AWS CodePipeline and deploying to EKS
Problem description
I am working on an AWS CodePipeline for building and deploying containers to an EKS cluster.
It seems like AWS CodePipeline does not support a deployment action to EKS, "only ECS". I tried exploring other options like using a Lambda function, and I found the below example for running kubectl commands in Lambda:
https://github.com/tmuskal/lambda-kubectl
Nonetheless, EKS uses aws-iam-authenticator in order to generate tokens for kubeconfig. Not sure how that would fit in the Lambda context though.
Any advice on the topic would be highly appreciated.
Recommended answer
AWS doesn't support a deployment action for EKS. However, it can be achieved by using CodePipeline and CodeBuild to make it a continuous build and deployment for the EKS cluster. You need to set up some IAM roles and permissions to allow CodeBuild to run kubectl and deploy on the EKS cluster.
- You need to create a role, let's say kubernetes_deployment, which has the permission to allow EKS to manage clusters on your behalf.
- Permissions attached to the kubernetes_deployment role:
  AmazonEKSClusterPolicy
  AmazonEKSServicePolicy
  Inline policy as below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "*"
    }
  ]
}

Create a CodeBuild in your AWS account. Refer to this for the buildspec
- Make sure the service role used in CodeBuild has sts:assume permission for the kubernetes_deployment role, which has access to manage the EKS cluster:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<accountno>:role/kubernetes_deployment"
    }
  ]
}

Update the trust relationship for the kubernetes_deployment role to allow it to be used by the CodeBuild service role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account>:role/service-role/codebuild-service-role",
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Make the kubernetes_deployment role authorized in the EKS cluster:

- rolearn: arn:aws:iam::<account>:role/kubernetes_deployment
  username: kubernetes_deployment
  groups:
    - system:masters
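
Added example, not part of the original answer: a Python check that the three documents above line up (the CodeBuild role may assume kubernetes_deployment, the role's trust policy names the CodeBuild role, and the role is mapped in the cluster's role mapping), and that reports the system:masters mapping. The account id 111122223333, the function names and the exact-ARN matching (no wildcard handling) are assumptions of this example.

```python
ACCOUNT = "111122223333"  # constructed account id
DEPLOY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/kubernetes_deployment"
BUILD_ROLE = f"arn:aws:iam::{ACCOUNT}:role/service-role/codebuild-service-role"

# Constructed copies of the three documents from the answer.
BUILD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": DEPLOY_ROLE}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": BUILD_ROLE, "Service": "eks.amazonaws.com"}}]}
MAP_ROLES = [{"rolearn": DEPLOY_ROLE, "username": "kubernetes_deployment",
              "groups": ["system:masters"]}]

def as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    """Yield the Allow statements that grant sts:AssumeRole."""
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(st.get("Action", [])):
            yield st

def check_chain(build_policy, trust_policy, map_roles, deploy_role, build_role):
    """Return findings for the CodeBuild -> role -> cluster chain (exact ARN match only)."""
    findings = []
    if not any(deploy_role in as_list(st.get("Resource", []))
               for st in allow_statements(build_policy)):
        findings.append("build role is not allowed to assume the deployment role")
    trusted = []
    for st in allow_statements(trust_policy):
        principal = st.get("Principal", {})
        if isinstance(principal, dict):  # a bare "*" principal is not a dict
            trusted += as_list(principal.get("AWS", []))
    if build_role not in trusted:
        findings.append("deployment role does not trust the build role")
    entry = next((m for m in map_roles if m.get("rolearn") == deploy_role), None)
    if entry is None:
        findings.append("deployment role is not mapped in aws-auth")
    elif "system:masters" in entry.get("groups", []):
        # system:masters is bound to cluster-admin by default
        findings.append("deployment role is mapped to system:masters")
    return findings

if __name__ == "__main__":
    for finding in check_chain(BUILD_POLICY, TRUST_POLICY, MAP_ROLES, DEPLOY_ROLE, BUILD_ROLE):
        print("finding:", finding)
```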