

     Create a key pair for SSH access to the EC2 instances:

     aws ec2 create-key-pair --key-name MyKeyPair

     Note: Remember to save the key material (.pem file) that you receive in response.

  3. Deploy the CloudFormation Stack using AWS CLI

     Now, deploy the CloudFormation stack with the template you downloaded. You’ll need to provide various parameters such as the EKS cluster name, node group role ARN, subnet IDs, and the key pair name.

     aws cloudformation create-stack --stack-name my-eks-nodes \
       --template-body file://amazon-eks-nodegroup.yaml \
       --parameters \
         ParameterKey=ClusterName,ParameterValue=my-eks-cluster \
         ParameterKey=ClusterControlPlaneSecurityGroup,ParameterValue=sg-xxxxx \
         ParameterKey=NodeGroupName,ParameterValue=my-node-group \
         ParameterKey=NodeAutoScalingGroupMinSize,ParameterValue=1 \
         ParameterKey=NodeAutoScalingGroupMaxSize,ParameterValue=3 \
         ParameterKey=NodeInstanceType,ParameterValue=t3.medium \
         ParameterKey=NodeImageId,ParameterValue=ami-0a887e401f7654935 \
         ParameterKey=KeyName,ParameterValue=MyKeyPair \
         ParameterKey=VpcId,ParameterValue=vpc-xxxxx \
         ParameterKey=Subnets,ParameterValue=\"subnet-abcde01,subnet-abcde02\" \
         ParameterKey=NodeGroupRoleArn,ParameterValue=arn:aws:iam::123456789012:role/eksNodeRole \
       --capabilities CAPABILITY_IAM

     Replace the placeholders like my-eks-cluster, sg-xxxxx, vpc-xxxxx, subnet-abcde01, subnet-abcde02, etc., with your actual values.

  4. Monitor the Stack Creation

     You can monitor the status of the stack creation using the AWS Management Console or AWS CLI:

     aws cloudformation describe-stacks --stack-name my-eks-nodes

     Once the stack status is CREATE_COMPLETE, your worker nodes are ready and should join your EKS cluster automatically.

7. Networking and Access

  • Internet Gateway & Route Tables: Set up as needed for external access.

    1. Create an Internet Gateway:

      • This is needed if your worker nodes need access to the internet.
      aws ec2 create-internet-gateway

      Note the Internet Gateway ID (igw-xxxx) for future steps.

    2. Attach the Internet Gateway to Your VPC:

      aws ec2 attach-internet-gateway --internet-gateway-id igw-xxxx --vpc-id vpc-xxxxx

    3. Create a Route Table:

      • Create a route table in your VPC for routing traffic.
      aws ec2 create-route-table --vpc-id vpc-xxxxx

      Note the Route Table ID (rtb-xxxx) for future steps.

    4. Create a Route to the Internet Gateway:

      • This enables traffic from the VPC to the internet via the Internet Gateway.
      aws ec2 create-route --route-table-id rtb-xxxx --destination-cidr-block 0.0.0.0/0 --gateway-id igw-xxxx

    5. Associate the Route Table with Subnets:

      • Associate the route table with each of your subnets.
      aws ec2 associate-route-table --route-table-id rtb-xxxx --subnet-id subnet-abcde01
      aws ec2 associate-route-table --route-table-id rtb-xxxx --subnet-id subnet-abcde02

    6. Adjust Security Groups as Needed:

      • Update your security groups to allow the necessary inbound and outbound traffic for your application.

8. Configure kubectl for EKS

  • Update kubeconfig:

    aws eks update-kubeconfig --name my-eks-cluster

Notes on IAM Policy Documents

  • The eks-trust-policy.json and eks-node-trust-policy.json files are JSON policy documents that allow EKS and EC2, respectively, to assume the corresponding role. You need to create these JSON files according to the AWS IAM policy guidelines.

    eks-trust-policy.json

    This trust policy is used when creating the IAM role for the EKS cluster. It allows the EKS service to assume this role.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "eks.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    eks-node-trust-policy.json

    This trust policy is for the IAM role assigned to EKS worker nodes. It allows the EC2 instances (worker nodes) to assume this role.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    Usage

    When you create the IAM roles using the AWS CLI, you’ll reference these files. For example:

    aws iam create-role --role-name eksServiceRole --assume-role-policy-document file://eks-trust-policy.json
    aws iam create-role --role-name eksNodeRole --assume-role-policy-document file://eks-node-trust-policy.json

    Ensure that these JSON files are correctly formatted and stored locally where the AWS CLI can access them. These trust policies are crucial for setting up IAM roles that align with AWS security best practices, by explicitly defining which AWS services can assume these roles.
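
As an added example (not the post's own code), a small Python helper that writes the two trust-policy files above and audits a trust policy for the property the post describes: only the named service principal, and only sts:AssumeRole, may be used to assume the role. The file names and service principals are the post's; the function names are mine.

```python
import json
import os

def trust_policy(service):
    """Trust policy in the shape the post uses: one AWS service principal may assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": service},
                           "Action": "sts:AssumeRole"}]}

def write_trust_policies(directory="."):
    """Write eks-trust-policy.json and eks-node-trust-policy.json for `aws iam create-role`."""
    docs = {"eks-trust-policy.json": trust_policy("eks.amazonaws.com"),
            "eks-node-trust-policy.json": trust_policy("ec2.amazonaws.com")}
    for name, doc in docs.items():
        with open(os.path.join(directory, name), "w") as fh:
            json.dump(doc, fh, indent=2)
    return docs

def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def audit_trust_policy(doc, expected_service):
    """Findings for a trust policy that should be assumable only by expected_service; [] means it is tight."""
    findings = []
    for n, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # anyone at all may assume the role
            findings.append(f"statement {n}: Principal '*' lets any AWS principal assume the role")
            continue
        principal = principal or {}
        for kind in principal:  # 'AWS' (accounts/users) or 'Federated' would widen the trust
            if kind != "Service":
                findings.append(f"statement {n}: principal type {kind!r}, expected only 'Service'")
        for service in _as_list(principal.get("Service")):
            if service != expected_service:
                findings.append(f"statement {n}: service {service!r} is not {expected_service!r}")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"statement {n}: action {action!r} is broader than sts:AssumeRole")
    return findings

if __name__ == "__main__":
    for name, doc in write_trust_policies().items():
        expected = "eks.amazonaws.com" if name == "eks-trust-policy.json" else "ec2.amazonaws.com"
        print(name, audit_trust_policy(doc, expected) or "OK")
```

The same audit can be run against a live role by passing the `AssumeRolePolicyDocument` field from `aws iam get-role --role-name eksNodeRole --output json` to audit_trust_policy.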

This revised procedure includes the creation and assignment of IAM roles, which are vital for managing access and permissions for EKS and its worker nodes. Remember to replace placeholder values (like subnet-abcde01, vpc-xxxxx, sg-xxxxx, etc.) with actual values from your AWS setup.


Source: https://blog.excelsre.com/2024/01/20/revised-steps-with-iam-role-creation-and-assignment/
Author: Felix Yang
Published: January 21, 2024