Search code examples
aws-codepipelineaws-codebuildamazon-eks

AWS CodePipeline and deployingto EKS

Am working on an AWS CodePipeline for building and deploying containers to EKS cluster.

It seems like AWS CodePipeline does not support a deployment action to EKS “only ECS”. I tried exploring other options like using lambda function, I found the below example for running kubectl commands in lambda

https://github.com/tmuskal/lambda-kubectl

Nonetheless, EKS uses aws-iam-authenticator in order to generate tokens for kubeconfig. Not sure how that would fit in the lambda context though.

Any advice on topic would be highly appreciated.

Solution

  • AWS doesn't support a deployment action for EKS. However, it can be achieved by using code pipeline and code build to make it continuous build and deployment for EKS cluster. Need to set up some IAM roles and permission in terms of allowing codebuild to run kubectl and deploy on eks cluster.

    1. Need to create a role lets say (kubernetes_deployment) which has the permission to allow EKS to manage clusters on your behalf.

      • Permission attached to the kubernetes_deployment role

        AmazonEKSClusterPolicy

        AmazonEKSServicePolicy

        inline policy as below

        {
  "Version": "2012-10-17",
  "Statement": [
   {
     "Sid": "VisualEditor0",
     "Effect": "Allow",
     "Action": "eks:DescribeCluster",
     "Resource": "*"
   }
 ]
}

    2. Create a codebuild in your aws refer Refer this for buildspec

      • make sure service role used in codebuild should have sts:assume permission for kubernetes_deployment role which has access to manage eks cluster

           {
      "Version": "2012-10-17",
      "Statement": [
       {
         "Sid": "VisualEditor0",
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam:: 
           <accountno>:role/kubernetes_deployment"
         }
       ]
      }

    3. Update the trust relationship for kubernetes_deployment role to allow used by codebuild service role

       {
   "Version": "2012-10-17",
   "Statement": [
   {
     "Effect": "Allow",
     "Principal": {
          "AWS": "arn:aws:iam::<account>:role/service-role/codebuild-service-role",
           "Service": "eks.amazonaws.com"
       },
       "Action": "sts:AssumeRole"
    }
 ]
}

    4. Make kubernetes_deployment role as authorized in eks cluster

      - rolearn: arn:aws:iam::<account>:role/kubernetes_deployment
  username: kubernetes_deployment
  groups:
   - system:masters