diff --git a/content/en/docs/stable/Cloud Providers/aws.md b/content/en/docs/stable/Cloud Providers/aws.md index 16611fa..ef65700 100644 --- a/content/en/docs/stable/Cloud Providers/aws.md +++ b/content/en/docs/stable/Cloud Providers/aws.md 
@@ -5,11 +5,130 @@ description: > categories: [Cloud Provider] tags: [aws, ha, managed, core] --- + {{% pageinfo %}} Aws support for HA and Managed Clusters {{% /pageinfo %}} -Support for aws provider is added. -Supported functionality -- [ ] Managed EKS -- [x] Self-managed HA cluster with k3s and kubeadm + +{{% alert color="warning" title="Caution" %}} +we need credentials to access clusters + +these are confidential information so shouldn't be shared with anyone +{{% /alert %}} + + +## How these credentials are used by ksctl + +1. Environment Variables + +```bash +export AWS_ACCESS_KEY_ID="" +export AWS_SECRET_ACCESS_KEY="" +``` + +2. Using command line + +```bash +ksctl cred +``` + +## Current Features + +### Cluster features +#### Highly Available cluster + +clusters which are managed by the user not by cloud provider + +you can choose between k3s and kubeadm as your bootstrap tool + +custom components being used +- Etcd database VM +- HAProxy loadbalancer VM for controlplane nodes +- controlplane VMs +- workerplane VMs + +#### Managed Cluster Elastic Kubernetes Service + +we provision Roles `ksctl-*` 2 for each cluster: +- `ksctl--wp-role` for the EKS NodePool +- `ksctl--cp-role` for the EKS controlplane + +we utilize the iam:AssumeRole to assume the role and create the cluster + + +##### Policies aka permissions for the user +here is the policy and role which we are using + +1. 
**iam-role-full-access(Custom Policy)** +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor6", + "Effect": "Allow", + "Action": [ + "iam:CreateInstanceProfile", + "iam:DeleteInstanceProfile", + "iam:GetRole", + "iam:GetInstanceProfile", + "iam:RemoveRoleFromInstanceProfile", + "iam:CreateRole", + "iam:DeleteRole", + "iam:AttachRolePolicy", + "iam:PutRolePolicy", + "iam:ListInstanceProfiles", + "iam:AddRoleToInstanceProfile", + "iam:ListInstanceProfilesForRole", + "iam:PassRole", + "iam:CreateServiceLinkedRole", + "iam:DetachRolePolicy", + "iam:DeleteRolePolicy", + "iam:DeleteServiceLinkedRole", + "iam:GetRolePolicy", + "iam:SetSecurityTokenServicePreferences" + ], + "Resource": [ + "arn:aws:iam::*:role/ksctl-*", + "arn:aws:iam::*:instance-profile/*" + ] + } + ] +} +``` + +2. **eks-full-access(Custom Policy)** +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": [ + "eks:ListNodegroups", + "eks:ListClusters", + "eks:*" + ], + "Resource": "*" + } + ] +} +``` + +3. **AmazonEC2FullAccess(Aws)** +4. **IAMReadOnlyAccess(Aws)** + +{{% alert color="info" title="Validaty of Kubeconfig" %}} +The Kubeconfig generated after you ran + +```shell +ksctl switch aws --name here-you-go --region us-east-1 +``` + +we are using sst token to authenticate with the cluster, so the kubeconfig is valid for 15 minutes + +once you see that there is a error of unauthorized then you need to re-run the above command + +{{% /alert %}} diff --git a/content/en/docs/stable/Cloud Providers/azure.md b/content/en/docs/stable/Cloud Providers/azure.md index 3dac715..f06a43b 100644 --- a/content/en/docs/stable/Cloud Providers/azure.md +++ b/content/en/docs/stable/Cloud Providers/azure.md 
@@ -99,7 +99,7 @@ ksctl cred #### Highly Available cluster clusters which are managed by the user not by cloud provider - using K3s kubernetes distribution which is lightweight +you can choose between k3s and kubeadm as your bootstrap tool custom components being used - Etcd database VM diff --git a/content/en/docs/stable/Cloud Providers/civo.md b/content/en/docs/stable/Cloud Providers/civo.md index 4254c20..026301c 100644 --- a/content/en/docs/stable/Cloud Providers/civo.md +++ b/content/en/docs/stable/Cloud Providers/civo.md @@ -46,7 +46,7 @@ ksctl cred #### Highly Available cluster clusters which are managed by the user not by cloud provider -> using K3s kubernetes distribution which is lightweight +you can choose between k3s and kubeadm as your bootstrap tool custom components being used - Etcd database VM diff --git a/content/en/docs/stable/Ksctl Operators/application.md b/content/en/docs/stable/Ksctl Operators/application.md index 7a3e669..a6abedd 100644 --- a/content/en/docs/stable/Ksctl Operators/application.md +++ b/content/en/docs/stable/Ksctl Operators/application.md 
@@ -26,16 +26,16 @@ It has a dependency on `ksctl agent` ### Supported Apps and CNI | Name | Type | Category | Ksctl_Name | |- | - | - | - | -| Argo-CD | App | CI/CD | argocd | -| Argo-Rollouts | App | CI/CD | argo-rollouts | -| Istio | App | Service Mesh | istio | -| Cilium | Cni | - | cilium | -| Flannel | Cni | - | flannel | -| Kube-Prometheus | App | Monitoring | prometheus-stack | +| Argo-CD | standard | CI/CD | standard-argocd | +| Argo-Rollouts | standard | CI/CD | standard-argorollouts | +| Istio | standard | Service Mesh | standard-istio | +| Cilium | standard | - | standard-cilium | +| Flannel | standard | - | standard-flannel | +| Kube-Prometheus | standard | Monitoring | standard-kubeprometheus | #### Example usage -Lets deploy `argocd@v2.9.X`, `prometheus-stack@v55.X.Y` +Lets deploy `argocd@v2.9.X`, `kube-prometheus-stack@v55.X.Y` ```yaml apiVersion: application.ksctl.com/v1alpha1 kind: Stack @@ -43,11 +43,11 @@ metadata: name: monitoring-plus-gitops spec: components: - - appName: argocd + - appName: standard-argocd appType: app version: v2.9.12 - - appName: prometheus-stack + - appName: standard-kubeprometheus appType: app version: "55.0.0" ``` @@ -66,11 +66,11 @@ metadata: name: monitoring-plus-gitops spec: components: - - appName: argocd + - appName: standard-argocd appType: app version: latest - - appName: prometheus-stack + - appName: standard-kubeprometheus appType: app version: latest ```
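Review bot: In the aws.md hunk, the `eks-full-access` policy grants `"eks:*"` on `"Resource": "*"`, which makes the preceding `eks:ListNodegroups` and `eks:ListClusters` entries redundant and gives the ksctl principal every EKS action on every cluster in the account, not just the `ksctl-*` ones it creates; scope the resource (e.g. to the cluster and nodegroup ARNs ksctl provisions) or at least drop the redundant entries, and likewise `"arn:aws:iam::*:instance-profile/*"` in `iam-role-full-access` is unscoped while the role ARN is restricted to `role/ksctl-*`. Two smaller points in the same hunk: the role names `ksctl--wp-role` and `ksctl--cp-role` read as if a cluster-name placeholder was dropped between the hyphens, and the kubeconfig alert should say `STS` token (`we are using sst token`) and `Validity` (`title="Validaty of Kubeconfig"`).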
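Review bot: In the azure.md hunk, the replaced line `- using K3s kubernetes distribution which is lightweight` was a list item and the new `you can choose between k3s and kubeadm as your bootstrap tool` is a bare sentence directly above `custom components being used`; since the same wording is now duplicated across aws, azure and civo, consider documenting in one place how the bootstrap tool is selected so the provider pages do not drift.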
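Review bot: In the civo.md hunk, the old line was a blockquote (`> using K3s kubernetes distribution which is lightweight`) and the new line is plain text, so the rendered layout of this section changes; that is fine if intended, but the sentence should start with a capital letter and end with a period to match a documentation page.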
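Review bot: In the first application.md hunk, collapsing the `Type` column to `standard` for every row drops the `App` vs `Cni` distinction, yet the example `Stack` specs in the following hunks still set `appType: app`, so the table no longer tells a reader which value `appType` should take for Cilium or Flannel; either keep a separate column for the app/CNI kind or document that `standard` is the stack type and `appType` is something else. The intro line `Lets deploy \`argocd@v2.9.X\`, \`kube-prometheus-stack@v55.X.Y\`` also uses a name that matches neither the table's `Kube-Prometheus` nor the `Ksctl_Name` `standard-kubeprometheus`, and `Lets` should be `Let's`.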
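Review bot: In the second application.md hunk, `appName` is renamed to `standard-argocd` and `standard-kubeprometheus` but `appType: app` is left unchanged, so the example is internally inconsistent with the renamed table; confirm whether the operator still expects `app` here. Unrelated but visible in the context lines: `version: v2.9.12` is unquoted with a `v` prefix while `version: "55.0.0"` is quoted without one, so state which form the CRD expects.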
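Review bot: In the third application.md hunk, both components use `version: latest`, which makes the example non-reproducible because `latest` resolves to whatever the operator picks at reconcile time; since the preceding example already shows pinned versions, add a sentence explaining what `latest` resolves to and when it is safe to use, and apply the same `appType` check as above.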