Set up a cluster with IRSA enabled

Set up a cluster that allows applications in a pod's containers to use an AWS SDK or the AWS CLI to make API requests to AWS services using AWS IAM.

In this tutorial we’ll cover the basics of how to use Cluster API to provision Kubernetes clusters.

Set up a cluster on AWS with IRSA enabled

IRSA (IAM roles for service accounts) allows applications in a pod's containers to use an AWS SDK or the AWS CLI to make API requests to AWS services using AWS Identity and Access Management (IAM) permissions. More details can be found here.

Set up the cluster

Apply the cluster manifest:

kubectl apply -f examples/cluster/enable-pod-identity.yaml

Wait until the control plane is up:

kubectl get cluster -w

Retrieve the cluster's kubeconfig:

clusterctl get kubeconfig pod-identity > /root/.kube/pod-identity.kubeconfig

Check the node state:

kubectl --kubeconfig=/root/.kube/pod-identity.kubeconfig get nodes

Set up the AWS pod identity webhook

The Amazon EKS Pod Identity Webhook mutates pods that require AWS IAM access.

The AWS pod identity webhook requires cert-manager (see the cert-manager installation docs). Install it first:

kubectl apply --kubeconfig=/root/.kube/pod-identity.kubeconfig -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml

Install the AWS pod identity webhook:

kubectl apply --kubeconfig=/root/.kube/pod-identity.kubeconfig -f examples/aws-pod-identity/pod-indentity.yaml

The cluster is now ready for use; try it with the Load Balancer Controller.
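Once the webhook is installed, the point worth verifying is that a pod really received a short-lived, STS-scoped web-identity token and that the IAM role it assumes trusts only that one service account. The following checker is an added example, not part of the Kurator docs or the webhook project: it consumes the JSON that kubectl get pod -o json and kubectl get sa -o json return, plus the IAM role's trust policy document, and lists what is missing. The role ARN, account id and OIDC issuer in the embedded sample objects are constructed placeholders.

```python
"""Verify an IRSA setup from a pod, its ServiceAccount and the IAM role trust policy.

Added example (not Kurator or eks-pod-identity-webhook code). Feed it the
objects returned by `kubectl get pod/sa ... -o json` and the trust policy
from `aws iam get-role`; every function returns a list of problems, empty
when the setup is as expected. Sample objects below are constructed.
"""

ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"
STS_AUDIENCE = "sts.amazonaws.com"


def check_service_account(sa):
    """Problems with the ServiceAccount the pod runs as (annotation present and an IAM ARN)."""
    problems = []
    arn = sa.get("metadata", {}).get("annotations", {}).get(ROLE_ARN_ANNOTATION)
    if not arn:
        problems.append(f"service account lacks the {ROLE_ARN_ANNOTATION} annotation")
    elif not arn.startswith("arn:aws:iam::"):
        problems.append(f"{ROLE_ARN_ANNOTATION} is not an IAM role ARN: {arn}")
    return problems


def check_pod_mutation(pod):
    """Problems with what the webhook should have injected into the pod spec."""
    problems = []
    spec = pod.get("spec", {})
    # The webhook adds a projected volume whose token is bound to the STS audience.
    token_volumes = set()
    for vol in spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            tok = src.get("serviceAccountToken") or {}
            if tok.get("audience") == STS_AUDIENCE:
                token_volumes.add(vol["name"])
    if not token_volumes:
        problems.append(f"no projected serviceAccountToken with audience {STS_AUDIENCE}")
    # Every container needs the role ARN and a token path that really lies
    # inside one of those projected volumes, otherwise the SDK cannot exchange it.
    for c in spec.get("containers", []):
        env = {e.get("name"): e.get("value") for e in c.get("env", [])}
        if "AWS_ROLE_ARN" not in env:
            problems.append(f"container {c['name']}: AWS_ROLE_ARN not set")
        token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
        if not token_file:
            problems.append(f"container {c['name']}: AWS_WEB_IDENTITY_TOKEN_FILE not set")
            continue
        mounted = [m for m in c.get("volumeMounts", [])
                   if m.get("name") in token_volumes
                   and token_file.startswith(m.get("mountPath", "") + "/")]
        if not mounted:
            problems.append(f"container {c['name']}: {token_file} is not under a projected token mount")
    return problems


def check_trust_policy(policy, issuer, namespace, sa_name):
    """Problems with the IAM role trust policy for one namespace/service-account pair.

    `issuer` is the cluster OIDC issuer host and path without the scheme,
    exactly as it appears in the IAM condition keys.
    """
    problems = []
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        # Only exact StringEquals matches keep other service accounts out;
        # a StringLike wildcard on sub would let any of them assume the role.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if equals.get(f"{issuer}:aud") != STS_AUDIENCE:
            problems.append(f"aud condition must be StringEquals {STS_AUDIENCE}")
        if equals.get(f"{issuer}:sub") != expected_sub:
            problems.append(f"sub condition must be StringEquals {expected_sub}")
        return problems
    problems.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return problems


# Constructed sample objects: placeholder account id, role name and OIDC issuer.
ISSUER = "oidc.example.com/id/PLACEHOLDER"
ROLE_ARN = "arn:aws:iam::123456789012:role/s3-reader"
SAMPLE_SA = {"metadata": {"name": "s3-reader", "namespace": "default",
                          "annotations": {ROLE_ARN_ANNOTATION: ROLE_ARN}}}
SAMPLE_POD = {"spec": {
    "volumes": [{"name": "aws-iam-token", "projected": {"sources": [
        {"serviceAccountToken": {"audience": STS_AUDIENCE, "expirationSeconds": 86400, "path": "token"}}]}}],
    "containers": [{"name": "app",
                    "env": [{"name": "AWS_ROLE_ARN", "value": ROLE_ARN},
                            {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
                             "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],
                    "volumeMounts": [{"name": "aws-iam-token", "readOnly": True,
                                      "mountPath": "/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}}
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{ISSUER}:aud": STS_AUDIENCE,
                                   f"{ISSUER}:sub": "system:serviceaccount:default:s3-reader"}}}]}

if __name__ == "__main__":
    checks = (("service account", check_service_account(SAMPLE_SA)),
              ("pod", check_pod_mutation(SAMPLE_POD)),
              ("trust policy", check_trust_policy(SAMPLE_TRUST_POLICY, ISSUER, "default", "s3-reader")))
    for label, problems in checks:
        print(f"{label}: {'ok' if not problems else '; '.join(problems)}")
```

Run it against a real pod by replacing the sample objects with the output of kubectl get pod <name> -o json and kubectl get sa <name> -o json (loaded with the json module), and against the role with the AssumeRolePolicyDocument from aws iam get-role. A pod that passes the mutation check but whose role fails the trust-policy check is the case to watch for: the token is scoped correctly, but the role is assumable by more than the intended service account.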

Cleanup

IMPORTANT: To ensure a proper cleanup of your infrastructure you must always delete the cluster object. Deleting the entire cluster template with kubectl delete -f capi-quickstart.yaml might leave pending resources that have to be cleaned up manually.

kubectl delete cluster --all

Uninstall the cluster operator:

helm uninstall kurator-cluster-operator -n kurator-system

Optionally, clean up the CRDs:

kubectl delete crd $(kubectl get crds | grep cluster.x-k8s.io | awk '{print $1}')
kubectl delete crd $(kubectl get crds | grep kurator.dev | awk '{print $1}')

Optionally, delete the namespace:

kubectl delete ns kurator-system

Optionally, uninstall cert-manager:

helm uninstall -n cert-manager cert-manager

Optionally, shut down the management cluster:

kind delete cluster --name kurator