Configure kubectl for Amazon EKS

To use the stock kubectl client for EKS you need to:

  • install the AWS IAM Authenticator for Kubernetes

https://docs.aws.amazon.com/eks/latest/userguide/configure-kubectl.html

  • modify your kubectl configuration file to use it for authentication

 

Other things that may be useful are:

  • helm – if you’re using Helm charts to manage your cluster in EKS
  • kubectl and awscli – goes without saying

E.g. check your aws cli version with:

aws --version and upgrade with `pip install awscli –upgrade –user`

  • assume-role – if you’re using IAM roles

https://github.com/remind101/assume-role

  • nice to have is fzf: https://github.com/junegunn/fzf#installation

 

To update your kubeconfig use:

aws eks update-kubeconfig --name CLUSTER_NAME-eks --region REGION

You’ll need an up-to-date version of the awscli. E.g. 1.15.53 won’t cut it.

aws --version
aws-cli/1.15.53 Python/2.7.10 Darwin/17.7.0 botocore/1.10.52
aws eks update-kubeconfig --name <cluster-name> --region us-east-1
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:

 

To assume role use:

eval $(assume-role <role-name>)

Issues:

If you get:

error: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors

it would be because you don’t have a profile in your ~/.aws/config

Your profile in ~/.aws/config should look like:

[profile iam-manager]
region=us-east-1
output=json

# IAM roles
[profile role-name]
region = us-east-1
role_arn = arn:aws:iam::<account number with role you want to assume>:role/NameOfAssumeRole
source_profile = iam-manager

 

You should be able to run:

assume-role <role-name>

and see the assume role output.

 

 

 

Testing:

To test you can access your EKS cluster, use:

kubectl get all -n kube-system

Or for none-system:

kubectl get all

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *