User Guide
Kubernetes Version Upgrade EKS Setup
Overview
This page will walk you through setting up EKS clusters to support the CloudNatix K8s upgrade tool.
Step 1: Create an IAM Role
First, obtain the “external ID” for the access credential. This can be done through our CLI.
cnatix k8s upgrade credentials external-id
It will print out the message like this:
Use the following external ID:
<GUID to use>
Then, create an IAM role using the external ID. It should have a trust-policy like this.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::803339316953:role/K8sUpgradeControllerProd"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<your external ID from above>"
}
}
}
]
}
Save this into a file, e.g. trust-policy.json
. Then you can create the IAM role as follows:
aws iam create-role --role-name <role-name> --assume-role-policy-document file://<path-to-your-trust-policy.json>
Step 2: Set up the policy for the role
Create a JSON file (e.g. named role-policy.json
) with the following content.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:CreateAddon",
"eks:DeleteAddon",
"eks:DescribeCluster",
"eks:DescribeUpdate",
"eks:DescribeAddon",
"eks:DescribeAddonVersions",
"eks:DescribeInsight",
"eks:DescribeNodegroup",
"eks:TagResource",
"eks:ListAddons",
"eks:ListClusters",
"eks:ListInsights",
"eks:ListNodegroups",
"eks:UpdateAddon",
"eks:UpdateClusterVersion",
"eks:UpdateNodegroupVersion",
"eks:UpdateNodegroupConfig",
"eks:CreateNodeGroup",
"ec2:CreateLaunchTemplate",
"ec2:CreateTags",
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeSubnets",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:CreateOrUpdateTags",
"autoscaling:UpdateAutoScalingGroup",
"iam:GetInstanceProfile"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"<ARN of the role that the self-managed nodes use>"
]
},
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListAttachedRolePolicies"
],
"Resource": [
"<ARN of the role that the self-managed nodes use>",
"<ARN of the role that the EKS cluster uses>"
]
},
{
"Effect": "Allow",
"Action": [
"iam:GetRole"
],
"Resource": [
"arn:aws:iam::<account-id>:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup"
]
}
]
}
Then run the AWS CLI to set up the policy to the role you created above.
aws iam put-role-policy --role-name <your role name> --policy-name <policy name> --policy-document file://<path-to-your-role-policy.json>
You can choose any name for the policy.
Step 3: Register the IAM role to cloudnatix backend
Use the following command to register the AWS credentials to our backend.
cnatix k8s upgrade credentials create --csp=aws --iam-role-arn=<ARN of the role>
The account ID is the number related to your AWS account. The ARN is the one related to the role you created at the step 1 (you can check the “Arn” field from the output of aws iam get-role -–role-name=rolename
command).
Please note that permissions are not propogated across AWS accounts, so giving access to the root account does not enable the feature for all accounts.