Set up a cluster with IRSA enabled
In this tutorial we’ll cover the basics of how to use Cluster API to provision Kubernetes clusters.
Set up a cluster on AWS with IRSA enabled
IRSA (IAM roles for service accounts) lets applications in a pod's containers use an AWS SDK or the AWS CLI to make API requests to AWS services with AWS Identity and Access Management (IAM) permissions. A Kubernetes service account is annotated with an IAM role, and that role's trust policy trusts the cluster's OIDC issuer for exactly that service account, so no long-lived AWS credentials need to be stored in the cluster. More details can be found in the AWS IRSA documentation.
Set up the cluster
Apply the cluster manifest:
kubectl apply -f examples/cluster/enable-pod-identity.yaml
Wait until the control plane is up:
kubectl get cluster -w
Retrieve the cluster’s Kubeconfig:
clusterctl get kubeconfig pod-identity > /root/.kube/pod-identity.kubeconfig
Check node state:
kubectl --kubeconfig=/root/.kube/pod-identity.kubeconfig get nodes
Setup AWS pod identity webhook
The Amazon EKS Pod Identity Webhook is a mutating admission webhook for pods that require AWS IAM access. It only acts on pods whose service account carries the eks.amazonaws.com/role-arn annotation; for those pods it injects the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables and a projected service-account token volume that the AWS SDKs exchange for role credentials via sts:AssumeRoleWithWebIdentity.
The AWS pod identity webhook requires cert-manager (see the cert-manager installation docs). Install it first:
kubectl apply --kubeconfig=/root/.kube/pod-identity.kubeconfig -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
Install AWS pod identity webhook:
kubectl apply --kubeconfig=/root/.kube/pod-identity.kubeconfig -f examples/aws-pod-identity/pod-indentity.yaml
The cluster is now ready for use; try it with the AWS Load Balancer Controller.
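The security-relevant part of IRSA is the IAM role's trust policy: the webhook will happily inject a token for any annotated service account, and it is the trust policy's sub condition that decides which service account may actually assume the role. The following is an added example, not code from the Kurator project or the tutorial above. It lints a trust policy for the mistakes that matter in practice (wrong Federated principal, missing aud pin, missing or wildcard sub) and builds the annotated ServiceAccount manifest the webhook keys on. The OIDC issuer, account ID, role name and service-account names are constructed sample values.

```python
# Added example (not part of the Kurator tutorial): lint an IAM trust policy
# for an IRSA role and build the annotated ServiceAccount the pod identity
# webhook acts on. Issuer, account ID, role and names are constructed samples.
import json

# Constructed sample values; in practice take the issuer from the workload
# cluster's OIDC discovery endpoint and the account ID from your AWS account.
OIDC_ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT_ID = "111122223333"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_ISSUER}"


def expected_subject(namespace: str, service_account: str) -> str:
    """The 'sub' claim carried by the projected token of this service account."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def lint_irsa_trust_policy(policy: dict, namespace: str, service_account: str,
                           issuer: str = OIDC_ISSUER, provider_arn: str = PROVIDER_ARN) -> list:
    """Return findings; an empty list means the role is scoped to exactly one service account.

    Flags a Federated principal that is not the cluster's OIDC provider, a missing
    'aud' pin, and a missing or wildcard 'sub' condition (which would let any service
    account in the cluster assume the role).
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    sub_key, aud_key = f"{issuer}:sub", f"{issuer}:aud"
    want_sub = expected_subject(namespace, service_account)
    seen = False
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions):
            continue
        seen = True
        federated = st.get("Principal", {}).get("Federated")
        if federated != provider_arn:
            findings.append(f"statement {i}: Federated principal {federated!r} is not {provider_arn!r}")
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if equals.get(aud_key) != "sts.amazonaws.com":
            findings.append(f"statement {i}: {aud_key} is not pinned to sts.amazonaws.com")
        # StringLike permits wildcards, so a 'sub' found there is checked for them below.
        sub = equals.get(sub_key, like.get(sub_key))
        if sub is None:
            findings.append(f"statement {i}: no {sub_key} condition; any service account "
                            "in the cluster can assume the role")
            continue
        for s in ([sub] if isinstance(sub, str) else sub):
            if "*" in s or "?" in s:
                findings.append(f"statement {i}: wildcard subject {s!r}")
            elif s != want_sub:
                findings.append(f"statement {i}: subject {s!r} is not {want_sub!r}")
    if not seen:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


def service_account_manifest(namespace: str, name: str, role_arn: str) -> dict:
    """ServiceAccount carrying the annotation the EKS pod identity webhook keys on."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {"eks.amazonaws.com/role-arn": role_arn}},
    }


# Constructed sample trust policies: a correctly scoped one and a wildcard one.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_ISSUER}:aud": "sts.amazonaws.com",
            f"{OIDC_ISSUER}:sub": "system:serviceaccount:default:s3-reader"}}}]}

WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"},
                      "StringLike": {f"{OIDC_ISSUER}:sub": "system:serviceaccount:*:*"}}}]}

if __name__ == "__main__":
    print("strict  :", lint_irsa_trust_policy(GOOD_POLICY, "default", "s3-reader"))
    print("wildcard:", lint_irsa_trust_policy(WILDCARD_POLICY, "default", "s3-reader"))
    print(json.dumps(service_account_manifest(
        "default", "s3-reader", f"arn:aws:iam::{ACCOUNT_ID}:role/s3-reader"), indent=2))
```

On a real cluster, feed the linter the JSON returned by aws iam get-role --role-name ROLE --query Role.AssumeRolePolicyDocument, and apply the ServiceAccount manifest before creating pods so the webhook sees the annotation at admission time.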
Cleanup
IMPORTANT: To ensure a proper cleanup of your infrastructure, always delete the Cluster object. Deleting the entire cluster template with kubectl delete -f capi-quickstart.yaml may leave pending resources that have to be cleaned up manually.
kubectl delete cluster --all
Uninstall cluster operator:
helm uninstall kurator-cluster-operator -n kurator-system
Optionally, clean up the CRDs:
kubectl delete crd $(kubectl get crds | grep cluster.x-k8s.io | awk '{print $1}')
kubectl delete crd $(kubectl get crds | grep kurator.dev | awk '{print $1}')
Optionally, delete the namespace:
kubectl delete ns kurator-system
Optionally, uninstall cert-manager:
helm uninstall -n cert-manager cert-manager
Optionally, shut down the kind management cluster:
kind delete cluster --name kurator