AWS Marketplace installation
Buoyant Enterprise for Linkerd may be installed via AWS Marketplace. This guide demonstrates how to do so.
Prerequisites
- The BUOYANT_LICENSE environment variable set, with a functioning BEL CLI
- An EKS cluster with access to the AWS Marketplace Docker registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com
- eksctl installed locally
- An EKS cluster with RegisterUsage permissions, set up as follows:
aws_account_id=$(aws sts get-caller-identity --query "Account" --output text)
# Select cluster_name from `aws eks list-clusters`.
cluster_name=[cluster-name]
# Associate an IAM OIDC (OpenID Connect) provider with the specified EKS cluster
# to enable IAM roles for service accounts.
eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve
# Retrieve the OIDC provider URL for the cluster.
oidc_provider=$(
aws eks describe-cluster --name $cluster_name \
--query "cluster.identity.oidc.issuer" --output text |
sed 's|^https://||'
)
# Create a JSON file defining the IAM trust policy for a role that will be
# assumed by pods in the cluster. The StringLike condition on "sub" matches
# every ServiceAccount in every namespace, which is what the annotation step
# below relies on; the "aud" condition restricts tokens to those minted for STS.
cat <<EOF > pod-trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::$aws_account_id:oidc-provider/$oidc_provider"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"$oidc_provider:sub": "system:serviceaccount:*:*",
"$oidc_provider:aud": "sts.amazonaws.com"
}
}
}
]
}
EOF
# Create an IAM role for pods in the cluster using the trust policy file.
aws iam create-role \
--role-name eksPodRole-$cluster_name \
--assume-role-policy-document file://"pod-trust-policy.json"
# Attach the AWS-managed policy for metering usage to the newly created IAM
# role.
aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage \
--role-name eksPodRole-$cluster_name
# Annotate every ServiceAccount in the cluster with the ARN of the IAM role.
kubectl get serviceaccount --all-namespaces --output=jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name}{"\n"}{end}' |
while read -r namespace name; do
kubectl annotate --namespace $namespace serviceaccount $name \
eks.amazonaws.com/role-arn=arn:aws:iam::$aws_account_id:role/eksPodRole-$cluster_name --overwrite
done
Install BEL via AWS Marketplace
Using the BEL CLI:
curl https://enterprise.buoyant.io/install | sh
linkerd install --crds | kubectl apply -f -
linkerd install \
--set controllerImage=709825985650.dkr.ecr.us-east-1.amazonaws.com/buoyant-enterprise-for-linkerd/controller \
--set policyController.image.name=709825985650.dkr.ecr.us-east-1.amazonaws.com/buoyant-enterprise-for-linkerd/policy-controller \
--set proxy.image.name=709825985650.dkr.ecr.us-east-1.amazonaws.com/buoyant-enterprise-for-linkerd/proxy \
--set proxyInit.image.name=709825985650.dkr.ecr.us-east-1.amazonaws.com/buoyant-enterprise-for-linkerd/proxy-init |
kubectl apply -f -
Alternatively, using Helm:
helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update
helm install linkerd-crds \
--create-namespace \
--namespace linkerd \
linkerd-buoyant/linkerd-enterprise-crds
helm install linkerd-control-plane \
--namespace linkerd \
--set license=$BUOYANT_LICENSE \
--set-file identityTrustAnchorsPEM=ca.crt \
--set-file identity.issuer.tls.crtPEM=issuer.crt \
--set-file identity.issuer.tls.keyPEM=issuer.key \
--set controllerImage=709825985650.dkr.ecr.us-east-1.amazonaws.com/buoyant-enterprise-for-linkerd/controller \
--set policyController.image.name=709825985650.dkr.ecr.us-east-1.amazonaws.com/buoyant-enterprise-for-linkerd/policy-controller \
--set proxy.image.name=709825985650.dkr.ecr.us-east-1.amazonaws.com/buoyant-enterprise-for-linkerd/proxy \
--set proxyInit.image.name=709825985650.dkr.ecr.us-east-1.amazonaws.com/buoyant-enterprise-for-linkerd/proxy-init \
linkerd-buoyant/linkerd-enterprise-control-plane
Post-install
Every service account on the cluster must be annotated with the eksPodRole.
After installing BEL, run this command to ensure that the BEL service accounts
are annotated. Furthermore, this command must be run whenever a new
ServiceAccount is introduced to the cluster.
kubectl get serviceaccount --all-namespaces --output=jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name}{"\n"}{end}' |
while read -r namespace name; do
kubectl annotate --namespace $namespace serviceaccount $name \
eks.amazonaws.com/role-arn=arn:aws:iam::$aws_account_id:role/eksPodRole-$cluster_name --overwrite
done
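To check that the post-install step actually took effect, here is an added audit script (not part of the Buoyant documentation) that flags ServiceAccounts still missing the eks.amazonaws.com/role-arn annotation, or annotated with a different role. It assumes the kubectl jsonpath query shown in its comment and runs on a constructed sample listing.

```shell
#!/bin/sh
# Added example, not from the Buoyant docs. Audits a "namespace name [role-arn]"
# listing of ServiceAccounts, as produced by (assumed jsonpath, one line per SA):
#   kubectl get serviceaccount --all-namespaces \
#     --output=jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name} {.metadata.annotations.eks\.amazonaws\.com/role-arn}{"\n"}{end}'

# audit_sa_annotations EXPECTED_ARN < listing
# Prints "MISSING ns/name" for accounts with no role-arn annotation and
# "MISMATCH ns/name <arn>" for accounts bound to a different role.
# Returns 0 when every account carries the expected ARN, 1 otherwise.
audit_sa_annotations() {
  expected_arn=$1
  bad=0
  while read -r namespace name arn; do
    [ -z "$namespace" ] && continue
    if [ -z "$arn" ]; then
      printf 'MISSING %s/%s\n' "$namespace" "$name"
      bad=1
    elif [ "$arn" != "$expected_arn" ]; then
      printf 'MISMATCH %s/%s %s\n' "$namespace" "$name" "$arn"
      bad=1
    fi
  done
  return $bad
}

# Constructed sample: a listing after a partial annotation run on a cluster
# named "demo" in the (made-up) account 123456789012.
sample_input() {
  cat <<'EOF'
linkerd linkerd-identity arn:aws:iam::123456789012:role/eksPodRole-demo
linkerd linkerd-destination arn:aws:iam::123456789012:role/eksPodRole-demo
linkerd linkerd-proxy-injector
default default arn:aws:iam::123456789012:role/eksPodRole-other
EOF
}

# Run with --demo to audit the constructed sample; replace sample_input with
# the kubectl command above to audit a live cluster.
if [ "${1:-}" = "--demo" ]; then
  sample_input | audit_sa_annotations "arn:aws:iam::123456789012:role/eksPodRole-demo"
fi
```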