AWS Usage - hqzhang/cloudtestbed GitHub Wiki
How to set up AWS and Kubernetes RBAC (role-based access control)
AWS/Kubernetes Concept
1.Kubernetes Access Control
Two kinds of users: normal users, managed outside the cluster (SSH key/token), and
service accounts, managed by Kubernetes
Namespaces are a way to divide cluster resources between multiple users
Deployment:
ServiceAccount is used to control POD access.
Role/ClusterRole: is used to define permissions
RoleBinding is used to link them together
ClusterRoleBinding is used to link them together
2.AWS Access Control
Users – with access key(token)
The ARN contains the account id and the user name:
arn:aws:iam::1864543883xx:user/[email protected]
User attach Permission(policy) and group
Policy – defines permissions
Groups – attach policy
Roles – Use IAM roles for Amazon EC2 instances, like a service account in Kubernetes
Permissions – Grant least privilege.
Auditing – Turn on AWS CloudTrail.
Password – Configure a strong password policy.
MFA – Enable MFA for privileged users.
Roles – Use IAM roles for Amazon EC2 instances.
Sharing – Use IAM roles to share access.
Rotate – Rotate security credentials regularly.
Conditions – Restrict privileged access further with conditions.
Root – Reduce or remove use of root.
resource "aws_instance" "instance" {
iam_profile—-aws_iam_instance_profile(control_profile)
—-aws_iam_role(control_role)
xxx"aws_iam_role_policy" “control_policy"
3. StatefulSet – used like a Deployment, but:
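# StatefulSet example; indentation restored so the manifest is valid YAML
# (the original had every line at column 0). Values are unchanged.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  # one PersistentVolumeClaim per replica, named from this template
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "my-storage-class"
      resources:
        requests:
          storage: 1Gi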
AWS ELASTICSEARCH
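# Create an Amazon Elasticsearch domain (3 data nodes + 3 dedicated masters).
# The access policy allows ANY principal ("AWS": "*") to call es:* on the
# domain; the aws:SourceIp condition is the only thing restricting access, so
# ${ip} should be a tight CIDR (ideally a /32), never a broad range.
: "${DOMAIN_NAME:?set DOMAIN_NAME to the domain to create}"
: "${ip:?set ip to the source CIDR allowed to reach the domain}"
# Build the policy in a variable so the JSON is quoted as one argument; the
# original command line was missing the closing single quote after the JSON.
access_policy=$(cat <<EOF
{"Version": "2012-10-17","Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*","Resource": "arn:aws:es:us-west-2:1864543xxxx:domain/${DOMAIN_NAME}/*","Condition": {"IpAddress": {"aws:SourceIp": "${ip}"}}}]}
EOF
)
aws es create-elasticsearch-domain --domain-name "${DOMAIN_NAME}" \
  --elasticsearch-version 7.1 \
  --elasticsearch-cluster-config InstanceType=r5.large.elasticsearch,InstanceCount=3,DedicatedMasterEnabled=true,DedicatedMasterType=r5.large.elasticsearch,DedicatedMasterCount=3 \
  --ebs-options EBSEnabled=true,VolumeType=gp2,VolumeSize=10 \
  --access-policies "${access_policy}"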
#AWS CLI for CloudFormation
0) create mackey as the key pair and create the default VPC
1) https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/sample-templates-services-us-west-2.html and get ec2 link:
# fetch the sample template into the current directory under its own name
wget -O EC2InstanceWithSecurityGroupSample.template 'https://s3-us-west-2.amazonaws.com/cloudformation-templates-us-west-2/EC2InstanceWithSecurityGroupSample.template'
2) change name.
# rename the downloaded template; "--" stops option parsing on the file names
mv -- EC2InstanceWithSecurityGroupSample.template single-instance.json
3) convert JSON to YAML
# JSON -> YAML with Ruby's stdlib; ARGF reads the file given as an argument
ruby -rjson -ryaml -e 'puts YAML.dump(JSON.load(ARGF))' single-instance.json > single-instance.yml
4) get section:
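# list the top-level template sections; jq reads the file directly (no cat pipe needed)
jq 'keys[]' single-instance.json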
5) view editor
# open the YAML in Sublime Text, adding it to the current window
subl --add single-instance.yml
6) deploy CloudFormation
# NOTE(review): the template was written to ./single-instance.yml above, but
# this path expects it under templates/ — confirm where the file actually lives.
stack_args=(
  --template-body file://templates/single-instance.yml
  --stack-name single-instance
  --parameters ParameterKey=KeyName,ParameterValue=mackey
               ParameterKey=InstanceType,ParameterValue=t2.micro
)
aws cloudformation create-stack "${stack_args[@]}"
66) deploy instance
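# 1) VPC + two subnets. The VPC id is captured from the create call instead of
#    hard-coding the id of an earlier run (the original used vpc-2f09a348, which
#    does not exist in a fresh account).
vpc_id=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text)
subnet_id=$(aws ec2 create-subnet --vpc-id "${vpc_id}" --cidr-block 10.0.1.0/24 --query Subnet.SubnetId --output text)
aws ec2 create-subnet --vpc-id "${vpc_id}" --cidr-block 10.0.0.0/24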
11) open stack
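# 11) OpenStack equivalent: create a network, subnet and port, keeping each id.
#     The original lines had lost their opening "$(" and kept a stray ")";
#     grep -w keeps rows such as tenant_id / subnet_id / network_id from matching.
netid=$(neutron net-create "${netname}" | grep -w id | awk '{print $4}')
subid=$(neutron subnet-create "${netname}" "${subcidr}" --name "${netname}" | grep -w id | awk '{print $4}')
portid=$(neutron port-create --fixed-ip subnet_id="${subid}",ip_address="192.168.4.20" --name=public-net1 | grep -w id | awk '{print $4}')
# alternative: a port with no fixed ip, named after the network
# portid=$(neutron port-create "${netname}" --name "${netname}" | grep -w id | awk '{print $4}')
printf '%s\n' "${portid}"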
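# 2) Internet gateway + a route table that sends 0.0.0.0/0 to it. Associating
#    this table with a subnet makes that subnet public, so any instance in it
#    with a public IP is reachable from the internet — pair it with a tight
#    security group. Ids are captured from the create calls; the page's
#    original ids remain as fallbacks.
vpc_id=${vpc_id:-vpc-2f09a348}          # from the create-vpc step
subnet_id=${subnet_id:-subnet-b46032ec} # from the create-subnet step
igw_id=$(aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
aws ec2 attach-internet-gateway --vpc-id "${vpc_id}" --internet-gateway-id "${igw_id}"
rtb_id=$(aws ec2 create-route-table --vpc-id "${vpc_id}" --query RouteTable.RouteTableId --output text)
aws ec2 create-route --route-table-id "${rtb_id}" --destination-cidr-block 0.0.0.0/0 --gateway-id "${igw_id}"
aws ec2 associate-route-table --subnet-id "${subnet_id}" --route-table-id "${rtb_id}"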
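# 3) key pair, SSH security group and one instance in the subnet.
vpc_id=${vpc_id:-vpc-2f09a348}          # from the create-vpc step
subnet_id=${subnet_id:-subnet-b46032ec} # from the create-subnet step
# Source range allowed to reach port 22. The page default opens SSH to the
# whole internet; override with your own address, e.g. SSH_CIDR=203.0.113.4/32
# (constructed example).
ssh_cidr=${SSH_CIDR:-0.0.0.0/0}
# The private key is only returned once. umask 077 keeps the .pem from being
# created world-readable (ssh refuses to use a key file with open permissions).
(umask 077 && aws ec2 create-key-pair --key-name MyKeyPair --query 'KeyMaterial' --output text > MyKeyPair.pem)
sg_id=$(aws ec2 create-security-group --group-name SSHAccess --description "Security group for SSH access" --vpc-id "${vpc_id}" --query GroupId --output text)
aws ec2 authorize-security-group-ingress --group-id "${sg_id}" --protocol tcp --port 22 --cidr "${ssh_cidr}"
aws ec2 run-instances --image-id ami-a4827dc9 \
  --count 1 \
  --instance-type t2.micro \
  --key-name MyKeyPair \
  --security-group-ids "${sg_id}" \
  --subnet-id "${subnet_id}"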
4)aws ec2 run-instances --image-id ami-a4827dc9 --count 1 --instance-type t2.micro --key-name MyKeyPair --security-group-ids sg-e1fb8c9a --subnet-id subnet-b46032ec
44)
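# OpenStack boot on the port created above. Every expansion is quoted so an
# empty or space-containing value does not split into extra arguments.
nova boot --flavor "${flavorname}" --key-name "${keyname}" --image "${imageid}" --nic port-id="${portid}" "${servername}"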
444)
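# 1) security group in the default VPC, 2) SSH ingress, 3) two instances.
#    Fixed from the original: the run-instances options lacked their "\"
#    continuations (bash ran each line as a separate command) and the instance
#    type was misspelled "t2.micr".
# Page default opens port 22 to everyone; prefer your own /32 via SSH_CIDR.
ssh_cidr=${SSH_CIDR:-0.0.0.0/0}
aws ec2 create-security-group --group-name EC2SecurityGroup --description "Security Group for EC2 instances to allow port 22"
aws ec2 authorize-security-group-ingress --group-name EC2SecurityGroup --protocol tcp --port 22 --cidr "${ssh_cidr}"
aws ec2 run-instances \
  --image-id ami-5ec1673e \
  --instance-type t2.micro \
  --key-name mackey \
  --security-groups EC2SecurityGroup \
  --placement AvailabilityZone=us-west-2b \
  --block-device-mappings 'DeviceName=/dev/sdh,Ebs={VolumeSize=100}' \
  --count 2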
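# 33) nova boot, one option per line. The original lacked the trailing "\",
#     so bash ran "nova boot" with no arguments followed by four bogus commands.
nova boot \
  --image "${imageid}" \
  --flavor "${flavorname}" \
  --key-name "${keyname}" \
  --nic port-id="${portid}" "${servername}"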
# 333) Azure equivalent: Ubuntu VM on an existing NIC / availability set,
#      authenticated with an SSH key the CLI generates (no password)
vm_args=(
  --image UbuntuLTS
  --resource-group myResourceGroup
  --name myVM
  --location eastus
  --availability-set myAvailabilitySet
  --nics myNic
  --admin-username azureuser
  --generate-ssh-keys
)
az vm create "${vm_args[@]}"
7) verification
ssh [email protected]
Amazon Linux AMI
8) delete
# tear down everything the stack created
stack_name=single-instance
aws cloudformation delete-stack --stack-name "${stack_name}"
1. Azure commands and az acs
1) install on macOS
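# Download the installer to a temp file instead of piping it straight into
# bash: -f makes curl fail on an HTTP error (otherwise the error page would be
# executed) and the script can be inspected before it runs.
install_script=$(mktemp) || exit 1
curl -fsSL -o "${install_script}" https://aka.ms/InstallAzureCli && bash "${install_script}"
rm -f -- "${install_script}"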
11) create instance
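# Resource group, vnet/subnet and public IP, then a VM.
az group create --name myResourceGroup --location eastus
az network vnet create \
  --resource-group myResourceGroup \
  --name myVnet \
  --address-prefix 192.168.0.0/16 \
  --subnet-name mySubnet \
  --subnet-prefix 192.168.1.0/24
az network public-ip create \
  --resource-group myResourceGroup \
  --name myPublicIP \
  --dns-name mypublicdns
# Windows VM. The admin password is taken from the environment instead of being
# written into this page and the shell history (the original hard-coded
# "myPassword"). az still receives it on argv, so run this from a trusted shell.
az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --image win2016datacenter \
  --admin-username azureuser \
  --admin-password "${ADMIN_PASSWORD:?set ADMIN_PASSWORD for the Windows VM}"
# Alternative: Ubuntu VM on an existing NIC / availability set, SSH-key login.
# NOTE(review): myNic and myAvailabilitySet are not created anywhere on this
# page — confirm they exist before running.
az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --location eastus \
  --availability-set myAvailabilitySet \
  --nics myNic \
  --image UbuntuLTS \
  --admin-username azureuser \
  --generate-ssh-keys
# Allow inbound port 80 to the VM (from any source unless narrowed afterwards).
az vm open-port --port 80 --resource-group myResourceGroup --name myVM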
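# 2) sign in, create an AKS cluster and deploy the sample app. The original
#    mixed "Az"/"Kubectl"/"Wget" capitalisation (which bash does not resolve)
#    with bare parenthetical notes; both are turned into runnable lines/comments.
az login -u [email protected]
# az account set -s techsnips   # select the subscription if several are visible
az account show
az provider register -n Microsoft.ContainerService
az provider register -n Microsoft.Compute
az provider register -n Microsoft.Network
az provider register -n Microsoft.Storage
az provider list -o table
az group create -n techsnips-aks --location eastus
# --generate-ssh-keys creates a key pair when none is found; to use an existing
# key pass --ssh-key-value (created by ssh-keygen -f keypairfile) instead
az aks create --resource-group techsnips-aks --name techsnips-aks --node-count 1 --generate-ssh-keys \
  --kubernetes-version 1.9.6 --node-vm-size=Standard_B2s
az aks install-cli
# merges the cluster credentials into ~/.kube/config
az aks get-credentials --resource-group techsnips-aks --name techsnips-aks
# "cps" is not a kubectl resource; assumed to mean component statuses (cs)
kubectl get cs
kubectl cluster-info
kubectl create -f azure_vote.yaml
kubectl get pod --watch
kubectl get svc --watch   # original used "Kc", presumably a local alias
kubectl run --image=nginx mewed
kubectl get pods
# a LoadBalancer service gives the pod a public endpoint on port 80
kubectl expose pod mewed-xxxxx --port=80 --type=LoadBalancer
wget https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml
kubectl apply -f azure-vote-all-in-one-redis.yaml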
1. aws eks
# Helper script (not on this page) — presumably lists the roles this profile
# can assume — followed by assuming the EKS role. assume-role prints a set of
# temporary credentials (access key, secret key, session token); keep that
# output out of shared terminals and logs.
./assume_role_enum.py --profile default --account-id 186454388355
aws sts assume-role --role-session-name "RoleSession1" --role-arn arn:aws:iam::186454388355:role/eksrole --query 'Credentials'
# same call using a named profile and a placeholder account / role name
aws sts assume-role --role-session-name "RoleSession1" --role-arn arn:aws:iam::123456789012:role/role-name --profile IAM-user-name
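# Build a kubeconfig for the EKS cluster. Fixes from the original: the --query
# expressions are quoted (unquoted "cluster.[endpoint]" is a shell glob), the
# heredoc indentation is restored, and the two "user:" keys that had been
# merged into one entry (aws-iam-authenticator and "aws eks get-token",
# which is invalid YAML) are reduced to the aws CLI form with the
# authenticator form kept below as a comment.
export CLUSTER=nginxcluster
EKS_ENDPOINT=$(aws eks describe-cluster --name "${CLUSTER}" --query 'cluster.[endpoint]' --output=text)
EKS_CA_DATA=$(aws eks describe-cluster --name "${CLUSTER}" --query 'cluster.[certificateAuthority.data]' --output text)
export EKS_ENDPOINT EKS_CA_DATA
kubeconfig="${HOME}/.kube/config-${CLUSTER}"
mkdir -p "${HOME}/.kube"
# Alternative exec plugin, using aws-iam-authenticator (-r assumes the role
# before minting the token) — replace the "exec:" mapping below with:
#   exec:
#     apiVersion: client.authentication.k8s.io/v1alpha1
#     command: aws-iam-authenticator
#     args:
#       - "token"
#       - "-i"
#       - "${CLUSTER}"
#       - "-r"
#       - "arn:aws:iam::186454388355:role/eksrole"
# NOTE(review): client.authentication.k8s.io/v1alpha1 is the page's value;
# newer kubectl releases expect v1beta1 — confirm against your kubectl version.
cat <<EoF > "${kubeconfig}"
apiVersion: v1
clusters:
- cluster:
    server: ${EKS_ENDPOINT}
    certificate-authority-data: ${EKS_CA_DATA}
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws
      args:
        - --region
        - us-west-2
        - eks
        - get-token
        - --cluster-name
        - ${CLUSTER}
        - --role
        - arn:aws:iam::186454388355:role/eksrole
EoF
chmod 600 "${kubeconfig}"   # kubeconfig grants cluster access; keep it owner-only
export KUBECONFIG="${kubeconfig}"
# persist for new shells; this appends on every run, so de-duplicate ~/.bashrc if re-run
echo "export KUBECONFIG=${KUBECONFIG}" >> "${HOME}/.bashrc"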
SecurityGroups sg-00d22b52eeedbd67c
SubnetIds subnet-06bab9cba338477a7,subnet-0edf157e5454b6ab0,subnet-03c63c0e6b6207812
VpcId vpc-0fdae3c532e25a42b