ㅁ Create IAM Role
간단한 sample kubernetes service를 deploy하기 위하여 AWS CodeBuild를 사용한다. 이 것을 위하여 먼저 EKS Cluster와 Interacting이 가능한 IAM role을 먼저 정의한다.
다음과 같이 정의한다.
cd ~/environment
TRUST="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::${ACCOUNT_ID}:root\" }, \"Action\": \"sts:AssumeRole\" } ] }"
echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "eks:Describe*", "Resource": "*" } ] }' > /tmp/iam-role-policy
aws iam create-role --role-name EksWorkshopCodeBuildKubectlRole --assume-role-policy-document "$TRUST" --output text --query 'Role.Arn'
aws iam put-role-policy --role-name EksWorkshopCodeBuildKubectlRole --policy-name eks-describe --policy-document file:///tmp/iam-role-policy
Now that we have the IAM role created, we are going to add the role to the aws-auth ConfigMap for the EKS cluster.
Once the ConfigMap includes this new role, kubectl in the CodeBuild stage of the pipeline will be able to interact with the EKS cluster via the IAM role.
IAM 역할이 생성되어 EKS Cluster에 aws-auth ConfigMap에 role을 추가한다. ConfigMap에 새로운 Role이 포함되면 pieplinedml CodeBuild 단계에 있는 kubectl은 IAM role을 통해 EKS cluster와 interact 가능하다.
ROLE=" - rolearn: arn:aws:iam::${ACCOUNT_ID}:role/EksWorkshopCodeBuildKubectlRole\n username: build\n groups:\n - system:masters"
kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$ROLE\";next}1" > /tmp/aws-auth-patch.yml
kubectl patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-patch.yml)"
kubectl edit -n configmap/aws-auth 명령으로 ConfigMap 편집이 가능하다.
'AWS EKS 실습 > EKS Intermediate' 카테고리의 다른 글
| Monitoring using Prometheus and Grafana (0) | 2021.03.20 |
|---|---|
| Implement Logging with EFK (0) | 2021.03.19 |
| CI/CD with CodePipeline (다시 볼것) (0) | 2021.03.19 |
| Deploying Jenkins for Kubernetes (0) | 2021.03.19 |
| Advanced POD CPU and Memory management (0) | 2021.03.18 |
