AWS S3 Bucket
- iControlJar: Directory name is icontroljar and the jar has to be placed here.
- MongoDB backup: Directory name should be mongo-backup.
- Vault backup: Directory name should be vault-backup.
- Axisjar, javax.xml.soap-api: Directory name should be axisjar.
There are two approaches to creating an S3 bucket and making it accessible from the EKS cluster.
Approach 1
- Create a bucket.
- Create an IAM policy that grants read/write access to the bucket.
- Attach this policy to the IAM role of the node groups.
Because the policy is attached at node level, every pod scheduled on those nodes inherits read/write access to the bucket, not only the AppViewX pods.
Approach 2 (Recommended)
The standard and secure way of granting AWS permissions to pods in Kubernetes is AWS IRSA (IAM Roles for Service Accounts). Create an IAM role and policy, then add an annotation to the pod's service account so that only pods running under that service account can assume the role. Follow the AWS official documentation - IAM roles for service accounts.
The steps to create the S3 bucket and configure the IAM role and policy for IRSA are as follows:
- Create the bucket and the IAM role and policy for IRSA. This step can also be performed using a helper script provided by AppViewX. To use this script:
  - Download the artifact Managed-Kubernetes_helper_scripts.tar.gz to the bastion host and extract it:
    tar -xf Managed-Kubernetes_helper_scripts.tar.gz
  - Navigate to the extracted directory:
    cd mk8s_helper_scripts
  - Edit the file eks_config.sh and replace <actualBucketname>, <actualAccountNumber>, <eksClusterName>, and <awsRegionName> with the actual values.
  - Execute the script:
    bash eks_config.sh
- Capture the Annotation printed by the script; it is required in the global utility config and must be added to the sub-field serviceAccountAnnotation of the parameter storageAccess.
- Configure authentication to AWS ECR (the AWS image registry) so that the cluster can pull images from ECR.
- Note the image registry name (where the images are stored) and the AccessKey/SecretKey, which are required in the global utility config.
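The following script is an added example of what the IRSA setup above amounts to in AWS CLI terms; it is not the AppViewX eks_config.sh helper and does not reproduce its output format. The bucket, account, cluster, region, namespace, service-account and role names are placeholders (override them via environment variables). It builds the two policy documents that IRSA needs, a bucket-scoped S3 policy and a trust policy that restricts sts:AssumeRoleWithWebIdentity to one service account in one namespace, and only calls aws when run with --apply.

```bash
#!/usr/bin/env bash
# Added example (not the AppViewX helper script): create a bucket-scoped IAM policy
# and an IRSA role for one Kubernetes service account, then print the annotation.
set -eu

# Assumed placeholder inputs; these mirror the values eks_config.sh asks for.
BUCKET="${BUCKET:-example-appviewx-bucket}"
ACCOUNT="${ACCOUNT:-123456789012}"
CLUSTER="${CLUSTER:-example-eks-cluster}"
REGION="${REGION:-us-east-1}"
NAMESPACE="${NAMESPACE:-appviewx}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-appviewx-sa}"
ROLE_NAME="${ROLE_NAME:-${CLUSTER}-s3-irsa}"
POLICY_NAME="${POLICY_NAME:-${CLUSTER}-s3-access}"

# S3 permissions limited to a single bucket: list the bucket, read/write/delete its objects.
# ListBucket applies to the bucket ARN; object actions apply to the bucket's objects.
s3_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::${1}"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::${1}/*"}
  ]
}
EOF
}

# Trust policy: the cluster's OIDC provider is the federated principal, and the "sub"
# condition pins the role to one service account in one namespace. Without that
# condition any pod in the cluster could assume the role.
# Arguments: account-id, OIDC issuer host (without https://), namespace, service account.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${1}:oidc-provider/${2}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "${2}:aud": "sts.amazonaws.com",
      "${2}:sub": "system:serviceaccount:${3}:${4}"
    }}
  }]
}
EOF
}

# The value that goes into storageAccess.serviceAccountAnnotation in the global utility config.
# Arguments: account-id, role name.
role_annotation() {
  echo "eks.amazonaws.com/role-arn: arn:aws:iam::${1}:role/${2}"
}

# Runs the real AWS calls. Prerequisite: the cluster has an IAM OIDC provider
# (for example: eksctl utils associate-iam-oidc-provider --cluster "$CLUSTER" --approve).
apply() {
  oidc_issuer=$(aws eks describe-cluster --name "$CLUSTER" --region "$REGION" \
    --query "cluster.identity.oidc.issuer" --output text)
  oidc_host="${oidc_issuer#https://}"

  aws s3 mb "s3://${BUCKET}" --region "$REGION"
  # Nothing in this workflow needs public access to the backup bucket.
  aws s3api put-public-access-block --bucket "$BUCKET" --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

  aws iam create-policy --policy-name "$POLICY_NAME" --policy-document "$(s3_policy "$BUCKET")"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$ACCOUNT" "$oidc_host" "$NAMESPACE" "$SERVICE_ACCOUNT")"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn "arn:aws:iam::${ACCOUNT}:policy/${POLICY_NAME}"

  echo "Annotation for storageAccess.serviceAccountAnnotation:"
  role_annotation "$ACCOUNT" "$ROLE_NAME"
}

if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Run it as `BUCKET=... ACCOUNT=... CLUSTER=... REGION=... bash irsa_setup.sh --apply` from a host with AWS credentials that can create IAM roles and policies; without --apply it only defines the functions, so you can inspect the generated JSON with `s3_policy "$BUCKET"` before anything is created. The "sub" condition is the part worth checking in any IRSA role: a trust policy that only checks "aud" is assumable by every service account in the cluster.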
