When we are creating SCs on the cloud and you run commands in this section such as "kubectl apply -f sc.yml" is that run inside an EC2 instance that has kubernetes tools installed? Or are you using the EKS service? – do you happen to have any suggested resources for getting started with EKS?
Cheers!
1 Answers
Hi Adam,
I don’t have resources for EKS, but I have some comments re StorageClasses on AWS.
Firstly, the sc.yml file is in the courses GH repo at https://github.com/ACloudGuru-Resources/Kubernetes_Deep_Dive_NP/blob/master/lesson-storage/sc.yml << I’m pretty sure you already know that.
Second, you’re using kubectl to POST the YAML to the Kubernetes API server. This passes the configuration to the relevant components wthin the control plane to implement the configuration. The control plane runs a set of cloud-related controllers managed by the cloud-controller-manager which has the smarts to talk to native services in the underlying cloud platform. If you’re provisioning from AWS using something like the provisioner: kubernetes.io/aws-ebs provisioner, Kubernetes will talk to AWS and dynamically provision the EBS volume for you.
HTH
Hi Nigel, Does this means that K8s doesn’t need any sort of IAM Roles or Access Keys or Secret Access Keys to communicate with AWS API’s for provisioning EBS Volumes?
Hi Manish, I know you directed this at Nigel but… the link between EKS and IAM is very loose. In order to create an EKS cluster the user of course needs the proper permissions in IAM. That user automatically becomes the admin of the cluster when it is created. For additional users things get woolly. EKS runs under an assumed role with specific permissions. Any admin of the cluster can provision storage under that role. Adding extra admins is where it gets weird. There is a cm called aws-auth that you add the additional users via their ARN. Once that is applied and a user connects via the CLI with the appropriate keys AWS validates the user but no permissions flow down to K8S from IAM. The IAM user can be RO and in the cluster the same user can be a cluster-admin. That’s all defined as in K8S RBAC. All IAM does, essentially, is confirm that the user keys are legit; nothing else. So users other than the original cluster creator need to be granted RBAC permissions to create storageclass objects, then the provisioning on AWS is handled via the API under the assumed role.
I am running Kubernetes on Google cloud. How is it possible to provision aws-ebs here?. I ran kubectl apply -f .sc.yml and it created 2 storage classes . storageclass.storage.k8s.io/fast created storageclass.storage.k8s.io/slow created
I am wondering shouldn’t this work only if it was on AWS?
Hi Shellygangadharan. You cannot provision AWS resources to a K8s cluster on another cloud.
aws-ebsvolumes can only be provisioned to clusters on AWS.