sent2020 for AWS Community Builders

Crossplane on Amazon EKS with IRSA

In this post we set up Crossplane on an Amazon EKS cluster with IAM Roles for Service Accounts (IRSA) and use it to provision AWS services.

IRSA lets the Crossplane AWS provider pod assume an IAM role through the cluster's OIDC provider, so no long-lived access keys have to be stored in the cluster as a Secret.

## Amazon EKS

Amazon EKS is a managed Kubernetes service for running Kubernetes in the AWS cloud.

## Crossplane

Crossplane is a framework for building cloud native control planes without needing to write code.

https://github.com/crossplane/crossplane

## Launch EKS Cluster with IRSA for Crossplane
Use eksctl to launch the EKS cluster with the configuration below. The YAML uses an existing VPC; substitute your private subnet IDs before creating the cluster. `withOIDC: true` creates an IAM OIDC identity provider for the cluster, and the `serviceAccounts` entry creates an IAM role whose trust policy only allows the `provider-aws-f78664a342f1` service account in `crossplane-system` to assume it. That name must match the service account Crossplane creates for the provider revision (shown by `kubectl get providerrevisions`), because the trust policy is bound to the exact namespace and name. `publicAccess: true` exposes the API server endpoint to the internet, which is acceptable for a demo; for anything else restrict it with `publicAccessCIDRs` or enable `privateAccess`.

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: crossplane-demo
  region: us-east-1
  version: '1.21'
vpc:
  subnets:
    private:
      us-east-1a: { id: subnet-1234 }
      us-east-1b: { id: subnet-1234 }
  clusterEndpoints:
    publicAccess: true
iam:
  withOIDC: true
  serviceAccounts:
  - metadata:
      name: provider-aws-f78664a342f1
      namespace: crossplane-system
    attachPolicyARNs:
    - "arn:aws:iam::aws:policy/AdministratorAccess"
managedNodeGroups:
  - name: crossplane-nodegroup
    labels: { role: workers }
    instanceType: t3a.medium
    desiredCapacity: 1
    volumeSize: 30
    privateNetworking: true
```

Save the above contents as cluster.yaml and use the command below to create the cluster:

```bash
eksctl create cluster -f cluster.yaml
```

## Install Crossplane

Install Crossplane from the Helm chart with the commands below:

```bash
kubectl create namespace crossplane-system
helm repo add crossplane-stable https://charts.crossplane.io/stable
helm repo update
helm install crossplane --namespace crossplane-system crossplane-stable/crossplane
```

## Install the Crossplane AWS provider

The provider package contains the CRDs and controllers that manage AWS services. Apply the YAML below to install it. Replace `<AWS_PROVIDER_ARN>` with the ARN of the IAM role eksctl created for the service account (`eksctl get iamserviceaccount --cluster crossplane-demo` lists it). The annotation on the ControllerConfig is propagated to the provider's service account and pod, which is what makes the EKS pod identity webhook mount the projected web identity token and set `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE`; `fsGroup: 2000` makes the mounted token file readable by the provider's non-root process.

```yaml
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: aws-config
  annotations:
    eks.amazonaws.com/role-arn: <AWS_PROVIDER_ARN>
spec:
  podSecurityContext:
    fsGroup: 2000
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws
spec:
  package: crossplane/provider-aws:v0.24.1
  controllerConfigRef:
    name: aws-config
```

Apply the ProviderConfig below so that Crossplane uses the IRSA role when creating AWS resources. `source: InjectedIdentity` tells the provider to use the credentials injected into its own pod (here the IRSA web identity token) instead of reading access keys from a Secret.

```yaml
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: aws-provider
spec:
  credentials:
    source: InjectedIdentity
```

## Create an S3 bucket using Crossplane

Apply the YAML below to test the Crossplane setup with IRSA. Once it is applied, an S3 bucket named s3-demo is created. S3 bucket names are global, so change it to a name that is not already taken. Watch `kubectl get bucket s3-demo` until the READY and SYNCED columns are True; if the provider cannot assume the role, the bucket stays unsynced and the reason is shown in `kubectl describe bucket s3-demo`. `deletionPolicy: Delete` means deleting the Kubernetes object also deletes the bucket in AWS.

```yaml
apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: s3-demo
spec:
  deletionPolicy: Delete
  forProvider:
    acl: private
    locationConstraint: us-east-1
    serverSideEncryptionConfiguration:
      rules:
        - applyServerSideEncryptionByDefault:
            sseAlgorithm: AES256
    versioningConfiguration:
      status: Enabled
  providerConfigRef:
    name: aws-provider
```

## Notes

The cluster configuration attaches the AdministratorAccess policy to the provider's service account. That means anyone who can create Crossplane managed resources in the cluster, or read the provider pod's token, effectively holds administrator rights in the AWS account. Restrict the role's policy to the services Crossplane actually manages, such as S3 or SQS, and where possible to the specific resources it should manage.
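The following is an added example and not code from the post, Crossplane or eksctl. It shows what `withOIDC: true` plus the `serviceAccounts` entry in cluster.yaml produce on the IAM side (the trust policy that pins the role to one Kubernetes service account) and a scoped permission policy that could replace AdministratorAccess for the bucket created above. The OIDC issuer URL, account ID and bucket names are constructed sample values, and the S3 action list is an assumption to be confirmed against CloudTrail for the provider version in use.

```python
"""Added example (not code from the post, Crossplane, or eksctl).

Builds the two IAM documents behind cluster.yaml: the IRSA trust policy that
binds the role to one service account, and a scoped permission policy to use
instead of AdministratorAccess. All identifiers below are constructed samples.
"""
import json
from fnmatch import fnmatchcase

# Constructed sample values; a real issuer URL comes from
# `aws eks describe-cluster --name <name> --query cluster.identity.oidc.issuer`.
OIDC_ISSUER_URL = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT_ID = "123456789012"
NAMESPACE = "crossplane-system"
SA_NAME = "provider-aws-f78664a342f1"

# Content of the AWS managed AdministratorAccess policy the cluster config attaches.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _issuer(oidc_issuer_url: str) -> str:
    """IAM condition keys use the issuer host and path without the scheme."""
    return oidc_issuer_url.split("://", 1)[-1]


def irsa_trust_policy(oidc_issuer_url: str, account_id: str, namespace: str, sa_name: str) -> dict:
    """Trust policy letting exactly one Kubernetes service account assume the role.

    STS accepts the projected token only if its `sub` claim equals
    system:serviceaccount:<namespace>:<name> and its `aud` is sts.amazonaws.com.
    """
    issuer = _issuer(oidc_issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": "sts.amazonaws.com",
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            }},
        }],
    }


def trust_policy_allows(trust_policy: dict, oidc_issuer_url: str, namespace: str, sa_name: str) -> bool:
    """Mimic the subject check STS performs: a pod whose service account name
    differs from the one in the condition (e.g. a new provider revision hash)
    is refused, which is the usual reason an IRSA setup stops working."""
    issuer = _issuer(oidc_issuer_url)
    sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for stmt in trust_policy["Statement"]:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if (stmt["Effect"] == "Allow"
                and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
                and cond.get(f"{issuer}:aud") == "sts.amazonaws.com"
                and cond.get(f"{issuer}:sub") == sub):
            return True
    return False


def s3_bucket_policy(bucket_names: list) -> dict:
    """Permission policy scoped to managing only the named buckets.

    The action list is an assumption covering the fields in the Bucket manifest
    (ACL, versioning, default encryption); confirm it against CloudTrail.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ManageNamedBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket", "s3:DeleteBucket", "s3:ListBucket",
                "s3:GetBucket*", "s3:PutBucket*",
                "s3:GetEncryptionConfiguration", "s3:PutEncryptionConfiguration",
            ],
            "Resource": [f"arn:aws:s3:::{name}" for name in bucket_names],
        }],
    }


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Allow-only evaluator with IAM-style '*' wildcards, enough to compare the
    scoped policy with AdministratorAccess. Real IAM also applies explicit Deny,
    conditions, SCPs and resource policies; this is not an authorizer."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if any(fnmatchcase(action.lower(), a.lower()) for a in actions) and any(
                fnmatchcase(resource, r) for r in resources):
            return True
    return False


if __name__ == "__main__":
    trust = irsa_trust_policy(OIDC_ISSUER_URL, ACCOUNT_ID, NAMESPACE, SA_NAME)
    print(json.dumps(trust, indent=2))
    print(json.dumps(s3_bucket_policy(["s3-demo"]), indent=2))
    # A provider revision with a different hash gets a different SA name and is refused.
    print(trust_policy_allows(trust, OIDC_ISSUER_URL, NAMESPACE, "provider-aws-0123456789ab"))
```

Running the script prints both documents; the trust policy is what to compare against `aws iam get-role` output when the provider pod logs an AssumeRoleWithWebIdentity error, and the scoped policy can be attached in place of AdministratorAccess through `attachPolicy` in cluster.yaml or on the role directly.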
