Automating the provisioning of a production-ready Kubernetes cluster with AWS EKS & CDK

Enter the AWS Cloud Development Kit (CDK)

An example of using the CDK to set up an EKS cluster with best practices as well as all the common add-ons

  • Putting the EKS control plane endpoint into a VPC with private subnets, off the public Internet
  • Setting up a bastion and/or a Client VPN so the cluster can be managed securely
  • Enabling logging on the service so that the control plane audit logs, among others, go to CloudWatch Logs
  • Including a set of Gatekeeper policies with a good security baseline (aligned with the legacy restricted Pod Security Policy, plus a few other sensible checks that are easy to do with Gatekeeper)
  • Implementing GitOps around changes/upgrades to the cluster and its add-ons by setting up CodeBuild with a webhook that re-runs cdk deploy when changes to this template are merged

Let’s dig into the template a little bit

  • Creating a new managed Amazon Elasticsearch domain
  • Creating an AWS IAM Role bound to a Kubernetes service account via OIDC so our Fluent Bit Pods can ship logs to that new Elasticsearch domain, with the IAM Policy's resource set to a dynamic reference to the domain's ARN (rather than *)
  • Deploying the AWS-provided Helm chart for aws-for-fluent-bit, with a dynamic reference to the new Elasticsearch domain as the host to ship logs to in the chart values
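The role trust policy and permission policy that the second and third steps above produce, as an added example that is not the article's CDK template: plain Python building the same JSON that the CDK IAM constructs emit, plus a check that no Allow statement falls back to a wildcard resource. The account, region, OIDC issuer, domain name, namespace and service account are constructed placeholders.

```python
# Constructed placeholders: substitute your account, region, cluster OIDC issuer
# and Elasticsearch domain name (CDK resolves these from the created resources).
ACCOUNT = "111122223333"
REGION = "us-east-1"
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
DOMAIN_ARN = f"arn:aws:es:{REGION}:{ACCOUNT}:domain/eks-logs"


def irsa_trust_policy(namespace: str, service_account: str) -> dict:
    """Trust policy allowing only one Kubernetes service account to assume the role.
    The :sub condition pins it to a namespace/service-account pair and :aud
    requires a token minted for STS, so other Pods' projected tokens are refused."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_ISSUER}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{OIDC_ISSUER}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def fluent_bit_es_policy(domain_arn: str) -> dict:
    """Permission policy for shipping logs, scoped to one domain ARN rather than '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["es:ESHttpPost", "es:ESHttpPut"],
            "Resource": f"{domain_arn}/*",
        }],
    }


def wildcard_resources(policy: dict) -> list:
    """Return Allow statements whose Resource is '*' (what the role above avoids)."""
    flagged = []
    for stmt in policy["Statement"]:
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if stmt.get("Effect") == "Allow" and "*" in res:
            flagged.append(stmt)
    return flagged
```

Running wildcard_resources over every policy the template synthesizes is a cheap guard to keep in the CodeBuild step that re-runs the deploy.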

Conclusion
