on 27-Jan-2020 11:22
EKS (Elastic Kubernetes Service) is popular! It allows you to deploy apps without managing the Kubernetes mgmt plane yourself. If you're planning to run an app using EKS, you will likely need to consider ingress security along with that app. Securing traffic into Kubernetes is a topic we love to talk about at F5.
It's fully automated! Since most people are new to Kubernetes (k8s for short), I find myself in need of a quick demo that's totally open for anyone to run. This way after I demo, the audience can go back to run it on their own, decompose it for themselves, and take their own time to understand it all.
Here's what we will automatically deploy:
In short, you'll need an AWS demo account, a workstation with Terraform installed, your AWS creds configured, and the aws-iam-authenticator installed.
If you don't have a workstation with Terraform installed, don't worry! You can easily set up the client workstation you need by deploying this demo workstation, which will have all the required tools. Then, configure your AWS IAM credentials.
When building a cloud solution example, I try to stay as "vendor neutral" as practical and avoid using 3rd party tools when possible. For example, I have written a demo using AWS Lambda functions, instead of a 3rd party automation tool, for post-deployment configuration. This might be preferred if you do not (or cannot) use a particular 3rd party tool. So I originally started down the path of following this article to completely build an EKS demo via CFT. I planned to extend the quickstart demo to include an ingress controller and security policy, along with an app to protect. I guess I planned to use Lambda functions again. However, after talking about this with colleagues, the workarounds came to seem silly: nobody would do this in real life, so constraining myself to only using a CFT seemed unnecessary. Instead I chose to use the ubiquitous tool Terraform. This is easier to use and also saves me from requiring a user to have a few other tools, like kubectl, helm, and aws-iam-authenticator, etc. So, for better or worse, Terraform is a pre-req here. The workstation I've used is Ubuntu 18.04.
git clone https://github.com/mikeoleary/aws-eks-bigip-terraform cd aws-eks-bigip-terraform/vpc terraform init terraform plan terraform apply
You've deployed! You will need to wait around 20 mins for everything to deploy: a VPC, EKS, a BIG-IP, and then an application in EKS to be protected by BIG-IP.
Once your Terraform commands have completed, you should see output values. If not, type this and take a note of the output values:
Now, open a web browser and visit http://<public_ip_app>.
If you want to inspect the configuration of BIG-IP, visit https://<public_dns> and login with username admin and password <password>.
If you want to see the pods, service, or configmap running in EKS, run:
mkdir ~/.kube terraform output kubeconfig > ~/.kube/config kubectl describe po kubectl describe svc kubectl describe configmap
Don't stop here! Remember, you'll need to follow the steps to destroy your AWS resources, otherwise you'll be charged for running these AWS resources. Coincidentally you can use Terraform to limit this kind of rogue AWS spend, so don't be this guy:
To destroy this demo in full, type:
Let's review what just happened.
After all this, the components are all in place. We have an app in k8s that is exposed to ingress traffic, which is routed via the BIG-IP and automatically updated. Our app is protected!
Thanks for reading this article, please leave a comment if you have any questions.
Nice one Michael! Tks for that!
Hey Michael, nice work.
I will give a try on this one and let you know.
There is the following remark on the awsiam-authenticator from AWS documentation that will probably require a small update on your document:
If you're running the AWS CLI version 1.16.156 or later, then you don't need to install the authenticator. Instead, you can use the
command. For more information, see Create kubeconfig manually.
BTW Michael, you need to change your AMI for the BIG-IP to a patched version to avoid the CVE on TMUI, and also restrict the Security Groups to something different than source IP 0.0.0.0/0
and for the ones that decide to not install a VM to deploy, as recommended by Michael, on MAC there are few things you need to install using home-brew, like "wget" for example. But as mentioned by Michael, this is not the "recommended" mode 😊