AWSTemplateFormatVersion: "2010-09-09" Description: "Amazon EKS cluster pre/post-work blog sample" Parameters: ClusterName: Type: String PreworkScriptBucket: Type: String Default: aws-quickstart PreworkScriptObject: Type: String Default: "quickstart-examples/blog-assets/eks-cluster-prework/scripts/pw-script.sh" JobName: Type: String Default: example-job AllowedPattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' ConstraintDescription: "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character" KubernetesNameSpace: Type: String Default: "prework-example" Resources: PreWorkIAMRole: Type: AWS::IAM::Role Properties: RoleName: !Sub "pw-role-${JobName}" AssumeRolePolicyDocument: !Sub - | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDCProvider}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}" } } } ] } - NameSpace: !Ref KubernetesNameSpace ResourceName: !Sub "pw-service-account-${JobName}" OIDCProvider: !Join [ '', !Split [ 'https://', !Ref 'GetOIDCProvider' ] ] Path: "/" Policies: - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - s3:GetObject - s3:HeadObject Resource: - !Sub "arn:${AWS::Partition}:s3:::${PreworkScriptBucket}/${PreworkScriptObject}" GetOIDCProvider: Type: Custom::GetOIDCProvider Properties: ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader" AwsCliCommand: !Sub "eks describe-cluster --name ${ClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'" IdField: 'issuer' KubePreWorkNamespace: Type: "AWSQS::Kubernetes::Resource" Properties: ClusterName: !Ref ClusterName Namespace: default Manifest: !Sub | kind: Namespace apiVersion: v1 metadata: name: ${KubernetesNameSpace} KubePreWorkRole: Type: AWSQS::Kubernetes::Resource DependsOn: [ KubePreWorkNamespace ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace Manifest: !Sub - | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/name: "${ResourceName}" name: "${ResourceName}" # Modify for your scripts here rules: - apiGroups: - "" resources: - secrets verbs: - create - delete - get - ResourceName: !Sub "pw-role-${JobName}" NameSpace: !Ref "KubernetesNameSpace" KubePreWorkServiceAccount: Type: AWSQS::Kubernetes::Resource DependsOn: [ KubePreWorkNamespace ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace Manifest: !Sub - | apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/name: "${ResourceName}" annotations: eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName} name: "${ResourceName}" namespace: ${NameSpace} - ResourceName: !Sub "pw-service-account-${JobName}" NameSpace: !Ref KubernetesNameSpace RoleName: !Ref PreWorkIAMRole KubePreWorkRoleBinding: Type: AWSQS::Kubernetes::Resource DependsOn: [ KubePreWorkNamespace, KubePreWorkRole, KubePreWorkServiceAccount ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace Manifest: !Sub - | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/name: "${ResourceName}" name: "${ResourceName}" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: "pw-role-${JobName}" subjects: - kind: ServiceAccount name: "pw-service-account-${JobName}" namespace: ${NameSpace} - ResourceName: !Sub "pw-role-binding-${JobName}" NameSpace: !Ref KubernetesNameSpace KubePreWorkJob: DependsOn: [ PreWorkIAMRole, KubePreWorkRole, KubePreWorkServiceAccount, KubePreWorkRoleBinding ] Type: AWSQS::Kubernetes::Resource Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace Manifest: !Sub - | apiVersion: batch/v1 kind: Job metadata: name: "${ResourceName}" namespace: ${NameSpace} spec: template: spec: containers: - name: ${ResourceName} image: amazonlinux:2 command: ["/bin/bash","-c"] args: - > sleep 15; export AWS_REGION=${AWS::Region}; export NS=${NameSpace}; yum install -y aws-cli; aws sts get-caller-identity; aws s3 cp ${!S3_SCRIPT_URL} ./prework-script.sh && chmod +x ./prework-script.sh && ./prework-script.sh env: - name: S3_SCRIPT_URL value: ${S3ScriptURL} - name: AWS_REGION value: ${AWS::Region} - name: KUBE_NAMESPACE value: ${KubernetesNameSpace} serviceAccountName: "pw-service-account-${JobName}" restartPolicy: Never backoffLimit: 4 - ResourceName: !Sub "pw-job-${JobName}" NameSpace: !Ref "KubernetesNameSpace" S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}"