DEV Community: Shardul Srivastava The latest articles on DEV Community by Shardul Srivastava (@shardulsrivastava). https://dev.to/shardulsrivastava https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F497827%2F8abb9931-172a-456f-8fa3-525618ac5c2d.jpeg DEV Community: Shardul Srivastava https://dev.to/shardulsrivastava en Getting Started with Contributing to CNCF: A Beginner's Guide Shardul Srivastava Sat, 08 Feb 2025 21:46:28 +0000 https://dev.to/shardulsrivastava/getting-started-with-contributing-to-cncf-a-beginners-guide-4gp3 https://dev.to/shardulsrivastava/getting-started-with-contributing-to-cncf-a-beginners-guide-4gp3 <p>Contributing to CNCF is not difficult, but let me tell you what's difficult..</p> <p><strong>Finding out where to start contributing.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5eik3mt13avmk1f1z1vj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5eik3mt13avmk1f1z1vj.png" alt="Image description" width="477" height="357"></a></p> <p>So Let's start to peel the onion, the first thing you should do is to go through this amazing <a href="https://landscape.cncf.io/" rel="noopener noreferrer">CNCF Landscape</a>. This landscape covers not just the CNCF projects but also member projects.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7r3wi6o07rarjbc8jd50.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7r3wi6o07rarjbc8jd50.gif" alt="Image description" width="640" height="480"></a></p> <p>You can find an exhaustive list of all the CNCF Graduated and Incubating projects <a href="https://www.cncf.io/projects/" rel="noopener noreferrer">here</a>.</p> <p>Did I say Gradudated and Incubating... What's that ??</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft4mfu9vddtd6unu33c9s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft4mfu9vddtd6unu33c9s.png" alt="Image description" width="500" height="590"></a></p> <p>CNCF has a lot of projects under its umbrella, they are categorized based on their maturity levels, here are three different categories:</p> <ol> <li><p>Graduated - CNCF Graduated projects are mature, widely adopted, and have a mind-boggling community behind them. Kubernetes is one of the examples of Graduated CNCF projects.</p></li> <li><p>Incubating - CNCF Incubating projects are on their way to graduation but are still maturing. They have proven technical merit and community growth but may need to enhance their processes.</p></li> <li><p>Sandbox - CNCF Sandbox projects are early-stage projects that are in the process of establishing their community and technical merit</p></li> </ol> <p><a href="https://contribute.cncf.io/contributors/projects/" rel="noopener noreferrer">Here</a> is a very handy link to all the CNCF projects across maturity levels.</p> <p>This would help you to understand what are the projects and you will find that most of the cloud-related open-source projects are maintained by CNCF.</p> <h2> How to find the right issues </h2> <p>Use these Github queries to find the beginner-friendly issues from CNCF graduated, incubating and sandbox projects.</p> <h3> CNCF Graduated Projects </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>is:issue is:open label:"good first issue" repo:kubernetes/kubernetes repo:prometheus/prometheus repo:etcd-io/etcd repo:containerd/containerd repo:linkerd/linkerd2 repo:fluent/fluent-bit repo:helm/helm repo:opencontainers/runc repo:cni-org/cni repo:envoyproxy/envoy repo:jaegertracing/jaeger repo:grpc/grpc repo:vitessio/vitess repo:tuf/tuf repo:opentelemetry/opentelemetry-collector repo:tikv/tikv repo:dragonflyoss/Dragonfly2 repo:argoproj/argo-cd repo:falcosecurity/falco repo:openpolicyagent/opa repo:thanos-io/thanos repo:fluxcd/flux2 repo:longhorn/longhorn repo:cert-manager/cert-manager repo:contour-org/contour repo:emissary-ingress/emissary repo:harvester/harvester repo:k3s-io/k3s repo:kubeedge/kubeedge repo:kubeflow/kubeflow repo:kubewarden/kubewarden-controller repo:kyverno/kyverno repo:openservicemesh/osm repo:paralus/paralus repo:serverlessworkflow/specification repo:spire/spire repo:tremor-rs/tremor-runtime repo:wasmCloud/wasmcloud repo:keptn/keptn repo:backstage/backstage repo:openfeature/spec repo:cloudevents/spec repo:knative/serving repo:crossplane/crossplane repo:openebs/openebs repo:opencost/opencost repo:open-cluster-management-io/OCM repo:operator-framework/operator-sdk repo:porter-dev/porter repo:pravega/pravega repo:submariner-io/submariner repo:telepresenceio/telepresence repo:tricksterproxy/trickster repo:virtual-kubelet/virtual-kubelet repo:volcano-sh/volcano repo:weaveworks/weave repo:openyurtio/openyurt repo:meshery/meshery repo:chaos-mesh/chaos-mesh repo:openkruise/kruise repo:openelb/openelb repo:sealer/sealer repo:devfile/api repo:antrea-io/antrea repo:litmuschaos/litmus repo:karmada-io/karmada repo:openfunction/openfunction repo:open-gateway/gateway-api </code></pre> </div> <h3> CNCF Incubating Projects </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>is:issue is:open label:"good first issue" repo:artifacthub/hub repo:backstage/backstage repo:buildpacks/pack repo:chaos-mesh/chaos-mesh repo:cloud-custodian/cloud-custodian repo:containernetworking/cni repo:projectcontour/contour repo:cortexproject/cortex repo:crossplane/crossplane repo:dragonflyoss/Dragonfly2 repo:emissary-ingress/emissary repo:flatcar/flatcar repo:grpc/grpc repo:karmada-io/karmada repo:keptn/keptn repo:keycloak/keycloak repo:knative/serving repo:kubeflow/kubeflow repo:kubescape/kubescape repo:kubevela/kubevela repo:kubevirt/kubevirt repo:kyverno/kyverno repo:litmuschaos/litmus repo:longhorn/longhorn repo:nats-io/nats-server repo:notaryproject/notary repo:opencost/opencost repo:open-feature/spec repo:openkruise/kruise repo:opentelemetry/opentelemetry-collector repo:openyurtio/openyurt repo:operator-framework/operator-sdk repo:strimzi/strimzi-kafka-operator repo:thanos-io/thanos repo:volcano-sh/volcano repo:wasmCloud/wasmcloud </code></pre> </div> <h3> CNCF Sandbox Projects </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>is:issue is:open label:"good first issue" repo:aeraki-mesh/aeraki repo:akri-sh/akri repo:antrea-io/antrea repo:armadaproject/armada repo:yahoo/athenz repo:runatlantis/atlantis repo:banzaicloud/bank-vaults repo:bfenetworks/bfe repo:bpfman/bpfman repo:projectcapsule/capsule repo:carina-io/carina repo:cartography-cncf/cartography repo:carvel-dev/ytt repo:cdk8s-team/cdk8s repo:chaosblade-io/chaosblade repo:cloudnative-pg/cloudnative-pg repo:clusternet/clusternet repo:clusterpedia-io/clusterpedia repo:confidential-containers/confidential-containers repo:connectrpc/connect-go repo:containerssh/containerssh repo:project-copacetic/copacetic repo:cozystack/cozystack repo:devfile/api repo:devspace-sh/devspace repo:devstream-io/devstream repo:dexidp/dex repo:distribution/distribution repo:easegress-io/easegress repo:eraser-dev/eraser repo:external-secrets/external-secrets repo:fluid-cloudnative/fluid repo:Project-HAMi/HAMi repo:headlamp-k8s/headlamp repo:hexa-org/policy-orchestrator repo:hwameistor/hwameistor repo:hyperlight-dev/hyperlight repo:inclavare-containers/inclavare-containers repo:inspektor-gadget/inspektor-gadget repo:interTwin-eu/interLink repo:k0sproject/k0s repo:k3s-io/k3s repo:k8gb-io/k8gb repo:k8sgpt-ai/k8sgpt repo:k8up-io/k8up repo:kairos-io/kairos repo:kanisterio/kanister repo:kcl-lang/kcl repo:kcp-dev/kcp repo:sustainable-computing-io/kepler repo:keylime/keylime repo:kgateway-dev/kgateway repo:kitops-ml/kitops repo:kmesh-net/kmesh repo:ko-build/ko repo:konveyor/operator repo:koordinator-sh/koordinator repo:kptdev/kpt repo:krkn-chaos/krkn repo:kuadrant/kuadrant-operator repo:kuasar-io/kuasar repo:kube-burner/kube-burner repo:kubeovn/kube-ovn repo:kube-rs/kube repo:kube-vip/kube-vip repo:kubean-io/kubean repo:kubearmor/kubearmor repo:kubeclipper/kubeclipper repo:kuberhealthy/kuberhealthy repo:kubeslice/kubeslice repo:kubestellar/kubestellar repo:kubewarden/kubewarden-controller repo:kudobuilder/kudo repo:kumahq/kuma repo:kubereboot/kured repo:KusionStack/kusion repo:lima-vm/lima repo:kube-logging/logging-operator repo:loxilb-io/loxilb repo:merbridge/merbridge repo:meshery/meshery repo:metallb/metallb repo:metal3-io/baremetal-operator </code></pre> </div> <h2> How to start doing the setup. </h2> <p>Well every project has it's own guide on how to get started, reading through CONTRIBUTING.md would help you with setting up the project local.</p> <h2> How to check your contributions </h2> <p>CNCF has a score system that tells how much you have contributed to CNCF projects, you can check your score here.</p> <p><a href="https://devstats.cluster.fun/" rel="noopener noreferrer">https://devstats.cluster.fun/</a></p> <p>If you came this far, let me share something that will help you to get up to date with what's going on</p> <h2> How to interact with the community behind the projects </h2> <p>If you are interested in contributing into any projects, always join their slack channel in CNCF, here is how you can get invited to the CNCF slack - <a href="https://communityinviter.com/apps/cloud-native/cncf" rel="noopener noreferrer">https://communityinviter.com/apps/cloud-native/cncf</a>.</p> Running Apache Kafka on Containers Shardul Srivastava Sun, 30 Oct 2022 18:12:00 +0000 https://dev.to/aws-builders/running-apache-kafka-on-containers-2ing https://dev.to/aws-builders/running-apache-kafka-on-containers-2ing <p>Apache Kafka is one of the most famous data stores. It's a go-to tool to collect streaming data at scale and process them with either <a href="https://kafka.apache.org/documentation/streams/">Kafka streams</a> or <a href="https://spark.apache.org/docs/latest/structured-streaming-kafka-integration.html">Apache Spark</a>.</p> <p>Getting started with Kafka is challenging as it involves familiarising a lot of new concepts such as topics, replication, and offsets, and then you have to understand what a Zookeeper is.</p> <p>Confluent is a company specialising in Kafka with their cloud-based offering called <strong>Confluent cloud</strong>. Confluent is one of the biggest contributors to the Kafka open-source project. they have created some great tools to help with Kafka such as <a href="https://www.confluent.io/product/ksqldb/">KsqlDB</a> that allows us to query streaming data (It's amazing, try it).</p> <p>Apart from that Confluent has great articles on understanding Kafka internals.</p> <h2> Kafka with Docker </h2> <p>To get started with Kafka on Docker, we are going to use confluent Kafka images.</p> <ol> <li>Create a docker-compose.yaml file with one zookeeper and one Kafka container: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">zookeeper</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">confluentinc/cp-zookeeper:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">zookeeper</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">ZOOKEEPER_CLIENT_PORT</span><span class="pi">:</span> <span class="m">2181</span> <span class="na">ZOOKEEPER_TICK_TIME</span><span class="pi">:</span> <span class="m">2000</span> <span class="na">kafka</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">confluentinc/cp-kafka:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">broker</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9092:9092"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">zookeeper</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">KAFKA_BROKER_ID</span><span class="pi">:</span> <span class="m">1</span> <span class="na">KAFKA_ZOOKEEPER_CONNECT</span><span class="pi">:</span> <span class="s1">'</span><span class="s">zookeeper:2181'</span> <span class="na">KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</span><span class="pi">:</span> <span class="s">PLAINTEXT:PLAINTEXT,PLAINTEXT_INTERNAL:PLAINTEXT</span> <span class="na">KAFKA_ADVERTISED_LISTENERS</span><span class="pi">:</span> <span class="s">PLAINTEXT://localhost:9092,PLAINTEXT_INTERNAL://kafka:29092</span> <span class="na">KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR</span><span class="pi">:</span> <span class="m">1</span> </code></pre> </div> <p>Start both containers in detached mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose up <span class="nt">-d</span> </code></pre> </div> <p>docker-compose starts zookeeper on port <code>2181</code> and Kafka on port <code>9092</code> along with some configurations:</p> <ol> <li> <p>Zookeeper</p> <ol> <li> <strong><code>ZOOKEEPER_CLIENT_PORT</code></strong> - Port where Zookeeper would be available.</li> <li> <strong><code>ZOOKEEPER_TICK_TIME</code></strong>- the length of a single tick.</li> </ol> </li> <li> <p>Kafka</p> <ol> <li> <strong><code>KAFKA_ZOOKEEPER_CONNECT</code></strong> - Instructs Kafka how to connect to ZooKeeper.</li> <li> <strong><code>KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</code></strong> - Defines key/value pairs for the security protocol to use, per listener name.</li> <li> <strong><code>KAFKA_ADVERTISED_LISTENERS</code></strong> - A comma-separated list of listeners with their host/IP and port. Read more about kafka listeners <a href="https://www.confluent.io/blog/kafka-listeners-explained/">here</a>.</li> <li> <strong><code>KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR</code></strong> - Equivalent of broker configuration <code>offsets.topic.replication.factor</code> which is the replication factor for the offsets topic. Since we are running with just one Kafka node, we need to set this to 1.</li> </ol> </li> </ol> <blockquote> <p>Read more about how the connection to kafka broker works in a docker container <a href="https://www.confluent.io/blog/kafka-client-cannot-connect-to-broker-on-aws-on-docker-etc/">here</a></p> </blockquote> <h2> Create Topics in Kafka </h2> <p>Kafka topics are like database tables. Just like a database, we have to create a table to start storing the data, for Kafka we have to create a topic.</p> <p>Unlike a database that has a command to create a database, Kafka comes with some utility scripts, one of which is to create a topic that requires mandatory input as the topic name and a few other optional arguments.</p> <ol> <li> <p>Log in to the Kafka container<br> </p> <pre class="highlight shell"><code>docker-compose <span class="nb">exec </span>kafka bash </code></pre> </li> <li> <p>Create a topic by the name <code>kafka-test</code><br> </p> <pre class="highlight shell"><code>/usr/bin/kafka-topics <span class="se">\</span> <span class="nt">--bootstrap-server</span> broker:9092 <span class="se">\</span> <span class="nt">--create</span> <span class="se">\</span> <span class="nt">--topic</span> kafka-test Created topic kafka-test. </code></pre> </li> </ol> <p>Try running this command again and you will get this error: </p> <blockquote> <p>Error while executing the topic command: Topic 'kafka-test' already exists.</p> </blockquote> <p>Not so much CI friendly right ?? <code>--if-not-exists</code> allows you to create a topic if it doesn't exist and retuns exit code 0.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/usr/bin/kafka-topics <span class="se">\</span> <span class="nt">--bootstrap-server</span> broker:9092 <span class="se">\</span> <span class="nt">--create</span> <span class="se">\</span> <span class="nt">--if-not-exists</span> <span class="se">\</span> <span class="nt">--topic</span> kafka-test </code></pre> </div> <p>There are a couple of other arguments that are essential for a good understanding of Kafka:</p> <ol> <li> <strong><code>--partitions</code></strong> - Kafka topics are partitioned i.e the data of topics are spread across multiple brokers for scalability.</li> <li> <strong><code>--replication-factor</code></strong> - To make data in a topic fault-tolerant and highly-available, every topic can be replicated, so that there are always multiple brokers that have a copy of the data.</li> </ol> <h2> What's a Kafka Message </h2> <p>Once we have the topic created, we can start sending messages to the topic. A Message consists of headers, a key, and a value. Let's talk about each of these.</p> <ol> <li><p><strong><code>Headers</code></strong> - Headers are key-value pairs and give the ability to add some metadata about the kafka message. Read the original KIP(Kafka Improvement Proposals) proposing headers <a href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-82+-+Add+Record+Headers">here</a>.</p></li> <li><p><strong><code>Key</code></strong> - Key for the kafka message. The key value can be null. Randomly chosen keys (i.e. serial numbers and UUID) are the best example of message keys. Read more about when you should use a key <a href="https://forum.confluent.io/t/what-should-i-use-as-the-key-for-my-kafka-message/312/2">here</a>.</p></li> <li><p><strong><code>Value</code></strong> - Actual data to be stored in kafka. Could be a string, json, Protobuf, or AVRO data format.</p></li> </ol> <h2> Writing to a Kafka Topic </h2> <p>Kafka provides a <a href="https://docs.confluent.io/platform/current/clients/producer.html">Producer API</a> to send a message to the Kafka topic. This API is available in java with <a href="https://kafka.apache.org/33/javadoc/index.html?org/apache/kafka/clients/producer/KafkaProducer.html">kafka-clients</a> library and python with <a href="https://kafka-python.readthedocs.io/en/master/apidoc/KafkaProducer.html">kafka-python</a> package.</p> <p>Luckily for us, we don't have to use any of these. Kafka comes with an out of box script <code>kafka-console-producer</code> that allows us to write data to a kafka topic. </p> <p>Run the command and as soon as the command returns <code>&gt;</code> with a new line, enter the Json message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/usr/bin/kafka-console-producer <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka:9092 <span class="se">\</span> <span class="nt">--topic</span> kafka-test <span class="o">&gt;{</span><span class="s2">"tickers"</span>: <span class="o">[{</span><span class="s2">"name"</span>: <span class="s2">"AMZN"</span>, <span class="s2">"price"</span>: 1902<span class="o">}</span>, <span class="o">{</span><span class="s2">"name"</span>: <span class="s2">"MSFT"</span>, <span class="s2">"price"</span>: 107<span class="o">}</span>, <span class="o">{</span><span class="s2">"name"</span>: <span class="s2">"AAPL"</span>, <span class="s2">"price"</span>: 215<span class="o">}]}</span> </code></pre> </div> <p>We have successfully sent a message to the topic. </p> <blockquote> <p>Enter <code>Control + C</code> to stop the script.</p> </blockquote> <p>however this message was sent without any key, To send a key we have to set the properties <code>parse.key</code> to allow sending the key.</p> <blockquote> <p>Default key separator is <code>\t(tab)</code>,we can change it by setting the property <code>key.separator</code>. <strong>Eg: --property "key.separator=:"</strong></p> </blockquote> <p>Let's try to send a message with a random key <code>stocks-123</code> this time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/usr/bin/kafka-console-producer <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka:9092 <span class="se">\</span> <span class="nt">--topic</span> kafka-test <span class="se">\</span> <span class="nt">--property</span> <span class="s2">"parse.key=true"</span> <span class="o">&gt;</span>stocks-123 <span class="o">{</span><span class="s2">"tickers"</span>: <span class="o">[{</span><span class="s2">"name"</span>: <span class="s2">"AMZN"</span>, <span class="s2">"price"</span>: 1902<span class="o">}</span>, <span class="o">{</span><span class="s2">"name"</span>: <span class="s2">"MSFT"</span>, <span class="s2">"price"</span>: 107<span class="o">}</span>, <span class="o">{</span><span class="s2">"name"</span>: <span class="s2">"AAPL"</span>, <span class="s2">"price"</span>: 215<span class="o">}]}</span> </code></pre> </div> <p>With the release of kafka version <a href="https://archive.apache.org/dist/kafka/3.2.0/RELEASE_NOTES.html">3.2.0</a>, it's possible to <a href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-798%3A+Add+possibility+to+write+kafka+headers+in+Kafka+Console+Producer">send headers using ConsoleProducer</a> by setting the property <code>parse.headers</code> to <strong>true</strong>.</p> <p>Headers are metadata about the kafka message, souce of these stock prices would be a good candidate for the headers. Let's add a header key as <code>stock_source</code> and value as <code>nyse</code> to the Kafka message :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/usr/bin/kafka-console-producer <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka:9092 <span class="se">\</span> <span class="nt">--topic</span> kafka-test <span class="se">\</span> <span class="nt">--property</span> <span class="s2">"parse.key=true"</span> <span class="se">\</span> <span class="nt">--property</span> <span class="s2">"parse.headers=true"</span> <span class="o">&gt;</span>stock_source:nyse stocks-123 <span class="o">{</span><span class="s2">"tickers"</span>: <span class="o">[{</span><span class="s2">"name"</span>: <span class="s2">"AMZN"</span>, <span class="s2">"price"</span>: 1902<span class="o">}</span>, <span class="o">{</span><span class="s2">"name"</span>: <span class="s2">"MSFT"</span>, <span class="s2">"price"</span>: 107<span class="o">}</span>, <span class="o">{</span><span class="s2">"name"</span>: <span class="s2">"AAPL"</span>, <span class="s2">"price"</span>: 215<span class="o">}]}</span> </code></pre> </div> <p>Now we have successfully sent a kafka message with a header, key and value.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdwub7kn4d7nhy0ojs6e2.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdwub7kn4d7nhy0ojs6e2.gif" alt="baby-scream-yeah.gif" width="498" height="462"></a></p> <blockquote> <p>Check out supported properties for kafka-consoler-producer <a href="https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/tools/ConsoleProducer.scala#L221-L240">here</a>.</p> </blockquote> <h2> Reading from a Kafka Topic </h2> <p>Kafka provides a <a href="https://docs.confluent.io/platform/current/clients/consumer.html">Consumer API</a> to read messages from a Kafka topic. This API is available in java with <a href="https://kafka.apache.org/33/javadoc/index.html?org/apache/kafka/clients/consumer/KafkaConsumer.html">kafka-clients</a> library and python with <a href="https://kafka-python.readthedocs.io/en/master/apidoc/KafkaConsumer.html">kafka-python</a> package.</p> <p>Kafka comes with an out of box script <code>kafka-console-consumer</code> to read messages from the kafka topic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/usr/bin/kafka-console-consumer <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka:9092 <span class="se">\</span> <span class="nt">--topic</span> kafka-test </code></pre> </div> <p>However, this command only prints the values of the kafka message. To print the key and headers, we have to set the properties <code>print.headers</code>, <code>print.key</code> to <strong>true</strong>. We can also print the timestamp of the message with the property <code>print.timestamp</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/usr/bin/kafka-console-consumer <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka:9092 <span class="se">\</span> <span class="nt">--topic</span> kafka-test <span class="se">\</span> <span class="nt">--property</span> print.headers<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--property</span> print.key<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--property</span> print.timestamp<span class="o">=</span><span class="nb">true</span> </code></pre> </div> <p>There is other information such as <code>partition</code> and <code>offset</code>, they can be printed by setting the properties <code>--property print.offset=true</code> and <code>--property print.partition=true</code>.</p> <p>Everytime we read from the a kafka topic, Kafka keeps track of the last offset the consumer read from and allows you to read from that point next time, however we can always read from the beginning using the arguments <code>--from-beginning</code>.</p> <p>To always read from a kafka topic from the beginning:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/usr/bin/kafka-console-consumer <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka:9092 <span class="se">\</span> <span class="nt">--topic</span> kafka-test <span class="se">\</span> <span class="nt">--from-beginning</span> <span class="se">\</span> <span class="nt">--property</span> print.headers<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--property</span> print.key<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--property</span> print.timestamp<span class="o">=</span><span class="nb">true</span> </code></pre> </div> <blockquote> <p>Is this too much to remember ?? <br> Don't worry we have an easier way of reading and writing from Kafka topics.</p> </blockquote> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy6isvqojqtkmwe85pdsk.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy6isvqojqtkmwe85pdsk.jpeg" alt="baby-yoda" width="500" height="500"></a></p> <h2> kcat Utility </h2> <p><a href="https://github.com/edenhill/kcat">kcat</a> is an awesome tool to make our lives easier, it allows us to read and write from kafka topics without tons of scripts and in a more user-friendly way.</p> <p>As Confluent puts it, "It is a swiss-army knife of tools for inspecting and creating data in Kafka"</p> <p><code>kcat</code> has two modes, it runs in producer mode by specifying the argument <code>-P</code> and consumer mode by specifying the argument <code>-C</code>.It also automatically selects its mode depending on the terminal or pipe type. If data is being piped to kcat it will automatically select producer (-P) mode. If data is being piped from kcat (e.g. standard terminal output) it will automatically select consumer (-C) mode.</p> <ol> <li> <p>To read data from kafka topics, simply run<br> </p> <pre class="highlight shell"><code>kcat <span class="nt">-b</span> localhost:9092 <span class="nt">-t</span> kafka-test </code></pre> </li> <li> <p>To write data to a Kafka topic, run<br> </p> <pre class="highlight shell"><code>kcat <span class="nt">-P</span> <span class="nt">-b</span> localhost:9092 <span class="nt">-t</span> kafka-test </code></pre> </li> </ol> <p>Take a look at the examples <a href="https://github.com/edenhill/kcat#examples">here</a> to find out more about the usage.</p> <p><a href="https://www.confluent.io/blog/5-things-every-kafka-developer-should-know/">here</a> are some tips and tricks of using Kafka.</p> kafka docker containers confluent Getting Started with ACK RDS Controller Shardul Srivastava Tue, 18 Oct 2022 20:31:17 +0000 https://dev.to/aws-builders/getting-started-with-ack-rds-controller-10kc https://dev.to/aws-builders/getting-started-with-ack-rds-controller-10kc <p><a href="https://github.com/aws-controllers-k8s/rds-controller">ACK controller for RDS</a> is a <a href="https://kubernetes.io/docs/concepts/architecture/controller/">Kubernetes Controller</a> for provisioning RDS instances in a kubernetes native way.</p> <p><code>ACK controller for RDS</code> supports creating these database engines:</p> <ol> <li>Amazon Aurora (MySQL &amp; PostgreSQL)</li> <li>Amazon RDS for PostgreSQL</li> <li>Amazon RDS for MySQL</li> <li>Amazon RDS for MariaDB</li> <li>Amazon RDS for Oracle</li> <li>Amazon RDS for SQL Server</li> </ol> <h2> Install ACK Controller for RDS </h2> <p>Let's start by setting up an EKS cluster. <code>ACK Controller for RDS</code> requires <code>AmazonRDSFullAccess</code> to create and manage RDS instances.<br> We will also create a service account <code>ack-rds-controller</code> for <code>ACK Controller for RDS</code> and attach <a href="https://github.com/aws-controllers-k8s/rds-controller/blob/main/helm/values.yaml#L81">AmazonRDSFullAccess</a> IAM permissions to this service account with the help of <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IRSA</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: name: ack-cluster region: eu-west-1 version: <span class="s2">"1.22"</span> iam: withOIDC: <span class="nb">true </span>serviceAccounts: - metadata: <span class="c"># Service account used by rds-controller https://github.com/aws-controllers-k8s/rds-controller/blob/main/helm/values.yaml#L81</span> name: ack-rds-controller namespace: ack-system <span class="c"># https://github.com/aws-controllers-k8s/rds-controller/blob/main/config/iam/recommended-policy-arn</span> attachPolicyARNs: - <span class="s2">"arn:aws:iam::aws:policy/AmazonRDSFullAccess"</span> managedNodeGroups: - name: managed-ng-1 minSize: 1 maxSize: 10 desiredCapacity: 1 instanceType: t3.large amiFamily: AmazonLinux2 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>eksctl create cluster <span class="nt">-f</span> ack-cluster.yaml </code></pre> </div> <p>Once the cluster is created, install the <code>ACK Controller for RDS</code> using <a href="https://gallery.ecr.aws/aws-controllers-k8s/rds-chart">Helm chart</a>. <code>ACK Controller for RDS</code> helm charts are stored in the public ECR repository.</p> <p><strong>Note:</strong> Check the latest version of the helm chart <a href="https://gallery.ecr.aws/aws-controllers-k8s/rds-chart">here</a></p> <p>Authenticate to the ECR repo using your AWS credentials :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws ecr-public get-login-password <span class="nt">--region</span> us-east-1 | helm registry login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> public.ecr.aws Login Succeeded </code></pre> </div> <p>Once you're authenticated, install <code>ACK Controller for RDS</code> in the <code>ack-system</code> namespace :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> helm upgrade <span class="se">\</span> <span class="nt">--install</span> <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> ack-rds <span class="se">\</span> <span class="nt">-n</span> ack-system <span class="se">\</span> oci://public.ecr.aws/aws-controllers-k8s/rds-chart <span class="se">\</span> <span class="nt">--version</span><span class="o">=</span>v0.1.1 <span class="se">\</span> <span class="nt">--set</span><span class="o">=</span>aws.region<span class="o">=</span>eu-west-1 <span class="se">\</span> <span class="nt">--set</span><span class="o">=</span>serviceAccount.create<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span><span class="o">=</span>log.level<span class="o">=</span>debug </code></pre> </div> <p>During installation, we are setting these values in the Helm chart:</p> <ol> <li> <code>aws.region</code> - AWS Region for API Calls.</li> <li> <code>serviceAccount.create</code> - Setting this to false, since serviceAccount is created by eksctl during cluster creation above.</li> <li> <code>log.level</code> - Setting this to <code>debug</code> to see detailed logs.</li> </ol> <p><code>ACK controller for RDS</code> installs several CRDs that allow you to provision RDS instances and related components:</p> <ol> <li> <strong><code>GlobalCluster</code></strong> - Custom resource to create <a href="https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database.html">Aurora Global cluster</a>.</li> <li> <strong><code>DBCluster</code></strong> - Custom resource to create <a href="https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_AuroraOverview.html">Amazon Aurora DB Cluster</a>.</li> <li> <strong><code>DBInstance</code></strong> - Custom resource to create <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html">Amazon RDS DB Instances</a>.</li> <li> <strong><code>DBClusterParameterGroup</code></strong> - Custom resource to create <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithDBClusterParamGroups.html">DB cluster parameter groups</a>.</li> <li> <strong><code>DBParameterGroup</code></strong> - Custom resource to create <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithDBInstanceParamGroups.html">DB parameter groups</a>.</li> <li> <strong><code>DBProxy</code></strong> - Custom resource to create <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.html">Amazon RDS Proxy</a> </li> <li> <strong><code>DBSubnetGroup</code></strong> - Custom resource to create <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html">DB Subnet Group</a>.</li> </ol> <p><strong>Note:</strong>. Refer <a href="https://aws-controllers-k8s.github.io/community/reference/rds/v1alpha1/dbcluster/">here</a> for the reference of these CRDs. </p> <p>Check <code>ACK controller for RDS</code> logs in cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-f</span> <span class="nt">-l</span> app.kubernetes.io/instance<span class="o">=</span>ack-rds </code></pre> </div> <h3> Create Autora PostgreSQL Cluster with RDS Controller </h3> <p>To create an Aurora PostgreSQL Cluster with <code>ACK controller for RDS</code>, we have to first create a DB Subnet Group using <code>DBSubnetGroup</code>, then create a Aurora Cluster using <code>DBCluster</code> and add two Aurora Database instances in the cluster using <code>DBInstance</code>.</p> <ol> <li> <p>Create a DB Subnet Group <code>test-ack-subnetgroup</code> with all the subnets that are part of the VPC created by eksctl or use your existing subnets:<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rds.services.k8s.aws/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DBSubnetGroup</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test-ack-subnetgroup"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test-ack-subnetgroup"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Test</span><span class="nv"> </span><span class="s">ACK</span><span class="nv"> </span><span class="s">Subnet</span><span class="nv"> </span><span class="s">Group"</span> <span class="na">subnetIDs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">subnet-011e4c822231b65fa"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">subnet-001ce16b9b7c3578f"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">subnet-0a90579d9b066ecf7"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">subnet-00e6d2e90ea132c8b"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">subnet-0fbc22e542749c98c"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">subnet-080c0b1ed39b0aa91"</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">created-by"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ack-rds"</span> </code></pre> <p><strong>Note:</strong> To get all the subnets created by eksctl, run command:<br> </p> <pre class="highlight shell"><code>eksctl get cluster ack-cluster <span class="nt">-o</span> json| jq <span class="nt">-r</span> <span class="s1">'.[0].ResourcesVpcConfig.SubnetIds'</span> </code></pre> </li> <li> <p>Check the status of <code>test-ack-subnetgroup</code> DB Subnet Group :<br> </p> <pre class="highlight shell"><code>kubectl get dbsubnetgroup test-ack-subnetgroup <span class="nt">-ojson</span>| jq <span class="nt">-r</span> <span class="s1">'.status.subnetGroupStatus'</span> Complete </code></pre> <p>if it returns <code>Complete</code>, then <code>DB Subnet group</code> is successfully created.</p> </li> <li> <p>Create a secret to store the password of the master user :<br> </p> <pre class="highlight shell"><code>kubectl create secret generic <span class="s2">"test-ack-master-password"</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">DATABASE_PASSWORD</span><span class="o">=</span><span class="s2">"mypassword"</span> secret/test-ack-master-password created </code></pre> </li> <li> <p>Create an Aurora DB Cluster <code>test-ack-aurora-cluster</code> using <code>DBCluster</code> :<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rds.services.k8s.aws/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DBCluster</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test-ack-aurora-cluster"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">engine</span><span class="pi">:</span> <span class="s">aurora-postgresql</span> <span class="na">engineVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">14.4"</span> <span class="na">engineMode</span><span class="pi">:</span> <span class="s">provisioned</span> <span class="na">dbClusterIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test-ack-aurora-cluster"</span> <span class="na">databaseName</span><span class="pi">:</span> <span class="s">test-ack</span> <span class="na">dbSubnetGroupName</span><span class="pi">:</span> <span class="s">test-ack-subnetgroup</span> <span class="na">deletionProtection</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">masterUsername</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test"</span> <span class="na">masterUserPassword</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">default"</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test-ack-master-password"</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">DATABASE_PASSWORD"</span> <span class="na">storageEncrypted</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">enableCloudwatchLogsExports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgresql</span> <span class="na">backupRetentionPeriod</span><span class="pi">:</span> <span class="m">14</span> <span class="na">copyTagsToSnapshot</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">preferredBackupWindow</span><span class="pi">:</span> <span class="s">00:00-01:59</span> <span class="na">preferredMaintenanceWindow</span><span class="pi">:</span> <span class="s">sat:02:00-sat:04:00</span> </code></pre> </li> <li> <p>Once created, check the status of <code>DBCluster</code> resource <code>test-ack-aurora-cluster</code>:<br> </p> <pre class="highlight shell"><code>kubectl describe DBCluster test-ack-aurora-cluster </code></pre> <p>if the status is <code>available</code> then Aurora DB Cluster is successfully created.</p> </li> <li> <p>After <code>DBCluster</code> is successfully created, add two Aurora DB Instances <code>test-ack-aurora-instance-1</code> and <code>test-ack-aurora-instance-2</code> to the DB cluster using <code>DBInstance</code> :<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rds.services.k8s.aws/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DBInstance</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-ack-aurora-instance-1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">dbInstanceClass</span><span class="pi">:</span> <span class="s">db.t4g.medium</span> <span class="na">dbInstanceIdentifier</span><span class="pi">:</span> <span class="s">test-ack-aurora-instance-1</span> <span class="na">dbClusterIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test-ack"</span> <span class="na">engine</span><span class="pi">:</span> <span class="s">aurora-postgresql</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rds.services.k8s.aws/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DBInstance</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-ack-aurora-instance-2</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">dbInstanceClass</span><span class="pi">:</span> <span class="s">db.t4g.medium</span> <span class="na">dbInstanceIdentifier</span><span class="pi">:</span> <span class="s">test-ack-aurora-instance-2</span> <span class="na">dbClusterIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test-ack"</span> <span class="na">engine</span><span class="pi">:</span> <span class="s">aurora-postgresql</span> </code></pre> <p>When these instances are available, one of them will be a <strong>Writer Instance</strong> and other one will be a <strong>Reader Instance</strong>.</p> </li> <li> <p>Check the status of <code>DBInstance</code> :<br> </p> <pre class="highlight shell"><code>kubectl describe DBInstance test-ack-aurora-instance-1 kubectl describe DBInstance test-ack-aurora-instance-2 </code></pre> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fos1m6jt0qf7rxd685fzj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fos1m6jt0qf7rxd685fzj.png" alt="rds-instance-status" width="800" height="126"></a></p> <p>Status <code>available</code> means that DB Instances are ready to use now.</p> </li> <li> <p>Get the <code>Writer Endpoint</code> of the Aurora RDS cluster:<br> </p> <pre class="highlight shell"><code>kubectl get dbcluster test-ack-aurora-cluster <span class="nt">-ojson</span>| jq <span class="nt">-r</span> <span class="s1">'.status.endpoint'</span> test-ack-aurora-cluster.cluster-cncphmukmdde.eu-west-1.rds.amazonaws.com </code></pre> </li> <li> <p>Get the <code>Reader Endpoint</code> of the Aurora RDS cluster:<br> </p> <pre class="highlight shell"><code>kubectl get dbcluster test-ack-aurora-cluster <span class="nt">-ojson</span>| jq <span class="nt">-r</span> <span class="s1">'.status.readerEndpoint'</span> test-ack-aurora-cluster.cluster-ro-cncphmukmdde.eu-west-1.rds.amazonaws.com </code></pre> </li> </ol> <p>When you have the Aurora DB Cluster provisioned, you would want to extract values such as <code>Reader Endpoint</code> and <code>Writer Endpoint</code> and configure them in the application to connect to the cluster.</p> <p><code>ACK controller for RDS</code> provides a way to import these values directly from the <code>DBCluster</code> or <code>DBInstance</code> resource to a desired <code>Configmap</code> or <code>Secret</code>.</p> <h3> Export the Database Details in a Configmap </h3> <p><code>FieldExport</code> CRD allows you to export any spec or status field from a <code>DBCluster</code> or <code>DBInstance</code> resource into a ConfigMap.</p> <ol> <li> <p>Create an empty <code>ConfigMap</code> :<br> </p> <pre class="highlight shell"><code>kubectl create cm ack-cluster-config configmap/ack-cluster-config created </code></pre> </li> <li> <p>Create a <code>FieldExport</code> to import the value of <code>.status.endpoint</code> from <code>test-ack-aurora-cluster</code> DBCluster resource to the ConfigMap <code>ack-cluster-config</code> :<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">services.k8s.aws/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">FieldExport</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ack-cm-field-export</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">from</span><span class="pi">:</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">rds.services.k8s.aws</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DBCluster</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-ack-aurora-cluster</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">.status.endpoint"</span> <span class="na">to</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">configmap</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ack-cluster-config</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DATABASE_HOST</span> </code></pre> </li> <li> <p>Inspect the values of ConfigMap <code>ack-cluster-config</code><br> </p> <pre class="highlight shell"><code>kubectl get cm ack-cluster-config <span class="nt">-ojson</span>|jq <span class="nt">-r</span> <span class="s1">'.data'</span> </code></pre> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flo1dnn2lld88r6ii4krt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flo1dnn2lld88r6ii4krt.png" alt="ack-field-export-cm" width="800" height="79"></a></p> </li> </ol> <h3> Export the Database Details in a Secret </h3> <p><code>FieldExport</code> CRD allows you to export any spec or status field from a <code>DBCluster</code> or <code>DBInstance</code> into a Secret.</p> <ol> <li> <p>Create an empty <code>Secret</code> :<br> </p> <pre class="highlight shell"><code>kubectl create secret generic ack-cluster-secret secret/ack-cluster-secret created </code></pre> </li> <li> <p>Create a <code>FieldExport</code> to import the value of <code>.status.endpoint</code> from <code>test-ack-aurora-cluster</code> DBCluster resource to the Secret <code>ack-cluster-secret</code> :<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">services.k8s.aws/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">FieldExport</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ack-secret-field-export</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">from</span><span class="pi">:</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">rds.services.k8s.aws</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DBCluster</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-ack-aurora-cluster</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">.status.endpoint"</span> <span class="na">to</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">secret</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ack-cluster-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DATABASE_HOST</span> </code></pre> </li> <li> <p>Inspect the values of Secret <code>ack-cluster-secret</code><br> </p> <pre class="highlight shell"><code>kubectl view-secret ack-cluster-secret <span class="nt">--all</span> </code></pre> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fha83dbp7fsdvj5ls0zf7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fha83dbp7fsdvj5ls0zf7.png" alt="ack-field-export-secret" width="800" height="75"></a></p> <p><strong>Note:</strong> <code>view-secret</code> is a kubectl plugin, check out my <a href="https://shardul.dev/most-useful-kubectl-plugins/">blog</a> on how to use this plugin.</p> </li> </ol> <blockquote> <p>📌 <strong>FieldExport and ACK resource should be in the same namespace.</strong></p> </blockquote> <h2> Important - Clean up </h2> <p>To clean up the clusters, first disable the delete protection by setting <code>.spec.deletionProtection</code> to false for the <code>test-ack-aurora-cluster</code> DBCluster resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> test-ack-aurora-cluster.yaml dbcluster.rds.services.k8s.aws/test-ack-aurora-cluster configured </code></pre> </div> <p>Now, you can proceed to delete the instances first and then cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete <span class="nt">-f</span> test-ack-aurora-instance.yaml kubectl delete <span class="nt">-f</span> test-ack-aurora-cluster.yaml </code></pre> </div> rds ack controller kubernetes Most Useful kubectl Plugins Shardul Srivastava Sat, 15 Oct 2022 01:12:22 +0000 https://dev.to/aws-builders/most-useful-kubectl-plugins-11i1 https://dev.to/aws-builders/most-useful-kubectl-plugins-11i1 <p>Kubernetes provides a convenient utility <code>kubectl</code> to interact with the cluster. <code>kubectl</code> talks to <a href="https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/">kube-apiserver</a> and allows you to create, update and delete objects/resources in the cluster.</p> <h2> How To Pronounce kubectl </h2> <p>When you start using <code>kubectl</code>, the first thing that comes to mind is <code>how the heck do you pronounce this</code>. There are different pronunciations used by different people, as long as everybody is referring to the same command line tool, it's all good. </p> <p>Here are the three different pronunciations that I have heard people using:</p> <ol> <li><code>kube-control</code></li> <li><code>kube-cuttle</code></li> <li> <code>kube-cee-tee-ell</code> ←</li> </ol> <blockquote> <p>P.S: I use the last one 😄</p> </blockquote> <h2> What are kubectl Plugins </h2> <p>Kubernetes provides a way to extend the functionality of <code>kubectl</code> using plugins. Plugins allow us to add additional functionality to the <code>kubectl</code> command line tool.</p> <p><code>kubectl plugins</code> are executables whose names start with <code>kubectl-</code>. These executables should be part of the <code>PATH</code> so that <code>kubectl</code> can discover them. kubectl automatically detects them and runs them for you.</p> <p>Eg: If we have a plugin called <code>hello</code> then you can invoke it by using the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">kubectl hello</span> </code></pre> </div> <p>here kubectl would look for an executable with the name <code>kubectl-hello</code> in the <code>PATH</code></p> <h2> Install kubectl Plugins with Krew </h2> <p><code>kubectl plugins</code> can be installed in numerous ways, the easiest way would be to install the official plugin manager called <a href="https://github.com/kubernetes-sigs/krew/">krew</a>.</p> <p>Install <code>krew</code> by following the instructions for your operating system <a href="https://krew.sigs.k8s.io/docs/user-guide/setup/install/">here</a>.</p> <p>For Mac, it can be installed with the <code>brew</code> package manager:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>krew </code></pre> </div> <h3> Installing official plugins </h3> <p>krew maintains an index of officially maintained plugins called <a href="https://krew.sigs.k8s.io/plugins/">krew plugin index</a>. There are about <em>206</em> plugins maintained in the official krew index by the maintainers.</p> <p>Let's take a look at some of the most useful plugins</p> <h4> neat Plugin </h4> <p>Install <a href="https://github.com/itaysk/kubectl-neat">neat</a> plugin with krew :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl krew <span class="nb">install </span>neat </code></pre> </div> <p><code>neat</code> is my favorite plugin. While working with Kubernetes, you often would want to check the resource spec in the cluster, however, when you run the command, you get more fields than intended as part of the spec.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods nginx-7fd68f74d-ntpdc <span class="nt">-oyaml</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">creationTimestamp</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2022-10-14T16:18:08Z"</span> <span class="na">generateName</span><span class="pi">:</span> <span class="s">nginx-7fd68f74d-</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">pod-template-hash</span><span class="pi">:</span> <span class="s">7fd68f74d</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-7fd68f74d-ntpdc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">ownerReferences</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">blockOwnerDeletion</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">controller</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ReplicaSet</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-7fd68f74d</span> <span class="na">uid</span><span class="pi">:</span> <span class="s">4ff93f8e-a3c3-4c81-9556-e69eb47e9011</span> <span class="na">resourceVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">85985"</span> <span class="na">uid</span><span class="pi">:</span> <span class="s">714bf0d2-2456-4efc-a527-71f29943662c</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">quay.io/shardul/nginx:v1</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="na">terminationMessagePath</span><span class="pi">:</span> <span class="s">/dev/termination-log</span> <span class="na">terminationMessagePolicy</span><span class="pi">:</span> <span class="s">File</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/var/run/secrets/kubernetes.io/serviceaccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kube-api-access-qskm4</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">dnsPolicy</span><span class="pi">:</span> <span class="s">ClusterFirst</span> </code></pre> </div> <p>the output is too verbose for troubleshooting. This is where <code>neat</code> plugin comes to our rescue.</p> <p>Let's get the pod details, this time add <code>| kubectl neat</code> at the end of the command :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods nginx-7fd68f74d-ntpdc <span class="nt">-oyaml</span> | kubectl neat </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">pod-template-hash</span><span class="pi">:</span> <span class="s">7fd68f74d</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-7fd68f74d-ntpdc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">quay.io/shardul/nginx:v1</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/var/run/secrets/kubernetes.io/serviceaccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kube-api-access-qskm4</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p><code>kubectl-neat</code> omits <code>managedFields</code>, <code>default values</code> and <code>status</code> fields and some metadata fields such as <code>creationTimestamp</code>, <code>resourceVersion</code>,<code>selfLink</code> and <code>uid</code>.</p> <h4> view-secret Plugin </h4> <p>Install <a href="https://github.com/elsesiy/kubectl-view-secret">view-secret</a> plugin with krew:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl krew <span class="nb">install </span>view-secret </code></pre> </div> <p><code>view-secret</code> plugin saves a lot of time when you want to view a secret in the cluster, especially if it's a secret with multiple keys and values. Normally to view a secret you would do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret my-secret <span class="nt">-o</span> yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">key1</span><span class="pi">:</span> <span class="s">c3VwZXJzZWNyZXQ=</span> <span class="na">key2</span><span class="pi">:</span> <span class="s">dG9wc2VjcmV0</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">creationTimestamp</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2022-10-14T19:58:25Z"</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">resourceVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">88915"</span> <span class="na">uid</span><span class="pi">:</span> <span class="s">4b6fbf40-f27f-4744-ab61-2d7457a41ce6</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> </code></pre> </div> <p>then copy the values such as <code>c3VwZXJzZWNyZXQ=</code> and decode it with base64:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"c3VwZXJzZWNyZXQ="</span> | <span class="nb">base64</span> <span class="nt">-d</span> supersecret </code></pre> </div> <p>With the <code>view-secret</code> plugin, you can just do :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">kubectl view-secret my-secret --all</span> <span class="s">key1=supersecret</span> <span class="s">key2=topsecret</span> </code></pre> </div> <h4> access-matrix Plugin </h4> <p>Install <a href="https://github.com/corneliusweig/rakkess">access-matrix</a> plugin with krew :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl krew <span class="nb">install </span>access-matrix </code></pre> </div> <p>The <code>access-matrix</code> plugin is very useful to visualize your access in the cluster or to find out who can access a particular resource in the cluster.</p> <h4> blame Plugin </h4> <p>Install <a href="https://github.com/knight42/kubectl-blame">blame</a> plugin with krew :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl krew <span class="nb">install </span>blame </code></pre> </div> <p>The <code>blame</code> plugin helps you to figure out who changed several fields of an object in the cluster - <code>kubectl</code>, <code>kube-controller-manager</code> or <code>helm</code>. It internally uses the <code>.metadata.manageFields</code> field of the object to get this information. </p> <blockquote> <p>Read more about <code>metadata.managedFields</code> <a href="https://kubernetes.io/docs/reference/using-api/server-side-apply/">here</a>.</p> </blockquote> <p>If we edit a deployment <code>nginx</code> manually and update the replias to 2. We can see those details using the <code>blame</code> plugin that changes were done using <code>kubectl edit</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl blame deploy nginx </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">spec</span><span class="pi">:</span> <span class="na">kubectl-client-side-apply (Update 8 hours ago) progressDeadlineSeconds</span><span class="pi">:</span> <span class="m">600</span> <span class="na">kubectl-edit (Update 26 minutes ago) replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">kubectl-client-side-apply (Update 8 hours ago) revisionHistoryLimit</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <h4> df-pv Plugin </h4> <p>Install <a href="https://github.com/yashbhutwala/kubectl-df-pv">df-pv</a> plugin with krew :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl krew <span class="nb">install </span>df-pv </code></pre> </div> <p>If you are familiar with the <code>df</code> command in Linux and Mac, then you would love the <code>df-pv</code> plugin. It provides the same functionality as <code>df</code> provides, except that it provides details for <a href="https://kubernetes.io/docs/concepts/storage/persistent-volumes/">Persistent volumes</a> in a human-readable format.</p> <p>The <code>df-pv</code> plugin comes in handy if you want to get an overall view of PVs in the cluster. It shows you details like <code>Size</code>, <code>Used</code>, <code>Available</code>, and <code>%Used</code>.</p> <h2> Installing plugins directly from repositories </h2> <p>Apart from the krew index, <code>plugins</code> can be installed from private repositories via manual steps or using a custom plugin index.</p> <blockquote> <p>In the end plugins are just executables. </p> </blockquote> <h3> clean plugin </h3> <p>Install <a href="https://github.com/shardulsrivastava/kubectl-plugin#kubectl-clean">clean</a> plugin manually :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone git@github.com:shardulsrivastava/kubectl-plugin.git <span class="nb">cd </span>kubectl-plugin/plugins/clean <span class="nb">mv </span>kubectl-clean /usr/local/bin kubectl clean <span class="nt">--help</span> </code></pre> </div> <p>The <code>clean</code> plugin comes handy if you're using EKS or GKE where you have orphaned pods lying around cluttering the cluster. It cleans them all up in one go.</p> <p>To delete all the orphaned pods in your cluster<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl clean all </code></pre> </div> <p>or you can clean up a particular namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl clean my-namespace </code></pre> </div> <h3> gke-outdated plugin </h3> <p>Install <a href="https://github.com/shardulsrivastava/kubectl-plugin#kubectl-gke-outdated">gke-outdated</a> plugin manually :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone git@github.com:shardulsrivastava/kubectl-plugin.git <span class="nb">cd </span>kubectl-plugin/plugins/gke-outdated <span class="nb">mv </span>kubectl-gke_outdated print-table /usr/local/bin kubectl gke-outdated <span class="nt">--help</span> </code></pre> </div> <p>The <code>gke-outdated</code> plugin finds all the outdated GKE clusters in your GCP organization's folder.</p> <p>To check all the GKE clusters running outdated kubernetes versions inside folder Id <code>907623304376</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl gke-outdated 907623304376 1.22 </code></pre> </div> <p>this will list all the GKE clusters inside of folder <code>907623304376</code> that are running a version less than <code>1.22</code>.</p> kubect kubernetes plugins Scaling in EKS with Karpenter - Part 1 Shardul Srivastava Mon, 10 Oct 2022 22:06:12 +0000 https://dev.to/aws-builders/scaling-in-eks-with-karpenter-part-1-3c7e https://dev.to/aws-builders/scaling-in-eks-with-karpenter-part-1-3c7e <p>Kubernetes has become a de-facto standard because it takes care of a lot of complexities internally. One of those complexities is cluster autoscaling i.e provisioning of nodes based on the increased number of workloads.</p> <p><a href="https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler">Cluster Autoscaler</a> is a project maintained by a community called <code>sig-autoscaling</code>, one of the communities under <code>Kubernetes</code>. Check out more about Kubernetes Communities <a href="https://github.com/kubernetes/community">here</a>.</p> <p><code>Cluster autoscaler</code> supports a number of <a href="https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider">cloud providers</a> including EKS. <a href="https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider/aws">here</a> is the guide to setup <code>cluster autoscaler</code> on EKS and various configuration <a href="https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider/aws/examples">examples</a>.</p> <p><code>Cluster autoscaler</code> runs in the cluster as an addon and adds or removes the nodes in the cluster to allow the scheduling of workloads. It kicks in when any of the pods are not able to schedule due to insufficient resources. Node groups in EKS are backed by <code>EC2 Auto Scaling Groups</code> and <code>CA</code> updates the number of nodes in the ASG dynamically to ensure pods are scheduled. It also supports <strong>Mixed Instance policy</strong> for Spot instances that allows users to save costs with Spot instances with the added risk of workload interruption.</p> <p>While <code>CA</code> takes care of the scaling efficiently, there are still issues that EKS users face such as :</p> <ol> <li> <p>When there are no node in the Node group that matches the requirements of the pod and the pod remains unscheduled, which could cause an outage.</p> <blockquote> <p>While debugging these types of issues a common error message in autoscaler logs is <code>pod didn't trigger scale-up (it wouldn't fit if a new node is added)</code></p> </blockquote> </li> <li><p>Using too big instances in node groups, which leads to low resource utilization and increased cost.</p></li> <li><p>Using too low instances in Node groups, which leads to node groups maxing out and resulting in unscheduled pods.</p></li> <li><p>No way to identify the optimal choice of instance types based on workloads.</p></li> </ol> <p>All of these issues and many more can be solved with...</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmpjvhoxdnpfj79740e8.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmpjvhoxdnpfj79740e8.jpeg" alt="khaby" width="800" height="785"></a></p> <h2> Karpenter </h2> <p><a href="https://karpenter.sh/">Karpenter</a> is an open-source project by AWS that improves the efficiency and cost of running workloads on <strong>Kubernetes clusters</strong> (not just EKS, it's designed to have support for multiple cloud providers). </p> <p>Karpenter is group less i.e it works by provisioning nodes based on the workload and the provisioned nodes are not part of any ASG.</p> <p>This allows <code>Karpenter</code> to scale nodes more efficiently, retry in a few milliseconds when node capacity is not available instead of waiting for minutes in case of an ASG and gives the flexibility to provision instances from a variety of instance types without creating hundreds of node groups.</p> <h2> Karpenter Installation </h2> <p><code>Karpenter controller</code> runs on the cluster as a deployment and relies on a CRD called <a href="https://karpenter.sh/v0.17.0/provisioner/">Provisioner</a> to configure it's behaviour to handle workloads such as consolidate them to save costs, move them to another node with a different instance type and scale down nodes when they are empty.</p> <h3> Setup an EKS Cluster with Karpenter enabled </h3> <p><code>Karpenter</code> can be installed by following the steps in the <a href="https://karpenter.sh/v0.17.0/getting-started/">Karpenter - Getting Started Guide</a> which involves creating several Cloudformation stacks, IAM role cluster bindings. IMO, the simplest way to get started is to use <code>eksctl</code> that has support for <code>karpenter</code> installation out-of-box.</p> <p>Let's create a cluster with <code>eksctl</code> with a managed node group and <code>karpenter</code> installed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">eksctl.io/v1alpha5</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">karpenter-cluster</span> <span class="na">region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.22"</span> <span class="na">tags</span><span class="pi">:</span> <span class="na">karpenter.sh/discovery</span><span class="pi">:</span> <span class="s">karpenter-cluster</span> <span class="c1"># Special tag for Karpenter that it uses to discover subnets and security groups</span> <span class="na">iam</span><span class="pi">:</span> <span class="na">withOIDC</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># required</span> <span class="na">karpenter</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0.15.0'</span> <span class="c1"># Current version of eksctl only supports 0.15.0 of karpenter.</span> <span class="na">createServiceAccount</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">managedNodeGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">managed-ng-1</span> <span class="c1"># Managed node group for karpenter controller itself, could use fargate too that would be much simpler.</span> <span class="na">minSize</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxSize</span><span class="pi">:</span> <span class="m">10</span> <span class="na">desiredCapacity</span><span class="pi">:</span> <span class="m">1</span> <span class="na">instanceType</span><span class="pi">:</span> <span class="s">t3.large</span> <span class="na">amiFamily</span><span class="pi">:</span> <span class="s">AmazonLinux2</span> </code></pre> </div> <p>this would create an EKS cluster <code>karpenter-cluster</code> in the <code>eu-west-1</code> region with a managed Node group <code>managed-ng-1</code>, install few of components for <code>karpenter</code> to work : </p> <ol> <li> <code>eksctl-KarpenterControllerPolicy-karpenter-cluster</code> - An <a href="https://github.com/aws/karpenter/blob/30a4a5af24fb065471c9ec1203db861d9eb45ac4/website/content/en/v0.15.0/getting-started/getting-started-with-eksctl/cloudformation.yaml#L34-L66">IAM policy</a> with permissions to provision nodes and spot instances.</li> <li> <code>eksctl-karpenter-cluster-iamservice-role</code> - An IAM role with IAM policy <code>eksctl-KarpenterControllerPolicy-karpenter-cluster</code> and attached to the service account used by <code>karpenter</code> to allow it to provision instances.</li> <li> <code>eksctl-KarpenterNodeRole-karpenter-cluster</code> - An <a href="https://github.com/aws/karpenter/blob/30a4a5af24fb065471c9ec1203db861d9eb45ac4/website/content/en/v0.15.0/getting-started/getting-started-with-eksctl/cloudformation.yaml#L15-L33">IAM role</a> for provisioned nodes to work and get registered with the cluster.</li> <li> <code>eksctl-KarpenterNodeInstanceProfile-karpenter-cluster</code> - An <a href="https://github.com/aws/karpenter/blob/30a4a5af24fb065471c9ec1203db861d9eb45ac4/website/content/en/v0.15.0/getting-started/getting-started-with-eksctl/cloudformation.yaml#L8-L14">Instance profile</a> for instance provisioned by <code>Karpenter</code>.</li> <li> <code>karpenter Helm Release</code> - Installation of <code>karpenter</code> using <a href="https://github.com/aws/karpenter/tree/main/charts/karpenter">Helm chart</a>.</li> </ol> <h3> Setup Karpenter Provisioner </h3> <p>To configure <code>Karpenter</code>, you need to create a <a href="https://karpenter.sh/v0.17.0/provisioner/">Provisioner</a> resource that defines how <code>Karpenter</code> provisions nodes and removes them. It has several configuration options but we will start with the basic <strong>Provisioner</strong> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">karpenter.sh/v1alpha5</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Provisioner</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">subnetSelector</span><span class="pi">:</span> <span class="na">karpenter.sh/discovery</span><span class="pi">:</span> <span class="s">karpenter-cluster</span> <span class="na">securityGroupSelector</span><span class="pi">:</span> <span class="na">karpenter.sh/discovery</span><span class="pi">:</span> <span class="s">karpenter-cluster</span> </code></pre> </div> <blockquote> <p>For the sake of simplicity, we are using <code>provider</code> definiton directly, however recommendaion is to create another CRD of type <code>AWSNodeTemplate</code> and refer to it using <code>providerRef</code> configuration.</p> </blockquote> <p>Here <code>subnetSelector</code> and <code>securityGroupSelector</code> values allow <code>karpenter</code> to discover <strong>subnets</strong> and <strong>security groups</strong> i.e <code>karpenter</code> would discover the subnets and security groups using these tags and create the node in one of these subnets and attach the discovered security groups to the node.</p> <p>Let's create a sample deployment for <code>Nginx</code> with CPU request as <code>1</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">quay.io/shardul/nginx:v1</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">1</span> </code></pre> </div> <p>Check if pods are running :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0glsctppx7ovfebtn8kg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0glsctppx7ovfebtn8kg.png" alt="pending pods" width="800" height="122"></a></p> <p>Initially Nginx pod is pending, <code>karpenter</code> detects a pending pod and kicks in to create a node to accommodate the pending pod, Check the <code>karpenter</code> controller logs to see the details :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">-n</span> karpenter logs <span class="nt">-f</span> <span class="nt">-l</span> app.kubernetes.io/instance<span class="o">=</span>karpenter <span class="nt">-c</span> controller 2022-10-09T15:35:31.066Z INFO controller.provisioning Computed 1 new node<span class="o">(</span>s<span class="o">)</span> will fit 1 pod<span class="o">(</span>s<span class="o">)</span> <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span><span class="o">}</span> 2022-10-09T15:35:31.253Z DEBUG controller.provisioning.cloudprovider Discovered subnets: <span class="o">[</span>subnet-0bb805312e46db35f <span class="o">(</span>eu-west-1b<span class="o">)</span> subnet-05bd621d69320799a <span class="o">(</span>eu-west-1c<span class="o">)</span> subnet-02828f6cf56a0eabc <span class="o">(</span>eu-west-1a<span class="o">)</span> subnet-0d94022cc49b76aeb <span class="o">(</span>eu-west-1a<span class="o">)</span> subnet-09ebfc5011dbf69fb <span class="o">(</span>eu-west-1b<span class="o">)</span> subnet-084a73ba681d60241 <span class="o">(</span>eu-west-1c<span class="o">)]</span> <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"provisioner"</span>: <span class="s2">"default"</span><span class="o">}</span> 2022-10-09T15:35:31.387Z DEBUG controller.provisioning.cloudprovider Discovered security <span class="nb">groups</span>: <span class="o">[</span>sg-03a9dd659d9a0b8fd sg-00a2bf520128db45b] <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"provisioner"</span>: <span class="s2">"default"</span><span class="o">}</span> 2022-10-09T15:35:31.390Z DEBUG controller.provisioning.cloudprovider Discovered kubernetes version 1.22 <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"provisioner"</span>: <span class="s2">"default"</span><span class="o">}</span> 2022-10-09T15:35:31.425Z DEBUG controller.provisioning.cloudprovider Discovered ami-04f335c3e4d6dcfad <span class="k">for </span>query <span class="s2">"/aws/service/eks/optimized-ami/1.22/amazon-linux-2-arm64/recommended/image_id"</span> <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"provisioner"</span>: <span class="s2">"default"</span><span class="o">}</span> 2022-10-09T15:35:31.446Z DEBUG controller.provisioning.cloudprovider Discovered ami-0ed22cc46dcbf16ed <span class="k">for </span>query <span class="s2">"/aws/service/eks/optimized-ami/1.22/amazon-linux-2/recommended/image_id"</span> <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"provisioner"</span>: <span class="s2">"default"</span><span class="o">}</span> 2022-10-09T15:35:31.483Z DEBUG controller.provisioning.cloudprovider Discovered launch template Karpenter-karpenter-cluster-5093968976540638239 <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"provisioner"</span>: <span class="s2">"default"</span><span class="o">}</span> 2022-10-09T15:35:31.523Z DEBUG controller.provisioning.cloudprovider Discovered launch template Karpenter-karpenter-cluster-9263159034123731516 <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"provisioner"</span>: <span class="s2">"default"</span><span class="o">}</span> 2022-10-09T15:35:33.829Z INFO controller.provisioning.cloudprovider Launched instance: i-0aa11b1f2eb52b92d, <span class="nb">hostname</span>: ip-192-168-32-230.eu-west-1.compute.internal, <span class="nb">type</span>: t3.medium, zone: eu-west-1c, capacityType: spot <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"provisioner"</span>: <span class="s2">"default"</span><span class="o">}</span> 2022-10-09T15:35:33.837Z INFO controller.provisioning Created node with 1 pods requesting <span class="o">{</span><span class="s2">"cpu"</span>:<span class="s2">"1125m"</span>,<span class="s2">"pods"</span>:<span class="s2">"3"</span><span class="o">}</span> from types t4g.micro, t3a.micro, t3.micro, t4g.small, t3a.small and 477 other<span class="o">(</span>s<span class="o">)</span> <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"provisioner"</span>: <span class="s2">"default"</span><span class="o">}</span> </code></pre> </div> <p>Immediately we can see that there is an <strong>additional node</strong> <code>ip-192-168-32-230.eu-west-1.compute.internal</code> launched by <code>karpenter</code></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd32ehnon5ejhuk6kjw9q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd32ehnon5ejhuk6kjw9q.png" alt="karpenter node provisioning" width="800" height="88"></a></p> <p>and the pod is running now on this node:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp3ie67un6m2gwnajr5d1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp3ie67un6m2gwnajr5d1.png" alt="running pods" width="800" height="120"></a></p> <p>Let's inspect the node created by the <code>karpenter</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get node ip-192-168-32-230.eu-west-1.compute.internal <span class="nt">-ojson</span> | jq <span class="nt">-r</span> <span class="s1">'.metadata.labels'</span> </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5k96cb913tn671rg1yql.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5k96cb913tn671rg1yql.png" alt="exlore provisioned node" width="800" height="390"></a></p> <p>We can see that it's a <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html">spot instance</a> of type <code>t3.medium</code>. </p> <p>By default, <code>karpenter</code> provisions <strong>spot instance</strong>. However, we can change it to <code>on-demand</code> instance too based on our requirements. Let's try to delete the deployment to see if <code>karpenter</code> removes the instances.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete deployment nginx </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcezbqyqu40n88kifs7y9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcezbqyqu40n88kifs7y9.png" alt="no pods" width="780" height="116"></a></p> <p>and the pod is gone, but the node is still there :</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5j1uo2dpth2547l6765g.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5j1uo2dpth2547l6765g.png" alt="node still there" width="800" height="88"></a></p> <h3> ttlSecondsAfterEmpty </h3> <p>With <code>ttlSecondsAfterEmpty</code>, Karpenter deletes empty instances after the TTL is elapsed.</p> <p>Let's update the Provisioner to this value :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">karpenter.sh/v1alpha5</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Provisioner</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ttlSecondsAfterEmpty</span><span class="pi">:</span> <span class="m">60</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">subnetSelector</span><span class="pi">:</span> <span class="na">karpenter.sh/discovery</span><span class="pi">:</span> <span class="s">karpenter-cluster</span> <span class="na">securityGroupSelector</span><span class="pi">:</span> <span class="na">karpenter.sh/discovery</span><span class="pi">:</span> <span class="s">karpenter-cluster</span> </code></pre> </div> <p>Now <code>karpenter</code> will wait for 60 seconds before it cordons, drains, and deletes the empty node. We can check the details in the <code>karpenter</code> logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">-n</span> karpenter logs <span class="nt">-f</span> <span class="nt">-l</span> app.kubernetes.io/instance<span class="o">=</span>karpenter <span class="nt">-c</span> controller 2022-10-09T16:17:08.000Z INFO controller.node Triggering termination after 1m0s <span class="k">for </span>empty node <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"node"</span>: <span class="s2">"ip-192-168-32-230.eu-west-1.compute.internal"</span><span class="o">}</span> 2022-10-09T16:17:08.024Z INFO controller.termination Cordoned node <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"node"</span>: <span class="s2">"ip-192-168-32-230.eu-west-1.compute.internal"</span><span class="o">}</span> 2022-10-09T16:17:08.184Z INFO controller.termination Deleted node <span class="o">{</span><span class="s2">"commit"</span>: <span class="s2">"3d87474"</span>, <span class="s2">"node"</span>: <span class="s2">"ip-192-168-32-230.eu-west-1.compute.internal"</span><span class="o">}</span> </code></pre> </div> <p><strong>Note:</strong><br> For the nodes provisioned by <code>Karpenter</code>, it adds a <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/">finalizer</a> for graceful node termination, we can check this by inspecting the node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes ip-192-168-32-230.eu-west-1.compute.internal <span class="nt">-ojson</span> | jq <span class="nt">-r</span> <span class="s1">'.metadata.finalizers'</span> <span class="o">[</span> <span class="s2">"karpenter.sh/termination"</span> <span class="o">]</span> </code></pre> </div> Understanding Istio Access Logs Shardul Srivastava Sun, 06 Mar 2022 10:30:58 +0000 https://dev.to/aws-builders/understanding-istio-access-logs-2k5o https://dev.to/aws-builders/understanding-istio-access-logs-2k5o <p>Istio access logs are very helpful to understand the incoming traffic pattern. These logs are produced by the Envoy proxy and can be viewed overall at the Istio Ingress gateway or at the individual pod that is injected with the envoy proxy sidecar.</p> <h2> Enable Istio Access Logs </h2> <p>Istio access logs are not enabled by default, it can be enabled by setting the <code>meshConfig.accessLogFile</code> of the <code>IstioOperator</code> resource.</p> <p>A basic istio installation with access logs enabled would look like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">install.istio.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IstioOperator</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">meshConfig</span><span class="pi">:</span> <span class="na">accessLogFile</span><span class="pi">:</span> <span class="s">/dev/stdout</span> </code></pre> </div> <p>Here the value <code>/dev/stdout</code> outputs the access logs to standard output. By default these access logs are in <strong>TEXT</strong> format i.e it looks like this :</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="o">[</span>2022-10-23T20:38:15.413Z] <span class="s2">"GET / HTTP/1.1"</span> 200 - via_upstream - <span class="s2">"-"</span> 0 37 0 0 <span class="s2">"-"</span> <span class="s2">"curl/7.35.0"</span> <span class="s2">"3ce3e159-9dba-4617-9e85-feb1106a682c"</span> <span class="s2">"nginx"</span> <span class="s2">"192.168.42.152:80"</span> inbound|80|| 127.0.0.6:52375 192.168.42.152:80 192.168.59.90:34854 outbound_.80_._.nginx.default.svc.cluster.local default </code></pre> </div> <p>it can be changed to json by setting <code>.spec.meshConfig.accessLogEncoding</code> to <code>JSON</code> and logs would change to:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"response_code_details"</span><span class="p">:</span><span class="w"> </span><span class="s2">"via_upstream"</span><span class="p">,</span><span class="w"> </span><span class="nl">"downstream_remote_address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"192.168.59.90:58478"</span><span class="p">,</span><span class="w"> </span><span class="nl">"downstream_local_address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"192.168.42.152:80"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"e2873f51-0a42-4da4-a8e8-f711b46dea5c"</span><span class="p">,</span><span class="w"> </span><span class="nl">"authority"</span><span class="p">:</span><span class="w"> </span><span class="s2">"nginx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requested_server_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"outbound_.80_._.nginx.default.svc.cluster.local"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_cluster"</span><span class="p">:</span><span class="w"> </span><span class="s2">"inbound|80||"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bytes_sent"</span><span class="p">:</span><span class="w"> </span><span class="mi">37</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"curl/7.35.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_local_address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"127.0.0.6:41549"</span><span class="p">,</span><span class="w"> </span><span class="nl">"x_forwarded_for"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"start_time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2022-10-23T22:15:39.663Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_code"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_transport_failure_reason"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"duration"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_service_time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_flags"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"192.168.42.152:80"</span><span class="p">,</span><span class="w"> </span><span class="nl">"route_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"default"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bytes_received"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HTTP/1.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"connection_termination_details"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Istio Access Logs Format </h2> <p>When Istio access logs are enabled, they are by default in this format</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="o">[</span>%START_TIME%] <span class="se">\"</span>%REQ<span class="o">(</span>:METHOD<span class="o">)</span>% %REQ<span class="o">(</span>X-ENVOY-ORIGINAL-PATH?:PATH<span class="o">)</span>% %PROTOCOL%<span class="se">\"</span> %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %CONNECTION_TERMINATION_DETAILS% <span class="se">\"</span>%UPSTREAM_TRANSPORT_FAILURE_REASON%<span class="se">\"</span> %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP<span class="o">(</span>X-ENVOY-UPSTREAM-SERVICE-TIME<span class="o">)</span>% <span class="se">\"</span>%REQ<span class="o">(</span>X-FORWARDED-FOR<span class="o">)</span>%<span class="se">\"</span> <span class="se">\"</span>%REQ<span class="o">(</span>USER-AGENT<span class="o">)</span>%<span class="se">\"</span> <span class="se">\"</span>%REQ<span class="o">(</span>X-REQUEST-ID<span class="o">)</span>%<span class="se">\"</span> <span class="se">\"</span>%REQ<span class="o">(</span>:AUTHORITY<span class="o">)</span>%<span class="se">\"</span> <span class="se">\"</span>%UPSTREAM_HOST%<span class="se">\"</span> %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%<span class="se">\n</span> </code></pre> </div> <p>here <code>%</code> is used to define a field to be printed in the access logs. To print the response code we can use <code>%RESPONSE_CODE%</code>. Let's look at some of the important fields here:</p> <ol> <li> <strong><code>%START_TIME%</code></strong> - Request start time.</li> <li> <strong><code>%RESPONSE_CODE%</code></strong> - Response code of the request.</li> <li> <strong><code>%RESPONSE_FLAGS%</code></strong> - Additional details about response. More details <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators:~:text=typed%20JSON%20logs.-,%25RESPONSE_FLAGS%25,-Additional%20details%20about" rel="noopener noreferrer">here</a> </li> <li> <strong><code>%RESPONSE_CODE_DETAILS%</code></strong> - Response code details. More details <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/response_code_details#response-code-details" rel="noopener noreferrer">here</a>.</li> <li> <strong><code>%DURATION%</code></strong> - Total duration of the request.</li> <li> <strong><code>%UPSTREAM_HOST%</code></strong> - Upstream where the request is routed to such as pod. It would print the pod's IP and port where the request went. Eg - <code>192.168.42.152:80</code> </li> <li> <strong><code>%REQ()%</code></strong> - This is used to print request headers. Eg - <code>%REQ(-FORWARDED-FOR)%</code> would print the <code>X-FORWARDED-FOR</code> request header.</li> <li> <strong><code>%RESP()%</code></strong> - This is used to print response headers. Eg - <code>%RESP(CONTENT-TYPE)%</code> would print the <code>CONTENT-TYPE</code> header in the response.</li> </ol> <p>An exhausting list of available fields can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators" rel="noopener noreferrer">here</a>. </p> <h2> Customize Access Logs Format </h2> <p>If you want to parse your logs with a tool like <a href="https://grafana.com/oss/loki/" rel="noopener noreferrer">Loki</a>, json format logs would be well suited. Access logs format can be changed by setting the <code>meshConfig.accessLogFormat</code>. </p> <p>Eg: To print json logs in a custom format</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">spec</span><span class="pi">:</span> <span class="na">meshConfig</span><span class="pi">:</span> <span class="na">accessLogFile</span><span class="pi">:</span> <span class="s">/dev/stdout</span> <span class="na">accessLogEncoding</span><span class="pi">:</span> <span class="s">JSON</span> <span class="na">accessLogFormat</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">{</span> <span class="s">"protocol": "%PROTOCOL%",</span> <span class="s">"upstream_service_time": "%REQ(X-ENVOY-UPSTREAM_SERVICE_TIME)%",</span> <span class="s">"upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%",</span> <span class="s">"duration": "%DURATION%",</span> <span class="s">"upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%",</span> <span class="s">"route_name": "%ROUTE_NAME%",</span> <span class="s">"downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%",</span> <span class="s">"user_agent": "%REQ(USER-AGENT)%",</span> <span class="s">"response_code": "%RESPONSE_CODE%",</span> <span class="s">"response_flags": "%RESPONSE_FLAGS%",</span> <span class="s">"start_time": "%START_TIME%",</span> <span class="s">"method": "%REQ(:METHOD)%",</span> <span class="s">"request_id": "%REQ(X-REQUEST-ID)%",</span> <span class="s">"upstream_host": "%UPSTREAM_HOST%",</span> <span class="s">"x_forwarded_for": "%REQ(X-FORWARDED-FOR)%",</span> <span class="s">"client_ip": "%REQ(TRUE-Client-IP)%",</span> <span class="s">"requested_server_name": "%REQUESTED_SERVER_NAME%",</span> <span class="s">"bytes_received": "%BYTES_RECEIVED%",</span> <span class="s">"bytes_sent": "%BYTES_SENT%",</span> <span class="s">"upstream_cluster": "%UPSTREAM_CLUSTER%",</span> <span class="s">"downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%",</span> <span class="s">"authority": "%REQ(:AUTHORITY)%",</span> <span class="s">"path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",</span> <span class="s">"response_code_details": "%RESPONSE_CODE_DETAILS%"</span> <span class="s">}</span> </code></pre> </div> <h2> Printing Known Request and Response Headers </h2> <p>EnvoyProxy allows printing request headers and response headers with <code>%REQ(X?Y):Z%</code> and <code>%RESP(X?Y):Z%</code> respectively. This can be used to print any request header or response header and if the header is not present an alternative header can be given optionally.</p> <p><strong><code>%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%</code></strong> would print the <code>X-ENVOY-ORIGINAL-PATH</code> header, if it doesn't exist <code>PATH</code> header would be printed and if even the <code>PATH</code> header is also not present then <code>-</code> would be printed instead.</p> <p>So we can print all the headers that we know the name of, but how about any dynamic headers whose name changes with every request.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fak2pgf3g92q9uqvgibo9.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fak2pgf3g92q9uqvgibo9.jpeg" alt="Istio Access logs IDK"></a></p> <h2> Printing All the Request Headers and Request Body </h2> <p>Istio uses EnvoyProxy which is extensible by design, <code>EnvoyFilter</code> provides a mechanism to customize the Envoy configuration.</p> <p>The <code>HTTP Lua filter</code> allows Lua scripts to be run during both the request and response flows. This Envoy HTTP Lua filter prints all the request headers :</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">EnvoyFilter</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">request-filter</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">istio-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">configPatches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">applyTo</span><span class="pi">:</span> <span class="s">HTTP_FILTER</span> <span class="na">match</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">GATEWAY</span> <span class="na">listener</span><span class="pi">:</span> <span class="na">filterChain</span><span class="pi">:</span> <span class="na">filter</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">envoy.filters.network.http_connection_manager</span> <span class="na">subFilter</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">envoy.filters.http.router</span> <span class="na">patch</span><span class="pi">:</span> <span class="na">operation</span><span class="pi">:</span> <span class="s">INSERT_BEFORE</span> <span class="na">value</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">envoy.lua</span> <span class="na">typed_config</span><span class="pi">:</span> <span class="s1">'</span><span class="s">@type'</span><span class="err">:</span> <span class="s">type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua</span> <span class="s">inlineCode</span><span class="err">:</span> <span class="pi">|</span> <span class="s">-- Called on the request path.</span> <span class="s">function envoy_on_request(request_handle)</span> <span class="s">request_handle:logCritical("Printing Request Headers =&gt; ")</span> <span class="s">for key, value in pairs(request_handle:headers()) do</span> <span class="s">request_handle:logCritical(key .. " =&gt; " .. value)</span> <span class="s">end</span> <span class="s">for chunk in request_handle:bodyChunks() do</span> <span class="s">request_handle:logCritical("Printing Request body =&gt; " .. chunk:getBytes(0, chunk:length()))</span> <span class="s">end</span> <span class="s">end</span> <span class="na">workloadSelector</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">istio-ingressgateway</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl apply <span class="nt">-f</span> istio-filter.yaml </code></pre> </div> <p>once applied, all the headers will be printed in the logs:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> 2022-10-23T23:48:39.750646Z critical envoy lua script log: Printing Request Headers =&gt; 2022-10-23T23:48:39.750688Z critical envoy lua script log: :authority =&gt; 54.77.207.3 2022-10-23T23:48:39.750691Z critical envoy lua script log: :path =&gt; / 2022-10-23T23:48:39.750693Z critical envoy lua script log: :method =&gt; GET 2022-10-23T23:48:39.750695Z critical envoy lua script log: :scheme =&gt; http 2022-10-23T23:48:39.750697Z critical envoy lua script log: user-agent =&gt; Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/537.32.36 (KHTML, live Gecko) Chrome/56.0.3006.85 Safari/537.32 2022-10-23T23:48:39.750699Z critical envoy lua script log: accept-encoding =&gt; gzip, deflate 2022-10-23T23:48:39.750701Z critical envoy lua script log: accept =&gt; */* 2022-10-23T23:48:39.750714Z critical envoy lua script log: x-forwarded-for =&gt; 192.168.59.163 2022-10-23T23:48:39.750716Z critical envoy lua script log: x-forwarded-proto =&gt; http 2022-10-23T23:48:39.750717Z critical envoy lua script log: x-envoy-internal =&gt; true 2022-10-23T23:48:39.750719Z critical envoy lua script log: x-request-id =&gt; 0d1def76-2d84-4ddb-9aa3-62b2445cc1f8 2022-10-23T23:48:39.750747Z critical envoy lua script log: x-envoy-peer-metadata-id =&gt; router~192.168.45.105~istio-ingressgateway-94b448d6d-pbsqj.istio-system~istio-system.svc.cluster.local </code></pre> </div> <p>Read more about EnvoyFilter <a href="https://istio.io/latest/docs/reference/config/networking/envoy-filter/" rel="noopener noreferrer">here</a></p> <blockquote> <p>Note: Here I am using <code>request_handle:logCritical</code> method because default logLevel is WARN for Istio components. <code>request_handle:logInfo</code> can be used, if logLevel is set to Info.</p> </blockquote> istio logs envoy filter EKS Auth Deep Dive Shardul Srivastava Fri, 17 Sep 2021 20:58:54 +0000 https://dev.to/aws-builders/eks-auth-deep-dive-4fib https://dev.to/aws-builders/eks-auth-deep-dive-4fib <p>If you use EKS then you have found yourself in a situation where a user can't access the cluster despite having all the IAM permissions and gets an <code>Unauthorized</code> message like <a href="https://friends.fandom.com/wiki/Eddie_Menuek" rel="noopener noreferrer">Eddie</a> here.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhpykbg9lncvvkmduyp9b.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhpykbg9lncvvkmduyp9b.jpeg" alt="eddie-locked" width="700" height="525"></a></p> <p>AWS EKS uses <code>IAM credentials</code> for <code>authentication</code> and <code>Kubernetes RBAC</code> for <code>authorization</code>. As per <a href="https://docs.aws.amazon.com/eks/latest/userguide/managing-auth.html" rel="noopener noreferrer">EKS docs</a>:</p> <blockquote> <p><code>EKS uses IAM permissions for authentication of valid entities such IAM users or roles. All the permissions for interacting with the EKS cluster is managed through Kubernetes RBAC</code></p> </blockquote> <p>or simply put, EKS doesn't work the same way as other services such as S3 where if you have <code>AmazonS3FullAccess</code>, you can access any S3 bucket and create or delete files/folders. In EKS, IAM permissions are only used to check if the user has valid IAM credentials and permissions to run any command using <code>kubectl</code> such as <code>kubectl get pods</code> is managed by Kubernetes API that uses <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/" rel="noopener noreferrer">RBAC</a> to control the access.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq70jx5gnhh9s4wrj27jc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq70jx5gnhh9s4wrj27jc.png" alt="aws-eks-auth" width="500" height="308"></a></p> <p>By default, the <code>IAM Role</code> or <code>IAM User</code> that was used to create the cluster, is added to the <code>system:masters</code> group and gets cluster-wide admin permission with <code>cluster-admin</code> ClusterRole.</p> <p>As per <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles" rel="noopener noreferrer">Kubernetes documentation</a> <code>system:masters</code> group is one of the <code>default</code> ClusterRoleBindings available in the Kubernetes cluster, it's attached to the <code>cluster-admin</code> ClusterRole that gives the user admin permissions in the cluster.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Default ClusterRole</th> <th>Default ClusterRoleBinding</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>cluster-admin</td> <td>system:masters group</td> <td>Allows super-user access to perform any action on any resource.</td> </tr> </tbody> </table></div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff1hm3xhl2kugcp747tid.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff1hm3xhl2kugcp747tid.jpeg" alt="unlimited-power" width="620" height="431"></a></p> <p><strong>Note:</strong> This mapping of creator IAM User or Role to <code>system:masters</code> group is not visible in any configuration such as <code>aws-auth</code> configmap.</p> <p>EKS allows giving access to other users by adding them in a configmap <code>aws-auth</code> in <code>kube-system</code> namespace. By default, this configmap is empty. However, If you are using <code>eksctl</code> to create the cluster, this config map will have the role created by <code>eksctl</code> for the node group and this role is attached to the <code>system:bootstrappers</code> and <code>system:nodes</code> groups.</p> <p><code>aws-auth</code> configmap is based on <a href="https://github.com/kubernetes-sigs/aws-iam-authenticator" rel="noopener noreferrer">aws-iam-authenticator</a> and has several configuration options:</p> <ol> <li><strong>mapRoles</strong></li> <li><strong>mapUsers</strong></li> <li><strong>mapAccounts</strong></li> </ol> <h2> Using mapRoles to Map an IAM Role to the Cluster </h2> <p><code>mapRoles</code> allows mapping an <code>IAM role</code> in the cluster to allow any entity or user assuming that role to access the cluster. After mapping an IAM role with <code>mapRoles</code>, any user or entity assuming this role is allowed to access the cluster, However, the level of access is defined by the <code>groups</code> attribute.</p> <p><code>mapRoles</code> has three attributes:</p> <ol> <li> <strong>rolearn</strong> - IAM Role ARN to map to EKS cluster.</li> <li> <strong>username</strong> - Username for the IAM Role to map in Kubernetes, this could be a static value like <code>eks-developer</code> or <code>ci-account</code> or a templated variable like <code>{{AccountID}}/{{SessionName}}/{{EC2PrivateDNSName}}</code> or both. This value would be printed in the <code>aws-authenticator</code> Cloudwatch logs if logging is enabled. </li> <li> <strong>groups</strong> - List of Kubernetes groups that are defined in <code>ClusterRoleBinding/RoleBinding</code>. Example </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Group</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">my-group"</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> </code></pre> </div> <p>Let's create two IAM roles <code>eks-admin</code> and <code>eks-dev</code> and assume the <code>eks-admin</code> role to create a cluster with one node group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">eksctl.io/v1alpha5</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">iam-auth-cluster</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.21"</span> <span class="na">availabilityZones</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">us-east-1a</span> <span class="pi">-</span> <span class="s">us-east-1b</span> <span class="pi">-</span> <span class="s">us-east-1c</span> <span class="na">cloudWatch</span><span class="pi">:</span> <span class="na">clusterLogging</span><span class="pi">:</span> <span class="na">enableTypes</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">authenticator"</span><span class="pi">]</span> <span class="na">managedNodeGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">managed-ng-1</span> <span class="na">instanceType</span><span class="pi">:</span> <span class="s">t2.micro</span> <span class="na">minSize</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxSize</span><span class="pi">:</span> <span class="m">4</span> <span class="na">desiredCapacity</span><span class="pi">:</span> <span class="m">4</span> </code></pre> </div> <p>Once created, this cluster would have one NodeGroup and the IAM role associated with this node group would be added to the <code>aws-auth</code> configmap. </p> <p>Check the contents of <code>aws-auth</code> configMap :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get configmap aws-auth <span class="nt">-n</span> kube-system <span class="nt">-oyaml</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">mapRoles</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- groups:</span> <span class="s">- system:bootstrappers</span> <span class="s">- system:nodes</span> <span class="s">rolearn: arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eksctl-iam-auth-cluster-nodegroup-NodeInstanceRole-1RNKIEA50ZD0B</span> <span class="s">username: system:node:{{EC2PrivateDNSName}}</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-auth</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> </code></pre> </div> <p>By default, only <code>IAM Role</code> that created the cluster would have access to the cluster, any other IAM Role has to be added separately added in <code>aws-auth</code>. Let's try to assume the <code>eks-developer</code> IAM role and try to access the cluster with that role.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods error: You must be logged <span class="k">in </span>to the server <span class="o">(</span>Unauthorized<span class="o">)</span> </code></pre> </div> <p>As expected, <code>eks-developer</code> IAM role would not be allowed access. To allow <code>eks-developer</code> IAM role access to the cluster, add the mapping in the <code>aws-auth</code> configMap to map this role to <code>eks-developer</code> Kubernetes user. We can either directly edit the configMap or use <code>eksctl</code> to add this mapping:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>eksctl create iamidentitymapping <span class="se">\</span> <span class="nt">--cluster</span> iam-auth-cluster <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--arn</span> <span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-developer"</span> <span class="se">\</span> <span class="nt">--username</span> <span class="s2">"eks-developer"</span> </code></pre> </div> <p>this would create an entry under the <code>mapRoles</code> section in <code>aws-auth</code> configMap :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">mapRoles</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- groups:</span> <span class="s">- system:bootstrappers</span> <span class="s">- system:nodes</span> <span class="s">rolearn: arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eksctl-iam-auth-cluster-nodegroup-NodeInstanceRole-1RNKIEA50ZD0B</span> <span class="s">username: system:node:{{EC2PrivateDNSName}}</span> <span class="s">- rolearn: arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-developer</span> <span class="s">username: eks-developer</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-auth</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> </code></pre> </div> <p>Let's try again accessing cluster by assuming the <code>eks-developer</code> IAM role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: pods is forbidden: User <span class="s2">"eks-developer"</span> cannot list resource <span class="s2">"pods"</span> <span class="k">in </span>API group <span class="s2">""</span> at the cluster scope </code></pre> </div> <p>This time, we can access the cluster, however not allowed to list pods in the cluster due to not having enough RBAC permissions. RBAC permissions can be assigned to this IAM role in two ways :</p> <p><strong>1. RBAC permissions with Kubernetes User</strong><br> <strong>2. RBAC permissions with Kubernetes Groups</strong></p> <h3> RBAC permissions with Kubernetes User </h3> <p>We can assign RBAC permissions to an IAM role by binding mapped <code>Kubernetes User</code> in <code>aws-auth</code> i.e <code>eks-developer</code> to a <code>ClusterRole</code>/<code>Role</code>.</p> <ol> <li> <p>Create a <strong>ClusterRole</strong> <code>eks-developer-cluster-role</code> with permissions to <code>get</code>, <code>list</code> or <code>watch</code> the <code>pods</code> resources :<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">eks-developer-cluster-role</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="c1"># Pod is part of Core API Group and "" indicates the core API group</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods"</span><span class="pi">]</span> <span class="c1"># pods resource</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">]</span> <span class="c1"># Allow user to get, list of watch the pods.</span> </code></pre> </li> <li> <p>We have mapped IAM role <code>arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-developer</code> to Kubernetes user <code>eks-developer</code> in <code>aws-auth</code>, now create a <strong>ClusterRoleBinding</strong> to bind <code>developer-cluster-role</code> to the Kubernetes user <code>eks-developer</code>.<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">eks-developer-user-cluster-role-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">User</span> <span class="na">name</span><span class="pi">:</span> <span class="s">eks-developer</span> <span class="c1"># Kubernetes User mapped to the IAM role in aws-auth configmap.</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">eks-developer-cluster-role</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> </code></pre> </li> <li> <p>Access the cluster again by assuming the IAM role <code>eks-developer</code><br> </p> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-A</span> NAMESPACE NAME READY STATUS RESTARTS AGE kube-system aws-node-f584p 1/1 Running 0 79m kube-system coredns-66cb55d4f4-8hjj2 1/1 Running 0 91m kube-system coredns-66cb55d4f4-vtf6j 1/1 Running 0 91m kube-system kube-proxy-psjk5 1/1 Running 0 79m </code></pre> </li> </ol> <p>and this time it works!!!</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqeckq1k61yci21ddmpo.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqeckq1k61yci21ddmpo.jpeg" alt="baby-yess" width="400" height="400"></a></p> <p>We can also verify the access granted to the users by checking the <code>authenticator</code> logs in Cloudwatch:</p> <blockquote> <p><br> <code>time="2021-09-13T16:29:14Z" level=info msg="access granted" arn="arn:aws:iam::01755xxxxx:role/eks-developer" client="127.0.0.1:50410" groups="[]" method=POST path=/authenticate sts=sts.us-east-1.amazonaws.com uid="heptio-authenticator-aws:01755xxxxx:AROAQIFUWO66PDOXKSLMQ" username=eks-developer</code><br> </p> </blockquote> <h3> RBAC permissions with Kubernetes Groups </h3> <p>While assigning permissions directly to the Kubernetes User works just fine for most of the use-cases however this approach is not so great if you want to audit who is assuming the IAM role and accessing the cluster and would like additional information captured in the audit logs.</p> <p>One such use-case is <strong>AWS SSO</strong>, where many users are assigned to a permission set and whenever these users log in using their credentials, they assume the same <code>IAM role</code>.</p> <p>We can assign IAM permissions to an IAM role by creating a Kubernetes Group and add it to the <code>mapRoles.groups</code> field of IAM Role mapping in <code>aws-auth</code>.</p> <p>Let's take the earlier example of the <code>eks-developer</code> IAM role and create a ClusterRoleBinding with Kubernetes Group <code>developer</code> bound to <code>eks-developer-cluster-role</code> and add Kubernetes Group <code>developer</code> in the mapping of this IAM role in <code>aws-auth</code>.</p> <ol> <li> <p>First delete the earlier ClusterRoleBinding <code>eks-developer-user-cluster-role-binding</code> :<br> </p> <pre class="highlight shell"><code>kubectl delete clusterrolebindings eks-developer-user-cluster-role-binding clusterrolebinding.rbac.authorization.k8s.io <span class="s2">"eks-developer-user-cluster-role-binding"</span> deleted </code></pre> <p>As soon as we delete the <code>ClusterRolebinding</code>, <code>eks-developer</code> IAM role won't be able to list the pods, let's check the access by assuming the <code>eks-developer</code> IAM role :<br> </p> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-A</span> Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: pods is forbidden: User <span class="s2">"eks-developer"</span> cannot list resource <span class="s2">"pods"</span> <span class="k">in </span>API group <span class="s2">""</span> <span class="k">in </span>the namespace <span class="s2">"default"</span> </code></pre> </li> <li> <p>Delete <strong>IAM Mapping</strong> from <code>aws-auth</code> :<br> </p> <pre class="highlight shell"><code>eksctl delete iamidentitymapping <span class="se">\</span> <span class="nt">--cluster</span> iam-auth-cluster <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--arn</span> <span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-developer"</span> </code></pre> </li> <li> <p>Create a <strong>ClusterRoleBinding</strong> to bind Kubernetes Group <code>developer</code> to cluster role <code>eks-developer-cluster-role</code>:<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">eks-developer-group-cluster-role-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Group</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">eks-developer-cluster-role</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> </code></pre> </li> <li> <p>Add Kubernetes Group <code>developer</code> to IAM role mapping of <code>eks-developer</code> in <code>aws-auth</code> and include the session name in username using templated variable <code>{{SessionName}}</code>:<br> </p> <pre class="highlight shell"><code>eksctl create iamidentitymapping <span class="se">\</span> <span class="nt">--cluster</span> iam-auth-cluster <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--arn</span> <span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-developer"</span> <span class="se">\</span> <span class="nt">--username</span> <span class="s2">"eks-developer:{{SessionName}}"</span> <span class="se">\</span> <span class="nt">--group</span> <span class="s2">"developer"</span> </code></pre> <p>this would create an entry under <code>mapRoles</code> section in <code>aws-auth</code> configmap as:<br> </p> <pre class="highlight yaml"><code><span class="na">mapRoles</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- groups:</span> <span class="s">- developer</span> <span class="s">rolearn: arn:aws:iam::017558828988:role/eks-developer</span> <span class="s">username: eks-developer:{{SessionName}}</span> </code></pre> </li> </ol> <p>Check the Cloudwatch <code>authenticator</code> logs for the authenticated user assuming <code>eks-developer</code> IAM role and we can see that this time session name is appended to the username in logs:</p> <blockquote> <p><br> <code>time="2021-09-13T17:57:46Z" level=info msg="access granted" arn="arn:aws:iam::0175XXXXXXXX:role/eks-developer" client="127.0.0.1:48520" groups="[developer]" method=POST path=/authenticate sts=sts.us-east-1.amazonaws.com uid="heptio-authenticator-aws:0175XXXXXXXX:AROAQIFUWO66PDOXKSLMQ" username="eks-developer:eks-developer-session"</code><br> </p> </blockquote> <p>If the session name consists of <code>@</code>, it would be replaced with <code>-</code>. Let's assume the IAM role <code>eks-developer</code> with session name containing <code>@</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts assume-role <span class="se">\</span> <span class="nt">--role-arn</span> <span class="s2">"&lt;IAM_ROLE_ARN&gt;"</span> <span class="se">\</span> <span class="nt">--role-session-name</span> <span class="s2">"my-develper-session@123456789"</span> <span class="se">\</span> <span class="nt">--duration-seconds</span> 3600 </code></pre> </div> <p>Now Cloudwatch logs would have session name printed as <code>eks-developer:my-developer-session-123456789</code>.</p> <blockquote> <p><br> <code>time="2021-09-14T17:50:25Z" level=info msg="access granted" arn="arn:aws:iam::017558828988:role/eks-developer" client="127.0.0.1:57794" groups="[developer]" method=POST path=/authenticate sts=sts.us-east-1.amazonaws.com uid="heptio-authenticator-aws:017558828988:AROAQIFUWO66PDOXKSLMQ" username="eks-developer:my-develper-session-123456789"</code><br> </p> </blockquote> <p>There is one problem here, if your EKS cluster is being accessed from <strong>multiple AWS accounts</strong>, it would not be possible to track the AWS account of the user who accessed the EKS cluster just by session name.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs1k1t6y9yf2462qtwzzq.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs1k1t6y9yf2462qtwzzq.jpeg" alt="baby-what-now" width="600" height="707"></a></p> <p><code>{{AccountID}}</code> comes to the rescue, we can use this templated variable to get the <strong>AWS account ID</strong> of the user who is assuming the role, so we can set the username to :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws:<span class="o">{{</span>AccountID<span class="o">}}</span>:eks-developer:<span class="o">{{</span>SessionName<span class="o">}}</span> </code></pre> </div> <p>Please note that <code>iamidentitymapping</code> can't be overridden with <code>eksctl</code>, so you have to delete it and create it again.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> eksctl delete iamidentitymapping <span class="se">\</span> <span class="nt">--cluster</span> <span class="s2">"iam-auth-cluster"</span> <span class="se">\</span> <span class="nt">--region</span> <span class="s2">"us-east-1"</span> <span class="se">\</span> <span class="nt">--arn</span> <span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-developer"</span> eksctl create iamidentitymapping <span class="se">\</span> <span class="nt">--cluster</span> <span class="s2">"iam-auth-cluster"</span> <span class="se">\</span> <span class="nt">--region</span> <span class="s2">"us-east-1"</span> <span class="se">\</span> <span class="nt">--arn</span> <span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-developer"</span> <span class="se">\</span> <span class="nt">--username</span> <span class="s2">"aws:{{AccountID}}:eks-developer:{{SessionName}}"</span> <span class="se">\</span> <span class="nt">--group</span> <span class="s2">"developer"</span> </code></pre> </div> <p>Now we would get the <code>AWS Account ID</code> along with <code>Session Name</code> in cloudwatch logs :</p> <blockquote> <p><br> <code>time="2021-09-14T18:26:33Z" level=info msg="access granted" arn="arn:aws:iam::017558828988:role/eks-developer" client="127.0.0.1:39752" groups="[developer]" method=POST path=/authenticate sts=sts.us-east-1.amazonaws.com uid="heptio-authenticator-aws:0175XXXXXXXX:AROAQIFUWO66PDOXKSLMQ" username="aws:0175XXXXXXXX:eks-developer:my-develper-session-123456789"</code><br> </p> </blockquote> <p><strong>Note: If you want session name in raw format, you can use templated variable <code>{{SessionNameRaw}}</code> instead. However as of EKS 1.21, these two variables <code>{{AccessKeyID}}</code> and <code>{{SessionNameRaw}}</code> don't work.</strong></p> <h2> Using mapUser to Map an IAM User to the Cluster </h2> <p><code>mapUsers</code> allows mapping an <code>IAM User</code> to the cluster and add the user to one or more Kubernetes Groups. It has 3 attributes :</p> <ol> <li> <strong>userarn</strong> - ARN of IAM User to map to EKS cluster. This could be an IAM user from the same AWS account or another account.</li> <li> <strong>username</strong> - Static username to map this IAM User to, in Kubernetes. </li> <li> <strong>groups</strong> - List of Kubernetes groups that are defined in <code>ClusterRoleBinding/RoleBinding</code>.</li> </ol> <p><strong>Note: Templated variables are not supported in <code>username</code> field with mapUser.</strong></p> <p>To add an IAM user with ARN <code>arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:user/dev-user</code> in <code>aws-auth</code> configmap, we can run the below command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>eksctl create iamidentitymapping <span class="se">\</span> <span class="nt">--cluster</span> iam-auth-cluster <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--arn</span> <span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:user/dev-user"</span> <span class="se">\</span> <span class="nt">--username</span> <span class="s2">"dev-user"</span> </code></pre> </div> <p>this command would add these lines in <code>aws-auth</code> configMap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">mapUsers</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- userarn: arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:user/dev-user</span> <span class="s">username: dev-user</span> </code></pre> </div> <p>Since we didn't specify any group, <code>dev-user</code> would be able to authenticate to the cluster, however wouldn't be able to <code>list</code> or <code>get</code> any resources.</p> <p>For users mapped using <code>mapUsers</code>, RBAC permission can be given in two ways :</p> <p><strong>1. RBAC permissions with Kubernetes User</strong><br> <strong>2. RBAC permissions with Kubernetes Groups</strong></p> <h3> RBAC permissions with Kubernetes User </h3> <p>We can assign RBAC permissions to an <code>IAM user</code> by binding mapped <code>Kubernetes User</code> in <code>aws-auth</code> i.e <code>dev-user</code> to a <code>ClusterRole</code>/<code>Role</code>.</p> <ol> <li> <p>Create a <strong>ClusterRoleBinding</strong> to bind Kubernetes user <code>dev-user</code> to the <code>developer-cluster-role</code>:<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dev-user-cluster-role-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">User</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dev-user</span> <span class="c1"># Kubernetes User mapped to the IAM user in aws-auth configmap.</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">eks-developer-cluster-role</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> </code></pre> </li> <li><p>Map IAM user <code>arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:user/dev-user</code> to Kubernetes user <code>dev-user</code> in <code>aws-auth</code> configMap:<br><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> eksctl create iamidentitymapping <span class="se">\</span> <span class="nt">--cluster</span> iam-auth-cluster <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--arn</span> <span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:user/dev-user"</span> <span class="se">\</span> <span class="nt">--username</span> <span class="s2">"dev-user"</span> </code></pre> </div> <p>Once this <code>ClusterRoleBinding</code> is created and the IAM user is mapped in <code>aws-auth</code>, IAM user <code>dev-user</code> would be able to get, list, or watch pods in any namespace.</p> <h3> RBAC permissions with Kubernetes Groups </h3> <p>If we need to give the same set of permissions to multiple users, then instead of creating multiple <code>ClusterRoleBindings</code>, we can use Kubernetes Groups and attach that group to the users for whom those permissions are required.</p> <ol> <li> <p>Create a ClusterRoleBinding to bind Kubernetes Group <code>developer</code> to cluster role <code>eks-developer-cluster-role</code>:<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dev-user-group-cluster-role-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Group</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">eks-developer-cluster-role</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> </code></pre> </li> <li> <p>Map IAM user <code>arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:user/dev-user</code> to Kubernetes user <code>dev-user</code> with <code>dev</code> group in <code>aws-auth</code> configMap:<br> </p> <pre class="highlight shell"><code>eksctl create iamidentitymapping <span class="se">\</span> <span class="nt">--cluster</span> iam-auth-cluster <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--arn</span> <span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/dev-user"</span> <span class="se">\</span> <span class="nt">--username</span> <span class="s2">"dev-user"</span> <span class="se">\</span> <span class="nt">--group</span> <span class="s2">"dev"</span> </code></pre> <p>this would create an entry under <code>mapUsers</code> section in <code>aws-auth</code> configmap as:<br> </p> <pre class="highlight yaml"><code><span class="na">mapUsers</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- groups:</span> <span class="s">- dev</span> <span class="s">userarn: arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/dev-user</span> <span class="s">username: dev-user</span> </code></pre> </li> </ol> <h2> Using mapAccounts to Map IAM ARN in an AWS Account to the Cluster </h2> <p><code>mapAccounts</code> allows mapping all the <code>IAM Users</code> or <code>IAM Roles</code> of an <strong>AWS account</strong> to the cluster. It accepts the list of AWS Account IDs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mapAccounts</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- "&lt;AWS_ACCOUNT_ID_1&gt;"</span> <span class="s">- "&lt;AWS_ACCOUNT_ID_2&gt;"</span> </code></pre> </div> <p>After mapping the AWS accounts to the cluster, we can use <strong>Kubernetes User</strong> and <strong>Kubernetes Group</strong> to assign permissions to those IAM entities.</p> aws kubernetes eks authentication EKS IAM Deep Dive Shardul Srivastava Thu, 19 Aug 2021 18:56:24 +0000 https://dev.to/aws-builders/eks-iam-deep-dive-136d https://dev.to/aws-builders/eks-iam-deep-dive-136d <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvai1pgujygh2h9vxoz0g.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvai1pgujygh2h9vxoz0g.png" alt="aws-eks-iam"></a></p> <p>Amazon EKS cluster consists of <a href="https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html" rel="noopener noreferrer">Managed NodeGroups</a>, <a href="https://docs.aws.amazon.com/eks/latest/userguide/worker.html" rel="noopener noreferrer">Self Managed NodeGroups</a> and <a href="https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html" rel="noopener noreferrer">Fargate profiles</a>. NodeGroups are autoscaling groups behind the scene, while Fargate is serverless and creates one fargate node per pod.</p> <p>IAM permissions in EKS can be defined in two ways:</p> <ol> <li>IAM Role for NodeGroups</li> <li>IAM role for Service Accounts(IRSA)</li> </ol> <h2> IAM Role for NodeGroups </h2> <p>Whenever we create an EKS cluster using <code>eksctl</code> with node groups like below :</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">eksctl.io/v1alpha5</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">monitoring-cluster</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.21"</span> <span class="na">availabilityZones</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">us-east-1a</span> <span class="pi">-</span> <span class="s">us-east-1b</span> <span class="pi">-</span> <span class="s">us-east-1c</span> <span class="na">managedNodeGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">managed-ng-1</span> <span class="na">instanceType</span><span class="pi">:</span> <span class="s">t3a.medium</span> </code></pre> </div> <p><code>eksctl</code> automatically creates an IAM role with minimum IAM permissions required for the cluster to work and attaches it to the nodes part of the node group. All the pods running on these nodes inherit these permissions.</p> <p>This role has 3 IAM policies attached that give basic access to the node :</p> <ol> <li> <code>AmazonEKSWorkerNodePolicy</code> - This policy allows EKS worker nodes to connect to EKS clusters.</li> <li> <code>AmazonEC2ContainerRegistryReadOnly</code> - This policy gives read-only access to ECR.</li> <li> <code>AmazonEKS_CNI_Policy</code> - This policy is required for <a href="https://github.com/aws/amazon-vpc-cni-k8s#setup" rel="noopener noreferrer">amazon-vpc-cni</a> plugin to function properly on nodes which is deployed as part of <code>aws-node</code> daemonset in <code>kube-system</code> namespace.</li> </ol> <p>These permissions may not be enough if you are running workloads that require various other IAM permissions. <code>eksctl</code> provides several ways to define additional permissions for the Node.</p> <h3> Attach IAM Policies using ARN to the Node Group. </h3> <p><code>eksctl</code> allows you to attach IAM policies to a node group using <code>attachPolicyARNs</code>. </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">managedNodeGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">managed-ng-1</span> <span class="na">iam</span><span class="pi">:</span> <span class="na">attachPolicyARNs</span><span class="pi">:</span> <span class="c1"># Mandatory IAM Policies for NodeGroup.</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly</span> <span class="c1"># AWS Managed or Customer Managed IAM Policy ARN.</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/AmazonS3FullAccess</span> </code></pre> </div> <p>Please note that while specifying IAM policy ARNs using <code>attachPolicyARNs</code>, it's mandatory to include the above 3 IAM policies as they are required for the node to function properly.</p> <p>If you missed specifying these 3 IAM policies, you will get an error like this :</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> AWS::EKS::Nodegroup/ManagedNodeGroup: CREATE_FAILED – <span class="s2">"The provided role doesn't have the Amazon EKS Managed Policies associated with it. Please ensure the following policies [arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy, arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly] are attached "</span> </code></pre> </div> <h3> Attach IAM Role and Instance Profile to the Node Group </h3> <p>If you have an existing <code>IAM Role</code> and <code>Instance Profile</code>, then you can define that for a node group :</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">managedNodeGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">managed-ng-1</span> <span class="na">iam</span><span class="pi">:</span> <span class="na">instanceProfileARN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;Instance</span><span class="nv"> </span><span class="s">Profile</span><span class="nv"> </span><span class="s">ARN&gt;"</span> <span class="na">instanceRoleARN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;IAM</span><span class="nv"> </span><span class="s">Role</span><span class="nv"> </span><span class="s">ARN&gt;"</span> </code></pre> </div> <h3> Attach Addons IAM Policy </h3> <p><code>eksctl</code> provides out-of-box IAM policies for the cluster add-ons such as <code>cluster autoscaler</code>, <code>external DNS</code>, <code>cert-manager</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">managedNodeGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">managed-ng-1</span> <span class="na">iam</span><span class="pi">:</span> <span class="na">withAddonPolicies</span><span class="pi">:</span> <span class="na">imageBuilder</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">autoScaler</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">externalDNS</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">certManager</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">appMesh</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ebs</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">fsx</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">efs</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">albIngress</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">xRay</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">cloudWatch</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <ol> <li><p><code>imageBuilder</code> - Full ECR access with <code>AmazonEC2ContainerRegistryPowerUser</code>.</p></li> <li><p><code>autoScaler</code> - IAM policy for <a href="https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider/aws#iam-policy" rel="noopener noreferrer">Cluster Autoscaler</a>.</p></li> <li><p><code>externalDNS</code> - IAM policy for <a href="https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy" rel="noopener noreferrer">External DNS</a>.</p></li> <li><p><code>certManager</code> - IAM Policy for <a href="https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role" rel="noopener noreferrer">Cert Manager</a>.</p></li> <li><p><code>appMesh</code> - IAM policy for <a href="https://github.com/aws/aws-app-mesh-controller-for-k8s/blob/master/config/iam/controller-iam-policy.json" rel="noopener noreferrer">AWS App Mesh</a>.</p></li> <li><p><code>ebs</code> - IAM Policy for <a href="https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json" rel="noopener noreferrer">AWS EBS CSI Driver</a>.</p></li> <li><p><code>fsx</code> - IAM Policy for <a href="https://github.com/kubernetes-sigs/aws-fsx-csi-driver/tree/master/docs#installation" rel="noopener noreferrer">AWS FSX Lustre</a>.</p></li> <li><p><code>efs</code> - IAM Policy for <a href="https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json" rel="noopener noreferrer">AWS EFS CSI Driver</a>.</p></li> <li><p><code>albIngress</code> - IAM Policy for <a href="https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json" rel="noopener noreferrer">ALB Ingress Controller</a>.</p></li> <li><p><code>xRay</code> - IAM Policy <code>AWSXRayDaemonWriteAccess</code> for <a href="https://github.com/aws/aws-xray-daemon" rel="noopener noreferrer">AWS X-ray Daemon</a> </p></li> <li><p><code>cloudWatch</code> - IAM Policy <code>CloudWatchAgentServerPolicy</code> for <a href="https://github.com/aws/amazon-cloudwatch-agent" rel="noopener noreferrer">AWS Cloudwatch Agent</a>.</p></li> </ol> <p>While all the above options allow you to define IAM permissions for the node group, there is a problem with defining IAM permissions at the node level.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fot1yz308b4adguc5wcme.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fot1yz308b4adguc5wcme.jpeg" alt="problem"></a></p> <p>All the pods running on nodes part of the node group will have these permissions thus not adhering to the <strong>principle of least privilege</strong>. For example, if we attach <code>EC2 Admin</code> and <code>Cloudformation</code> permissions to the node group to run <code>CI server</code>, any other pods running on this node group will effectively inherit these permissions.</p> <p>One way to overcome this problem is to create a separate node group for the CI server. ( Use <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/#concepts" rel="noopener noreferrer">taints</a> and <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity" rel="noopener noreferrer">affinity</a> to ensure only CI pods are deployed on this node group)</p> <p>However AWS access is not just required for CI servers, many applications use AWS services such as <code>S3</code>, <code>SQS</code>, and <code>KMS</code> and would require fine-grained IAM permissions. Creating one node group for every such application would not be an ideal solution and can lead to <strong>maintenance issues</strong>, <strong>higher cost</strong>, and <strong>low resource consumption</strong>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb1bzi3gm71dyrfkdfvji.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb1bzi3gm71dyrfkdfvji.jpeg" alt="solution"></a></p> <h2> IAM Roles for Service Accounts </h2> <p>Amazon EKS supports <code>IAM Roles for Service Accounts (IRSA)</code> that allows us to map AWS IAM Roles to Kubernetes Service Accounts. With IRSA, instead of defining IAM permissions on the node, we can attach an <strong>IAM role</strong> to a <strong>Kubernetes Service Account</strong> and attach the service account to the <strong>pod/deployment</strong>.</p> <p>IAM role is added to the Kubernetes service account by adding annotation <code>eks.amazonaws.com/role-arn</code> with value as the <code>IAM Role ARN</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-serviceaccount</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;IAM</span><span class="nv"> </span><span class="s">Role</span><span class="nv"> </span><span class="s">ARN&gt;"</span> </code></pre> </div> <p>EKS create a Mutating Admission Webhook <a href="https://github.com/aws/amazon-eks-pod-identity-webhook/" rel="noopener noreferrer">pod-identity-webhook</a> and uses it to intercept the pod creation request and update the pod spec to include IAM credentials.</p> <p>Check the <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook" rel="noopener noreferrer">Mutating Admission Webhooks</a> in the cluster:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io NAME WEBHOOKS AGE 0500-amazon-eks-fargate-mutation.amazonaws.com 2 21m pod-identity-webhook 1 28m vpc-resource-mutating-webhook 1 28m </code></pre> </div> <p><code>pod-identity-webhook</code> supports several configuration options:</p> <ol> <li> <code>eks.amazonaws.com/role-arn</code> - IAM Role ARN to attach to the service account.</li> <li> <code>eks.amazonaws.com/audience</code> - Intended autience of the <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection" rel="noopener noreferrer">token</a>, defaults to "sts.amazonaws.com" if not set.</li> <li> <code>eks.amazonaws.com/sts-regional-endpoints</code> - AWS STS is a global service, however, we can use regional STS endpoints to reduce latency. Set <code>true</code> to use regional STS endpoints.</li> <li> <code>eks.amazonaws.com/token-expiration</code> - AWS STS Token expiration duration, default is <code>86400 seconds</code> or <code>24 hours</code>. We can override this value by defining it at the <code>pod level</code>.</li> <li> <code>eks.amazonaws.com/skip-containers</code> - A comma-separated list of containers to skip adding volume and environment variables. <code>This annotation is only supported at the pod level.</code> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-serviceaccount</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;IAM</span><span class="nv"> </span><span class="s">Role</span><span class="nv"> </span><span class="s">ARN&gt;"</span> <span class="na">eks.amazonaws.com/audience</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sts.amazonaws.com"</span> <span class="na">eks.amazonaws.com/sts-regional-endpoints</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">eks.amazonaws.com/token-expiration</span><span class="pi">:</span> <span class="s2">"</span><span class="s">86400"</span> </code></pre> </div> <h3> How IRSA Works </h3> <p>When you define the IAM role for a service account using <code>eks.amazonaws.com/role-arn</code> annotation and add this service account to the pod, <code>pod-identity-webhook</code> mutates the pod spec to add <code>environment variables</code> and <a href="https://kubernetes.io/docs/concepts/storage/volumes/#projected" rel="noopener noreferrer">projected mount volumes</a>.</p> <p>These are the environment variables added by <code>pod-identity-webhook</code> in the pod spec:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_DEFAULT_REGION</span> <span class="na">value</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_REGION</span> <span class="na">value</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_ROLE_ARN</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;IAM</span><span class="nv"> </span><span class="s">ROLE</span><span class="nv"> </span><span class="s">ARN&gt;"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_WEB_IDENTITY_TOKEN_FILE</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/var/run/secrets/eks.amazonaws.com/serviceaccount/token"</span> </code></pre> </div> <ol> <li><p><code>AWS_DEFAULT_REGION</code> and <code>AWS_REGION</code> - Cluster Region </p></li> <li><p><code>AWS_ROLE_ARN</code> - IAM Role ARN.</p></li> <li><p><code>AWS_WEB_IDENTITY_TOKEN_FILE</code> - Path to the tokens file</p></li> </ol> <p><code>pod-identity-webhook</code> also adds a projected volume for service account token:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/var/run/secrets/eks.amazonaws.com/serviceaccount"</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-iam-token</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-iam-token</span> <span class="na">projected</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">serviceAccountToken</span><span class="pi">:</span> <span class="na">audience</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sts.amazonaws.com"</span> <span class="na">expirationSeconds</span><span class="pi">:</span> <span class="m">86400</span> <span class="na">path</span><span class="pi">:</span> <span class="s">token</span> </code></pre> </div> <p>a projected volume is created with the name <code>aws-iam-token</code> and mounted to the container at <code>/var/run/secrets/eks.amazonaws.com/serviceaccount</code>.</p> <p><strong>Let's test it out.</strong></p> <ul> <li>Create an EKS cluster with a Managed NodeGroup and an IAM service account <code>s3-reader</code> in the default namespace with <code>AmazonS3ReadOnlyAccess</code> IAM permissions :</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">eksctl.io/v1alpha5</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">iam-cluster</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.21"</span> <span class="na">availabilityZones</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">us-east-1a</span> <span class="pi">-</span> <span class="s">us-east-1b</span> <span class="pi">-</span> <span class="s">us-east-1c</span> <span class="na">iam</span><span class="pi">:</span> <span class="na">withOIDC</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">serviceAccounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">s3-reader</span> <span class="na">attachPolicyARNs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"</span> <span class="na">managedNodeGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">managed-ng-1</span> <span class="na">instanceType</span><span class="pi">:</span> <span class="s">t3a.medium</span> <span class="na">minSize</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxSize</span><span class="pi">:</span> <span class="m">4</span> <span class="na">desiredCapacity</span><span class="pi">:</span> <span class="m">4</span> </code></pre> </div> <p><strong>Note:</strong> We can also attach IAM Role directly using <code>attachRoleARN</code>. However, the role should have below <code>trust policy</code> to allow the pods to use this role :</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:oidc-provider/oidc.&lt;REGION&gt;.eks.amazonaws.com/&lt;CLUSTER_ID&gt;"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"oidc.&lt;REGION&gt;.eks.amazonaws.com/&lt;CLUSTER_ID&gt;:sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"system:serviceaccount:default:my-serviceaccount"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"StringLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"oidc.&lt;REGION&gt;.eks.amazonaws.com/CLUSTER_ID:sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"system:serviceaccount:default:*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li>Check the role created by <code>eksctl</code> for service account <code>s3-reader</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> eksctl get iamserviceaccount s3-reader <span class="nt">--cluster</span><span class="o">=</span>iam-cluster <span class="nt">--region</span><span class="o">=</span>us-east-1 2021-08-25 02:51:14 <span class="o">[</span>ℹ] eksctl version 0.61.0 2021-08-25 02:51:14 <span class="o">[</span>ℹ] using region us-east-1 NAMESPACE NAME ROLE ARN default s3-reader &lt;IAM ROLE ARN&gt; </code></pre> </div> <ul> <li>Check the service account to verify <code>eks.amazonaws.com/role-arn</code> annotation:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get sa s3-reader <span class="nt">-oyaml</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s">&lt;IAM ROLE ARN&gt;</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">eksctl</span> <span class="na">name</span><span class="pi">:</span> <span class="s">s3-reader</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">secrets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">s3-reader-token-5hnn7</span> </code></pre> </div> <p>we can see that <code>eksctl</code> has created the IAM role, service account and automatically added the annotation to the service account.</p> <ul> <li>Since <code>eksctl</code> doesn't support all the annotations, let's add them manually:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl annotate <span class="se">\</span> sa s3-reader <span class="se">\</span> <span class="s2">"eks.amazonaws.com/audience=test"</span> <span class="se">\</span> <span class="s2">"eks.amazonaws.com/token-expiration=43200"</span> </code></pre> </div> <p><strong>Note:</strong> As of <code>EKS v1.21</code>, <code>eks.amazonaws.com/sts-regional-endpoints</code> annotation doesn't work due to this issue.</p> <div class="ltag_github-liquid-tag"> <h1> <a href="https://github.com/aws/amazon-eks-pod-identity-webhook/issues/110" rel="noopener noreferrer"> <img class="github-logo" alt="GitHub logo" src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg"> <span class="issue-title"> eks.amazonaws.com/sts-regional-endpoints has no effect </span> <span class="issue-number">#110</span> </a> </h1> <div class="github-thread"> <div class="timeline-comment-header"> <a href="https://github.com/arunvelsriram" rel="noopener noreferrer"> <img class="github-liquid-tag-img" src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Favatars.githubusercontent.com%2Fu%2F6568319%3Fv%3D4" alt="arunvelsriram avatar"> </a> <div class="timeline-comment-header-text"> <strong> <a href="https://github.com/arunvelsriram" rel="noopener noreferrer">arunvelsriram</a> </strong> posted on <a href="https://github.com/aws/amazon-eks-pod-identity-webhook/issues/110" rel="noopener noreferrer"><time>Mar 19, 2021</time></a> </div> </div> <div class="ltag-github-body"> <p><strong>What happened</strong>:</p> <p><code>eks.amazonaws.com/sts-regional-endpoints: "true"</code> annotation is not injecting <code>AWS_STS_REGIONAL_ENDPOINTS=regional</code> to the Pods.</p> <p><strong>What you expected to happen</strong>:</p> <p><code>AWS_STS_REGIONAL_ENDPOINTS=regional</code> is injected in to the Pods.</p> <p><strong>How to reproduce it (as minimally and precisely as possible)</strong>:</p> <ol> <li>Create a serviceaccount as mentioned in the README with annotation <code>eks.amazonaws.com/sts-regional-endpoints: "true"</code> </li> <li>Create a Pod, using that serviceaccount</li> </ol> <p><strong>Anything else we need to know?</strong>:</p> <p>I noticed that in the README there are two versions of the annotation:</p> <ul> <li> <code>eks.amazonaws.com/sts-regional-endpoints: "true"</code> - <a href="https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/README.md#eks-walkthrough" rel="noopener noreferrer">https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/README.md#eks-walkthrough</a> </li> <li> <code>eks.amazonaws.com/sts-regional-endpoint: "true"</code> - <a href="https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/README.md#aws_sts_regional_endpoints-injection" rel="noopener noreferrer">https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/README.md#aws_sts_regional_endpoints-injection</a> </li> </ul> <p>Which one is correct?</p> <p><strong>Environment</strong>:</p> <ul> <li>AWS Region: ap-south-1</li> <li>EKS Platform version (if using EKS, run <code>aws eks describe-cluster --name &lt;name&gt; --query cluster.platformVersion</code>): eks.1</li> <li>Kubernetes version (if using EKS, run <code>aws eks describe-cluster --name &lt;name&gt; --query cluster.version</code>): 1.19</li> <li>Webhook Version: Am using AWS EKS, so not sure how to find the version</li> </ul> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/aws/amazon-eks-pod-identity-webhook/issues/110" rel="noopener noreferrer">View on GitHub</a></div> </div> </div> <p>By default <code>eks.amazonaws.com/audience</code> is set to <code>sts.amazonaws.com</code> but we can set it to any value. To allow a different value for <code>audience</code>, we have to add this value in the <code>Audiences</code> section of the <code>OIDC Provider</code> and update the <code>trust policy</code> of the IAM Role to allow this audience.</p> <ul> <li> Go to <a href="https://console.aws.amazon.com/iamv2/home" rel="noopener noreferrer">IAM Console</a>, click on <code>Identity Providers</code> and add the audience to the <code>OIDC Identity provider</code>:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1dwuj8anj8r01yrc8495.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1dwuj8anj8r01yrc8495.png" alt="oidc-audience"></a></p> <ul> <li>Modify the trust policy of the IAM Role used with the service account to add this <code>audience</code> :</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:oidc-provider/oidc.eks.&lt;REGION&gt;.amazonaws.com/id/&lt;CLUSTER_ID&gt;"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"oidc.eks.&lt;REGION&gt;.amazonaws.com/id/&lt;CLUSTER_ID&gt;:sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"system:serviceaccount:default:s3-reader"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"oidc.eks.us-east-1.amazonaws.com/id/&lt;CLUSTER_ID&gt;:aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li>Create a pod to test the IAM permissions:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">iam-test</span> <span class="na">annotations</span><span class="pi">:</span> <span class="c1"># Skip injecting credentials to the sidecar container.</span> <span class="na">eks.amazonaws.com/skip-containers</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sidecar-busybox-container"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">s3-reader</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">iam-test</span> <span class="na">image</span><span class="pi">:</span> <span class="s">amazon/aws-cli</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">sts"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">get-caller-identity"</span> <span class="pi">]</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sidecar-busybox-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">radial/busyboxplus:curl</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl apply <span class="nt">-f</span> iam-test.yaml </code></pre> </div> <ul> <li>Once the pod is ready, check the environment variables in the pod:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get pods iam-test <span class="nt">-ojson</span>|jq <span class="nt">-r</span> <span class="s1">'.spec.containers[0].env'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS_DEFAULT_REGION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS_REGION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS_ROLE_ARN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;IAM ROLE ARN&gt;"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS_WEB_IDENTITY_TOKEN_FILE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <ul> <li>Check the <code>aws-iam-token volume</code> in the pod:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get pods iam-test <span class="nt">-ojson</span>|jq <span class="nt">-r</span> <span class="s1">'.spec.volumes[]| select(.name=="aws-iam-token")'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws-iam-token"</span><span class="p">,</span><span class="w"> </span><span class="nl">"projected"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"defaultMode"</span><span class="p">:</span><span class="w"> </span><span class="mi">420</span><span class="p">,</span><span class="w"> </span><span class="nl">"sources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"serviceAccountToken"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"audience"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expirationSeconds"</span><span class="p">:</span><span class="w"> </span><span class="mi">43200</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"token"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>we can see that <code>expirationSeconds</code> is <code>43200</code> as specified in the annotation <code>eks.amazonaws.com/token-expiration</code>.</p> <ul> <li>Check the <code>volumeMounts</code> in the pod:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get pods iam-test <span class="nt">-ojson</span>|jq <span class="nt">-r</span> <span class="s1">'.spec.containers[0].volumeMounts'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mountPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/run/secrets/kubernetes.io/serviceaccount"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kube-api-access-xjjqv"</span><span class="p">,</span><span class="w"> </span><span class="nl">"readOnly"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mountPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/run/secrets/eks.amazonaws.com/serviceaccount"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws-iam-token"</span><span class="p">,</span><span class="w"> </span><span class="nl">"readOnly"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <ul> <li>Check the logs of the pod <code>iam-test</code> to see the role assumed by the pod:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl logs iam-test <span class="nt">-c</span> iam-test </code></pre> </div> kubernetes aws iam eks Running Apache Spark on EKS Fargate Shardul Srivastava Sat, 14 Aug 2021 20:18:18 +0000 https://dev.to/aws-builders/running-apache-spark-on-eks-fargate-1l55 https://dev.to/aws-builders/running-apache-spark-on-eks-fargate-1l55 <p>Apache Spark is one of the most famous Big Data frameworks that allows you to process data at any scale. </p> <p>Spark jobs can run on the Kubernetes cluster and have native support for the Kubernetes scheduler in GA from <a href="https://spark.apache.org/releases/spark-release-3-1-1.html">release 3.1.1</a> onwards.</p> <p>Spark comes with a <code>spark-submit</code> script that allows submitting spark applications on a cluster using a single interface without the need to customize the script for different cluster managers.</p> <p><code>spark-submit</code> on Kubernetes cluster works as follows:</p> <ol> <li>Spark creates a Spark driver running within a Kubernetes pod.</li> <li>The driver creates executors which are also running within Kubernetes pods and connects to them and executes application code.</li> <li>When the application completes, the executor pods terminate and are cleaned up, but the driver pod persists logs and remains in “completed” state in the Kubernetes API until it’s eventually garbage collected or manually cleaned up.</li> </ol> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmxarfncezl1094ravi9h.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmxarfncezl1094ravi9h.png" alt="spark-eks" width="761" height="516"></a></p> <p>To submit a spark job on a kubernetes cluster using <code>spark-submit</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./bin/spark-submit <span class="se">\</span> <span class="nt">--master</span> k8s://https://&lt;k8s-apiserver-host&gt;:&lt;k8s-apiserver-port&gt; <span class="se">\</span> <span class="nt">--deploy-mode</span> cluster <span class="se">\</span> <span class="nt">--name</span> spark-pi <span class="se">\</span> <span class="nt">--class</span> org.apache.spark.examples.SparkPi <span class="se">\</span> <span class="nt">--conf</span> spark.executor.instances<span class="o">=</span>5 <span class="se">\</span> <span class="nt">--conf</span> spark.kubernetes.container.image<span class="o">=</span>&lt;spark-image&gt; <span class="se">\</span> <span class="nb">local</span>:///path/to/examples.jar </code></pre> </div> <p>While <code>spark-submit</code> provides support for several Kubernetes features such as <code>secrets</code>, <code>persistentVolumes</code>, <code>rbac</code> via <a href="https://spark.apache.org/docs/latest/running-on-kubernetes.html#configuration">configuration parameters</a>, it still lacks a lot of features thus it's not suitable to use in production effectively.</p> <h2> Spark on K8s Operator </h2> <p><a href="https://github.com/GoogleCloudPlatform/spark-on-k8s-operator">Spark on K8s Operator</a> is a project from Google that allows submitting spark applications on Kubernetes cluster using CustomResource Definition <a href="https://github.com/GoogleCloudPlatform/spark-on-k8s-operator/blob/master/docs/api-docs.md#sparkoperator.k8s.io/v1beta2.SparkApplication">SparkApplication</a>.<br> It uses mutating admission webhook to modify the pod spec and add the features not officially supported by <code>spark-submit</code>.</p> <p>The Kubernetes Operator for Apache Spark consists of:</p> <ol> <li>A <code>SparkApplication</code> controller that watches events of creation, updates, and deletion of <code>SparkApplication</code> objects and acts on the watch events, a submission runner that runs <code>spark-submit</code> for submissions received from the controller,</li> <li>A Spark pod monitor that watches for Spark pods and sends pod status updates to the controller,</li> <li>A <a href="https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/">Mutating Admission Webhook</a> that handles customizations for Spark driver and executor pods based on the annotations on the pods added by the controller,</li> <li>A command-line tool named <code>sparkctl</code> for working with the operator.</li> </ol> <p>The following diagram shows how different components interact and work together.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fizwol4kmf92ybjpx0p4g.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fizwol4kmf92ybjpx0p4g.png" alt="spark-operator" width="800" height="450"></a></p> <h2> Setup Spark on K8s Operator on EKS Fargate </h2> <ul> <li>Setup EKS cluster using <code>eksctl</code> with fargate profile for <code>default</code>, <code>kube-system</code>, and <code>spark</code> namespaces. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> eksctl apply <span class="nt">-f</span> - <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: name: spark-cluster region: us-east-1 version: "1.21" availabilityZones: - us-east-1a - us-east-1b - us-east-1c fargateProfiles: - name: fp-all selectors: - namespace: kube-system - namespace: default - namespace: spark </span><span class="no"> EOF </span></code></pre> </div> <ul> <li>Install <code>Spark on K8s Operator</code> using helm3 in the <code>spark</code> namespace. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> helm repo add spark-operator https://googlecloudplatform.github.io/spark-on-k8s-operator helm upgrade <span class="se">\</span> <span class="nt">--install</span> <span class="se">\</span> spark-operator <span class="se">\</span> spark-operator/spark-operator <span class="se">\</span> <span class="nt">--namespace</span> spark <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--set</span> webhook.enable<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> <span class="nv">sparkJobNamespace</span><span class="o">=</span>spark <span class="se">\</span> <span class="nt">--set</span> serviceAccounts.spark.name<span class="o">=</span>spark <span class="se">\</span> <span class="nt">--set</span> <span class="nv">logLevel</span><span class="o">=</span>10 <span class="se">\</span> <span class="nt">--version</span> 1.1.6 <span class="se">\</span> <span class="nt">--wait</span> </code></pre> </div> <ul> <li>Verify Operator installation </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get pods <span class="nt">-n</span> spark </code></pre> </div> <h2> Submit SparkPi on EKS Cluster </h2> <ul> <li>Submit the <code>SparkPi</code> application to the EKS cluster </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl apply <span class="nt">-f</span> - <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> apiVersion: "sparkoperator.k8s.io/v1beta2" kind: SparkApplication metadata: name: spark-pi namespace: spark spec: type: Scala mode: cluster image: "gcr.io/spark-operator/spark:v3.1.1" imagePullPolicy: Always mainClass: org.apache.spark.examples.SparkPi mainApplicationFile: "local:///opt/spark/examples/jars/spark-examples_2.12-3.1.1.jar" sparkVersion: "3.1.1" restartPolicy: type: Never driver: cores: 1 coreLimit: "1200m" memory: "512m" labels: version: 3.1.1 serviceAccount: spark executor: cores: 1 instances: 1 memory: "512m" labels: version: 3.1.1 </span><span class="no"> EOF </span></code></pre> </div> <p>Note: <a href="https://kubernetes.io/docs/concepts/storage/volumes/#hostpath">hostPath</a> volume mounts are not supported in Fargate.</p> <ul> <li>Check the status of <code>SparkApplication</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl <span class="nt">-n</span> spark describe sparkapplications.sparkoperator.k8s.io spark-pi </code></pre> </div> <ul> <li>Access Spark UI by port-forwarding to the <code>spark-pi-ui-svc</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl <span class="nt">-n</span> spark port-forward svc/spark-pi-ui-svc 4040:4040 </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsoqlp8l157tkci21kry9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsoqlp8l157tkci21kry9.png" alt="spark-pi" width="800" height="391"></a></p> <h2> Managing SparkApplication with sparkctl </h2> <p><code>sparkctl</code> is CLI tool for creating, listing, checking status of, getting logs of, and deleting <code>SparkApplications</code> running on the Kubernetes cluster.</p> <ul> <li>Build <code>sparkctl</code> from source: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git clone git@github.com:GoogleCloudPlatform/spark-on-k8s-operator.git <span class="nb">cd </span>spark-on-k8s-operator/sparkctl go build <span class="nt">-o</span> /usr/local/bin/sparkctl </code></pre> </div> <ul> <li>List SparkApplication objects in <code>spark</code> namespace: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> sparkctl list <span class="nt">-n</span> spark +----------+-----------+----------------+-----------------+ | NAME | STATE | SUBMISSION AGE | TERMINATION AGE | +----------+-----------+----------------+-----------------+ | spark-pi | COMPLETED | 1h | 1h | +----------+-----------+----------------+-----------------+ </code></pre> </div> <ul> <li>Check the status of SparkApplication <code>spark-pi</code> : </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> sparkctl status spark-pi <span class="nt">-n</span> spark application state: +-----------+----------------+----------------+-----------------+--------------------+--------------------+-------------------+ | STATE | SUBMISSION AGE | COMPLETION AGE | DRIVER POD | DRIVER UI | SUBMISSIONATTEMPTS | EXECUTIONATTEMPTS | +-----------+----------------+----------------+-----------------+--------------------+--------------------+-------------------+ | COMPLETED | 1h | 1h | spark-pi-driver | 10.100.97.206:4040 | 1 | 1 | +-----------+----------------+----------------+-----------------+--------------------+--------------------+-------------------+ executor state: +----------------------------------+-----------+ | EXECUTOR POD | STATE | +----------------------------------+-----------+ | spark-pi-418ac87b48d177c9-exec-1 | COMPLETED | +----------------------------------+-----------+ </code></pre> </div> <ul> <li>Check SparkApplication <code>spark-pi</code> logs: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> sparkctl log spark-pi <span class="nt">-n</span> spark </code></pre> </div> <ul> <li>Port-forward to Spark UI: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> sparkctl forward spark-pi <span class="nt">-n</span> spark </code></pre> </div> <p>you can access the Spark UI at <a href="http://localhost:4040">http://localhost:4040</a></p> kubernetes spark eks datascience Canary Deployment with Istio on EKS Shardul Srivastava Sat, 14 Aug 2021 12:27:03 +0000 https://dev.to/aws-builders/canary-deployment-with-istio-on-eks-2m98 https://dev.to/aws-builders/canary-deployment-with-istio-on-eks-2m98 <p>Canary deployment is a way of deploying the application in a phased manner. In this pattern, we deploy a new version of the application alongside the production version, then rollout the change to a small subset of servers. <br> Once new version of the application is tested by the real users, then rollout the change out to the rest of the servers.</p> <p>Canary deployments can be complex and involve testing in production and manual verification.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqlo7w0fwc5iwyza1e36d.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqlo7w0fwc5iwyza1e36d.png" alt="canary-release" width="593" height="210"></a></p> <p>To demonstrate Canary deployments, we will setup an EKS cluster, install Istio, deploy sample application and setup canary release of new version of application.</p> <p>you can follow the steps below or use the script <a href="https://github.com/shardulsrivastava/eks-istio-canary/blob/main/auto/setup-cluster">here</a>.</p> <h2> Setup EKS Cluster </h2> <p>Setup an EKS cluster of version <code>1.21</code> in <code>us-east-1</code> region with a managed node group <code>default-pool</code> of machine type <code>t3a-medium</code>. </p> <ul> <li>Download and install the latest version of <code>eksctl</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--silent</span> <span class="nt">--location</span> <span class="s2">"https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_</span><span class="si">$(</span><span class="nb">uname</span> <span class="nt">-s</span><span class="si">)</span><span class="s2">_amd64.tar.gz"</span> | <span class="nb">tar </span>xz <span class="nt">-C</span> /tmp <span class="nb">sudo mv</span> /tmp/eksctl /usr/local/bin </code></pre> </div> <p>for Mac and other operating systems, follow the steps <a href="https://eksctl.io/introduction/#installation">here</a>.</p> <ul> <li>Create EKS cluster </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> eksctl create cluster <span class="nt">--name</span> canary-cluster <span class="se">\</span> <span class="nt">--version</span> 1.21 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--nodegroup-name</span> default-pool <span class="se">\</span> <span class="nt">--node-type</span> t3a.medium <span class="se">\</span> <span class="nt">--nodes</span> 3 <span class="se">\</span> <span class="nt">--nodes-min</span> 0 <span class="se">\</span> <span class="nt">--nodes-max</span> 4 <span class="se">\</span> <span class="nt">--managed</span> </code></pre> </div> <p>Once the Control plane is ready, you should see the output like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> 2021-08-13 23:59:52 <span class="o">[</span>ℹ] waiting <span class="k">for </span>the control plane availability... 2021-08-13 23:59:52 <span class="o">[</span>✔] saved kubeconfig as <span class="s2">"/Users/shardulsrivastava/.kube/config"</span> 2021-08-13 23:59:52 <span class="o">[</span>ℹ] no tasks 2021-08-13 23:59:52 <span class="o">[</span>✔] all EKS cluster resources <span class="k">for</span> <span class="s2">"canary-cluster"</span> have been created 2021-08-14 00:01:57 <span class="o">[</span>ℹ] kubectl <span class="nb">command </span>should work with <span class="s2">"/Users/shardulsrivastava/.kube/config"</span>, try <span class="s1">'kubectl get nodes'</span> 2021-08-14 00:01:57 <span class="o">[</span>✔] EKS cluster <span class="s2">"canary-cluster"</span> <span class="k">in</span> <span class="s2">"us-east-1"</span> region is ready </code></pre> </div> <p>Note: You would need a minimum of <a href="https://eksctl.io/usage/minimum-iam-policies/">these permissions</a> to run the eksctl commands above.</p> <ul> <li>Download and install <code>kubectl</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">-LO</span> <span class="s2">"https://dl.k8s.io/release/</span><span class="si">$(</span>curl <span class="nt">-L</span> <span class="nt">-s</span> https://dl.k8s.io/release/stable.txt<span class="si">)</span><span class="s2">/bin/linux/amd64/kubectl"</span> <span class="nb">sudo install</span> <span class="nt">-o</span> root <span class="nt">-g</span> root <span class="nt">-m</span> 0755 kubectl /usr/local/bin/kubectl </code></pre> </div> <ul> <li>Check the pods running in cluster: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get pods <span class="nt">-A</span> </code></pre> </div> <p>At this point, your cluster would have only the <code>core-dns</code>, <code>kube-proxy</code>, and <code>amazon-vpc-cni</code> plugins.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4pb71izuokju0bvtyt5p.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4pb71izuokju0bvtyt5p.png" alt="eks-cluster" width="800" height="174"></a></p> <h2> Setup Istio </h2> <p>Istio provides a convenient binary <code>istioctl</code> to set up and interact with Istio components.</p> <ul> <li>Install <code>istioctl</code> and if you're running these commands from an ec2 instance, add the installation directory to system path: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">-L</span> https://istio.io/downloadIstio | sh - <span class="nb">export </span><span class="nv">PATH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$PATH</span><span class="s2">:/home/ec2-user/istio-1.11.0/bin"</span> </code></pre> </div> <ul> <li>Istio has multiple configuration <a href="https://istio.io/latest/docs/setup/additional-setup/config-profiles/">profiles</a>, these profiles provide customization of the Istio control plane and of the sidecars for the Istio data plane. <code>default</code> profile is recommended for production deployments. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> istioctl <span class="nb">install</span> <span class="nt">--set</span> <span class="nv">profile</span><span class="o">=</span>default <span class="nt">-y</span> </code></pre> </div> <p>alternatively, you can also take the dump of the manifests and apply using kubectl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> istioctl manifest generate <span class="nt">--set</span> <span class="nv">profile</span><span class="o">=</span>default <span class="o">&gt;</span> generated-manifest.yaml kubectl apply <span class="nt">-f</span> generated-manifest.yaml </code></pre> </div> <p>Once installed, you should see the output like this for a successful installation.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4wc5pk2vn1ura373qt5r.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4wc5pk2vn1ura373qt5r.png" alt="istioctl-output" width="800" height="133"></a></p> <p>Note: If you get the below error, you should check the instance type you are using as there is a limit to the number of pods that can be scheduled on the node based on the node's instance type. See <a href="https://github.com/awslabs/amazon-eks-ami/blob/master/files/eni-max-pods.txt">here</a> for the list of instance types and the max pods.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8xqhm7lhc7fsb8bzrkr7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8xqhm7lhc7fsb8bzrkr7.png" alt="istioctl-error" width="800" height="95"></a></p> <ul> <li>Istio injects a <a href="https://github.com/envoyproxy/envoy">envoy proxy</a> side-car container to the pods to intercept traffic from pods, this behavior is enabled using label <code>istio-injection=enabled</code> on the namespace level and <code>sidecar.istio.io/inject=true</code> on the pod level.</li> </ul> <p>Add this label to the <code>default</code> namespace to instruct Istio to automatically inject Envoy sidecar proxies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl label namespace default istio-injection<span class="o">=</span>enabled </code></pre> </div> <p>Read more about Istio side-car injection <a href="https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/">here</a>.</p> <ul> <li>Install <code>Kiali</code>, <code>Prometheus</code> and <code>Grafana</code> to monitor and visualize mesh </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/istio/istio/1.10.3/samples/addons/prometheus.yaml kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/istio/istio/1.10.3/samples/addons/grafana.yaml kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/istio/istio/1.10.3/samples/addons/kiali.yaml </code></pre> </div> <p>Note: If you get an error like this <code>unable to recognize "https://raw.githubusercontent.com/istio/istio/1.10.3/samples/addons/kiali.yaml": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"</code>, then re-run the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/istio/istio/1.10.3/samples/addons/kiali.yaml </code></pre> </div> <h2> Setup Sample Application </h2> <p>To demonstrate how canary deployment works, let's set up version <code>v1</code> of an Nginx-based sample application and set up a service to expose it at port <code>80</code>.</p> <ul> <li>Deploy <code>v1</code> vesion of sample application : </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-v1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">quay.io/shardul/nginx:v1</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-v1</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <ul> <li>Expose the application as a service: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> </code></pre> </div> <ul> <li>Setup a test pod to test the connectivity to the nginx service : </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl run <span class="nt">-it</span> test-connection <span class="nt">--image</span><span class="o">=</span>radial/busyboxplus:curl <span class="nt">--</span> sh <span class="o">[</span> root@test-connection:/ <span class="o">]</span><span class="nv">$ </span><span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>curl nginx <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="p">;</span> <span class="k">done </span>You<span class="s1">'re at the root of nginx server v1 You'</span>re at the root of nginx server v1 You<span class="s1">'re at the root of nginx server v1 You'</span>re at the root of nginx server v1 </code></pre> </div> <h2> Canary Deployment with Istio </h2> <p>With Istio, traffic routing and replica deployment are totally independent of each other. Istio <a href="https://istio.io/latest/docs/concepts/traffic-management/#routing-rules">routing rules</a> provide fine-grained control over how to route traffic based on <code>host</code>, <code>port</code>, <code>headers</code>, <code>uri</code>, <code>method</code>, <code>source labels</code> and control the distribution of traffic.</p> <ul> <li>Deploy another version <code>v2</code> of the same application that uses image <code>quay.io/shardul/nginx:v2</code>. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-v2</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">quay.io/shardul/nginx:v2</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-v2</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <p>Once the <code>v2</code> version is deployed, when we hit the service again, we would get the below output :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl <span class="nb">exec</span> <span class="nt">-it</span> test-connection <span class="nt">--</span> sh <span class="o">[</span> root@test-connection:/ <span class="o">]</span><span class="nv">$ </span><span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>curl nginx <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="p">;</span> <span class="k">done </span>You<span class="s1">'re at the root of nginx server v2 You'</span>re at the root of nginx server v2 You<span class="s1">'re at the root of nginx server v1 You'</span>re at the root of nginx server v1 You<span class="s1">'re at the root of nginx server v2 You'</span>re at the root of nginx server v1 You<span class="s1">'re at the root of nginx server v1 You'</span>re at the root of nginx server v2 </code></pre> </div> <p>Since there are two deployments with different versions exposed from the same service, whenever you hit the service, it will hit the different versions of the application in a round-robin manner and hence this output.</p> <ul> <li> <a href="https://istio.io/latest/docs/reference/config/networking/gateway/">Istio Gateway</a> acts as a load balancer receiving incoming and outgoing HTTP/TCP connections and it's bound to the <code>istio-ingressgateway</code> resource created during installation as a <code>LoadBalancer</code> service.</li> </ul> <p>Setup a <code>default-gateway</code> for all the incoming traffic on port <code>80</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Gateway</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default-gateway</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">istio-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">istio</span><span class="pi">:</span> <span class="s">ingressgateway</span> <span class="na">servers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">port</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">HTTP</span> </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3ek9snqayacgiz0s5w14.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3ek9snqayacgiz0s5w14.png" alt="istio-ingressgateway" width="800" height="51"></a></p> <ul> <li> <a href="https://istio.io/latest/docs/reference/config/networking/destination-rule/">Destination Rule</a> allows you to define <a href="https://istio.io/latest/docs/reference/config/networking/destination-rule/#Subset">subsets</a> of an application based on a set of labels. For example, we have deployed two subsets <code>v1</code> and <code>v2</code> of an application, and they are identified by the label <code>version</code>.</li> </ul> <p>Setup a DestinationRule <code>nginx-dest-rule</code> to define two subsets <code>v1</code> and <code>v2</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-dest-rule</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">subsets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2</span> </code></pre> </div> <ul> <li> <a href="https://istio.io/latest/docs/reference/config/networking/virtual-service/">Virtual Service</a> acts just like an Ingress resource and matches traffic and directs it to a service based on the HTTP routing rules.</li> </ul> <p>It can operate on internal as well as external service and can match traffic based on HTTP host, path (with full regular expression support), method, headers, ports, query parameters.</p> <p>Setup a VirtualService <code>nginx-virtual-svc</code> for host <code>nginx</code> that receives the incoming traffic on <code>default-gateway</code> and routes 90% of the traffic to the subset <code>v1</code> and 10% to subset <code>v2</code> defined in <code>nginx-dest-rule</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-virtual-svc</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">nginx</span> <span class="na">gateways</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">istio-system/default-gateway</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">90</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <p>After applying, <code>90%</code> of the traffic will be routed to version <code>v1</code> and <code>10%</code> to <code>v2</code> of the <code>nginx</code> service. Access the nginx service via <code>istio-ingressgateway</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-it</span> test-connection <span class="nt">--</span> sh <span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-H</span> <span class="s2">"Host: nginx"</span> istio-ingressgateway.istio-system <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="p">;</span> <span class="k">done</span> </code></pre> </div> <p>We can visualize the traffic flow using the Kiali dashboard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>istioctl dashboard kiali </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7yjm6y5gbcoyonzplrps.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7yjm6y5gbcoyonzplrps.png" alt="istio-canary-routing" width="800" height="391"></a></p> <p>In production, after testing the <code>canary version</code> to ensure that it's working fine, we can update the VirtualService to route 100% of the traffic to this version and rollout the newer version for all the users.</p> kubernetes canarydeployments istio eks Cloud Native Chaos Engineering with Chaos Mesh Shardul Srivastava Mon, 09 Aug 2021 19:51:35 +0000 https://dev.to/aws-builders/cloud-native-chaos-engineering-with-chaos-mesh-3a96 https://dev.to/aws-builders/cloud-native-chaos-engineering-with-chaos-mesh-3a96 <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgs1tq6sy5ex8xiw4x5qt.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgs1tq6sy5ex8xiw4x5qt.jpg" alt="chaos-engineering" width="750" height="500"></a></p> <p>With Cloud, distributed architectures have grown even more complex and with complexity comes the uncertainty in how the system could fail.</p> <p>Chaos Engineering aims to test system resiliency by injecting faults to identify weaknesses before they cause massive outages such as improper fallback settings for a service, cascading failures due to a single point of failure, or retry storms due to misconfigured timeouts.</p> <h2> History </h2> <p>Chaos Engineering started at Netflix back in 2010 when Netflix moved from on-prem servers to AWS infrastructure to test the resiliency of their infrastructure. </p> <p>In 2012, Netflix open-sourced <a href="https://github.com/Netflix/chaosmonkey">ChaosMonkey</a> under Apache 2.0 license that randomly terminates instances to ensure that services are resilient to instance failures.</p> <h2> Cloud Native Chaos Engineering in CNCF Landscape </h2> <p>CNCF focuses on Cloud Native Chaos Engineering defined as engineering practices focused on (and built on) Kubernetes environments, applications, microservices, and infrastructure.</p> <p>Cloud Native Chaos Engineering has 4 core principles:</p> <ol> <li>Open source</li> <li>CRDs for Chaos Management </li> <li>Extensible and pluggable</li> <li>Broad Community adoption</li> </ol> <p>CNCF has two sandbox projects for Cloud Native Chaos Engineering </p> <ol> <li><a href="https://github.com/chaos-mesh/chaos-mesh">ChaosMesh</a></li> <li><a href="https://github.com/litmuschaos/litmus">Litmus Chaos</a></li> </ol> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgmb5uh3kd7q6izwjsf3i.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgmb5uh3kd7q6izwjsf3i.png" alt="cncf-chaos-engineering" width="768" height="730"></a></p> <h2> Chaos Mesh </h2> <p>Chaos Mesh is a cloud-native Chaos Engineering platform that orchestrates chaos on Kubernetes environments. It is based on <a href="https://kubernetes.io/docs/concepts/extend-kubernetes/operator/">Kubernetes Operator pattern</a> and provides a Chaos Operator to inject into the applications and Kubernetes infrastructure in a manageable way.</p> <p>Chaos Operator uses Custom Resource Defition(CRD) to define chaos objects. It provides a variety of these CRDs for fault injection such as :</p> <ol> <li><a href="https://chaos-mesh.org/docs/simulate-pod-chaos-on-kubernetes/">PodChaos</a></li> <li><a href="https://chaos-mesh.org/docs/simulate-network-chaos-on-kubernetes">NetworkChaos</a></li> <li><a href="https://chaos-mesh.org/docs/simulate-dns-chaos-on-kubernetes">DNSChaos</a></li> <li><a href="https://chaos-mesh.org/docs/simulate-http-chaos-on-kubernetes">HTTPChaos</a></li> <li><a href="https://chaos-mesh.org/docs/simulate-heavy-stress-on-kubernetes">StressChaos</a></li> <li><a href="https://chaos-mesh.org/docs/simulate-io-chaos-on-kubernetes">IOChaos</a></li> <li><a href="https://chaos-mesh.org/docs/simulate-time-chaos-on-kubernetes">TimeChaos</a></li> <li><a href="https://chaos-mesh.org/docs/simulate-kernel-chaos-on-kubernetes">KernelChaos</a></li> <li><a href="https://chaos-mesh.org/docs/simulate-aws-chaos">AWSChaos</a></li> <li><a href="https://chaos-mesh.org/docs/simulate-gcp-chaos">GCPChaos</a></li> <li><a href="https://chaos-mesh.org/docs/simulate-jvm-application-chaos">JVMChaos</a></li> </ol> <h3> Chaos Mesh Installation </h3> <p>Chaos Mesh can be installed quickly using <a href="https://chaos-mesh.org/docs/quick-start#quick-installation">installation script</a>. However, it's recommended to use Helm 3 chart in production environments.</p> <p>To install Chaos Mesh using Helm :</p> <ol> <li>Add the Chaos Mesh repository to the Helm repository. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> helm repo add chaos-mesh https://charts.chaos-mesh.org </code></pre> </div> <ol> <li>It's recommended to install ChaosMesh in a separate namespace, so you can either create a namespace <code>chaos-testing</code> manually or let Helm create it automatically, if it doesn't exist : </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> helm upgrade <span class="se">\</span> <span class="nt">--install</span> <span class="se">\</span> chaos-mesh <span class="se">\</span> chaos-mesh/chaos-mesh <span class="se">\</span> <span class="nt">-n</span> chaos-testing <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--version</span> v2.0.0 <span class="se">\</span> <span class="nt">--wait</span> </code></pre> </div> <p>Note: If you're using GKE or EKS with <code>containerd</code>, then use<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> helm upgrade <span class="se">\</span> <span class="nt">--install</span> <span class="se">\</span> chaos-mesh <span class="se">\</span> chaos-mesh/chaos-mesh <span class="se">\</span> <span class="nt">-n</span> chaos-testing <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--set</span> chaosDaemon.runtime<span class="o">=</span>containerd <span class="se">\</span> <span class="nt">--set</span> chaosDaemon.socketPath<span class="o">=</span>/run/containerd/containerd.sock <span class="se">\</span> <span class="nt">--version</span> v2.0.0 <span class="se">\</span> <span class="nt">--wait</span> </code></pre> </div> <ol> <li>Verify if pods are running : </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get pods <span class="nt">-n</span> chaos-testing </code></pre> </div> <h3> Run First Chaos Mesh Experiment </h3> <p>Chaos Experiment describes what type of fault is injected and how.</p> <ul> <li>Setup an Nginx pod and expose it on port 80. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl run nginx <span class="nt">--image</span><span class="o">=</span>nginx <span class="nt">--labels</span><span class="o">=</span><span class="s2">"app=nginx"</span> <span class="nt">--port</span><span class="o">=</span>80 </code></pre> </div> <ul> <li>Get the IP of the nginx pod </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get pods nginx <span class="nt">-ojsonpath</span><span class="o">=</span><span class="s2">"{.status.podIP}"</span> </code></pre> </div> <ul> <li>Open another terminal and setup a test pod to test the connectivity to nginx pod : </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl run <span class="nt">-it</span> test-connection <span class="nt">--image</span><span class="o">=</span>radial/busyboxplus:curl <span class="nt">--</span> sh ping &lt;IP of the Nginx Pod&gt; <span class="nt">-c</span> 2 </code></pre> </div> <p>this should show you the time it takes to ping the IP :</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftpjo9rn4tw0gy2rb6mao.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftpjo9rn4tw0gy2rb6mao.png" alt="nginx-pod-connectivity" width="800" height="265"></a></p> <ul> <li>Create your first Chaos Experiment by running : </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl apply <span class="nt">-f</span> - <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> apiVersion: chaos-mesh.org/v1alpha1 kind: NetworkChaos metadata: name: nginx-network-delay spec: action: delay mode: one selector: namespaces: - default labelSelectors: 'app': 'nginx' delay: latency: '1s' duration: '60s' </span><span class="no"> EOF </span></code></pre> </div> <p>this will create a CRD of type <code>NetworkChaos</code> that will introduce a latency of <code>1 second</code> in the network of pods with labels <code>app:nginx</code> i.e nginx pod for the next <code>60 seconds</code>.</p> <ul> <li>Test the response of ping to the nginx pod now to see the delay of <code>1 second</code>.</li> </ul> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz0m58z0ya82bmf6hiwix.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz0m58z0ya82bmf6hiwix.png" alt="nginx-pod-connectivity-with-delay" width="800" height="320"></a></p> <h3> Run HTTPChaos Experiment </h3> <p><code>HTTPChaos</code> allows you to inject faults in the request and response of an HTTP server. It supports <code>abort</code>,<code>delay</code>,<code>replace</code>,<code>patch</code> fault types.</p> <p><code>Note: Before proceeding, delete the NetworkChaos experiment created earlier.</code></p> <ol> <li>Check the response time of nginx pod : </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl <span class="nb">exec</span> <span class="nt">-it</span> test-connection <span class="nt">--</span> sh <span class="nb">time </span>curl &lt;IP of the Nginx Pod&gt; </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftspvf7p8ynhxh5gdnsfj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftspvf7p8ynhxh5gdnsfj.png" alt="nginx-pod-httpchaos" width="800" height="728"></a></p> <ul> <li>Create <code>HTTPSChaos</code> experiment by running: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl apply <span class="nt">-f</span> - <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> apiVersion: chaos-mesh.org/v1alpha1 kind: HTTPChaos metadata: name: nginx-http-delay spec: mode: all selector: labelSelectors: app: nginx target: Request port: 80 delay: 1s method: GET path: / duration: 5m </span><span class="no"> EOF </span></code></pre> </div> <p>this will create a CRD of type <code>HTTPChaos</code> that will introduce a latency of <code>1 seconds</code> to the requests sent to the pods with labels <code>app:nginx</code> i.e nginx pod on port 80 for the next <code>5 mins</code>.</p> <p>Note: If you get an error like <code>admission webhook "vauth.kb.io" denied the request</code>, as of version 2.0 there is an open issue <a href="https://github.com/chaos-mesh/chaos-mesh/issues/2187">2187</a> and a temporary fix is to delete the validating webhook.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io validate-auth </code></pre> </div> <ul> <li>Test the response time of nginx pod : </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">time </span>curl &lt;IP of the Nginx Pod&gt; </code></pre> </div> <p>you will see the additional <code>1 second</code> latency in the response.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhscss8vmlksy2sv9zp3e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhscss8vmlksy2sv9zp3e.png" alt="nginx-pod-httpchaos-delay" width="800" height="706"></a></p> kubernetes chaosengineering chaosmesh awscommunitybuilder