If there are features that you think are missing, please feel free to open up a discussion via a GitHub issue. This is a great way to collaborate within the community and capture any shared knowledge for all to see; I will do my best to ensure that knowledge is captured somewhere within this project so that others can benefit from it.
- Cluster public endpoint access disabled; only private endpoint access enabled
- Cluster secrets encrypted with customer managed KMS key
- EBS volumes encrypted with customer managed KMS key
- EC2 instances (nodes) use BottleRocket OS
- AWS service access via VPC interface endpoints and/or gateway endpoints
- VPC default NACLs modified to deny all traffic; custom NACLs provided
- VPC default security group modified to deny all traffic
- You must have AWS SSO enabled on your account/organization. We will be using AWS Client VPN to provide user access to the cluster and AWS SSO is used to authenticate users when accessing the client VPN.
- Refer to https://medium.com/trackit/how-to-create-an-aws-client-vpn-endpoint-using-aws-sso-and-terraform-6902dff5b71b up to `Step 3: Terraform Configuration` (ignore that section, since we will be handling our own Terraform configuration here).
- Download and install AWS Client VPN client https://aws.amazon.com/vpn/client-vpn-download/
- You must have a valid AWS ACM certificate. This is required to set up the AWS Client VPN so that traffic between the VPN client and the endpoint is TLS encrypted.
- Provision the resources defined in the `us-east-1` directory using:
  ```sh
  terraform init -upgrade=true
  terraform apply
  ```
- Once the cluster is up and running and the node group is provisioned, update your Terraform state to align with changes made by the AWS API. This does not modify any resources; it only aligns your state file with the current state of the infrastructure. You can read more about this at the following links if interested:
  ```sh
  terraform apply -refresh-only
  terraform plan # should show `No changes. Your infrastructure matches the configuration.`
  ```
- With the cluster up and running we can start making some adjustments. First, let's remove the VPC CNI permissions from the nodes and instead rely on the IRSA role created specifically for the VPC CNI addon. In the `eks.tf` file, change `iam_role_attach_cni_policy` from `true` to `false`:
  ```hcl
  # Change this line from `true` to `false`
  iam_role_attach_cni_policy = false # was true
  ```
  After saving your changes, run the following commands to update your resources:
  ```sh
  terraform apply
  terraform apply -refresh-only # re-sync our state to match the change we performed
  ```
- AWS Client VPN setup: https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/
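After `terraform apply` completes, it is worth confirming from the AWS side (not just from Terraform state) that the cluster actually has the private-endpoint and secrets-encryption properties listed at the top of this page. The script below is an added example, not part of this project: it evaluates the JSON returned by `aws eks describe-cluster --name <cluster>` against that baseline, and the two sample documents and the account id / key id in them are constructed.

```python
"""Check `aws eks describe-cluster` output against this project's hardening baseline.

Usage: aws eks describe-cluster --name <cluster> | python3 check_cluster.py
"""
import json
import sys


def check_cluster_hardening(describe_output: dict) -> list[str]:
    """Return a list of findings; an empty list means the cluster matches the baseline."""
    cluster = describe_output["cluster"]
    findings = []

    # Baseline: public endpoint disabled, private endpoint enabled.
    vpc = cluster.get("resourcesVpcConfig", {})
    if vpc.get("endpointPublicAccess", True):
        findings.append("API server public endpoint is enabled")
    if not vpc.get("endpointPrivateAccess", False):
        findings.append("API server private endpoint is disabled")

    # Baseline: Kubernetes secrets envelope-encrypted with a KMS key.
    # describe-cluster only shows the key ARN; whether that key is customer managed
    # has to be confirmed separately with `aws kms describe-key` (KeyManager == CUSTOMER).
    secret_keys = [
        cfg.get("provider", {}).get("keyArn", "")
        for cfg in cluster.get("encryptionConfig", [])
        if "secrets" in cfg.get("resources", [])
    ]
    if not any(key.startswith("arn:aws:kms:") for key in secret_keys):
        findings.append("Kubernetes secrets are not encrypted with a KMS key")
    return findings


# Constructed sample: what a cluster built from this project should look like.
HARDENED = {"cluster": {
    "name": "example-private",
    "resourcesVpcConfig": {"endpointPublicAccess": False, "endpointPrivateAccess": True,
                           "publicAccessCidrs": []},
    "encryptionConfig": [{"resources": ["secrets"], "provider": {
        "keyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}],
}}

# Constructed sample: EKS defaults (public endpoint open to the world, no KMS key configured).
DEFAULT_LIKE = {"cluster": {
    "name": "example-default",
    "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": False,
                           "publicAccessCidrs": ["0.0.0.0/0"]},
}}

if __name__ == "__main__":
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else DEFAULT_LIKE
    for finding in check_cluster_hardening(doc) or ["cluster matches the hardening baseline"]:
        print(finding)
```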