How Do You Use Amazon Elastic Kubernetes Service with the CLI?

Problem scenario
You want to deploy Kubernetes to AWS.  How do you use Amazon EKS to create a cluster with the AWS CLI?

Solution
Prerequisites

i.  This assumes that your AWS CLI has been installed.  If you need assistance with this, see this posting.
ii.  This assumes that you have a role created.  If you need assistance with this, see this posting.
iii. You need to have kubeadm installed. The server with it needs to have 2 vCPUs and 1.7 GB of RAM or the installation will fail. If you need assistance installing it, see this posting.

Procedures
The command will look something like this (replace "contint" with the name you want to give your cluster):

aws eks create-cluster --name contint --role-arn arn:aws:iam::123456789:role/contint1 --resources-vpc-config subnetIds=subnet-87cb36dd,subnet-2e1ba163,subnet-d355a3c1,securityGroupIds=sg-33e3abbe

If you need help on how to craft the above statement, read the following. (After running the command be prepared to wait 15 minutes for the cluster to be created.)

The hyperlink in prerequisite ii can help you determine the "arn.../contint1" value. 

If you do not know the role-arn value, run this query:

aws iam list-roles | jq -r '.Roles[] | select(.AssumeRolePolicyDocument.Statement[].Principal.Service=="eks.amazonaws.com")'

If you do not know what subnet IDs or security group IDs to use, try these commands if you already have an EKS cluster running:

aws eks list-clusters

aws eks describe-cluster --name contint # where "contint" is the name of the cluster that the above command produces

If you do not have EKS clusters set up yet, run these commands to find your subnet IDs and Security Group ID:

For finding the default VPC ID (for the next suggestions), use this command: aws ec2 describe-vpcs | jq -r '.Vpcs[] | select(.IsDefault)'

To find the subnets when you know the VPC ID (say, vpc-abc123), use this command, substituting your VPC ID for vpc-abc123:
aws ec2 describe-subnets | jq -r '.Subnets[] | select(.VpcId=="vpc-abc123")' | grep SubnetId

To find the security group IDs when you know the VPC ID (say, vpc-abc123), use this command, substituting your VPC ID for vpc-abc123:
aws ec2 describe-security-groups | jq -r '.SecurityGroups[] | select(.VpcId=="vpc-abc123")' | grep -i groupid

If you have a simple AWS environment, these can be useful (but are not necessary if you ran the more complex commands with "jq" above):
#aws ec2 describe-subnets | grep -i subnetid
#aws ec2 describe-security-groups | grep -i groupid
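The discovery steps above (VPC, subnets, security groups, role ARN) end in a single create-cluster command that is easy to assemble wrongly. The Python below is an added example, not code from the original posting: it takes the JSON that aws ec2 describe-subnets and aws ec2 describe-security-groups print, keeps only the objects in the chosen VPC (what the jq select(.VpcId==...) filters do), checks that the subnets span at least two Availability Zones (an EKS requirement) and that the role ARN is well formed, and returns the argv for aws eks create-cluster. The sample JSON and all IDs are constructed.

```python
import re
import shlex

# IAM role ARNs carry a 12-digit account ID.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def ids_in_vpc(describe_output, list_key, id_key, vpc_id):
    """Filter a describe-* result by VpcId, like jq's select(.VpcId=="...")."""
    return [o[id_key] for o in describe_output[list_key] if o.get("VpcId") == vpc_id]


def build_create_cluster(name, role_arn, subnets_json, sgs_json, vpc_id):
    """Return argv for `aws eks create-cluster`, or raise ValueError with the reason.

    subnets_json / sgs_json are the parsed outputs of
    `aws ec2 describe-subnets` and `aws ec2 describe-security-groups`.
    """
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    subnets = [s for s in subnets_json["Subnets"] if s.get("VpcId") == vpc_id]
    azs = {s["AvailabilityZone"] for s in subnets}
    if len(azs) < 2:
        raise ValueError(f"EKS needs subnets in at least two AZs; found {sorted(azs)}")
    sg_ids = ids_in_vpc(sgs_json, "SecurityGroups", "GroupId", vpc_id)
    if not sg_ids:
        raise ValueError(f"no security groups in {vpc_id}")
    subnet_ids = [s["SubnetId"] for s in subnets]
    vpc_cfg = "subnetIds=%s,securityGroupIds=%s" % (",".join(subnet_ids), ",".join(sg_ids))
    return ["aws", "eks", "create-cluster", "--name", name, "--role-arn", role_arn,
            "--resources-vpc-config", vpc_cfg]


# Constructed sample data in the shape the two describe-* commands return.
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-aaa111", "VpcId": "vpc-abc123", "AvailabilityZone": "us-east-2a"},
    {"SubnetId": "subnet-bbb222", "VpcId": "vpc-abc123", "AvailabilityZone": "us-east-2b"},
    {"SubnetId": "subnet-ccc333", "VpcId": "vpc-other", "AvailabilityZone": "us-east-2a"},
]}
SGS = {"SecurityGroups": [
    {"GroupId": "sg-111111", "VpcId": "vpc-abc123", "GroupName": "default"},
    {"GroupId": "sg-222222", "VpcId": "vpc-other", "GroupName": "default"},
]}

if __name__ == "__main__":
    # With real data: json.loads(subprocess.check_output(["aws", "ec2", "describe-subnets"]))
    argv = build_create_cluster("contint", "arn:aws:iam::123456789012:role/contint1",
                                SUBNETS, SGS, "vpc-abc123")
    print(shlex.join(argv))
```

Run it once against real describe-* output and paste the printed command, rather than copying IDs by hand from grep output.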

aws eks --region us-east-2 update-kubeconfig --name contint #change "us-east-2" to the region of your choice

To install the AWS IAM Authenticator, run the following commands (but replace "ec2-user:ec2-user" with the username and group name of your choice):

# -L follows redirects. Do not add -k: it disables TLS certificate checking on a binary you are about to run as root.
curl -L https://amazon-eks.s3.us-west-2.amazonaws.com/1.17.9/2020-08-04/bin/linux/amd64/aws-iam-authenticator > /tmp/aws-iam-authenticator

# If you need a newer version in the future, go here: https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html

sudo cp /tmp/aws-iam-authenticator /usr/local/bin

sudo chown ec2-user:ec2-user /usr/local/bin/aws-iam-authenticator

sudo chmod u+x /usr/local/bin/aws-iam-authenticator

If you want to create nodes, see this posting. Before you run the following command, be sure that there are two CPUs on your server (e.g., with cat /proc/cpuinfo) and be sure that Docker has been installed: sudo kubeadm init

You may want to run these commands to get flannel working such that the worker nodes are ready:

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/2140ac876ef134e0ed5af15c65e414cf26827915/Documentation/kube-flannel.yml

kubectl -n kube-system apply -f https://raw.githubusercontent.com/coreos/flannel/bc79dd1505b0c8681ece4de4c0d86c5cd2643275/Documentation/kube-flannel.yml

Finally, if the pods are not in the "Ready" state and "kubectl describe pods" shows an error about the CNI plugin not working or subnet.env not existing, you may want to log into the worker nodes and create /run/flannel/. This directory could house a copy of subnet.env. This file can sometimes be found on the worker nodes in /etc/flannel/subnet.env. The contents of the file should be as follows:

FLANNEL_NETWORK=10.244.0.0/16
FLANNEL_SUBNET=10.244.0.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=true  

(The four lines above were taken from this page.)

How Do You Create an AWS User with Web Console Access to View EKS Clusters in the AWS Console?

One of the following problem scenarios applies.

Problem scenario #1
You want an AWS user to be able to log into the web console and view EKS clusters.  How do you do this?

OR

Problem scenario #2
You are using AWS and when you log into the AWS Console via a web browser with a user who is a member of a Group with two EKS policies, you go to Amazon EKS. But you see this error:

AccessDeniedException User: arn:aws:iam::12345678910:user/funuser is not authorized to perform: eks:ListClusters on resource: arn:aws:eks:us-west-2:12345678910:cluster/*

Can an IAM Role be used with the web console? How do you create an AWS user with web console access to view EKS clusters in the AWS Console?

Solution
Prerequisites

i.  This solution assumes you have an AWS user created with console access.  If you need help with this, see this posting.

ii.  This solution assumes the user has two EKS policies applied (either through a group or through direct attachment).  If you need help with this, see this posting.

iii. This assumes you have an ARN for a role that can manage Kubernetes clusters.  If you need help with creating this IAM Role that can manage Kubernetes/EKS clusters, see this posting.

If the role exists and you need help finding/determining the ARN, do either a or b below:

a.  If you have AWS CLI configured for the region that has a cluster in EKS, run this command to find the ARN: aws sts get-caller-identity

b.  If the role has already been created and you need help determining this, go here: https://console.aws.amazon.com/iam/home?
Then go to "Roles" on the left.  Find the role name (e.g., "goodrole") and click on it, as it should be hyperlinked.  The "Role ARN" should be near the top.  It will be in this format: "arn:aws:iam::12345678910:role/rolename"
You will need this value later.

Procedures
1.  Log into the AWS console.
2.  Go to this link: https://console.aws.amazon.com/iam/
3.  Go to "Policies" then click "Create policy."  
4.  Go to the JSON tab.  Paste this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        }
    ]
}

5.  Click "Review policy".
6.  Enter any name you want.  Remember the name for later.
7.  Click "Create Policy".
8.  Go to "Policies" then click "Create policy."  
9.  Go to the JSON tab.  Paste this but replace "arn:aws:iam::12345678910:role/rolename" with the ARN of the role that allows for the managing of EKS clusters (footnote #1):

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Sid": "PolicyStatementToAllowUserToPassOneSpecificRole",
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": "arn:aws:iam::12345678910:role/rolename"
    }
    ]
}

10.  Click "Review policy".
11.  Enter any name you want.  Remember this name for later too.
12.  Click "Create Policy".
13.  Click on "Users" on the left.
14.  Click on the user that you want to be able to have full EKS rights (the user with the problem).
15.  Click on the "Permissions" tab then the "Add permissions" button.
16.  At the top, click on "Attach existing policies directly."
17.  Select each of the two policies created earlier (based on their custom names from steps #6 and #11 above).
18.  Click "Next: Review".
19.  Click "Add permissions".
20.  Now you are done.  The user may have to refresh the web UI (but not necessarily log out).


(1) To find this go to IAM -> Roles and click on the Role you want to find.
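The second policy in the procedure above grants iam:PassRole on one specific role ARN; widening that Resource to "*" would let the user hand any role in the account to EKS. The Python below is an added check, not part of the original posting: it reads a policy document and reports every Allow statement that grants PassRole (directly or via iam:* / *) against a wildcard or non-role resource. The sample policies are constructed, with the placeholder ARN from the text.

```python
import fnmatch
import json


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def passrole_findings(policy):
    """Return a list of findings; an empty list means PassRole is tightly scoped."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action matching is case-insensitive and supports * and ? globs.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatch("iam:passrole", pattern) for pattern in actions):
            continue
        label = stmt.get("Sid") or f"statement {idx}"
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or not res.startswith("arn:aws:iam::") or ":role/" not in res:
                findings.append(f"{label}: PassRole allowed on non-role resource {res!r}")
            elif "*" in res.split(":role/", 1)[1]:
                findings.append(f"{label}: PassRole allowed on role pattern {res!r}")
    return findings


# Constructed samples: the posting's scoped policy, then a loosened variant.
SCOPED_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PolicyStatementToAllowUserToPassOneSpecificRole",
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": "arn:aws:iam::12345678910:role/rolename"
    }]
}""")
LOOSE_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED_POLICY), ("loose", LOOSE_POLICY)):
        print(name, passrole_findings(pol) or "ok")
```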

How Do You Use Amazon Elastic Kubernetes Service with the Web UI?

Problem scenario
You want to deploy a Kubernetes cluster in AWS.  How do you use Amazon EKS with the web UI?

Solution
Prerequisites

i.  Optional:  It is recommended to create a separate VPC for each cluster (according to Amazon's documentation here).  If you need to create a VPC, see this posting.

ii.  You need a Linux server with kubectl installed on it.  To install kubectl, on Ubuntu Linux running in AWS, run this command:  sudo snap install kubectl --classic

To install kubectl on a CentOS/RHEL/Fedora server, follow step #1 of this posting and ignore the other steps.

iii.  Install the aws-iam-authenticator on the same Linux server with kubectl.  If you need directions, see this posting.

iv.  Decide which AWS user will run the kubectl commands (if such a user already exists).  This console user account (via any one of its access key and secret key pairs) needs to be the one that creates the cluster too.  Part 2 of the Procedures below will require you to have access to the AWS web UI console with this user.

If you need assistance creating an AWS user (and an AWS group) for this purpose, follow two sets of directions in this order: First follow the steps in this posting.  Secondly do this posting.

v.  These directions require you to configure the AWS CLI with the user account determined in the step above.  "While the AWS CLI is not explicitly required to use Amazon EKS, the update-kubeconfig command greatly simplifies the kubeconfig creation process."  Taken from Amazon's documentation.

Click here if you want directions to install the AWS CLI.  Remember to use the access key (and its secret key) when following those linked directions that are the ones associated with the user referred to in prerequisite iv (above) of these directions.

Part 1  (Performed from a web browser.)
Create the Kubernetes cluster by following this section's directions:
1.  Log into the AWS Console (in a web browser) with the same user associated with the AWS CLI (which may have one, two, or more access keys).
2.a.  Go to this URL:  https://console.aws.amazon.com/eks/home
2.b.  Make sure you are in the region that you want to be in (e.g., us-west-1 or Northern California).
3.  Enter a cluster name (such as "Contint"), then click "Next step."
4.  Configuring the cluster should be self-explanatory.  
    a.  If the role you want is in the drop down box, select it, then choose the subnets and security groups as you desire.  Then click the "Create" button in the lower right-hand corner.  Then skip to step #6.  If you need a role, follow substeps b through k below.  
    b.  If you need to create a Role, go here in a different tab: https://console.aws.amazon.com/iam/home?#/roles
    c.  Click "Create role" (a blue button).  
    d.  The type of trusted entity (at the top) should be "AWS Service" (a button like option near the top).
    e.  Click the hyperlink for "EKS".
    f.  Click "Next: Permissions" (a blue button).
    g.  Click "Next: Tag" (a blue button).  
    h.  At your option you may enter a key name.  Click the "Next: Review" blue button in the lower right-hand corner.
    i.  Type in a "Role name" in the appropriate field.  Click the "Create role" blue button in the lower right-hand corner.    
    j.  Check individual security groups as you desire.  
    k.  Click "Create" (an orange button).
5.  You may need to wait a few minutes.  While it is being created you may want to click the refresh button (a semi-circular arrow near the "Delete" button).
6.  You will need various values from this web UI screen in the next step.

Part 2  (From a Linux command prompt)
7.  From the Linux back-end run this command:  aws eks update-kubeconfig --name Contint

We recommend you run the command above, but replace "Contint" with the name of the cluster.  If you do not want to automatically create the config file, you can manually create it.  To do so, follow these directions. If you need help using a new IAM user, see this posting.

How Do You Create a config File for Kubernetes Manually?

Problem scenario
You want to manually create a config file for Kubernetes.  (You do not want to run aws eks update-kubeconfig --name foobar.)  How do you do this?

Solution
These directions are most suited for Amazon EKS.  But they could be adapted for clusters running in other environments (not just AWS).  If you are using GCP, go to the very bottom of the directions and skip the rest.

1.  Go to your home directory: cd ~
2.  Create a .kube file: mkdir .kube
3.  Go inside this directory: cd .kube
4.  Replace "foobar" with the name of your cluster, and run this: vi config-foobar
5.  Paste the following inside it:

apiVersion: v1
clusters:
- cluster:
    server: <endpoint-url>
    certificate-authority-data: <base64-encoded-ca-cert>
  name: <role-arn>
contexts:
- context:
    cluster: <role-arn>
    user: <role-arn>
  name: <role-arn>
current-context: <role-arn>
kind: Config
preferences: {}
users:
- name: <role-arn>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
        - "token"
        - "-i"
        - "<cluster-name>"
      command: aws-iam-authenticator

6.  Follow these four steps (each quoted from https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html ), and get the values you need by going to this link https://us-east-2.console.aws.amazon.com/eks/home? in a web UI and then click on the cluster for which you want to configure and use.

  • Replace the <endpoint-url> with the endpoint URL that was created for your cluster.  (It will appear under the "API server endpoint" value.)
  • Replace the <base64-encoded-ca-cert> with the certificateAuthority.data that was created for your cluster.  (It will appear under the "Certificate Authority" value.)
  • Replace the <cluster-name> with your cluster name.
  • Replace the <role-arn> with the value for the "Role ARN" as the web UI shows.
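Filling in the four placeholders by hand is where a pasted CA blob or an http:// endpoint slips through unnoticed. The Python below is an added example, not from the original posting or AWS: it renders the kubeconfig template above from the four values, after checking that the endpoint is https:// and that the certificate-authority-data is valid base64 that decodes to a PEM certificate. The sample endpoint, ARN and CA bytes are constructed.

```python
import base64
import binascii

# The posting's template. Note that kubectl 1.24+ removed the v1alpha1
# exec API; newer clusters need client.authentication.k8s.io/v1beta1 here.
TEMPLATE = """apiVersion: v1
clusters:
- cluster:
    server: {endpoint}
    certificate-authority-data: {ca_data}
  name: {name}
contexts:
- context:
    cluster: {name}
    user: {name}
  name: {name}
current-context: {name}
kind: Config
preferences: {{}}
users:
- name: {name}
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
        - "token"
        - "-i"
        - "{cluster}"
      command: aws-iam-authenticator
"""


def check_values(endpoint, ca_data, cluster_name, role_arn):
    """Return a list of problems with the four values; empty means they look sane."""
    problems = []
    if not endpoint.startswith("https://"):
        problems.append("endpoint must be an https:// URL")
    try:
        pem = base64.b64decode(ca_data, validate=True)
        if not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
            problems.append("CA data does not decode to a PEM certificate")
    except binascii.Error:
        problems.append("CA data is not valid base64")
    if not cluster_name:
        problems.append("cluster name is empty")
    if not role_arn.startswith("arn:aws:iam::"):
        problems.append("role ARN does not look like an IAM ARN")
    return problems


def render_kubeconfig(endpoint, ca_data, cluster_name, role_arn):
    """Render the config text, or raise ValueError listing what is wrong."""
    problems = check_values(endpoint, ca_data, cluster_name, role_arn)
    if problems:
        raise ValueError("; ".join(problems))
    return TEMPLATE.format(endpoint=endpoint, ca_data=ca_data,
                           name=role_arn, cluster=cluster_name)


# Constructed sample values (the CA body is not a real certificate).
SAMPLE_CA = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n").decode()
SAMPLE_ENDPOINT = "https://EXAMPLE0123.gr7.us-east-2.eks.amazonaws.com"
SAMPLE_ROLE = "arn:aws:iam::123456789012:role/rolename"
```

Write the returned text to ~/.kube/config-foobar (or ~/.kube/config) only after check_values comes back empty.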

For GCP
To automatically generate a new kubeconfig file when you are using GCP's Kubernetes, run this command: gcloud container clusters get-credentials "CONTINT"

Replace "CONTINT" with the name of the cluster you want the kubeconfig file to be for.

How Do You Troubleshoot the AWS CLI Error “Traceback … import pkg_resources”?

Problem scenario
You run an "aws" command but you receive an error message such as this:

Traceback (most recent call last):
  File "/usr/bin/aws", line 4, in <module>
    import pkg_resources
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 3007, in <module>

What should you do?

Solution
1.  Install pip.  If you need assistance, see this posting (especially the "Problem scenario" paragraph with hyperlinks based on distribution families of Linux).

2.  Run this command:
sudo pip install colorama rsa s3transfer ruamel.yaml botocore

3.  Try the aws command again.  If it fails, install a different, older version of the awscli.  You can go to /bin/ and run "sudo mv aws-cli... aws-bak".  Then see this posting for details about installing the AWS CLI.

How Do You Create an IAM User Account in AWS to Run AWS CLI Commands and Log into the AWS Web UI to Manage EKS?

Problem scenario
You want to use Amazon EKS.  You tried to run an "aws eks" command but got an error about the root user not being allowed to perform the operation.  How do you create an IAM user account in AWS to run AWS CLI commands for EKS and log into the AWS web UI and view EKS clusters?

Solution
Prerequisite

This assumes you have a group that has the correct policies to enable EKS manipulation.  If you do not know how to do this, see the posting: How do you create a group for AWS users that can manage a Kubernetes cluster running in AWS?

Procedures
Follow How Do You Create an IAM User Account in AWS to Run AWS CLI Commands and Log into the AWS Web UI?  With step #10, choose the group for EKS.

How Do You Create a Group for AWS Users That Can Manage a Kubernetes Cluster Running in AWS?

Problem scenario
You use EKS to create a Kubernetes cluster.  How do you create a group for AWS user accounts to enable them to manage Kubernetes clusters in AWS?

Solution
1.  Log into the AWS web console.
2.  Go here: https://console.aws.amazon.com/iam/home?
3.  Go to Groups on the left.
4.  Click the "Create New Group" button.
5.  Enter a name (e.g., coolgroup).
6.  Click "Next Step".
7.  In the "Attach Policy" section, check the boxes for these five policies:
AmazonEKSClusterPolicy, ElasticLoadBalancingFullAccess, AmazonECS_FullAccess, AmazonEKSServicePolicy, AmazonECSTaskExecutionRolePolicy 
8.  Click "Next Step".
9.  Click "Create Group".

How Do You Create an IAM User Account in AWS to Run AWS CLI Commands and Log into the AWS Web UI?

Problem scenario
How do you create an AWS user that can run AWS CLI commands and log into the AWS web console?

Solution
1.  Log into the AWS web console.
2.  Go here: https://console.aws.amazon.com/iam/home?
3.  Go to Users on the left.
4.  Click the "Add User" button.
5.  Enter a name (e.g., jdoe).  
6.  Check the boxes for both "Programmatic access" and "AWS Management Console access".
7.  For the "Console Password", choose the option for the "Custom Password".
8.  If you are giving these credentials to someone else, keep the option checked for "Require password reset".  (Otherwise you may want to uncheck it.)
9.  Click "Next: Permissions" in the lower right-hand corner.
10.  Check the option for the group that you want.  (If you want directions for how to create a group, see How Do You Create a Group for AWS Users That Can Manage a Kubernetes Cluster Running in AWS? as an example.)  Then click "Next: Add Tags" in the lower right-hand corner.
11.  It is optional to add tags.  Click "Next: Review" in the lower right-hand corner.
12.  Click "Create User".
13.  Find the AWS Management Console URL.  This is important for the user to log in going forward.
14.  You may want to copy and/or save the secret access key at this time.

What Is a Shared Library in Jenkins?

Question
You have heard about shared libraries in the context of Jenkins Pipelines.  What is a Jenkins Pipeline shared library?

Answer
It is something that extends a Jenkins Pipeline (1).  A library is often composed of one or more of the following (sources include (2) (3)):

  i.  Groovy-based DSL.
  ii. Groovy code and compiled programs.
  iii.  Java code and compiled programs.
  iv.  variables and other artifacts possibly in directories named /vars, /src, and /resources.  

There are three requirements for defining a shared library; these are a name, a code repository, and a version (1).  The version can refer to a branch in a Git repository (1).

One big benefit of using a shared library is that it makes other Jenkins Pipelines easier to maintain by keeping one group of common files, configuration settings and variables in one place (1).  By abstracting out the shared values and files, you create an opportunity for individual Jenkins Pipelines to be minimal in size (1).

The term "shared library" is also used, with a different meaning, in the context of the C programming language.  To learn more about this, see this link.

Citations
(1)  https://jenkins.io/doc/book/pipeline/shared-libraries/
(2)  https://medium.com/devopslinks/a-hacky-hackers-guide-to-jenkins-scripted-pipelines-part-4-dd49fcb0d62
(3)  https://automatingguy.com/2017/12/29/jenkins-pipelines-shared-libraries/

How Do You Create an Amazon Resource Name Role in AWS?

Problem scenario
You want to create an ARN Role in AWS.  What do you do?

Solution
1.  Log into the AWS web console and go here:  https://console.aws.amazon.com/iam/home?#/roles
2.  Click "Create role" (a blue button).  
3.  The type of trusted entity (at the top) should be "AWS Service" (a button-like option near the top).
4.  Click the hyperlink that you desire.  (For a role that will create Kubernetes clusters, click "EKS".)
5.a. Underneath the "Select your use case" section, click on "EKS".
5.b.  Click "Next: Permissions" (a blue button).
6.  Click "Next: Tags" (a blue button).  
7.  At your option you may enter a key name.  Click the "Next: Review" blue button in the lower right-hand corner.
8.  Type in a "Role name" in the appropriate field.  Click the "Create role" blue button in the lower right-hand corner.