Prepare the AWS configuration

1. On the bootstrap node, verify access to the target cloud endpoint from Docker. For example:

   docker run --rm alpine sh -c "apk add --no-cache curl; \
   curl https://ec2.amazonaws.com"

   The system output must not contain error records.
2. Generate the AWS Access Key ID with Secret Access Key for the user with the IAMFullAccess permissions and select the AWS default region name. For details, see AWS General Reference: Programmatic access.

3. Change the directory to the kaas-bootstrap folder created by the get_container_cloud.sh script.

4. Export the following parameters by adding the corresponding values for the AWS IAMFullAccess user credentials created in the previous step:

   export KAAS_AWS_ENABLED=true
   export AWS_SECRET_ACCESS_KEY=XXXXXXX
   export AWS_ACCESS_KEY_ID=XXXXXXX
   export AWS_DEFAULT_REGION=us-east-2
5. For Container Cloud to communicate with the AWS APIs, create the AWS CloudFormation stack that contains properly configured IAM users and policies.

   Note

   If the AWS CloudFormation stack already exists in your AWS account, skip this step.

   ./container-cloud bootstrap aws policy

   If you do not have access to create the CloudFormation stack, users, or policies:

   1. Log in to your AWS Management Console.

   2. On the home page, expand the upper right menu with your user name and capture your Account ID.

   3. Create the CloudFormation template:

      ./container-cloud bootstrap aws policy --account-id <accountId> --dump > cf.yaml

      Substitute the parameter enclosed in angle brackets with the corresponding value.

   4. Send the cf.yaml template to your AWS account admin to create the CloudFormation stack from this template.

   The generated template includes the following lists of IAM permissions:
Node policies

ec2:DescribeInstances
ec2:DescribeRegions
ecr:GetAuthorizationToken
ecr:BatchCheckLayerAvailability
ecr:GetDownloadUrlForLayer
ecr:GetRepositoryPolicy
ecr:DescribeRepositories
ecr:ListImages
ecr:BatchGetImage
Controller node policies

ec2:AllocateAddress
ec2:AssociateRouteTable
ec2:AttachInternetGateway
ec2:AuthorizeSecurityGroupIngress
ec2:CreateInternetGateway
ec2:CreateNatGateway
ec2:CreateRoute
ec2:CreateRouteTable
ec2:CreateSecurityGroup
ec2:CreateSubnet
ec2:CreateTags
ec2:CreateVpc
ec2:ModifyVpcAttribute
ec2:DeleteInternetGateway
ec2:DeleteNatGateway
ec2:DeleteRouteTable
ec2:DeleteSecurityGroup
ec2:DeleteSubnet
ec2:DeleteTags
ec2:DeleteVpc
ec2:DescribeAccountAttributes
ec2:DescribeAddresses
ec2:DescribeAvailabilityZones
ec2:DescribeInstances
ec2:DescribeInstanceTypes
ec2:DescribeInternetGateways
ec2:DescribeImages
ec2:DescribeNatGateways
ec2:DescribeNetworkInterfaces
ec2:DescribeNetworkInterfaceAttribute
ec2:DescribeRegions
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcs
ec2:DescribeVpcAttribute
ec2:DescribeVolumes
ec2:DetachInternetGateway
ec2:DisassociateRouteTable
ec2:DisassociateAddress
ec2:ModifyInstanceAttribute
ec2:ModifyNetworkInterfaceAttribute
ec2:ModifySubnetAttribute
ec2:ReleaseAddress
ec2:RevokeSecurityGroupIngress
ec2:RunInstances
ec2:TerminateInstances
tag:GetResources
elasticloadbalancing:CreateLoadBalancer
elasticloadbalancing:ConfigureHealthCheck
elasticloadbalancing:DeleteLoadBalancer
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:RegisterInstancesWithLoadBalancer
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:CreateTargetGroup
elasticloadbalancing:DeleteTargetGroup
elasticloadbalancing:DescribeListeners
elasticloadbalancing:CreateListener
elasticloadbalancing:DeleteListener
elasticloadbalancing:RegisterTargets
elasticloadbalancing:DeregisterTargets
Control plane policies

autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribeTags
ec2:DescribeInstances
ec2:DescribeImages
ec2:DescribeRegions
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVolumes
ec2:CreateSecurityGroup
ec2:CreateTags
ec2:CreateVolume
ec2:ModifyInstanceAttribute
ec2:ModifyVolume
ec2:AttachVolume
ec2:AuthorizeSecurityGroupIngress
ec2:CreateRoute
ec2:DeleteRoute
ec2:DeleteSecurityGroup
ec2:DeleteVolume
ec2:DetachVolume
ec2:RevokeSecurityGroupIngress
ec2:DescribeVpcs
elasticloadbalancing:AddTags
elasticloadbalancing:AttachLoadBalancerToSubnets
elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
elasticloadbalancing:CreateLoadBalancer
elasticloadbalancing:CreateLoadBalancerPolicy
elasticloadbalancing:CreateLoadBalancerListeners
elasticloadbalancing:ConfigureHealthCheck
elasticloadbalancing:DeleteLoadBalancer
elasticloadbalancing:DeleteLoadBalancerListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DetachLoadBalancerFromSubnets
elasticloadbalancing:DeregisterInstancesFromLoadBalancer
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:RegisterInstancesWithLoadBalancer
elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
elasticloadbalancing:AddTags
elasticloadbalancing:CreateListener
elasticloadbalancing:CreateTargetGroup
elasticloadbalancing:DeleteListener
elasticloadbalancing:DeleteTargetGroup
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:DescribeTargetHealth
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyTargetGroup
elasticloadbalancing:RegisterTargets
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
iam:CreateServiceLinkedRole
kms:DescribeKey
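Before the account admin creates the stack from cf.yaml, it is worth confirming that the policies it carries grant exactly the actions listed above and nothing broader. The following is an added example, not part of the Container Cloud tooling or of Mirantis documentation: it audits an IAM policy document (JSON statement format) against one of the published action lists, flags wildcard actions, actions outside the list, and listed actions that are not covered. The node policy list is embedded as published here; the controller node and control plane lists can be supplied to the same function in the same way. The sample policy is constructed for illustration and deliberately contains one wildcard and one extra action.

```python
"""Least-privilege audit of an IAM policy document against a published action list.

Added example, not Mirantis code. The policy below is constructed for illustration.
"""
import fnmatch
import json

# Node policy actions exactly as listed in the Container Cloud documentation.
NODE_POLICY_ACTIONS = frozenset({
    "ec2:DescribeInstances", "ec2:DescribeRegions", "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
    "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages",
    "ecr:BatchGetImage",
})


def _allowed_actions(policy):
    """Collect every action granted by Allow statements; Action may be a string or a list."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen the grant, so they are ignored here
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def audit_policy(policy, expected):
    """Compare the actions a policy grants with the expected set.

    Returns a dict with sorted lists:
      wildcards  - granted actions containing '*' (each covers more than one API call)
      unexpected - concrete granted actions that are not in the expected list
      missing    - expected actions not covered by a concrete grant or a matching wildcard
    """
    granted = _allowed_actions(policy)
    wildcards = {a for a in granted if "*" in a}
    concrete = granted - wildcards
    unexpected = concrete - set(expected)

    def covered(action):
        return action in concrete or any(fnmatch.fnmatchcase(action, w) for w in wildcards)

    missing = {a for a in expected if not covered(a)}
    return {
        "wildcards": sorted(wildcards),
        "unexpected": sorted(unexpected),
        "missing": sorted(missing),
    }


def is_least_privilege(report):
    """True only when the grant matches the expected list with no wildcards or extras."""
    return not (report["wildcards"] or report["unexpected"] or report["missing"])


# Constructed sample policy: two listed actions granted precisely, the ECR actions
# granted through a wildcard, one action outside the node list, and a Deny statement.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:TerminateInstances"], "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY, NODE_POLICY_ACTIONS)
    print(json.dumps(report, indent=2))
    print("least privilege:", is_least_privilege(report))
```

On the sample, the report lists ecr:* under wildcards and iam:PassRole under unexpected, with nothing missing, so the policy is rejected as broader than the published list. The cf.yaml template itself is YAML; extracting its PolicyDocument blocks into the JSON statement form used here requires a YAML parser, which the example does not assume.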
6. Configure the bootstrapper.cluster-api-provider-aws.kaas.mirantis.com user created in the previous steps:

   1. Using your AWS Management Console, generate the AWS Access Key ID with Secret Access Key for bootstrapper.cluster-api-provider-aws.kaas.mirantis.com and select the AWS default region name.

      Note

      Other authorization methods, such as usage of AWS_SESSION_TOKEN, are not supported.

   2. Export the AWS bootstrapper.cluster-api-provider-aws.kaas.mirantis.com user credentials that were created in the previous step:

      export KAAS_AWS_ENABLED=true
      export AWS_SECRET_ACCESS_KEY=XXXXXXX
      export AWS_ACCESS_KEY_ID=XXXXXXX
      export AWS_DEFAULT_REGION=us-east-2
7. In templates/aws/machines.yaml.template, modify the spec:providerSpec:value section by substituting the ami:id parameter with the corresponding value for Ubuntu 20.04 from the required AWS region. For example:

   spec:
     providerSpec:
       value:
         apiVersion: aws.kaas.mirantis.com/v1alpha1
         kind: AWSMachineProviderSpec
         instanceType: c5.4xlarge
         ami:
           id: ami-033a0960d9d83ead0
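The export lines above are easy to get subtly wrong: a placeholder left in place, a key pair taken from an STS session rather than from the bootstrapper IAM user, or an AWS_SESSION_TOKEN lingering in the shell although this page states that it is not supported. The following is an added example, not part of the Container Cloud tooling, that checks the exported variables and the ami:id value for the shape this page expects before bootstrap is started. The credential values in it are the well-known AWS documentation examples, and the environment mapping is constructed; the prefix and length rules it applies (AKIA-prefixed 20-character key ids, 40-character secrets, 8- or 17-hex-digit AMI ids) are AWS conventions, not something this page specifies.

```python
"""Pre-flight check of the bootstrap inputs described on this page.

Added example, not Mirantis code. The sample environment is constructed.
"""
import os
import re

# Long-term IAM user access key ids start with AKIA; temporary STS keys start with ASIA.
_ACCESS_KEY_RE = re.compile(r"^AKIA[0-9A-Z]{16}$")
# AMI ids are 'ami-' followed by 8 (legacy) or 17 hex characters.
_AMI_RE = re.compile(r"^ami-[0-9a-f]{8}([0-9a-f]{9})?$")
# Region names such as us-east-2 or us-gov-west-1.
_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def check_bootstrap_env(env):
    """Return a list of problems found in the environment mapping; an empty list means OK."""
    problems = []
    if env.get("KAAS_AWS_ENABLED") != "true":
        problems.append("KAAS_AWS_ENABLED must be set to 'true'")
    if not _ACCESS_KEY_RE.match(env.get("AWS_ACCESS_KEY_ID", "")):
        problems.append("AWS_ACCESS_KEY_ID is missing, a placeholder, or not a long-term IAM user key (AKIA...)")
    if len(env.get("AWS_SECRET_ACCESS_KEY", "")) != 40:
        problems.append("AWS_SECRET_ACCESS_KEY is missing, a placeholder, or not 40 characters long")
    if not _REGION_RE.match(env.get("AWS_DEFAULT_REGION", "")):
        problems.append("AWS_DEFAULT_REGION is missing or malformed")
    # The page states that AWS_SESSION_TOKEN is not a supported authorization method.
    if env.get("AWS_SESSION_TOKEN"):
        problems.append("AWS_SESSION_TOKEN is set: temporary credentials are not supported for bootstrap")
    return problems


def check_ami_id(ami_id):
    """True when the value has the shape of an AMI id, as used for ami:id in machines.yaml.template."""
    return bool(_AMI_RE.match(ami_id))


def check_current_shell():
    """Run the checks against the real environment of the running process."""
    return check_bootstrap_env(os.environ)


# Constructed sample environment using the AWS documentation example key pair.
SAMPLE_ENV = {
    "KAAS_AWS_ENABLED": "true",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "AWS_DEFAULT_REGION": "us-east-2",
}

if __name__ == "__main__":
    for problem in check_bootstrap_env(SAMPLE_ENV) or ["sample environment OK"]:
        print(problem)
    print("ami id valid:", check_ami_id("ami-033a0960d9d83ead0"))
    for problem in check_current_shell():
        print("current shell:", problem)
```

Run it in the same shell after the export commands: with the XXXXXXX placeholders still present it reports the access key id and the secret as invalid, and with a session token exported it reports that as well, before any AWS API call is attempted.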
Warning

Do not stop the AWS instances dedicated to the Container Cloud clusters; doing so can cause data loss and cluster failure.