cdk-eks-blueprints

How to set mastersRole in EKS cluster

Open laptua opened this issue 3 years ago • 4 comments

Describe the bug

I tried to create an EKS cluster using the blueprint but found no way to set mastersRole for EKS.

export default class EKSCluster  extends Stack{
    constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props)
        const accountID = '9302';
        const region = 'ap-southeast-2';
        const stackID = `${id}-ekscluster`;
        const clusterProvider = new blueprints.GenericClusterProvider({
            privateCluster: true,
            version: KubernetesVersion.V1_21,
            mastersRole: Role.fromRoleArn(this, 'imported-role', `arn:aws:iam::${Stack.of(this).account}:role/Existing-Role-Name`, {mutable: false}),
            managedNodeGroups: [
                {
                    id: "mng-ondemand",
                    amiType: NodegroupAmiType.AL2_X86_64,
                    instanceTypes: [new InstanceType('m5.2xlarge')],
                    nodeGroupSubnets: {
                        subnetGroupName: 'application',
                    }
                },
                {
                    id: "mng2-spot",
                    instanceTypes: [InstanceType.of(InstanceClass.BURSTABLE3, InstanceSize.MEDIUM)],
                    nodeGroupCapacityType: CapacityType.SPOT,
                    nodeGroupSubnets: {
                        subnetGroupName: 'application',
                    }
                }
            ],
            vpcSubnets: [
                {
                    subnetGroupName: 'application',
                },
            ]
        })

        blueprints.EksBlueprint.builder()
            .account(accountID)
            .region(region)
            .clusterProvider(clusterProvider)
            .resourceProvider(GlobalResources.Vpc, new VpcProvider('vpc-0d7c8'))
            .build(scope, stackID)

    }
}

result:

❯ cdk synth  EKSTest/EKSTest-ekscluster
{ account: '9302, region: 'ap-southeast-2' }
looking up non-default vpc-0d7c8VPC
EKSTest2/ImmutableRoleimported-role should be defined in the scope of the EKSTest2-ekscluster stack to prevent circular dependencies

Any idea how to set mastersRole?

Expected Behavior

Able to set mastersRole as per doc https://catalog.us-east-1.prod.workshops.aws/workshops/c15012ac-d05d-46b1-8a4a-205e7c9d93c9/en-US/40-deploy-clusters/200-cluster/210-cluster

masterRole: IAM Principal which would join systems:masters, the Kubernetes RBAC group having full control over the cluster. We set this value to include clusterAdmin to the RBAC group.

Current Behavior

EKSTest2/ImmutableRoleimported-role should be defined in the scope of the EKSTest2-ekscluster stack to prevent circular dependencies

Reproduction Steps

run code above

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.25.0 (build ae1cb4b)

EKS Blueprints Version

1.0.4

Node.js Version

v14.19.3

Environment details (OS name and version, etc.)

running in macbook

Other information

s

laptua avatar Jul 12 '22 01:07 laptua

We will provide an option to pass the role in a more intuitive way. You should not extend a stack and use a blueprint within that stack. The Blueprints framework creates its own stack. At present you can accomplish it by creating a subclass of the GenericClusterProvider, overriding the internalCreateCluster method, and setting the master role as follows:

    protected internalCreateCluster(scope: Construct, id: string, clusterOptions: any): eks.Cluster {
        clusterOptions['mastersRole'] = Role.fromRoleArn(scope, "", "");
        return new eks.Cluster(scope, id, clusterOptions);
    }

shapirov103 avatar Jul 13 '22 05:07 shapirov103

Hello @shapirov103, any updates on this more intuitive way to set mastersRole?

bnaydenov avatar Oct 20 '22 21:10 bnaydenov

Hello @bnaydenov, it is in progress now. I will include it in either the next maintenance release or the next minor, which should be within 2 weeks.

shapirov103 avatar Oct 24 '22 13:10 shapirov103

@shapirov103 thanks for the info.

Meanwhile, I think for the rest of us with this problem, the following example (based on your suggestion above) can be used as a temporary solution until your proposed change is ready.

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as blueprints from '@aws-quickstart/eks-blueprints';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as eks  from 'aws-cdk-lib/aws-eks';

class MyCustomClusterProvider extends blueprints.GenericClusterProvider { 
    
    protected internalCreateCluster(scope: Construct, id: string, clusterOptions: any): eks.Cluster {
        
        clusterOptions['mastersRole'] = iam.Role.fromRoleArn(scope,
            'my-role-stack',
            `arn:aws:iam::123456789012:role/my-role-name`,
            {mutable: false},
        );
        return new eks.Cluster(scope, id, clusterOptions);
    } 
}

export class MyCustomBlueprint extends Construct {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id);

    const account = props?.env?.account!;
    const region = props?.env?.region!;
    
    const clusterProvider = new MyCustomClusterProvider({
      version: eks.KubernetesVersion.V1_21,   
    });

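    const blueprint = blueprints.EksBlueprint.builder()
      .clusterProvider(clusterProvider)
      .account(account)
      .region(region)
      .addOns()   // pass your add-ons here
      .teams()    // pass your teams here
      // .resourceProvider(name, provider) goes here if you need one; it cannot be called without arguments
      .build(scope, id+'-eks');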
  }
}

ping @laptua

bnaydenov avatar Oct 25 '22 19:10 bnaydenov
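
The workaround above hardcodes the ARN of the role that ends up with full control over the cluster, so that string is worth checking before it is imported. The following is an added example, not code from this thread or from the EKS Blueprints project; the function names, the allowlist and the sample ARNs are assumptions.

```typescript
// Added example, not from the thread: checks to run on the ARN before a
// provider subclass passes it to Role.fromRoleArn() as mastersRole.
// Function names, the allowlist and all sample ARNs are constructed.

interface RoleArn { partition: string; account: string; path: string; name: string }

// arn:<partition>:iam::<12-digit account>:role/[<path>/]<name>
const ROLE_ARN_RE =
  /^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role\/((?:[\x21-\x7e]+\/)*)([\w+=,.@-]{1,64})$/;

function parseRoleArn(arn: string): RoleArn | null {
  const m = ROLE_ARN_RE.exec(arn);
  if (m === null) return null;
  const [, partition = "", account = "", path = "", name = ""] = m;
  return { partition, account, path: "/" + path, name };
}

// Returns the reasons the ARN must not be mapped to cluster admin;
// an empty array means every check passed.
function checkMastersRoleArn(
  arn: string,
  expectedAccount: string,
  allowedRoleNames: readonly string[],
): string[] {
  const parsed = parseRoleArn(arn);
  if (parsed === null) {
    // Covers users, STS assumed-role ARNs, wildcards and unresolved
    // CDK tokens such as "${Token[AWS.AccountId.4]}".
    return ["not a concrete IAM role ARN"];
  }
  const problems: string[] = [];
  if (parsed.account !== expectedAccount) {
    problems.push(`role is in account ${parsed.account}, expected ${expectedAccount}`);
  }
  if (!allowedRoleNames.includes(parsed.name)) {
    problems.push(`role name ${parsed.name} is not on the admin allowlist`);
  }
  return problems;
}

// Fail synthesis instead of deploying a cluster with an unexpected admin.
function assertMastersRoleArn(arn: string, account: string, allowed: readonly string[]): string {
  const problems = checkMastersRoleArn(arn, account, allowed);
  if (problems.length > 0) throw new Error(`mastersRole rejected: ${problems.join("; ")}`);
  return arn;
}
```

Call `assertMastersRoleArn` on the ARN string inside `internalCreateCluster`, before it is handed to `Role.fromRoleArn`. In an environment-agnostic stack the account is an unresolved token, so the check fails until the account is set explicitly.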

Hey,

Do you have any new information? I see that this is implemented for nodeRole but not for mastersRole. The workaround is good so far!

derbauer97 avatar Jan 31 '23 12:01 derbauer97

Will update this issue shortly with an approach. Working on it.

shapirov103 avatar Feb 03 '23 18:02 shapirov103

Issue is fixed with PR. Closing this ticket.

elamaran11 avatar Oct 12 '23 12:10 elamaran11