DEV Community: Hagai Hillel The latest articles on DEV Community by Hagai Hillel (@hagay3). https://dev.to/hagay3 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F754892%2F8a9a275b-1b61-4936-83d8-79aea341f13c.png DEV Community: Hagai Hillel https://dev.to/hagay3 en K8S - How to use EKS (AWS) Refresh token Hagai Hillel Fri, 02 Aug 2024 13:45:00 +0000 https://dev.to/hagay3/k8s-how-to-use-eks-aws-refresh-token-3h8o https://dev.to/hagay3/k8s-how-to-use-eks-aws-refresh-token-3h8o <h2> Skuber </h2> <p>The Skuber client is a Scala library designed for interacting with Kubernetes clusters. It offers a high-level, strongly typed API for managing Kubernetes resources such as Pods, Services, Deployments, ReplicaSets, and Ingresses.<br> <a href="https://github.com/hagay3/skuber" rel="noopener noreferrer">https://github.com/hagay3/skuber</a></p> <h2> How to use EKS (AWS) Refresh token </h2> <p>Background <br> Step-by-step guide <br> Setup the environment variables <br> Create IAM Role <br> Create a service account <br> Create the aws-auth mapping <br> <a href="https://dev.to[#refresh-eks-code-examples">Refresh EKS Code Examples</a>)</p> <h2> Background </h2> <p>Skuber has the functionality to refresh EKS (AWS) token with an IAM role and cluster configurations.</p> <p>The initiative:</p> <ul> <li>Refreshing tokens increasing k8s cluster security</li> <li>Since kubernetes v1.21 service account tokens has an expiration of 90 days. <a href="https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html" rel="noopener noreferrer">https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html</a> </li> </ul> <h2> Step-by-step guide </h2> <p>Pay attention to the fact that skuber can be deployed in one cluster and the cluster you want to control can be a remote cluster. <br> In this guide I will use the following:</p> <p><code>SKUBER_CLUSTER</code> - the cluster skuber app will be deployed on. <br> <code>REMOTE_CLUSTER</code> - the cluster that skuber will be connected to.</p> <h3> Setup the environment variables </h3> <ul> <li>Make sure aws cli is configured properly </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">ACCOUNT_ID</span><span class="o">=</span><span class="si">$(</span>aws sts get-caller-identity <span class="nt">--output</span> text <span class="nt">--query</span> Account<span class="si">)</span> <span class="nb">echo</span> <span class="nv">$ACCOUNT_ID</span> </code></pre> </div> <p>Set the cluster name and region that need access to (<code>REMOTE_CLUSTER</code>) <br> use <code>aws eks list-clusters</code> to see the cluster names.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">REMOTE_CLUSTER</span><span class="o">=</span>example-cluster <span class="nb">export </span><span class="nv">REGION</span><span class="o">=</span>us-east-1 </code></pre> </div> <p>Set the cluster name which skuber app will run from (<code>SKUBER_CLUSTER</code>)</p> <p>Set the namespace name which skuber app will run from</p> <p>Set the oidc provider id</p> <p>Set the service account name that skuber app will be attached to (we will create it later)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">SKUBER_CLUSTER</span><span class="o">=</span>skuber-cluster <span class="nb">export </span><span class="nv">SKUBER_NAMESPACE</span><span class="o">=</span>skuber-namespace <span class="nb">export </span><span class="nv">OIDC</span><span class="o">=</span><span class="si">$(</span>aws eks describe-cluster <span class="nt">--name</span> <span class="nv">$SKUBER_CLUSTER</span> <span class="nt">--output</span> text <span class="nt">--query</span> cluster.identity.oidc.issuer | <span class="nb">cut</span> <span class="nt">-d</span><span class="s1">'/'</span> <span class="nt">-f3</span>,4,5<span class="si">)</span> <span class="nb">echo</span> <span class="nv">$OIDC</span> <span class="nb">export </span><span class="nv">SKUBER_SA</span><span class="o">=</span>skuber-serviceaccount </code></pre> </div> <h3> Create IAM Role </h3> <p>This role will allow skuber service account to assume this role. <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">cat</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="err">skuber_iam_role.json</span><span class="w"> </span><span class="err">&lt;&lt;EOL</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC}"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"${OIDC}:sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"system:serviceaccount:${SKUBER_NAMESPACE}:${SKUBER_SA}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">EOL</span><span class="w"> </span></code></pre> </div> <p>Create and set IAM role name<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">IAM_ROLE_NAME</span><span class="o">=</span>skuber-eks aws iam create-role <span class="se">\</span> <span class="nt">--role-name</span> <span class="nv">$IAM_ROLE_NAME</span> <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Kubernetes role for skuber client"</span> <span class="se">\</span> <span class="nt">--assume-role-policy-document</span> file://skuber_iam_role.json <span class="se">\</span> <span class="nt">--output</span> text <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Role.Arn'</span> </code></pre> </div> <h3> Create a service account </h3> <p>Change the context to <code>SKUBER_CLUSTER</code> and create the service account <br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl config use-context arn:aws:eks:<span class="k">${</span><span class="nv">REGION</span><span class="k">}</span>:<span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span>:cluster/<span class="k">${</span><span class="nv">SKUBER_CLUSTER</span><span class="k">}</span> kubectl apply <span class="nt">-n</span> <span class="err">$</span> <span class="nt">-f</span> - <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> apiVersion: v1 kind: ServiceAccount metadata: name: </span><span class="k">${</span><span class="nv">SKUBER_SA</span><span class="k">}</span><span class="sh"> </span><span class="no">EOF </span></code></pre> </div> <h3> Create the aws-auth mapping </h3> <p>In order to map aws iam role to the actual kubernetes cluster permissions, we need to create a mapping:<br> IAM Role -&gt; Kubernetes Permissions</p> <p>For this example I'm using existing masters permissions group, its recommended to create something more specific with <a href="https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html" rel="noopener noreferrer">RBAC</a>.</p> <ul> <li>Create this mapping on every cluster that skuber will be able to interact with.</li> </ul> <p>Change the context to <code>REMOTE_CLUSTER</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl config use-context arn:aws:eks:<span class="k">${</span><span class="nv">REGION</span><span class="k">}</span>:<span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span>:cluster/<span class="k">${</span><span class="nv">REMOTE_CLUSTER</span><span class="k">}</span> kubectl edit configmap aws-auth <span class="nt">-n</span> kube-system </code></pre> </div> <p>Add the following mapping</p> <ul> <li>Replace the variables with the actual values </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">rolearn</span><span class="pi">:</span> <span class="s">arn:aws:iam::$ACCOUNT_ID:role/$IAM_ROLE_NAME</span> <span class="na">username</span><span class="pi">:</span> <span class="s">ci</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">system:masters</span> </code></pre> </div> <h3> Refresh EKS Code Examples </h3> <ul> <li>Set the environment variables according to <code>REMOTE_CLUSTER</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">namespace</span><span class="o">=</span>default <span class="nb">export </span><span class="nv">serverUrl</span><span class="o">=</span><span class="si">$(</span>aws eks describe-cluster <span class="nt">--name</span> <span class="nv">$REMOTE_CLUSTER</span> <span class="nt">--output</span> text <span class="nt">--query</span> cluster.endpoint<span class="si">)</span> <span class="nb">export </span><span class="nv">certificate</span><span class="o">=</span><span class="si">$(</span>aws eks describe-cluster <span class="nt">--name</span> <span class="nv">$REMOTE_CLUSTER</span> <span class="nt">--output</span> text <span class="nt">--query</span> cluster.certificateAuthority<span class="si">)</span> <span class="nb">export </span><span class="nv">clusterName</span><span class="o">=</span><span class="nv">$REMOTE_CLUSTER</span> <span class="nb">export </span><span class="nv">region</span><span class="o">=</span><span class="nv">$AWS_REGION</span> </code></pre> </div> <p>A working example for using <code>AwsAuthRefreshable</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code><span class="k">implicit</span> <span class="k">private</span> <span class="k">val</span> <span class="nv">as</span> <span class="k">=</span> <span class="nc">ActorSystem</span><span class="o">()</span> <span class="k">implicit</span> <span class="k">private</span> <span class="k">val</span> <span class="nv">ex</span> <span class="k">=</span> <span class="nv">as</span><span class="o">.</span><span class="py">dispatcher</span> <span class="k">val</span> <span class="nv">namespace</span> <span class="k">=</span> <span class="nv">System</span><span class="o">.</span><span class="py">getenv</span><span class="o">(</span><span class="s">"namespace"</span><span class="o">)</span> <span class="k">val</span> <span class="nv">serverUrl</span> <span class="k">=</span> <span class="nv">System</span><span class="o">.</span><span class="py">getenv</span><span class="o">(</span><span class="s">"serverUrl"</span><span class="o">)</span> <span class="k">val</span> <span class="nv">certificate</span> <span class="k">=</span> <span class="nv">Base64</span><span class="o">.</span><span class="py">getDecoder</span><span class="o">.</span><span class="py">decode</span><span class="o">(</span><span class="nv">System</span><span class="o">.</span><span class="py">getenv</span><span class="o">(</span><span class="s">"certificate"</span><span class="o">))</span> <span class="k">val</span> <span class="nv">clusterName</span> <span class="k">=</span> <span class="nv">System</span><span class="o">.</span><span class="py">getenv</span><span class="o">(</span><span class="s">"clusterName"</span><span class="o">)</span> <span class="k">val</span> <span class="nv">region</span> <span class="k">=</span> <span class="nv">Regions</span><span class="o">.</span><span class="py">fromName</span><span class="o">(</span><span class="nv">System</span><span class="o">.</span><span class="py">getenv</span><span class="o">(</span><span class="s">"region"</span><span class="o">))</span> <span class="k">val</span> <span class="nv">cluster</span> <span class="k">=</span> <span class="nc">Cluster</span><span class="o">(</span><span class="n">server</span> <span class="k">=</span> <span class="n">serverUrl</span><span class="o">,</span> <span class="n">certificateAuthority</span> <span class="k">=</span> <span class="nc">Some</span><span class="o">(</span><span class="nc">Right</span><span class="o">(</span><span class="n">certificate</span><span class="o">)),</span> <span class="n">clusterName</span> <span class="k">=</span> <span class="nc">Some</span><span class="o">(</span><span class="n">clusterName</span><span class="o">),</span> <span class="n">awsRegion</span> <span class="k">=</span> <span class="nc">Some</span><span class="o">(</span><span class="n">region</span><span class="o">))</span> <span class="k">val</span> <span class="nv">context</span> <span class="k">=</span> <span class="nc">Context</span><span class="o">(</span><span class="n">cluster</span> <span class="k">=</span> <span class="n">cluster</span><span class="o">,</span> <span class="n">authInfo</span> <span class="k">=</span> <span class="nc">AwsAuthRefreshable</span><span class="o">(</span><span class="n">cluster</span> <span class="k">=</span> <span class="nc">Some</span><span class="o">(</span><span class="n">cluster</span><span class="o">)))</span> <span class="k">val</span> <span class="nv">k8sConfig</span> <span class="k">=</span> <span class="nc">Configuration</span><span class="o">(</span><span class="n">clusters</span> <span class="k">=</span> <span class="nc">Map</span><span class="o">(</span><span class="n">clusterName</span> <span class="o">-&gt;</span> <span class="n">cluster</span><span class="o">),</span> <span class="n">contexts</span> <span class="k">=</span> <span class="nc">Map</span><span class="o">(</span><span class="n">clusterName</span> <span class="o">-&gt;</span> <span class="n">context</span><span class="o">)).</span><span class="py">useContext</span><span class="o">(</span><span class="n">context</span><span class="o">)</span> <span class="k">val</span> <span class="nv">k8s</span><span class="k">:</span> <span class="kt">KubernetesClient</span> <span class="o">=</span> <span class="nf">k8sInit</span><span class="o">(</span><span class="n">k8sConfig</span><span class="o">)</span> <span class="nf">listPods</span><span class="o">(</span><span class="n">namespace</span><span class="o">,</span> <span class="mi">0</span><span class="o">)</span> <span class="nf">listPods</span><span class="o">(</span><span class="n">namespace</span><span class="o">,</span> <span class="mi">5</span><span class="o">)</span> <span class="nf">listPods</span><span class="o">(</span><span class="n">namespace</span><span class="o">,</span> <span class="mi">11</span><span class="o">)</span> <span class="nv">k8s</span><span class="o">.</span><span class="py">close</span> <span class="nv">Await</span><span class="o">.</span><span class="py">result</span><span class="o">(</span><span class="nv">as</span><span class="o">.</span><span class="py">terminate</span><span class="o">(),</span> <span class="mf">10.</span><span class="n">seconds</span><span class="o">)</span> <span class="nv">System</span><span class="o">.</span><span class="py">exit</span><span class="o">(</span><span class="mi">0</span><span class="o">)</span> <span class="k">def</span> <span class="nf">listPods</span><span class="o">(</span><span class="n">namespace</span><span class="k">:</span> <span class="kt">String</span><span class="o">,</span> <span class="n">minutesSleep</span><span class="k">:</span> <span class="kt">Int</span><span class="o">)</span><span class="k">:</span> <span class="kt">Unit</span> <span class="o">=</span> <span class="o">{</span> <span class="nf">println</span><span class="o">(</span><span class="n">s</span><span class="s">"Sleeping $minutesSleep minutes..."</span><span class="o">)</span> <span class="nv">Thread</span><span class="o">.</span><span class="py">sleep</span><span class="o">(</span><span class="n">minutesSleep</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="o">)</span> <span class="nf">println</span><span class="o">(</span><span class="nv">DateTime</span><span class="o">.</span><span class="py">now</span><span class="o">)</span> <span class="k">val</span> <span class="nv">pods</span> <span class="k">=</span> <span class="nv">Await</span><span class="o">.</span><span class="py">result</span><span class="o">(</span><span class="nv">k8s</span><span class="o">.</span><span class="py">listInNamespace</span><span class="o">[</span><span class="kt">PodList</span><span class="o">](</span><span class="n">namespace</span><span class="o">),</span> <span class="mf">10.</span><span class="n">seconds</span><span class="o">)</span> <span class="nf">println</span><span class="o">(</span><span class="nv">pods</span><span class="o">.</span><span class="py">items</span><span class="o">.</span><span class="py">map</span><span class="o">(</span><span class="nv">_</span><span class="o">.</span><span class="py">name</span><span class="o">))</span> <span class="o">}</span> </code></pre> </div> kubernetes aws opensource scala