EKS Service Roles for Secure Cluster Add-ons Management

Question

Pulumi · Accepted Answer

When creating an Amazon EKS (Elastic Kubernetes Service) cluster, you'll typically need to set up IAM (Identity and Access Management) roles that grant the Kubernetes control plane permission to make calls to AWS APIs on your behalf. This is essential for certain add-ons and services that need to interact with other AWS resources.

For managing EKS cluster add-ons securely, you will therefore need to create roles with specific policies that grant necessary permissions for each add-on, like the Cluster Autoscaler, the AWS Load Balancer Controller, or external-dns, among others.

In the following Pulumi Python program, we'll create an EKS cluster and a set of IAM roles that could be assumed by the Kubernetes service accounts. We'll use higher-level Pulumi libraries where possible, which simplify the definitions of these resources.

For the IAM roles, we are considering creating roles that would have permissions tailored for different add-ons and Kubernetes operations. The actual policies attached would depend on what each add-on requires.

Let's go through each step in the process.

1. **EKS Cluster**: Create an EKS cluster using the `aws.eks.Cluster` resource. This represents the EKS Cluster in AWS.

2. **IAM Roles for EKS**: Create IAM roles using the `aws.iam.Role` resource with policies that will allow the add-ons to manage AWS resources.

3. **IAM Role Policies**: Define the IAM policies using the `aws.iam.RolePolicyAttachment` resource to attach policies to the roles created.

4. **Service Account Associations**: Use the `aws.eks.PodIdentityAssociation` to associate IAM roles with Kubernetes service accounts. This allows add-ons running on your EKS cluster to authenticate with AWS services using the linked IAM roles.

Here's how to assemble all this with Pulumi:

```python
import pulumi
import pulumi_aws as aws
import json

# Define the EKS cluster
eks_cluster = aws.eks.Cluster('my-eks-cluster',
    role_arn=aws_iam_role.example.arn, # Assuming IAM role is created separately for the cluster with necessary trust relationships
    vpc_config=aws.eks.ClusterVpcConfigArgs(
        subnet_ids=aws_subnet.example.ids, # Assuming subnets are already created and passed here
    ),
    tags={
        'Name': 'my-eks-cluster',
    })

# Create an IAM role which can be used by an EKS add-on service
eks_addon_role = aws.iam.Role('eks-addon-role',
    assume_role_policy=json.dumps({
        'Version': '2012-10-17',
        'Statement': [{
            'Action': 'sts:AssumeRoleWithWebIdentity',
            'Principal': {'Service': 'eks.amazonaws.com'},
            'Effect': 'Allow',
        }],
    }),
    tags={
        'Name': 'eks-addon-role',
    })

# Create a policy attachment for the IAM role that includes the necessary permissions for an add-on
policy_attachment = aws.iam.RolePolicyAttachment('addon-policy-attachment',
    role=eks_addon_role.name,
    policy_arn='arn:aws:iam::aws:policy/service-role/AmazonEKS_CNI_Policy') # Assuming a specific add-on policy

# Associate the IAM role with a Kubernetes service account in the EKS cluster
pod_identity_association = aws.eks.PodIdentityAssociation('pod-identity-association',
    cluster_name=eks_cluster.name,
    namespace='kube-system',
    service_account='aws-load-balancer-controller', # The name of the service account used by the add-on
    role_arn=eks_addon_role.arn)

# Export the cluster's endpoint and kubeconfig for easy access to the cluster
pulumi.export('cluster_endpoint', eks_cluster.endpoint)
pulumi.export('kubeconfig', eks_cluster.kubeconfig)
```

In this program:
- We create an EKS cluster with the necessary VPC configurations. You need to predefine IAM roles and Subnets in your AWS account and then point to them in this script.
- We then create an IAM role with an assume role policy that allows the role to be assumed by a web identity, which in this case is the EKS service, enabling add-ons running within the cluster to assume this role.
- A policy attachment is created and associated with the IAM role we defined. The policy should grant permissions that an EKS add-on would require. In the script, we attach the AmazonEKS_CNI_Policy as an example, typically used by the EKS CNI add-on.
- We create an IAM role association with a Kubernetes service account using the Pod Identity Association. This binds the IAM role to a service account within the cluster, allowing the add-on which uses this service account to interact with AWS services under the permissions granted through the IAM role.
- Finally, we export the cluster endpoint and kubeconfig which can be used to access the newly created EKS cluster.

Remember to replace placeholder values with actual ARNs, names, and other specific information. In real-world usage, you would create individual roles and policies for each add-on in your EKS cluster as needed, following the least privilege principle to ensure security.