CloudNatix logo

User Guide

Kubernetes Version Upgrade EKS Setup

Overview

This page will walk you through setting up EKS clusters to support the CloudNatix K8s upgrade tool.

Step 1: Create an IAM Role

First, obtain the “external ID” for the access credential. This can be done through our CLI.

cnatix k8s upgrade credentials external-id

It will print out the message like this:

Use the following external ID:
<GUID to use>

Then, create an IAM role using the external ID. It should have a trust-policy like this.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::803339316953:role/K8sUpgradeControllerProd"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": <your external ID from above>
        }
      }
    }
  ]
}

Save this into a file, e.g. trust-policy.json. Then you can create the IAM role as follows:

aws iam create-role --role-name <role-name> --assume-role-policy-document file://<path-to-your-trust-policy.json>

Step 2: Set up the policy for the role

Create a JSON file (e.g. named role-policy.json) with the following content.

{
  "Version": "2012-10-17",
  "Statement": [
    {
    "Effect": "Allow",
    "Action": [
        "eks:CreateAddon",
        "eks:DeleteAddon",
        "eks:DescribeCluster",
        "eks:DescribeUpdate",
        "eks:DescribeAddon",
        "eks:DescribeAddonVersions",
        "eks:DescribeInsight",
        "eks:DescribeNodegroup",
        "eks:TagResource",
        "eks:ListAddons",
        "eks:ListClusters",
        "eks:ListInsights",
        "eks:ListNodegroups",
        "eks:UpdateAddon",
        "eks:UpdateClusterVersion",
        "eks:UpdateNodegroupVersion",
        "eks:UpdateNodegroupConfig",
        "eks:CreateNodeGroup",
        "ec2:CreateLaunchTemplate",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeSubnets",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags",
        "iam:GetInstanceProfile",
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "<ARN of the role that the self-managed nodes use>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
	"iam:ListAttachedRolePolicies"
      ],
      "Resource": [
        "<ARN of the role that the self-managed nodes use>",
        "<ARN of the role that the EKS cluster uses>"
      ]
         },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
      ],
      "Resource": [
        "arn:aws:iam::<account-id>:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup"
      ]
    }
  ]
}

Then run the AWS CLI to set up the policy to the role you created above.

aws iam put-role-policy --role-name <your role name> --policy-name <policy name> --policy-document file://<path-to-your-role-policy.json>

You can choose any name for the policy.

Step 3: Register the IAM role to cloudnatix backend

Use the following command to register the AWS credentials to our backend.

cnatix k8s upgrade credentials create --csp=aws --iam-role-arn=<ARN of the role>

The account ID is the number related to your AWS account. The ARN is the one related to the role you created at the step 1 (you can check the “Arn” field from the output of aws iam get-role –role-name=rolename command).

Please note that permissions are not propogated across AWS accounts, so giving access to the root account does not enable the feature for all accounts.

Previous
Upgrading Kubernetes Clusters with CloudNatix automation
Next
Node Drain Agent Guide