Managing EKS Clusters with IAM Service Roles

Question

Pulumi · Accepted Answer

To manage Amazon EKS (Elastic Kubernetes Service) clusters effectively, IAM (Identity and Access Management) service roles are an essential piece. EKS requires certain IAM roles to interact with other AWS services to provide features like logging, monitoring, and to allow nodes to join the cluster.

In the context of an EKS cluster, there are typically two main roles:

1. **EKS Service Role**: This role is assumed by the EKS service itself, allowing it to make calls to other AWS services on your behalf. For instance, it's used to manage the infrastructure of the cluster like nodes and networking.
2. **Node Instance Role**: When you run worker nodes within your EKS cluster, each node assumes an instance role that grants it permissions to do things like pulling container images or attaching persistent storage.

A Pulumi program to create an EKS cluster with the necessary IAM roles would look something like this. The program will involve:
- Creating an IAM role for EKS with the necessary service role policy.
- Creating an IAM role for the worker nodes with the policies they require to function correctly.
- Setting up an EKS cluster using those roles.
- Optionally, create an instance profile for the node role which is attached to EC2 instances for worker nodes.

Let's break down these components in a sample Pulumi Python program. This program assumes you have the AWS Pulumi provider installed and configured.

```python
import pulumi
import pulumi_aws as aws
import pulumi_eks as eks

# Create an IAM role that will be used by the AWS EKS service.
eks_role = aws.iam.Role("eksRole",
    assume_role_policy="""{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Service": "eks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }]
    }"""
)

# Attach the AmazonEKSClusterPolicy to the EKS service role.
eks_policy_attachment = aws.iam.RolePolicyAttachment("eksPolicyAttachment",
    role=eks_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
)

# Create the IAM role that will be assumed by the worker nodes.
worker_node_role = aws.iam.Role("workerNodeRole",
    assume_role_policy="""{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }]
    }"""
)

# Attach the required policies for worker nodes.
worker_node_policy_attachment = aws.iam.RolePolicyAttachment("workerNodePolicyAttachment",
    role=worker_node_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
)

worker_cni_policy_attachment = aws.iam.RolePolicyAttachment("workerCniPolicyAttachment",
    role=worker_node_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonEKSCNIPolicy"
)

worker_registry_policy_attachment = aws.iam.RolePolicyAttachment("workerRegistryPolicyAttachment",
    role=worker_node_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
)

# Create an instance profile for the worker nodes.
worker_instance_profile = aws.iam.InstanceProfile("workerInstanceProfile",
    role=worker_node_role.name
)

# Now, let's create an EKS cluster using the roles created above.
my_eks_cluster = eks.Cluster("myEksCluster",
    role_arn=eks_role.arn,
    vpc_id="vpc-1234556",
    subnet_ids=["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"],
    instance_type="t2.medium",
    desired_capacity=2,
    min_size=1,
    max_size=3,
    node_role_arn=worker_node_role.arn,
    instance_profile_name=worker_instance_profile.name
)

# Export the EKS cluster name and kubeconfig.
pulumi.export('eks_cluster_name', my_eks_cluster.name)
pulumi.export('kubeconfig', my_eks_cluster.kubeconfig)
```

The above program starts by defining the IAM roles for both the EKS service and worker nodes. It assigns predefined AWS-managed policies to these roles that contain permissions sets required by EKS and its worker nodes. An instance profile is then created and associated with the worker node role, which allows EC2 instances to utilize the permissions in the role.

After the IAM roles and policies are set up, the program creates an EKS cluster. It specifies the IAM role to be assumed by the EKS control plane and the IAM role for the worker nodes. Finally, it exports the cluster's name and configuration that can be used to interact with your Kubernetes cluster via `kubectl`.

To continue with this program, install the `pulumi`, `pulumi_aws`, and `pulumi_eks` Python packages using `pip`. Then, run `pulumi up` to provision the resources.

For more details:
- [EKS in Pulumi](https://www.pulumi.com/registry/packages/eks/api-docs/cluster/)
- [IAM Roles in Pulumi AWS](https://www.pulumi.com/registry/packages/aws/api-docs/iam/role/)