Removed kube2iam and added support for IRSA #4
Removed kube2iam and all references
Added IRSA support to cloudwatch agent, fluentd, and external-dns
Updated some external-dns settings
Upgraded to the most recent EKS module
Upgraded to the newest EKS version and AMI
Renamed and standardized some role names
Still want to fill in the readme a bit more and remove the CNI role from the workers, and instead add IRSA support to the
| security_context { | ||
| fs_group = 65534 |
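Review bot: fs_group = 65534 only gives the projected token volume a group the process belongs to; it does not change which user the process runs as, so an image whose default user is root still reads the token as root and the setting buys nothing. If the intent is a non-root reader, add run_as_user = 65534 and run_as_non_root = true next to fs_group in this security_context block, and put a one-line comment beside it saying why 65534 was chosen, since right now that reasoning exists only in this review thread.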
Required for applications inside the container to be able to access the token file that gets mounted
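The IRSA wiring the comment above refers to, written out end to end as an added example (this is not code from the PR or the repository). It assumes the EKS module exposes the cluster's OIDC provider ARN and issuer URL as module.eks.oidc_provider_arn and module.eks.cluster_oidc_issuer_url (output names assumed; they vary by module version), and uses external-dns in kube-system as the workload. The image tag is also assumed.

```hcl
# Added example, not code from this PR. Assumes module.eks.oidc_provider_arn and
# module.eks.cluster_oidc_issuer_url exist (names assumed; check the EKS module).

locals {
  # "https://oidc.eks.<region>.amazonaws.com/id/XYZ" -> "oidc.eks.<region>.amazonaws.com/id/XYZ"
  oidc_issuer  = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
  sa_namespace = "kube-system"
  sa_name      = "external-dns"
}

# Trust policy: only tokens issued by this cluster's OIDC provider for exactly
# this service account may assume the role. Without the "sub" condition any
# pod in the cluster could call AssumeRoleWithWebIdentity against it.
data "aws_iam_policy_document" "external_dns_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.eks.oidc_provider_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:${local.sa_namespace}:${local.sa_name}"]
    }
  }
}

resource "aws_iam_role" "external_dns" {
  name               = "eks-irsa-external-dns"
  assume_role_policy = data.aws_iam_policy_document.external_dns_trust.json
}

# The annotation is what the EKS pod identity webhook keys on: pods using this
# service account get AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE and the
# projected token volume injected at admission time.
resource "kubernetes_service_account" "external_dns" {
  metadata {
    name      = local.sa_name
    namespace = local.sa_namespace
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.external_dns.arn
    }
  }
}

resource "kubernetes_deployment" "external_dns" {
  metadata {
    name      = local.sa_name
    namespace = local.sa_namespace
  }

  spec {
    selector {
      match_labels = { app = local.sa_name }
    }

    template {
      metadata {
        labels = { app = local.sa_name }
      }

      spec {
        service_account_name = kubernetes_service_account.external_dns.metadata[0].name

        # fs_group makes the injected token file readable by the process's
        # group; run_as_user / run_as_non_root make sure the reader really is
        # non-root instead of relying on the image's default user.
        security_context {
          fs_group        = 65534
          run_as_user     = 65534
          run_as_non_root = true
        }

        container {
          name  = local.sa_name
          image = "registry.k8s.io/external-dns/external-dns:v0.13.5" # tag assumed
          args  = ["--provider=aws", "--source=service", "--source=ingress"]
        }
      }
    }
  }
}
```

The Route53 permissions policy that external-dns actually needs is attached to aws_iam_role.external_dns separately and is left out here; the point of the block is the trust relationship, which is what scopes the role to one service account, and the pod-side security_context that lets a non-root process read the token.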
| eks_worker_asg_min_size = 2 | ||
| eks_worker_asg_max_size = 6 | ||
| eks_cluster_version = "1.15" | ||
| eks_worker_instance_type = "t3.medium" |
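Review bot: the reason t3.medium was chosen (network interface / IP count per node) lives only in this review comment; put it in a `#` comment next to eks_worker_instance_type so the next person does not "optimize" it back down. Also eks_cluster_version = "1.15" and the worker AMI are set as two unrelated literals, so bumping one without the other is easy to do by accident; deriving the AMI from the version string would remove that failure mode.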
t2.small doesn't have enough network interfaces to be very useful even on staging.
| # https://us-east-1.console.aws.amazon.com/systems-manager/parameters/%252Faws%252Fservice%252Feks%252Foptimized-ami%252F1.14%252Famazon-linux-2%252Frecommended%252Fimage_id/description?region=us-east-1 | ||
| eks_worker_ami = "ami-07be7092831897fd6" | ||
| # https://us-east-1.console.aws.amazon.com/systems-manager/parameters/%252Faws%252Fservice%252Feks%252Foptimized-ami%252F1.15%252Famazon-linux-2%252Frecommended%252Fimage_id/description?region=us-east-1 | ||
| eks_worker_ami = "ami-0e710550577202c55" |
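Review bot: eks_worker_ami is set twice in this region of the diff, once under the 1.14 link (ami-07be7092831897fd6) and once under the 1.15 link (ami-0e710550577202c55); only the 1.15 pair should remain and the stale 1.14 comment URL should go with it. The value that stays is still a us-east-1 ID hard-coded behind a us-east-1 console URL, so the file silently breaks in any other region; reading the SSM parameter the comment already links to through a data "aws_ssm_parameter" block would make the AMI follow the provider region and the cluster version.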
At one point the code was actually populating the correct AMI here based on the region you chose, but it looks like that was removed. This will be a manual change people will have to make depending on the region they choose which is not great.
I noticed that. I've more or less started a whole new implementation on the template parser / writer to be way less fancy and a lot more predictable. Might make sense for us to flag these with comments in-line so we can fix it up as we go. This repository is the bulk of the value.
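One way to get the per-region AMI lookup back without the template parser, as an added example that is not code from this PR or repository: read the same public SSM parameter the comment URL points at. The variable name and the output are assumed for illustration.

```hcl
# Added example, not code from this PR: resolve the EKS-optimized AMI from the
# public SSM parameter so it tracks the provider's region and the cluster
# version instead of a hand-pasted us-east-1 ID.

variable "eks_cluster_version" {
  default = "1.15" # assumed; mirror whatever the module input is called
}

# The parameter path is identical in every region; only the value differs,
# and the lookup runs against the provider's configured region.
data "aws_ssm_parameter" "eks_worker_ami" {
  name = "/aws/service/eks/optimized-ami/${var.eks_cluster_version}/amazon-linux-2/recommended/image_id"
}

locals {
  eks_worker_ami = data.aws_ssm_parameter.eks_worker_ami.value
}

# Surface it so the module's worker group can consume it; how the EKS module
# takes an AMI ID (attribute name) depends on the module version in use.
output "eks_worker_ami" {
  value = local.eks_worker_ami
}
```

One trade-off to be aware of: the "recommended" parameter moves every time AWS publishes a new AMI, so a routine plan can propose replacing worker nodes. That is the price of never pasting a stale ID; teams that want a pinned build can read the parameter once and record the ID in a variable with the date it was taken.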
| private_subnets = ["10.10.32.0/19", "10.10.64.0/19", "10.10.96.0/19"] | ||
| public_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"] | ||
| database_subnets = ["10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24"] | ||
| azs = ["${var.region}a", "${var.region}b"] # Most regions have 3+ azs |
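Review bot: each subnet list still carries three CIDRs while azs now has only two entries, so the subnet count and the AZ count no longer line up; trim every list to two CIDRs (or keep a third AZ) so that the third subnet of each type is not placed in a zone one of its siblings already occupies, and rewrite the `# Most regions have 3+ azs` comment, which now argues for the value that was just removed.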
Reduced to 2 AZs. The extra one is just extra cost without much benefit for smaller companies.
| # TODO, determine if this should be true/false | ||
| manage_aws_auth = true | ||
| # Unfortunately fluentd doesn't yet support oidc auth so we need to grant it to the worker nodes | ||
| workers_additional_policies = ["arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"] |
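Review bot: attaching CloudWatchAgentServerPolicy through workers_additional_policies puts it on the node instance role, where every pod on the node can use it via instance metadata, not just fluentd; that is the same blanket node-role grant this PR otherwise retires by removing kube2iam. Say so in the comment on the line above and leave a tracked TODO to move it to an IRSA role once the fluentd plugin supports web identity. The `# TODO, determine if this should be true/false` over manage_aws_auth should also be resolved, or at least state what breaks either way, before this merges.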
This was a bit of a pain. Hopefully the fluentd cloudwatch plugin is updated soon to support it.
Co-Authored-By: David Cheung <[email protected]>
Removed kube2iam and added support for IRSA
Removed kube2iam and all references
Added IRSA support to cloudwatch agent, fluentd, and external-dns
Updated some external-dns settings
Upgraded to the most recent EKS module
Upgraded to the newest EKS version and AMI
Renamed and standardized some role names