Day 8 of 90 DevOps Project: Creating a Private Kubernetes Cluster on AWS EKS with Public Jump Server Access
#devops#kubernetes#aws#beginners
Hey Everyone, Welcome Back!
I'm excited to share my latest project, part of my 90-day DevOps journey. I know there's been a delay in delivering this article, and I want to be transparent about the reasons. AWS charges led me to close my previous account and open a new one after my free tier expired. Unfortunately, I couldn't afford the services at that time, which caused some setbacks.
Despite these challenges, I'm proud to present the eighth project in my series: creating a private Kubernetes cluster on AWS EKS with public jump server access and IAM role configuration. In this article, I'll walk you through the process, highlighting the obstacles I faced and the solutions I implemented. My goal is to help others avoid similar issues and provide a clear path to achieving this setup. Additionally, I've learned the importance of closely monitoring the free tier usage to avoid unexpected costs.
By the end of this guide, you'll be able to:
Set up a private EKS cluster on AWS
Configure a public jump server for secure access
Implement IAM roles for secure cluster management
Let's dive in!
Step 1: Create a VPC
1.1 Create a VPC
VPC (Virtual Private Cloud): Your isolated network within AWS.
Steps:
Open the VPC Dashboard.
Click on "Create VPC".
Choose "VPC with Public and Private Subnets".
Configure the CIDR block, subnets, and other settings as needed.
Click "Create VPC".
1.2 Create Subnets
Public Subnet: For the jump server.
Private Subnet: For the EKS cluster nodes.
Steps:
Go to Subnets in the VPC Dashboard.
Click "Create subnet".
Select your VPC and configure subnets for both public and private.
1.3 Configure Route Tables
Routing: Ensures proper traffic flow between subnets.
Steps:
Go to Route Tables.
Create a route table for public subnets and associate an internet gateway.
Create a route table for private subnets with appropriate routes.
Step 2: Create Security Groups
2.1 Create Security Groups for EKS Nodes
Security Groups: Act as virtual firewalls.
Steps:
Open the EC2 Dashboard.
Navigate to Security Groups.
Click "Create security group".
Define inbound rules for necessary ports (port 22 for SSH, Kubernetes API, etc.).
2.2 Create Security Group for Jump Server
Steps:
Follow the same steps as above to create a security group for the jump server.
Allow inbound SSH access from your IP address.
Step 3: Create an EKS Cluster
3.1 Create IAM Roles
IAM Roles: Grant permissions to EKS nodes.
Steps:
Open the IAM Dashboard.
Create a role with the AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, and AmazonEC2ContainerRegistryReadOnly policies.
3.2 Create the EKS Cluster
EKS Cluster: The core of your Kubernetes environment.
Important Note: When creating your EKS cluster, select Kubernetes version 1.25. This version's extended support ends in May 2025, ensuring you have ample time for updates and maintenance without immediate upgrade concerns.
Steps:
Open the EKS Dashboard.
Click "Create cluster".
Configure the cluster name, Kubernetes version (select 1.25), and VPC settings.
Create the cluster and node group using the IAM roles configured.
Step 4: Deploy the Jump Server
4.1 Launch an EC2 Instance
Jump Server: An EC2 instance in the public subnet.
Steps:
Go to the EC2 Dashboard.
Launch an instance and select a suitable Amazon Machine Image (AMI).
Choose an instance type and configure it to be in the public subnet.
Assign the security group created for the jump server.
Launch the instance.
4.2 Configure SSH Access
Steps:
Obtain the public DNS of the instance.
SSH into your jump server using the key pair created during instance launch.
Step 5: Configure Access to EKS Cluster
5.1 Install kubectl on the Jump Server
kubectl: The Kubernetes command-line tool.
Steps:
SSH into your jump server.
Follow the official documentation to install kubectl.
5.2 Configure kubectl for EKS
Steps:
Update your kubeconfig file to point to your EKS cluster:
aws eks --region <your-region> update-kubeconfig --name <your-cluster-name>
Test the configuration:
kubectl get svc
Step 6: Secure Access with IAM Roles
6.1 Create IAM Role for Jump Server
Steps:
Create a role with the necessary permissions to access EKS.
Attach the role to the EC2 instance (jump server).
6.2 Verify IAM Role Configuration
Steps:
SSH into the jump server.
Ensure the IAM role has the correct permissions by running a test command:
aws sts get-caller-identity
Conclusion
You now have a private Kubernetes cluster on AWS EKS that can only be accessed through a public jump server. This setup ensures a secure and controlled environment, leveraging IAM roles for authentication and authorization.
Resources
Feel free to reach out if you have any questions or need further assistance. Happy coding!