Kubernetes Credentials Management

In order to integrate a vendor-managed Kubernetes cluster into our system, you can either opt o Create a new cluster or Import an existing one. This process involves adding specific credentials based on your vendor.

Supported Credential Types include:

Visit https://home.appscode.com/user/settings/credentials to manage credential.

AWS

To create or import EKS clusters to AppsCode Dashboard, you need to create a access-key with the following policies.

  • AmazonEC2FullAccess (AWS Managed Policy)
  • AWSCloudFormationFullAccess (AWS Managed Policy)
  • EKSAllAccess
  • IamLimitedAccess

Steps:

  • Create user
  • Create required policies
  • Attach the policies to the user
  • Create access key

Details:

  • Create user
    sh
    aws iam create-user --user-name "eks-cluster"
  • Create policies
    • Export AWS Account ID
      sh
      export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
    • Create AmazonEC2FullAccess (AWS Managed Policy) policy
      sh
      echo '{
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": "ec2:*",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "elasticloadbalancing:*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "cloudwatch:*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "autoscaling:*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "iam:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "iam:AWSServiceName": [
                              "autoscaling.amazonaws.com",
                              "ec2scheduled.amazonaws.com",
                              "elasticloadbalancing.amazonaws.com",
                              "spot.amazonaws.com",
                              "spotfleet.amazonaws.com",
                              "transitgateway.amazonaws.com"
                          ]
                      }
                  }
              }
          ]
      }' > ec2-policy.json
      sh
      aws iam create-policy --policy-name ec2-policy --policy-document file://ec2-policy.json
      
      POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`ec2-policy`].Arn' --output text)
      aws iam attach-user-policy --user-name "eks-cluster" --policy-arn $POLICY_ARN
    • Create AWSCloudFormationFullAccess (AWS Managed Policy) policy
      sh
      echo '{
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "cloudformation:*"
                  ],
                  "Resource": "*"
              }
          ]
      }' > cloudformation-policy.json
      sh
      aws iam create-policy --policy-name cloudformation-policy --policy-document file://cloudformation-policy.json
      
      POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`cloudformation-policy`].Arn' --output text)
      aws iam attach-user-policy --user-name "eks-cluster" --policy-arn $POLICY_ARN
    • Create EKSAllAccess policy
      sh
      echo '{
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": "eks:*",
                 "Resource": "*"
             },
             {
                 "Action": [
                     "ssm:GetParameter",
                     "ssm:GetParameters"
                 ],
                 "Resource": [
                     "arn:aws:ssm:*:${AWS_ACCOUNT_ID}:parameter/aws/*",
                     "arn:aws:ssm:*::parameter/aws/*"
                 ],
                 "Effect": "Allow"
             },
             {
                 "Action": [
                 "kms:CreateGrant",
                 "kms:DescribeKey"
                 ],
                 "Resource": "*",
                 "Effect": "Allow"
             },
             {
                 "Action": [
                 "logs:PutRetentionPolicy"
                 ],
                 "Resource": "*",
                 "Effect": "Allow"
             }
         ]
      }' > eks-policy-template.json
      
      envsubst < eks-policy-template.json > eks-policy.json
      sh
      aws iam create-policy --policy-name eks-policy --policy-document file://eks-policy.json
      
      POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`eks-policy`].Arn' --output text)
      aws iam attach-user-policy --user-name "eks-cluster" --policy-arn $POLICY_ARN
    • Create IamLimitedAccess policy
      sh
      echo '{
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "iam:CreateInstanceProfile",
                      "iam:DeleteInstanceProfile",
                      "iam:GetInstanceProfile",
                      "iam:RemoveRoleFromInstanceProfile",
                      "iam:GetRole",
                      "iam:CreateRole",
                      "iam:DeleteRole",
                      "iam:AttachRolePolicy",
                      "iam:PutRolePolicy",
                      "iam:AddRoleToInstanceProfile",
                      "iam:ListInstanceProfilesForRole",
                      "iam:PassRole",
                      "iam:DetachRolePolicy",
                      "iam:DeleteRolePolicy",
                      "iam:GetRolePolicy",
                      "iam:GetOpenIDConnectProvider",
                      "iam:CreateOpenIDConnectProvider",
                      "iam:DeleteOpenIDConnectProvider",
                      "iam:TagOpenIDConnectProvider",
                      "iam:ListAttachedRolePolicies",
                      "iam:TagRole",
                      "iam:GetPolicy",
                      "iam:CreatePolicy",
                      "iam:DeletePolicy",
                      "iam:ListPolicyVersions"
                  ],
                  "Resource": [
                      "arn:aws:iam::${AWS_ACCOUNT_ID}:instance-profile/eksctl-*",
                      "arn:aws:iam::${AWS_ACCOUNT_ID}:role/eksctl-*",
                      "arn:aws:iam::${AWS_ACCOUNT_ID}:policy/eksctl-*",
                      "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/*",
                      "arn:aws:iam::${AWS_ACCOUNT_ID}:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
                      "arn:aws:iam::${AWS_ACCOUNT_ID}:role/eksctl-managed-*"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "iam:GetRole"
                  ],
                  "Resource": [
                      "arn:aws:iam::${AWS_ACCOUNT_ID}:role/*"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "iam:CreateServiceLinkedRole"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "iam:AWSServiceName": [
                              "eks.amazonaws.com",
                              "eks-nodegroup.amazonaws.com",
                              "eks-fargate.amazonaws.com"
                          ]
                      }
                  }
              }
          ]
      }' > iam-policy-template.json
      
      envsubst < iam-policy-template.json > iam-policy.json
      sh
      aws iam create-policy --policy-name iam-policy --policy-document file://iam-policy.json
      
      POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`iam-policy`].Arn' --output text)
      aws iam attach-user-policy --user-name "eks-cluster" --policy-arn $POLICY_ARN
  • Create Access Token for the user
    sh
    aws iam create-access-key --user-name "eks-cluster"

Then add the credential here you got from previous step.

Azure

To configure Azure credentials for accessing and managing Azure Kubernetes Service (AKS) clusters, follow these steps using the Azure CLI:

  • Set the Azure subscription ID using the following command.
    sh
    export AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
  • Create Azure Service Principal with Contributor role.
    sh
    az ad sp create-for-rbac --role Contributor --scopes="/subscriptions/${AZURE_SUBSCRIPTION_ID}" --sdk-auth
  • Save Credentials
    The command will output a JSON response containing the service principal details, including clientId (Application ID), clientSecret (Client Secret), subscriptionId, tenantId, and other information. Save these credentials securely as they will be used to configure the AKS cluster.

Then add the credential here.

Digital Ocean

To access Digital Ocean Managed clusters, you need to create a API token from Digital Ocean.

Ref: How to Create a Personal Access Token

Then add the credential here you got from Digital Ocean.





Google Cloud

To access GKE clusters, you need to create a GCP service account with with container.admin role.

  • Set Project id, service account name
    sh
    # Set the project ID where you registered your Domain
    PROJECT_ID="myproject-id" # change it to your project id
    GKE_SA_NAME="gke-cluster" # change it to your desired sa name
    GKE_SA_EMAIL="$GKE_SA_NAME@${PROJECT_ID}.iam.gserviceaccount.com"
  • Create Service account and Assign permission
    sh
    gcloud iam service-accounts create $GKE_SA_NAME --display-name $GKE_SA_NAME
    
    # assign google service account to dns.admin role in cloud-dns project
    gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:$GKE_SA_EMAIL --role "roles/container.admin"
  • Create a Service Account Secret
    sh
    # download static credentials
    gcloud iam service-accounts keys create $GKE_SA_NAME-credentials.json \
    --iam-account $GKE_SA_EMAIL

Then add the service account credentials here.

Google OAuth

Simplest way to access GKE clusters is through creating Google OAuth type credential.
Just head over here and

  • Choose a Name
  • Select Credential Type: Google OAuth
  • Click Continue with Google

This will create a credential, you will be able to access your k8s cluster with.




Linode

To access LKE clusters, you need to create a API token from Linode with the following permissions.

  • Kubernetes (Read/Write)

Ref: Manage Linode Personal Access Tokens

Then add the credential here you got from Linode.




Rancher

To access Rancher clusters through AppsCode, you need to create an API token in your Rancher system. Follow these steps:

  1. In Rancher, click on the profile icon.
  2. Select Account & API Keys.
  3. Click Create API Key.
  4. Provide a name and set the expiration for the API key.
  5. Click Create to complete the API token creation.

Reference: Rancher API Keys

Copy the generated access key, secret key, and API endpoint from the Account & API Keys overview page.

Next, add these credentials to the AppsCode user settings credentials page.