Showing 4 changed files with 164 additions and 0 deletions.
@@ -0,0 +1,164 @@ | ||
--- | ||
sidebar_position: 8 | ||
title: AWS EKS CNI Mini-tutorial | ||
--- | ||
import CodeBlock from "@theme/CodeBlock"; | ||
import Tabs from '@theme/Tabs'; | ||
import TabItem from '@theme/TabItem'; | ||
|
||
Running the AWS VPC CNI plugin on EKS with Otterize. This mini-tutorial shows how to run the AWS VPC CNI plugin on EKS with Otterize. | ||
|
||
## Prerequisites | ||
|
||
* An EKS cluster with the AWS VPC CNI plugin installed. See [Installing the AWS VPC CNI plugin](https://docs.aws.amazon.com/eks/latest/userguide/pod-networking.html) for more information. | ||
* An Otterize account. See [Getting Started](https://docs.otterize.com/getting-started) for more information. | ||
* The [Otterize CLI](https://docs.otterize.com/cli/installation). | ||
* The [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html). | ||
* The [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) command-line tool. | ||
|
||
## Step one: Create an AWS EKS cluster with the AWS VPC CNI plugin | ||
|
||
### Prepare a Kubernetes cluster | ||
|
||
Before you start, you'll need an AWS Kubernetes cluster. Having a cluster with a [CNI](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) that supports [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) is required for this tutorial. | ||
|
||
Save this `yaml` as `sample-config-file.yaml`: | ||
|
||
```yaml | ||
apiVersion: eksctl.io/v1alpha5 | ||
kind: ClusterConfig | ||
|
||
metadata: | ||
name: np-ipv4-127 | ||
region: us-west-2 | ||
version: "1.27" | ||
|
||
kubernetesNetworkConfig: | ||
ipFamily: IPv4 | ||
|
||
managedNodeGroups: | ||
- name: np-ipv4-127-nodegroup | ||
instanceType: t3.medium | ||
desiredCapacity: 3 | ||
ssh: | ||
enableSsm: true | ||
iam: | ||
withAddonPolicies: | ||
albIngress: true | ||
|
||
addons: | ||
- name: vpc-cni | ||
version: v1.12.6-eksbuild.2 # optional | ||
- name: coredns | ||
version: v1.10.1-eksbuild.1 # optional | ||
``` | ||
Then run the following command to create your AWS cluster: | ||
```shell | ||
eksctl create cluster -f sample-config-file.yaml | ||
``` | ||
|
||
Once everything is up and running from the AWS EKS side, so you can install the Otterize agents, and some pods to test the network policy creation. | ||
|
||
## Step two: Install the Otterize agents | ||
|
||
### Install the Otterize agent on your cluster | ||
|
||
You can now install Otterize in your cluster, and optionally connect to Otterize Cloud. Connecting to Cloud lets you see what's happening visually in your browser, through the "access graph". | ||
|
||
So either forego browser visualization and: | ||
|
||
<details> | ||
<summary>Install Otterize in your cluster with the Kafka watcher component enabled, <b>without</b> Otterize Cloud</summary> | ||
|
||
``` | ||
helm repo add otterize https://helm.otterize.com | ||
helm repo update | ||
helm install otterize otterize/network-mapper -n otterize-system --create-namespace \ | ||
--set kafkawatcher.enable=true \ | ||
--set kafkawatcher.kafkaServers={"kafka-0.kafka"} | ||
``` | ||
|
||
</details> | ||
|
||
Or choose to include browser visualization and: | ||
|
||
<details> | ||
<summary>Install Otterize in your cluster, <b>with</b> Otterize Cloud</summary> | ||
|
||
#### Create an Otterize Cloud account | ||
|
||
{@include: ../_common/create-account.md} | ||
|
||
#### Install Otterize OSS, connected to Otterize Cloud | ||
|
||
{@include: ../_common/install-otterize-from-cloud-with-enforcement-and-kafka-watcher.md} | ||
|
||
</details> | ||
|
||
Finally, you'll need to install the Otterize CLI (if you haven't already) to interact with the network mapper: | ||
|
||
<details> | ||
<summary>Install the Otterize CLI</summary> | ||
|
||
{@include: ../_common/install-otterize-cli.md} | ||
|
||
</details> | ||
|
||
### Install the Otterize ecom demo application | ||
|
||
So that we have some pods to look at (and protect), you can install our E-commerce Demo application, or you can deploy your own application to see hwo this would work with your app. | ||
|
||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/otterize/ecom-demo/master/ecom-demo.yaml | ||
``` | ||
|
||
Once you have that installed and running your Otterize access graph should look something like this: | ||
|
||
![Access Graph](/img/quick-tutorials/aws-eks-mini/access-graph.png) | ||
|
||
## Step three: Create an intent | ||
|
||
Now that you have the Otterize agents installed, you can create an intent to make sure that, when you apply security, your service isn't blocked to the `frontend` service. | ||
|
||
```shell | ||
otterize network-mapper export --server frontend.otterize-ecom-demo | kubectl apply -f - | ||
``` | ||
|
||
At which point you should see that the `frontend` service is ready to be protected: | ||
|
||
![One intent applied](/img/quick-tutorials/aws-eks-mini/one-intent.png) | ||
|
||
And you can then protect the `frontend` service by applying the following `yaml` file: | ||
|
||
```yaml | ||
apiVersion: k8s.otterize.com/v1alpha2 | ||
kind: ProtectedService | ||
metadata: | ||
name: frontend | ||
namespace: otterize-ecom-demo | ||
spec: | ||
name: frontend | ||
``` | ||
Save that to a file called `protect-frontendservice.yaml` and then run: | ||
|
||
```shell | ||
% kubectl apply -f protect-frontendservice.yaml | ||
``` | ||
And you should see your access graph showing the service as protected: | ||
|
||
![Protected Service](/img/quick-tutorials/aws-eks-mini/protected.png) | ||
|
||
## What's next | ||
|
||
Have a look at the [Guide](https://docs.otterize.com/guides/protect-1-service-network-policies) on how to proceed through all of the remaining services and protect them one at a time. | ||
|
||
## Teardown | ||
|
||
To remove the deployed examples run: | ||
```bash | ||
helm uninstall otterize -n otterize-system | ||
helm uninstall otterize-ecom-demo -n otterize-ecom-demo | ||
helm delete ns otterize-ecom-demo | ||
``` |
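Review bot: the Teardown block at the end of the hunk does not undo what the tutorial deployed: the demo was installed with `kubectl apply -f .../ecom-demo.yaml`, so `helm uninstall otterize-ecom-demo -n otterize-ecom-demo` has no release to remove, and `helm delete ns` is not a Helm command; replace both with `kubectl delete ns otterize-ecom-demo`, and add `eksctl delete cluster -f sample-config-file.yaml` so the cluster created in step one is removed as well. Two further points decide whether the network policies are enforced rather than merely created: the ClusterConfig pins `vpc-cni` at `v1.12.6-eksbuild.2`, which predates the native NetworkPolicy support that arrived in VPC CNI v1.14 (and has to be switched on through the addon's `enableNetworkPolicy` configuration value), so with this config the `ProtectedService` in step three produces policies the data plane ignores unless a separate policy engine is installed; and the "without Otterize Cloud" path only installs the `otterize/network-mapper` chart, while `ProtectedService` and the exported intents are reconciled by the intents operator, so confirm that chart ships it or point readers at the chart that does. Smaller fixes: the first sentence after the imports says the same thing twice; "Once everything is up and running from the AWS EKS side, so you can install" needs the stray "so" dropped; "hwo" should be "how"; the `% ` prompt in the `kubectl apply -f protect-frontendservice.yaml` block should go so it is copy-pasteable like the other blocks; and the no-Cloud summary advertises the Kafka watcher with `kafkawatcher.kafkaServers={"kafka-0.kafka"}`, which nothing in the ecom demo steps uses, so either drop those flags or explain which Kafka service they point at.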