In this post we are going to set up Crossplane on an AWS EKS cluster with IRSA and provision AWS Cloud Services through it.
IAM Roles for Service Accounts (IRSA) is used to give the Crossplane AWS provider the AWS credentials it needs to launch the AWS Cloud Services.
## Amazon EKS
Amazon EKS is a managed Kubernetes service to run Kubernetes in the AWS cloud.
## Crossplane
Crossplane is a framework for building cloud native control planes without needing to write code.
https://github.com/crossplane/crossplane
## Launch EKS Cluster with IRSA for Crossplane
Use eksctl to launch the EKS cluster with the configuration below. The provided YAML uses an existing VPC, so substitute your private subnet IDs before creating the cluster. `withOIDC: true` enables the cluster's OIDC identity provider, which IRSA requires, and the `serviceAccounts` entry creates the IAM role that the Crossplane AWS provider's service account will assume.
```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: crossplane-demo
  region: us-east-1
  version: '1.21'
vpc:
  subnets:
    private:
      us-east-1a: { id: subnet-1234 }
      us-east-1b: { id: subnet-1234 }
  clusterEndpoints:
    publicAccess: true
iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: provider-aws-f78664a342f1
        namespace: crossplane-system
      attachPolicyARNs:
        - "arn:aws:iam::aws:policy/AdministratorAccess"
managedNodeGroups:
  - name: crossplane-nodegroup
    labels: { role: workers }
    instanceType: t3a.medium
    desiredCapacity: 1
    volumeSize: 30
    privateNetworking: true
```
Save the above contents in cluster.yaml and use the command below to create the cluster:
```bash
eksctl create cluster -f cluster.yaml
```
## Install Crossplane
Install Crossplane from its Helm chart with the commands below:
```bash
kubectl create namespace crossplane-system
helm repo add crossplane-stable https://charts.crossplane.io/stable
helm repo update
helm install crossplane --namespace crossplane-system crossplane-stable/crossplane
```
## Install Crossplane AWS provider
The provider package contains the CRDs used to launch the AWS Cloud Services. Apply the configuration YAMLs below to install it. Replace `<AWS_PROVIDER_ARN>` with the ARN of the IAM role that eksctl created for the service account during cluster creation; the `eks.amazonaws.com/role-arn` annotation on the ControllerConfig is propagated to the provider's service account, which is what lets EKS inject the IRSA web-identity token into the provider pod.
```yaml
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: aws-config
  annotations:
    eks.amazonaws.com/role-arn: <AWS_PROVIDER_ARN>
spec:
  podSecurityContext:
    fsGroup: 2000
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws
spec:
  package: crossplane/provider-aws:v0.24.1
  controllerConfigRef:
    name: aws-config
```
Apply the ProviderConfig below. `source: InjectedIdentity` tells the provider to use the credentials injected into its pod (the IRSA role) rather than a stored access key secret.
```yaml
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: aws-provider
spec:
  credentials:
    source: InjectedIdentity
```
## Create an S3 bucket using Crossplane
Apply the YAML below to test the Crossplane setup with IRSA. Once it is applied, an S3 bucket named s3-demo is created with a private ACL, default AES256 server-side encryption, and versioning enabled.
```yaml
apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: s3-demo
spec:
  deletionPolicy: Delete
  forProvider:
    acl: private
    locationConstraint: us-east-1
    serverSideEncryptionConfiguration:
      rules:
        - applyServerSideEncryptionByDefault:
            sseAlgorithm: AES256
    versioningConfiguration:
      status: Enabled
  providerConfigRef:
    name: aws-provider
```
## Notes
In the EKS cluster creation above, the AdministratorAccess policy is attached to the provider's service account. This policy can be restricted to the particular services (for example S3 or SQS) that are actually created through Crossplane.
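As an added example that is not part of the original post, here is the `iam.serviceAccounts` entry of cluster.yaml rewritten with an inline least-privilege policy instead of AdministratorAccess, scoped to the Bucket example above. It assumes the eksctl `attachPolicy` field (an inline IAM policy document) and an action list derived from the Bucket spec fields used in this post; because the provider's observe loop also reads other bucket settings, read actions are granted with a `s3:GetBucket*` wildcard, and the whole list should be validated against CloudTrail AccessDenied events before relying on it.

```yaml
# Added example (not from the original post). Drop-in replacement for the
# iam.serviceAccounts entry in cluster.yaml: same service account, but an
# inline policy instead of arn:aws:iam::aws:policy/AdministratorAccess.
# Assumption: the action list covers what the s3-demo Bucket spec needs
# (create/delete, ACL, default encryption, versioning); anything the
# provider's observe loop additionally reads is covered by s3:GetBucket*.
iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: provider-aws-f78664a342f1
        namespace: crossplane-system
      attachPolicy:
        Version: "2012-10-17"
        Statement:
          # Read-only inspection of buckets in the account. HeadBucket, which
          # the provider uses to check existence, is authorised by s3:ListBucket.
          - Effect: Allow
            Action:
              - s3:ListAllMyBuckets
              - s3:ListBucket
              - s3:GetBucket*
              - s3:GetEncryptionConfiguration
            Resource: "*"
          # Mutations limited to the bucket name used in this post, so a
          # compromised provider pod cannot touch other buckets.
          - Effect: Allow
            Action:
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:PutBucketAcl
              - s3:PutEncryptionConfiguration
              - s3:PutBucketVersioning
            Resource: "arn:aws:s3:::s3-demo"
```

Replace the `serviceAccounts` entry in cluster.yaml with this one before running `eksctl create cluster`; the resulting role can then only manage the bucket named s3-demo, and any other managed resource you add later needs its own statement.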