How do I set up EKS with a bastion host?
To set up an EKS (Elastic Kubernetes Service) with a bastion host, you’d typically go through a series of steps where you create a VPC, subnets, an EKS cluster, and a bastion host. The bastion host provides secure access via SSH to instances within the VPC, acting as a jump box for administrative tasks.
Below, you’ll find a complete example where we define:
- A Virtual Private Cloud (VPC).
- Subnets within the VPC (public and private).
- An EKS cluster within the VPC.
- A Bastion host within a public subnet.
Here’s the full program:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// VPC that hosts both the EKS cluster and the bastion host.
const eksVpc = new aws.ec2.Vpc("eks_vpc", { cidrBlock: "10.0.0.0/16" });

// Public subnet for the bastion; instances launched here get a public IP.
const publicSubnet = new aws.ec2.Subnet("public_subnet", {
    vpcId: eksVpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
    mapPublicIpOnLaunch: true,
});

// Private subnet in a second AZ: EKS rejects a cluster whose subnets all sit in one AZ.
const privateSubnet = new aws.ec2.Subnet("private_subnet", {
    vpcId: eksVpc.id,
    cidrBlock: "10.0.2.0/24",
    availabilityZone: "us-west-2b",
});

// Internet gateway and default route so the public subnet (and the bastion) is reachable.
const igw = new aws.ec2.InternetGateway("eks_igw", { vpcId: eksVpc.id });
const publicRouteTable = new aws.ec2.RouteTable("public_rt", {
    vpcId: eksVpc.id,
    routes: [{ cidrBlock: "0.0.0.0/0", gatewayId: igw.id }],
});
new aws.ec2.RouteTableAssociation("public_rt_assoc", {
    subnetId: publicSubnet.id,
    routeTableId: publicRouteTable.id,
});

// Security group for the EKS control-plane network interfaces (outbound only here).
const eksClusterSg = new aws.ec2.SecurityGroup("eks_cluster_sg", {
    vpcId: eksVpc.id,
    egress: [{
        fromPort: 0,
        toPort: 0,
        protocol: "-1",
        cidrBlocks: ["0.0.0.0/0"],
    }],
});

// IAM role that the EKS service assumes to manage the cluster.
const eksClusterRole = new aws.iam.Role("eks_cluster_role", {
    name: "example-eks-cluster-role",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: {
                Service: "eks.amazonaws.com",
            },
        }],
    }),
});

// Attach the managed policy before the cluster is created; the cluster depends on it below.
const eksClusterPolicy = new aws.iam.RolePolicyAttachment("eks_cluster_policy", {
    role: eksClusterRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
});

const eksCluster = new aws.eks.Cluster("eks_cluster", {
    name: "example-eks-cluster",
    roleArn: eksClusterRole.arn,
    vpcConfig: {
        subnetIds: [
            publicSubnet.id,
            privateSubnet.id,
        ],
        securityGroupIds: [eksClusterSg.id],
    },
}, { dependsOn: [eksClusterPolicy] });

// Bastion security group. SSH is open to the whole internet (0.0.0.0/0) as written;
// replace that CIDR with your administrators' address range before deploying.
const bastionSg = new aws.ec2.SecurityGroup("bastion_sg", {
    name: "bastion_sg",
    vpcId: eksVpc.id,
    ingress: [{
        fromPort: 22,
        toPort: 22,
        protocol: "tcp",
        cidrBlocks: ["0.0.0.0/0"],
    }],
    egress: [{
        fromPort: 0,
        toPort: 0,
        protocol: "-1",
        cidrBlocks: ["0.0.0.0/0"],
    }],
});

// Bastion instance in the public subnet. AMI IDs are region-specific, so the ID below
// must be one that exists in the subnets' region (us-west-2). Add a keyName (EC2 key
// pair) or an SSM-enabled instance profile, or there is no way to log in.
const bastionHost = new aws.ec2.Instance("bastion_host", {
    ami: "ami-0c55b159cbfafe1f0",
    instanceType: aws.ec2.InstanceType.T2_Micro,
    subnetId: publicSubnet.id,
    // Instances in a VPC subnet reference security groups by ID, not by name.
    vpcSecurityGroupIds: [bastionSg.id],
    tags: {
        Name: "BastionHost",
    },
});

export const vpcId = eksVpc.id;
export const publicSubnetId = publicSubnet.id;
export const privateSubnetId = privateSubnet.id;
export const eksClusterName = eksCluster.name;
export const bastionHostId = bastionHost.id;
```
This example includes:
- VPC and Subnets: A VPC with one public and one private subnet to host the bastion and the EKS cluster.
- EKS Cluster: An EKS cluster that uses the given VPC and subnets.
- IAM Role and Security Group: An IAM role with the AmazonEKSClusterPolicy attached, and security groups for both the EKS cluster and bastion host.
- Bastion Host: An EC2 instance configured as a bastion host within the public subnet, with SSH (port 22) open. In the program the ingress rule accepts any source (0.0.0.0/0); narrow it to your administrators' address range before deploying.
This setup ensures you have a secure, scalable Kubernetes cluster managed by EKS and the necessary infrastructure to access and manage it via a bastion host.
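As an added check that is not part of the original program or of Pulumi's API: a small TypeScript lint over security-group ingress rules in the shape used above, flagging any rule that exposes an administrative port (SSH here) to the whole internet. The hardened sample's administrator CIDR is a placeholder.

```typescript
// Added pre-deploy check: flags security-group ingress rules that expose an
// administrative TCP port to the whole internet. Plain TypeScript using the
// same rule shape as the Pulumi program above; no Pulumi dependency.

interface IngressRule {
    fromPort: number;
    toPort: number;
    protocol: string;          // "tcp", "udp", "icmp" or "-1" (all protocols)
    cidrBlocks?: string[];
    ipv6CidrBlocks?: string[];
}

const ANY_IPV4 = "0.0.0.0/0";
const ANY_IPV6 = "::/0";

// True if the rule admits TCP traffic to `port`. Protocol "-1" means all
// protocols and all ports, so it always matches.
function rulePermitsTcpPort(rule: IngressRule, port: number): boolean {
    if (rule.protocol === "-1") return true;
    if (rule.protocol !== "tcp") return false;
    return rule.fromPort <= port && port <= rule.toPort;
}

// True if any source CIDR on the rule is the unrestricted IPv4 or IPv6 range.
function ruleIsWorldOpen(rule: IngressRule): boolean {
    return (rule.cidrBlocks ?? []).includes(ANY_IPV4)
        || (rule.ipv6CidrBlocks ?? []).includes(ANY_IPV6);
}

// Returns the offending rules; an empty array means the group passes for `port`.
function findWorldOpenIngress(ingress: IngressRule[], port: number): IngressRule[] {
    return ingress.filter(r => rulePermitsTcpPort(r, port) && ruleIsWorldOpen(r));
}

// Constructed samples: the bastion rule as written in the program above, a
// hardened variant limited to a placeholder administrator range (203.0.113.0/24
// is a documentation prefix; substitute your own), and an all-protocol rule.
const openBastionIngress: IngressRule[] = [
    { fromPort: 22, toPort: 22, protocol: "tcp", cidrBlocks: ["0.0.0.0/0"] },
];
const hardenedBastionIngress: IngressRule[] = [
    { fromPort: 22, toPort: 22, protocol: "tcp", cidrBlocks: ["203.0.113.0/24"] },
];
const allOpenIngress: IngressRule[] = [
    { fromPort: 0, toPort: 0, protocol: "-1", cidrBlocks: ["0.0.0.0/0"] },
];

console.log(findWorldOpenIngress(openBastionIngress, 22).length);     // 1
console.log(findWorldOpenIngress(hardenedBastionIngress, 22).length); // 0
```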