Wednesday, January 18, 2023

Step by Step Installation of crossplane on AWS EKS

 If you want to create your cloud resources such as AWS EC2, S3 bucket etc from within Kubernetes, then you need to use Crossplane. Its an open source project. Following is step  by step instructions to install crossplane on AWS EKS.

-- Make sure kubectl version is v1.23 and helm version is v3.8.2

-- All files which are being used in this code are available at github.

Step 1: Create EKS cluster

Step 2: Run following commands:

For IAM Setup:

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

# A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. permission-boundary.json file is available in github repo here.

sed -i.bak "s/ACCOUNT_ID/${ACCOUNT_ID}/g" permission-boundary.json

aws iam create-policy \

    --policy-name crossplaneBoundary \

    --policy-document file://permission-boundary.json

# Amazon EKS supports using OpenID Connect (OIDC) identity providers as a method to authenticate users to your cluster. crossplane-ssp is my cluster's name. You can use your own.

OIDC_PROVIDER=$(aws eks describe-cluster --name crossplane-ssp --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")




  "Version": "2012-10-17",

  "Statement": [


      "Effect": "Allow",

      "Principal": {

        "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"


      "Action": "sts:AssumeRoleWithWebIdentity",

      "Condition": {

        "StringLike": {

          "${OIDC_PROVIDER}:sub": "system:serviceaccount:crossplane-system:provider-*"







echo "${TRUST_RELATIONSHIP}" > trust.json

# IAM role for provider-aws

aws iam create-role --role-name crossplane-provider-aws --assume-role-policy-document file://trust.json --description "IAM role for provider-aws" --permissions-boundary ${PERMISSION_BOUNDARY_ARN}

aws iam attach-role-policy --role-name crossplane-provider-aws --policy-arn=arn:aws:iam::aws:policy/AdministratorAccess

# Annotate the service account to use IRSA.

sed -i.bak "s/ACCOUNT_ID/${ACCOUNT_ID}/g" aws-provider.yaml

# Install Crossplane

kubectl create namespace crossplane-system

helm repo add crossplane-stable

helm repo update

helm install crossplane --namespace crossplane-system --version 1.10.1 crossplane-stable/crossplane

# wait for the provider CRD to be ready.

kubectl wait --for condition=established --timeout=300s crd/

kubectl apply -f aws-provider.yaml

# wait for the AWS provider CRD to be ready.

kubectl wait --for condition=established --timeout=300s crd/

kubectl apply -f aws-provider-config.yaml

#create resources

kubectl apply -f ec2.yaml

kubectl get instance

kubectl describe instance

kubectl apply -f s3.yaml

kubectl get Bucket

kubectl describe Bucket

No comments: