AWS CodePipeline and deploying to EKS


Question

I am working on an AWS CodePipeline for building and deploying containers to an EKS cluster.

It seems like AWS CodePipeline does not support a deployment action to EKS, "only ECS". I tried exploring other options like using a Lambda function, and I found the example below for running kubectl commands in Lambda:

https://github.com/tmuskal/lambda-kubectl

Nonetheless, EKS uses aws-iam-authenticator in order to generate tokens for kubeconfig. Not sure how that would fit in the lambda context though.

Any advice on topic would be highly appreciated.

Recommended answer

AWS doesn't support a deployment action for EKS. However, continuous build and deployment for an EKS cluster can be achieved by using CodePipeline and CodeBuild. You need to set up some IAM roles and permissions to allow CodeBuild to run kubectl and deploy on the EKS cluster.

  1. You need to create a role, let's say kubernetes_deployment, which has the permission to allow EKS to manage clusters on your behalf.

  • Permission attached to the kubernetes_deployment role

AmazonEKSClusterPolicy

AmazonEKSServicePolicy

Inline policy as below

{
  "Version": "2012-10-17",
  "Statement": [
   {
     "Sid": "VisualEditor0",
     "Effect": "Allow",
     "Action": "eks:DescribeCluster",
     "Resource": "*"
   }
 ]
}

Create a CodeBuild project in your AWS account. Refer to this for the buildspec

  • Make sure the service role used in CodeBuild has sts:assume permission for the kubernetes_deployment role, which has access to manage the EKS cluster

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<accountno>:role/kubernetes_deployment"
    }
  ]
}

Update the trust relationship for the kubernetes_deployment role to allow it to be used by the CodeBuild service role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account>:role/service-role/codebuild-service-role",
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  • Make the kubernetes_deployment role authorized in the EKS cluster

    - rolearn: arn:aws:iam::<account>:role/kubernetes_deployment
      username: kubernetes_deployment
      groups:
       - system:masters
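
The build-phase steps that the answer's roles and policies imply, as an added example that is not part of the original answer: the CodeBuild service role assumes kubernetes_deployment first, and only then is the kubeconfig generated, because eks:DescribeCluster is granted to that role. `CLUSTER_NAME`, `MANIFEST_DIR` and the `deploy` subcommand are assumptions made for the example.

```shell
#!/bin/sh
# Added example: deploy step for a CodeBuild build phase (not from the original answer).
# CLUSTER_NAME and MANIFEST_DIR are hypothetical variables set on the CodeBuild project.
set -eu

ROLE_NAME="kubernetes_deployment"   # role name used in the answer

# Build the role ARN; refuse anything that is not a 12-digit account id.
role_arn() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ] || return 1
  printf 'arn:aws:iam::%s:role/%s\n' "$1" "$ROLE_NAME"
}

# Export the three whitespace-separated fields returned by assume-role.
export_creds() {
  set -f; set -- $1; set +f          # split on whitespace, no globbing
  [ "$#" -eq 3 ] || { echo "expected 3 credential fields, got $#" >&2; return 1; }
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

deploy() {
  account_id=$(aws sts get-caller-identity --query Account --output text)
  arn=$(role_arn "$account_id")

  # 1. CodeBuild service role -> kubernetes_deployment (needs sts:AssumeRole
  #    on the service role and the trust relationship on the target role).
  creds=$(aws sts assume-role \
    --role-arn "$arn" \
    --role-session-name "codebuild-${CODEBUILD_BUILD_NUMBER:-manual}" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  export_creds "$creds"

  # 2. Runs as kubernetes_deployment, the role holding eks:DescribeCluster.
  aws eks update-kubeconfig --name "$CLUSTER_NAME" --region "$AWS_DEFAULT_REGION"

  # 3. kubectl gets its token through the kubeconfig exec entry; the cluster
  #    maps the role through the aws-auth entry shown in the answer.
  kubectl apply -f "$MANIFEST_DIR"
}

# Only deploy when asked to: sh deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

The aws-auth entry in the answer places the role in `system:masters`, which is full cluster-admin. The same script works when the role is instead mapped to a group bound to a namespaced Role that covers only the resources the pipeline applies.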
    
