cloudposse / charts

The "Cloud Posse" Distribution of Kubernetes Applications
https://cloudposse.com/accelerate
Apache License 2.0

[route53-kubernetes] No permission to EKS master #145

Closed ozbillwang closed 6 years ago

ozbillwang commented 6 years ago

I found the chart route53-kubernetes here and tried to use it to manage the DNS names.

But the documentation insists that this DaemonSet has to be deployed to master nodes. In the latest AWS EKS, however, we have no control over the master nodes.

What should I do?

osterman commented 6 years ago

@ozbillwang good question! So the primary reason for running route53-kubernetes on the masters is that it does not (or did not?) support assuming IAM roles. So to reduce blast radius, running it on the masters was more secure. We've deprecated our usage of route53-kubernetes and instead moved on to external-dns, which does support assumed roles. Either way, there's more community support around external-dns, so I would pursue that.

Here's our "helmfile" definition for deploying external-dns on kops:

https://github.com/cloudposse/geodesic/blob/master/rootfs/conf/kops/helmfile.yaml#L270-L317

Also, here's the terraform module we use for kops to provision the IAM role. You'll need to do something similar for EKS.

https://github.com/cloudposse/terraform-aws-kops-external-dns

ozbillwang commented 6 years ago

Thanks, I will try external-dns.

osterman commented 6 years ago

@ozbillwang check out this PR: https://github.com/uswitch/kiam/pull/112 for an AWS EKS demo.