DEV Community

ahn4

Apply Kubernetes resources to AWS EKS Cluster - Bitbucket Pipeline

Relation between EKS and Bitbucket

Apply a k8s Deployment.

Official pipe

We'll use the official Bitbucket pipe in the pipeline.

The following are needed:

  1. AWS IAM.
  2. Role/ClusterRole and Binding.

AWS IAM

Simply create one IAM user. This user will not have Console access. We configure this user's key and token in Bitbucket.

The user needs at least the following policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster"
            ],
            "Resource": "*"
        }
    ]
}

Role/ClusterRole and Binding.

Two resources need to be applied.

ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bitbucket-cicd
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - pods
  - services
  verbs:
  - get
  - list
  - update
  - patch
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
  - update
  - patch
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - update
  - patch

apiGroups: The group comes from the apiVersion of the k8s manifest: it is the part of apiVersion before the first slash, and the version after the slash is ignored. For example, apps/v1 gives the group apps. If apiVersion is only v1 (the core group), apiGroups is the empty string "". To list all API groups, use the command kubectl api-resources.

verbs: All available verbs are listed in the Kubernetes RBAC documentation.
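To see what the bitbucket-cicd ClusterRole above actually permits before handing it to the pipeline, here is a small RBAC rule evaluator as an added example (it is not part of the original post or of any Kubernetes tooling). It copies the page's rules into Python and applies the same apiGroup derivation described above; subresources and resourceNames are deliberately not modelled.

```python
# Added example: evaluate the bitbucket-cicd ClusterRole rules offline.
# This mirrors how Kubernetes RBAC matches a request against rules,
# simplified: subresources (e.g. pods/log) and resourceNames are ignored.


def api_group_from_version(api_version: str) -> str:
    """Derive the RBAC apiGroup from a manifest's apiVersion.

    'apps/v1' -> 'apps', 'batch/v1' -> 'batch', 'v1' (core group) -> ''.
    """
    return api_version.split("/", 1)[0] if "/" in api_version else ""


# Rules copied from the bitbucket-cicd ClusterRole on this page.
BITBUCKET_CICD_RULES = [
    {"apiGroups": [""], "resources": ["nodes", "pods", "services"],
     "verbs": ["get", "list", "update", "patch"]},
    {"apiGroups": ["apps"],
     "resources": ["deployments", "daemonsets", "statefulsets", "replicasets"],
     "verbs": ["get", "list", "update", "patch"]},
    {"apiGroups": ["batch"], "resources": ["jobs"],
     "verbs": ["get", "list", "update", "patch"]},
]


def _matches(allowed: list, value: str) -> bool:
    # Kubernetes treats "*" in apiGroups, resources and verbs as a wildcard.
    return "*" in allowed or value in allowed


def can_i(rules: list, verb: str, api_version: str, resource: str) -> bool:
    """Return True if any rule allows `verb` on `resource` of `api_version`."""
    group = api_group_from_version(api_version)
    return any(
        _matches(r["apiGroups"], group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules
    )


if __name__ == "__main__":
    for verb, ver, res in [("patch", "apps/v1", "deployments"),
                           ("create", "apps/v1", "deployments"),
                           ("get", "v1", "secrets")]:
        print(f"{verb} {res} ({ver}): {can_i(BITBUCKET_CICD_RULES, verb, ver, res)}")
```

Note that these rules grant no create verb, so a kubectl apply of a Deployment that does not exist yet will be denied; the role only updates or patches existing objects, which is the least-privilege shape you want for a pipeline that redeploys.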

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bitbucket-cicd-binding
subjects:
- kind: Group
  name: bitbucket-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: bitbucket-cicd
  apiGroup: rbac.authorization.k8s.io

subjects

Specify the User, Group, or ServiceAccount to which the role is tied in this field.

kind: One of User, Group, or ServiceAccount.

name: The name of that kind (here, the group name bitbucket-group).

Edit aws-auth

Map the IAM user to the group used in the ClusterRoleBinding.

kubectl edit -n kube-system configmap/aws-auth

The mapping data will look like this:

apiVersion: v1
data:
  mapAccounts: |
    []
  # IAM users are mapped under mapUsers; mapRoles is for IAM roles (rolearn).
  mapUsers: |
    - "userarn": "arn:aws:iam::{account id}:user/{IAM name}"
      "username": "bitbucket-cicd-user" # Name you like
      "groups":
      - "bitbucket-group" # Group name you specified in ClusterRoleBinding
# -- rest omitted.....
