diff --git a/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/01-ECR-Nginx-Deployment.yml b/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/01-ECR-Nginx-Deployment.yml
new file mode 100644
index 00000000..e31dfd24
--- /dev/null
+++ b/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/01-ECR-Nginx-Deployment.yml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kubeapp-ecr
+ labels:
+ app: kubeapp-ecr
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: kubeapp-ecr
+ template:
+ metadata:
+ labels:
+ app: kubeapp-ecr
+ spec:
+ containers:
+ - name: kubeapp-ecr
+ image: 180789647333.dkr.ecr.us-east-1.amazonaws.com/aws-ecr-kubenginx:1.0.0
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "500m"
+ limits:
+ memory: "256Mi"
+ cpu: "1000m"
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/02-ECR-Nginx-NodePortService.yml b/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/02-ECR-Nginx-NodePortService.yml
new file mode 100644
index 00000000..e500953c
--- /dev/null
+++ b/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/02-ECR-Nginx-NodePortService.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: kubeapp-ecr-nodeport-service
+ labels:
+ app: kubeapp-ecr
+ annotations:
+#Important Note: Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
+ alb.ingress.kubernetes.io/healthcheck-path: /index.html
+spec:
+ type: NodePort
+ selector:
+ app: kubeapp-ecr
+ ports:
+ - port: 80
+ targetPort: 80
diff --git a/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/03-ECR-Nginx-ALB-IngressService.yml b/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/03-ECR-Nginx-ALB-IngressService.yml
new file mode 100644
index 00000000..3556c946
--- /dev/null
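Review bot: The container at `- name: kubeapp-ecr` declares no readinessProbe or livenessProbe, so a Pod is counted as Ready the moment its container starts and joins the Service endpoints before nginx is listening; a readinessProbe doing an httpGet on `/index.html` port 80 would align Pod readiness with the ALB health check the companion Service declares. The image is pinned by the mutable tag `1.0.0`; unless tag immutability is enabled on the ECR repository the tag can be repointed, so a digest reference (`image: <REGISTRY>/aws-ecr-kubenginx@sha256:<DIGEST>`) or immutable tags would make the manifest reproducible. No securityContext is set, so the container runs as the image's default user with a writable root filesystem. Since the path says `02-kube-manifests-old` but the file does not, a first-line comment such as `# Archived pre-migration copy; the maintained manifest is under 02-kube-manifests/` would stop it being applied by mistake.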
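Review bot: The `#Important Note: ...` comment sits at column 0 in the middle of the `annotations:` mapping; YAML ignores it, but indenting it to the level of `alb.ingress.kubernetes.io/healthcheck-path` keeps the mapping readable and is what yamllint and Prettier expect. The `/index.html` health-check path is only meaningful if the Deployment's container actually serves that file, so a short comment pointing at the Deployment manifest would tie the two archived files together.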
+++ b/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests-old/03-ECR-Nginx-ALB-IngressService.yml
@@ -0,0 +1,41 @@
+# Annotations Reference: https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: ecr-ingress-service
+ labels:
+ app: kubeapp-ecr
+ annotations:
+ # Ingress Core Settings
+ kubernetes.io/ingress.class: "alb"
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ # Health Check Settings
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+ alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+ alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
+ alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
+ alb.ingress.kubernetes.io/success-codes: '200'
+ alb.ingress.kubernetes.io/healthy-threshold-count: '2'
+ alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
+ ## SSL Settings
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/9f042b5d-86fd-4fad-96d0-c81c5abc71e1
+ #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)
+ # SSL Redirect Setting
+ alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
+ # External DNS - For creating a Record Set in Route53
+ external-dns.alpha.kubernetes.io/hostname: ecrdemo.kubeoncloud.com
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /* # SSL Redirect Setting
+ backend:
+ serviceName: ssl-redirect
+ servicePort: use-annotation
+ - path: /*
+ backend:
+ serviceName: kubeapp-ecr-nodeport-service
+ servicePort: 80
+# Important Note-1: In path based routing order is very important, if we are going to use "/*", try to use it at the end of all rules.
+
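Review bot: `apiVersion: extensions/v1beta1` is no longer served by Kubernetes 1.22 and later, and nothing in the file says it is kept only as the pre-migration reference the `02-kube-manifests-old` path implies; a first-line comment such as `# Archived copy: extensions/v1beta1 Ingress, rejected by Kubernetes >= 1.22; see 02-kube-manifests/ for the current manifest` would prevent an accidental apply. With `#alb.ingress.kubernetes.io/ssl-policy:` commented out, the HTTPS listener falls back to the ALB default policy, which has historically been ELBSecurityPolicy-2016-08 and still negotiates TLS 1.0 and 1.1, so "Picks default if not used" undersells what that default means for the archived example. The last added line is whitespace-only (`+ `), which yamllint reports as trailing whitespace.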
diff --git a/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests/03-ECR-Nginx-ALB-IngressService.yml b/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests/03-ECR-Nginx-ALB-IngressService.yml
index 3556c946..1e4098b5 100644
--- a/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests/03-ECR-Nginx-ALB-IngressService.yml
+++ b/10-ECR-Elastic-Container-Registry-and-EKS/02-kube-manifests/03-ECR-Nginx-ALB-IngressService.yml
@@ -1,41 +1,43 @@
-# Annotations Reference: https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/
-apiVersion: extensions/v1beta1
+# Annotations Reference: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: ecr-ingress-service
 labels:
 app: kubeapp-ecr
 annotations:
+ # Load Balancer Name
+ alb.ingress.kubernetes.io/load-balancer-name: ecr-ingress
 # Ingress Core Settings
- kubernetes.io/ingress.class: "alb"
+ #kubernetes.io/ingress.class: "alb" (OLD INGRESS CLASS NOTATION - STILL WORKS BUT RECOMMENDED TO USE IngressClass Resource)
 alb.ingress.kubernetes.io/scheme: internet-facing
 # Health Check Settings
 alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
 alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+ #Important Note: Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
 alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
 alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
 alb.ingress.kubernetes.io/success-codes: '200'
 alb.ingress.kubernetes.io/healthy-threshold-count: '2'
- alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
+ alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
 ## SSL Settings
 alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
- alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/9f042b5d-86fd-4fad-96d0-c81c5abc71e1
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/d86de939-8ffd-410f-adce-0ce1f5be6e0d
 #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)
 # SSL Redirect Setting
- alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
+ alb.ingress.kubernetes.io/ssl-redirect: '443'
 # External DNS - For creating a Record Set in Route53
- external-dns.alpha.kubernetes.io/hostname: ecrdemo.kubeoncloud.com
+ external-dns.alpha.kubernetes.io/hostname: ecrdemo.kubeoncloud.com
 spec:
 rules:
 - http:
- paths:
- - path: /* # SSL Redirect Setting
+ paths:
+ - path: /
+ pathType: Prefix
 backend:
- serviceName: ssl-redirect
- servicePort: use-annotation
- - path: /*
- backend:
- serviceName: kubeapp-ecr-nodeport-service
- servicePort: 80
+ service:
+ name: kubeapp-ecr-nodeport-service
+ port:
+ number: 80
 # Important Note-1: In path based routing order is very important, if we are going to use "/*", try to use it at the end of all rules.
 
diff --git a/11-DevOps-with-AWS-Developer-Tools/README.md b/11-DevOps-with-AWS-Developer-Tools/README.md
index 35da758e..c007137f 100644
--- a/11-DevOps-with-AWS-Developer-Tools/README.md
+++ b/11-DevOps-with-AWS-Developer-Tools/README.md
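Review bot: The `kubernetes.io/ingress.class: "alb"` annotation is commented out but the new `spec:` adds no `ingressClassName`, so unless the cluster has an IngressClass marked as default the controller will not reconcile this Ingress and no load balancer is created; the comment itself recommends the IngressClass resource, so the spec should reference it, `ingressClassName: <INGRESS_CLASS_NAME>` directly under `spec:`. The `#alb.ingress.kubernetes.io/ssl-policy:` line stays commented out while the listener now terminates TLS for everything via `ssl-redirect: '443'`, which leaves the ALB default policy and its TLS 1.0/1.1 ciphers in force; `alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06` pins a modern minimum. The trailing `# Important Note-1` comment about ordering `"/*"` rules is stale now that the only rule is `path: /` with `pathType: Prefix`, and the `unhealthy-threshold-count` and `external-dns` lines are removed and re-added with identical content, which reads as whitespace-only churn.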
@@ -109,6 +109,86 @@ aws iam put-role-policy --role-name EksCodeBuildKubectlRole --policy-name eks-de
 # Verify the same on Management Console
 ```
 
+### For Windows users who are using Powershell
+```t
+Here is a solutions to creating the Trust policy from AWS Tech Support
+
+I understand that you are following an instruction to create an IAM role for CodeBuild but the commands do not work for PowerShell.
+
+In PowerShell, the format is different from the scripts in Mac OS. Cmdlets are used in PowerShell. I have used Cmdlets in PowerShell to create a role and attach an inline policy. Please check the following for the details:
+
+1. Create IAM Role for CodeBuild to Interact with EKS
+
+First create a new file NewRoleTrustPolicy.json with the following contents:
+
+{
+
+"Version": "2012-10-17",
+
+"Statement": [
+
+{
+
+"Sid": "",
+
+"Effect": "Allow",
+
+"Principal": {
+
+"AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
+
+},
+
+"Action": "sts:AssumeRole"
+
+}
+
+]
+
+}
+
+Note: please replace your account ID in the above Principal parameter.
+
+
+New-IAMRole -AssumeRolePolicyDocument (Get-Content -raw NewRoleTrustPolicy.json) -RoleName EksCodeBuildKubectlRole
+
+After the above command, you can check if the IAM role EksCodeBuildKubectlRole is created in your AWS account. Please check the New-IAMRole Cmdlet reference in [1].
+
+
+2. Define Inline Policy with eks Describe permission in a file iam-eks-describe-policy
+
+First create a new file iam-eks-describe-policy.json with the following contents:
+
+{ "Version": "2012-10-17",
+
+"Statement":
+
+[ { "Effect": "Allow",
+
+"Action": "eks:Describe*",
+
+"Resource": "*" }
+
+]
+
+}
+
+Write-IAMRolePolicy -RoleName EksCodeBuildKubectlRole -PolicyName eks-describe -PolicyDocument (Get-Content -Raw iam-eks-describe-policy.json)
+
+
+After the above command, you can check if the IAM role EksCodeBuildKubectlRole has the inline policy eks-describe attached. Please check the Write-IAMRolePolicy Cmdlet reference in [2].
+I hope the above information can help you.
+
+References
+================
+[1]: New-IAMRole
+https://docs.aws.amazon.com/powershell/latest/reference/items/New-IAMRole.html
+[2]: Write-IAMRolePolicy
+https://docs.aws.amazon.com/powershell/latest/reference/items/Write-IAMRolePolicy.html
+
+
+```
+
 ## Step-07: Update EKS Cluster aws-auth ConfigMap with new role created in previous step
 - We are going to add the role to the `aws-auth ConfigMap` for the EKS cluster.
 - Once the `EKS aws-auth ConfigMap` includes this new role, kubectl in the CodeBuild stage of the pipeline will be able to interact with the EKS cluster via the IAM role.
@@ -132,6 +212,42 @@ kubectl patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-pat
 kubectl get configmap aws-auth -o yaml -n kube-system
 ```
 
+### This is for the changing the Configmap with Windows PowerShell
+```t
+This is for the changing the Configmap and PowerShell
+
+In PowerShell, the following steps can be used:
+
+1. kubectl edit -n kube-system configmap/aws-auth
+2. In step1, there will be a file opened for you to edit configmap/aws-auth.
+In the opened file, there is a mapRoles field such as:
+data:
+mapRoles: |
+- rolearn:
+username: system:node:{{EC2PrivateDNSName}}
+groups:
+- system:bootstrappers
+- system:nodes
+
+3. Add the EksCodeBuildKubectlRole information into the mapRoles field of the file such as:
+data:
+mapRoles: |
+- rolearn: arn:aws:iam::018185988195:role/EksCodeBuildKubectlRole
+username: build
+groups:
+- system:masters
+- rolearn:
+username: system:node:{{EC2PrivateDNSName}}
+groups:
+- system:bootstrappers
+- system:nodes
+
+Save the file.
+
+
+4. After the file is saved and closed, configmap/aws-auth has been edited. You can check configmap/aws-auth using the command "kubectl describe -n kube-system configmap/aws-auth".
+```
+
 ## Step-08: Review the buildspec.yml for CodeBuild & Environment Variables
 
 ### Code Build Introduction
@@ -362,4 +478,4 @@ kubectl delete -f kube-manifests/
 - https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
 - https://github.com/aws/aws-codebuild-docker-images/blob/master/al2/x86_64/standard/3.0/Dockerfile
 - **STS Assume Role:** https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html
-- https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html
\ No newline at end of file
+- https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html
diff --git a/presentation/AWS-Fargate-and-EKS-Masterclass-V8.pdf b/presentation/AWS-Fargate-and-EKS-Masterclass-V8.pdf
new file mode 100644
index 00000000..4f0721cf
Binary files /dev/null and b/presentation/AWS-Fargate-and-EKS-Masterclass-V8.pdf differ