
How do I set up EKS with a bastion host?

To set up an EKS (Elastic Kubernetes Service) with a bastion host, you’d typically go through a series of steps where you create a VPC, subnets, an EKS cluster, and a bastion host. The bastion host provides secure access via SSH to instances within the VPC, acting as a jump box for administrative tasks.

Below, you’ll find a complete example where we define:

  1. A Virtual Private Cloud (VPC).
  2. Subnets within the VPC (public and private).
  3. An EKS cluster within the VPC.
  4. A Bastion host within a public subnet.

Here’s the full program:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Network: one VPC with a public subnet (for the bastion) and a private subnet.
// Note that the public subnet also needs an Internet Gateway and a default
// route for the bastion to be reachable from outside; this example does not
// create them.
const eksVpc = new aws.ec2.Vpc("eks_vpc", {cidrBlock: "10.0.0.0/16"});
const publicSubnet = new aws.ec2.Subnet("public_subnet", {
    vpcId: eksVpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
    mapPublicIpOnLaunch: true,
});
// EKS rejects a cluster whose subnets all sit in a single Availability Zone,
// so the private subnet is placed in a second AZ.
const privateSubnet = new aws.ec2.Subnet("private_subnet", {
    vpcId: eksVpc.id,
    cidrBlock: "10.0.2.0/24",
    availabilityZone: "us-west-2b",
});
// Additional security group for the cluster's control-plane network interfaces.
// It declares no ingress rules, so it opens nothing inbound on its own.
const eksClusterSg = new aws.ec2.SecurityGroup("eks_cluster_sg", {
    vpcId: eksVpc.id,
    egress: [{
        fromPort: 0,
        toPort: 0,
        protocol: "-1",
        cidrBlocks: ["0.0.0.0/0"],
    }],
});
// IAM role the EKS control plane assumes.
const eksClusterRole = new aws.iam.Role("eks_cluster_role", {
    name: "example-eks-cluster-role",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: {
                Service: "eks.amazonaws.com",
            },
        }],
    }),
});
// Attach the managed policy before the cluster is created: EKS checks the
// role's permissions at creation time, so the attachment must exist first.
const eksClusterPolicy = new aws.iam.RolePolicyAttachment("eks_cluster_policy", {
    role: eksClusterRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
});
const eksCluster = new aws.eks.Cluster("eks_cluster", {
    name: "example-eks-cluster",
    roleArn: eksClusterRole.arn,
    vpcConfig: {
        subnetIds: [
            publicSubnet.id,
            privateSubnet.id,
        ],
        securityGroupIds: [eksClusterSg.id],
    },
}, { dependsOn: [eksClusterPolicy] });
// Security group for the bastion: SSH inbound, unrestricted outbound.
const bastionSg = new aws.ec2.SecurityGroup("bastion_sg", {
    name: "bastion_sg",
    vpcId: eksVpc.id,
    // SSH from anywhere, as in the original answer. In a real deployment,
    // replace 0.0.0.0/0 with the CIDR ranges your administrators connect from.
    ingress: [{
        fromPort: 22,
        toPort: 22,
        protocol: "tcp",
        cidrBlocks: ["0.0.0.0/0"],
    }],
    egress: [{
        fromPort: 0,
        toPort: 0,
        protocol: "-1",
        cidrBlocks: ["0.0.0.0/0"],
    }],
});
const bastionHost = new aws.ec2.Instance("bastion_host", {
    // AMI IDs are region-specific; confirm this image exists in your region
    // (or look up a current one) before deploying.
    ami: "ami-0c55b159cbfafe1f0",
    instanceType: aws.ec2.InstanceType.T2_Micro,
    subnetId: publicSubnet.id,
    // Instances in a VPC subnet take security groups by ID through
    // vpcSecurityGroupIds; the securityGroups argument expects names and only
    // applies to the default VPC / EC2-Classic.
    vpcSecurityGroupIds: [bastionSg.id],
    tags: {
        Name: "BastionHost",
    },
});
export const vpcId = eksVpc.id;
export const publicSubnetId = publicSubnet.id;
export const privateSubnetId = privateSubnet.id;
export const eksClusterName = eksCluster.name;
export const bastionHostId = bastionHost.id;

This example includes:

  • VPC and Subnets: A VPC with one public and one private subnet to host the bastion and the EKS cluster.
  • EKS Cluster: An EKS cluster that uses the given VPC and subnets.
  • IAM Role and Security Group: An IAM role with the AmazonEKSClusterPolicy attached, and security groups for both the EKS cluster and bastion host.
  • Bastion Host: An EC2 instance configured as a bastion host within the public subnet with an open SSH port.

This setup ensures you have a secure, scalable Kubernetes cluster managed by EKS and the necessary infrastructure to access and manage it via a bastion host.
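The bastion security group above admits SSH from 0.0.0.0/0. The following is an added example, not part of the original answer or of Pulumi's own code: a small pre-deployment check, written against the same rule shape as the ingress arguments of aws.ec2.SecurityGroup, that flags administrative ports reachable from the whole internet and builds the allow-listed SSH rule you would use in its place. The function names, the ADMIN_PORTS list and the 203.0.113.0/24 admin range are assumptions chosen for the example (the range is an RFC 5737 documentation block, not a real office network).

```typescript
// Added example (not from the answer above): check security-group ingress
// rules for administrative ports exposed to the internet, and build the
// restricted alternative. Rule shape mirrors aws.ec2.SecurityGroup's ingress.

interface IngressRule {
    fromPort: number;
    toPort: number;
    protocol: string;          // "tcp", "udp", "icmp" or "-1" (all traffic)
    cidrBlocks?: string[];
    ipv6CidrBlocks?: string[];
}

interface Finding {
    port: number;
    cidr: string;
    reason: string;
}

// Ports treated as administrative (assumed list): SSH and RDP.
const ADMIN_PORTS = [22, 3389];
const ANY_V4 = "0.0.0.0/0";
const ANY_V6 = "::/0";

// True when the rule admits TCP traffic on `port` (protocol "-1" admits everything).
function ruleCoversPort(rule: IngressRule, port: number): boolean {
    if (rule.protocol === "-1") {
        return true;
    }
    if (rule.protocol !== "tcp") {
        return false;
    }
    return rule.fromPort <= port && port <= rule.toPort;
}

// Return one finding per (admin port, any-address CIDR) pair found in the rules.
export function findOpenAdminPorts(rules: IngressRule[]): Finding[] {
    const findings: Finding[] = [];
    for (const rule of rules) {
        const cidrs = (rule.cidrBlocks || []).concat(rule.ipv6CidrBlocks || []);
        for (const cidr of cidrs) {
            if (cidr !== ANY_V4 && cidr !== ANY_V6) {
                continue;
            }
            for (const port of ADMIN_PORTS) {
                if (ruleCoversPort(rule, port)) {
                    findings.push({
                        port,
                        cidr,
                        reason: `port ${port} (${rule.protocol}) is open to ${cidr}`,
                    });
                }
            }
        }
    }
    return findings;
}

// Build an SSH ingress rule limited to an allow-list of administrator CIDRs.
// Refuses an empty list, any-address CIDRs, and strings that are not IPv4 CIDRs.
export function restrictedSshIngress(adminCidrs: string[]): IngressRule[] {
    if (adminCidrs.length === 0) {
        throw new Error("at least one administrator CIDR is required");
    }
    for (const cidr of adminCidrs) {
        if (cidr === ANY_V4 || cidr === ANY_V6) {
            throw new Error(`refusing to allow SSH from ${cidr}`);
        }
        if (!/^\d{1,3}(\.\d{1,3}){3}\/\d{1,2}$/.test(cidr)) {
            throw new Error(`not an IPv4 CIDR: ${cidr}`);
        }
    }
    return [{ fromPort: 22, toPort: 22, protocol: "tcp", cidrBlocks: adminCidrs }];
}

// The bastion ingress rule exactly as the answer above declares it.
export const openBastionIngress: IngressRule[] = [
    { fromPort: 22, toPort: 22, protocol: "tcp", cidrBlocks: ["0.0.0.0/0"] },
];

// Usage: run the check, then show the hardened rule (constructed admin range).
const findings = findOpenAdminPorts(openBastionIngress);
if (findings.length > 0) {
    console.log("refusing to deploy: " + findings.map((f) => f.reason).join("; "));
}
const hardened = restrictedSshIngress(["203.0.113.0/24"]);
console.log("hardened rule: " + JSON.stringify(hardened));
```

The check is deliberately conservative: a protocol "-1" rule counts as exposing every administrative port, and IPv6 any-address (::/0) is treated the same as 0.0.0.0/0, since both are easy to overlook when reviewing a rule set by hand.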
