Kubernetes is an open source container management system for deploying, scaling, and managing
containerized applications. Kubernetes is built by Google based on their internal proprietary container management
systems (Borg and Omega). Kubernetes provides a cloud agnostic platform to deploy your containerized applications with
built in support for common operational tasks such as replication, autoscaling, self-healing, and rolling deployments.
What is Elastic Container Service for Kubernetes (EKS)?
Elastic Container Service for Kubernetes is the official AWS solution for running a Kubernetes
cluster within AWS. EKS provisions and manages the Kubernetes Master Components for you, removing a significant
operational burden for running Kubernetes. This means that EKS will automatically handle provisioning and scaling the
master components so that they are highly available and secure for your needs.
An EKS cluster represents a Kubernetes cluster that is available within your VPC to be used for scheduling your Docker
containers as Kubernetes Pods. EKS consists of two major
components that combine to formulate an EKS cluster, mapping to their Kubernetes counterparts:
EKS Control Plane: Contains the resources and endpoint to run and access the Kubernetes master components within your
VPC. The underlying resources are entirely managed by AWS. These correspond to
Kubernetes master components.
EKS Worker Nodes: Contains the resources that run your applications scheduled on the cluster as
Kubernetes Pods. These are EC2 instances that you provision with a special AMI designed to connect to the control
plane so that they are available within your Kubernetes cluster. These correspond to
Kubernetes node components.
This Module will provision both the EKS Control Plane and EKS Worker Nodes, utilizing an Auto Scaling Group so that
failed worker nodes will automatically be replaced, and we can easily scale the worker nodes in the cluster. You can
then use other modules in this package to package your Docker containers into Pods that can then be deployed on to the
EKS cluster.
ECS vs EKS
EC2 Container Service (ECS) and Elastic Container Service for
Kubernetes are two AWS solutions for running Docker containers on EC2 instances or AWS
managed machines (via Fargate in the case of ECS). ECS is a proprietary solution by
AWS that provides a way of deploying your containerized applications on AWS resources without having to manually manage
them. EKS is a new offering by AWS that provides a managed Kubernetes experience on AWS resources with first class
support for AWS concepts like VPC, IAM roles, and Security Groups. Unlike ECS which uses proprietary technology, EKS
runs an open source platform (Kubernetes). As such, you can interface with it using the Kubernetes ecosystem of tools
and resources (e.g., kubectl), just like any other Kubernetes cluster.
Which service you decide to go with is entirely dependent on your infrastructure needs. With ECS Fargate, you can focus
entirely on the application you are deploying and not have to worry about servers, clusters, and the underlying
infrastructure as a whole. However, if you want more control over your resources and infrastructure, you can use ECS
with EC2 instances. The downside with both is that you have to use a proprietary API to interact with the service that
is not portable outside of AWS (including no way to run ECS on your local computer for testing).
On the other hand, if you want to leverage existing tools and knowledge from the Kubernetes community, you can use EKS
instead. The code you develop to interface with EKS is, to an extent, portable to other Kubernetes clusters as well.
Furthermore, if you already have a Kubernetes cluster, you can reuse all of your Kubernetes configuration. The downside
to using EKS over ECS, however, is that ECS provides simpler primitives for running your workloads and meshes really
well with existing AWS infrastructure like Application and Network Load Balancers.
Here is a list of additional tradeoffs to consider between the two services:
Kubernetes is cloud agnostic. All of the major cloud providers support a managed Kubernetes experience
(GKE, EKS, AKS). You can even deploy a Kubernetes cluster on prem on your own
hardware, or run it locally for testing. ECS, on the other hand, is proprietary and only works on AWS.
Kubernetes, being open, has a larger community than ECS with a ton of resources available including plugins, books,
guides, tools, etc.
Kubernetes has a built-in solution for secrets management that works on all deployments of Kubernetes. With ECS, you
need to use an external service like KMS or Secrets Manager, neither of which has first-class support within ECS or
works locally.
Kubernetes has a mature data volume solution in StatefulSets that allows you to leverage
the dynamic nature of your containers without worrying about persistence locality. ECS has volumes for persistent
state in containers, but requires localizing the containers with the volumes.
Kubernetes has an official service discovery solution in the form of the DNS plugin that automatically allocates an
FQDN that routes to your containerized application. ECS requires additional configuration with an external DNS system
(Route53) to achieve the same effect.
ECS has native integration with AWS IAM roles so that each container can have its own IAM role/permissions to access
AWS resources. Kubernetes requires a custom solution or third party plugin (e.g.,
kube2iam) to achieve the same effect.
You only have to pay for the EC2 costs of worker nodes in ECS. EKS has a high premium for running the control plane,
in addition to the EC2 costs of worker nodes.
ECS has a simpler configuration setup and therefore is easier to learn and get started with compared to Kubernetes.
As of October 2018, Terraform support for ECS is stronger than for Kubernetes.
If you would like to use ECS, Gruntwork also provides Modules for managing ECS resources in the
terraform-aws-ecs repository.
How do I authenticate kubectl to the EKS cluster?
The standard way to interact with a Kubernetes cluster is to use the
kubectl command-line utility. However, in order to use
kubectl to access your EKS cluster, you first need to authenticate it to the cluster. EKS manages authentication to
Kubernetes based on AWS IAM roles. The IAM roles automatically translate to the corresponding role in Kubernetes via the
Role Based Access Control (RBAC) system that Kubernetes
uses to handle authorization of Kubernetes resources. By default, the AWS IAM role used to provision the EKS cluster is
granted admin level permissions (system:masters role) that allow you to perform almost anything on the cluster via
kubectl. You can add additional role mappings or modify the default one by using the eks-k8s-role-mapping
module. See the module documentation for more
information.
To support all this, EKS requires kubectl to authenticate to an AWS IAM role. However, kubectl does not have a
native way to do this. There are a couple of ways to configure kubectl for authentication with IAM:
Beginning with AWS CLI version 1.16.156, you can use the aws eks get-token command.
Both options use the AWS API to generate an authentication token that contains a signed request to fetch the
information about the assumed AWS IAM role. kubectl forwards this token to the Kubernetes API server, and EKS uses it
to authenticate the request as the assumed IAM role, which then inherits the permissions of the mapped RBAC role.
You can learn more about the details of aws eks get-token in the AWS CLI
docs.
Under the hood, EKS uses the AWS IAM Authenticator to manage authentication to the API. You can learn more about it in the official
documentation.
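The token described above is a presigned STS GetCallerIdentity URL, base64url-encoded behind a k8s-aws-v1. prefix, so it can be decoded offline to see which access key requested it and when. The following Python code is an added example, not code from this module or from AWS; the function names, the sample key ID, the simplified STS host pattern and the 15-minute staleness threshold are assumptions of the example.

```python
"""Decode an EKS bearer token and report what the embedded presigned STS request contains."""
import base64
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_PREFIX = "k8s-aws-v1."        # prefix on tokens from `aws eks get-token`
CLUSTER_ID_HEADER = "x-k8s-aws-id"  # signed header that ties the request to one cluster name
MAX_AGE = timedelta(minutes=15)     # staleness threshold chosen for this example
# Simplified host check for this example: global or regional STS in the commercial partition.
STS_HOST = re.compile(r"^sts(\.[a-z0-9-]+)?\.amazonaws\.com$")


def build_sample_token(issued_at, region="us-east-1",
                       signed_headers=f"host;{CLUSTER_ID_HEADER}"):
    """Build a CONSTRUCTED token (fake key ID, all-zero signature); never valid against AWS."""
    query = urlencode({
        "Action": "GetCallerIdentity",
        "Version": "2011-06-15",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": "AKIAEXAMPLEEXAMPLE00/%s/%s/sts/aws4_request"
                            % (issued_at.strftime("%Y%m%d"), region),
        "X-Amz-Date": issued_at.strftime("%Y%m%dT%H%M%SZ"),
        "X-Amz-Expires": "60",
        "X-Amz-SignedHeaders": signed_headers,
        "X-Amz-Signature": "0" * 64,
    })
    url = f"https://sts.{region}.amazonaws.com/?{query}"
    return TOKEN_PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def inspect_token(token, now=None):
    """Decode the token and return its fields plus a list of findings (empty means none)."""
    now = now or datetime.now(timezone.utc)
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("missing k8s-aws-v1. prefix: not an EKS IAM token")
    body = token[len(TOKEN_PREFIX):]
    # The token drops base64 padding; restore it before decoding.
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    url = urlsplit(raw.decode("utf-8"))
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    cred = params.get("X-Amz-Credential", "").split("/")
    signed = params.get("X-Amz-SignedHeaders", "").split(";")

    findings = []
    if url.scheme != "https" or not STS_HOST.match(url.hostname or ""):
        findings.append(f"unexpected endpoint: {url.scheme}://{url.hostname}")
    if params.get("Action") != "GetCallerIdentity":
        findings.append(f"unexpected action: {params.get('Action')}")
    if CLUSTER_ID_HEADER not in signed:
        findings.append(f"{CLUSTER_ID_HEADER} is not a signed header: not bound to a cluster")

    issued_at = None
    try:
        issued_at = datetime.strptime(
            params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        if now - issued_at > MAX_AGE:
            findings.append("stale: signed more than 15 minutes ago")
    except (KeyError, ValueError):
        findings.append("missing or malformed X-Amz-Date")

    return {
        "host": url.hostname,
        "action": params.get("Action"),
        # The key ID (not the secret) is readable by anyone holding the token.
        "access_key_id": cred[0] if len(cred) == 5 else None,
        "region": cred[2] if len(cred) == 5 else None,
        "signed_headers": signed,
        "issued_at": issued_at,
        "findings": findings,
    }


if __name__ == "__main__":
    signed_at = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
    report = inspect_token(build_sample_token(signed_at),
                           now=signed_at + timedelta(seconds=30))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Because the decoded URL carries a usable signature until it ages out, treat the token like a password: keep it out of logs, tickets and shell history.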
This Module provides several ways to help you set up kubectl to authenticate to the created EKS cluster. Note that
all of these methods assume you have a working kubectl and one of kubergrunt or AWS IAM authenticator installed.
The AWS IAM Authenticator requires a working Go environment to install. You can follow the project
README for installation instructions. Alternatively, you can
install one of the prebuilt binaries of the AWS IAM Authenticator provided by AWS. The download URL for each platform is
available in the official documentation of AWS
EKS.
Important Note: On a new EKS cluster, the EKS worker nodes also rely on mapping their IAM role into a Kubernetes
RBAC role that provides access to the cluster. This is what allows the worker nodes to register themselves to the
control plane. Therefore, before you can schedule anything on the cluster, you must apply the eks-k8s-role-mapping
module with the eks_worker_iam_role_arn output variable from this module. See the
eks-cluster example for an example of this in action.
Automatic setup
The eks-cluster-control-plane module can configure kubectl to be able to authenticate with EKS as part of
provisioning the cluster. This Module uses the kubergrunt binary to create or update the kubectl config file with a
new context that can be used to interact with the newly provisioned EKS cluster. Set the configure_kubectl input
variable to true to turn on this behavior.
Note: This will only configure kubectl for the machine that provisions it. Other machines will need to be
separately configured.
You can call the kubergrunt binary outside of the Module. The binary expects the region where the EKS
cluster resides, as well as the name of the EKS cluster:
You can also set up kubectl manually using the provided outputs from this Module. This module will output a complete
kubectl config file under the output variable eks_kubeconfig that can be placed where you store your kubectl config
files. You must store the config file output and reference it when you run kubectl to authenticate against the
Kubernetes control plane managed by EKS. This option may be best if you have multiple Kubernetes clusters that you are
managing and need to distinguish the authentication config between the different clusters.
ncryption_test.go","path":"test/eks_envelope_encryption_test.go","sha":"3d8b92c4d3d4244c6431ccae95f0faeb0328bdce"},{"name":"eks_fargate_cluster_disable_public_endpoint_test.go","path":"test/eks_fargate_cluster_disable_public_endpoint_test.go","sha":"25ba0984ef5979ca146d16b63654559939d822db"},{"name":"eks_fargate_cluster_irsa_test.go","path":"test/eks_fargate_cluster_irsa_test.go","sha":"8a1e4f4599f63b357af1ca36b135898e7663f1fe"},{"name":"eks_fargate_cluster_public_access_cidr_test.go","path":"test/eks_fargate_cluster_public_access_cidr_test.go","sha":"2a82ad5a0bbb9311bb9c91a2c0be3f3dbe1b4d5e"},{"name":"eks_fargate_cluster_test.go","path":"test/eks_fargate_cluster_test.go","sha":"a50d3691cbdec0ba41e2212015105254d7a516c7"},{"name":"eks_fargate_cluster_with_supporting_services_test.go","path":"test/eks_fargate_cluster_with_supporting_services_test.go","sha":"a236dc2c1647da144a3fa973492b18ad80d64103"},{"name":"eks_mixed_cluster_dns_test.go","path":"test/eks_mixed_cluster_dns_test.go","sha":"069332615ab046026f91262ebfb3715786132895"},{"name":"errors.go","path":"test/errors.go","sha":"be062fe0205ff82db8183d0fde639aa1883013ad"},{"name":"go.mod","path":"test/go.mod","sha":"2a66084362eee66b1df3c80716dc15fd4f845356"},{"name":"go.sum","path":"test/go.sum","sha":"6a50e9f9a87ea976f1e14cde47ae194d4b87be78"},{"name":"kubefixtures","children":[{"name":"autoscaler-test-pods-deployment.yml","path":"test/kubefixtures/autoscaler-test-pods-deployment.yml","sha":"b2d94c4bfa729b639290ee21629c19ca6ea694ee"},{"name":"eks-irsa-test.yml","path":"test/kubefixtures/eks-irsa-test.yml","sha":"db5439cf6d38873dbae71daa4197d6947990a94a"},{"name":"eks-k8s-role-mapping-test-role.yml","path":"test/kubefixtures/eks-k8s-role-mapping-test-role.yml","sha":"ede7587308d2a4ecf55042b05800099c43f3af7d"},{"name":"kube-system-sa-admin-binding.yml","path":"test/kubefixtures/kube-system-sa-admin-binding.yml","sha":"282d406512102cbe54e952575f26e7e0fbb2aa9a"},{"name":"nginx-deployment.yml","path":"test/kubefixtures/n
ginx-deployment.yml","sha":"a58866e59c113635af24982cfb0b530f0c416af0"},{"name":"robust-nginx-deployment.yml","path":"test/kubefixtures/robust-nginx-deployment.yml","sha":"87ead0f9733e422099bc430ed281e2054e698f10"}]},{"name":"script_tests","children":[{"name":"executor.sh","path":"test/script_tests/executor.sh","sha":"458c534996fbc045081d1cfae521c090f6787a7f"},{"name":"requirements.txt","path":"test/script_tests/requirements.txt","sha":"7372bb177f500724ac7b3d1730d5018d768e538b"},{"name":"test_map_ec2_tags_to_node_labels.py","path":"test/script_tests/test_map_ec2_tags_to_node_labels.py","sha":"6b88e92ac569e20ece5a35c74f053a08839e4638"},{"name":"tox.ini","path":"test/script_tests/tox.ini","sha":"3a18859a7fbe2f3897fd85f69b081e308f8e47a1"}]},{"name":"terratest_options.go","path":"test/terratest_options.go","sha":"9c0fc2cde3ebb6db359ea8cba88153c0eb66c7db"},{"name":"test_debug_helpers.go","path":"test/test_debug_helpers.go","sha":"c71a7a9d5b68f0f59d2518496d9f5893206b5e22"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"4633eab64d3382614ac38d1f3840e45c522486e2"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"background\">Background</h1><div class=\"preview__body--border\"></div><h2 class=\"preview__body--subtitle\" id=\"what-is-kubernetes\">What is Kubernetes?</h2>\n<p><a href=\"https://kubernetes.io\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes</a> is an open source container management system for deploying, scaling, and managing\ncontainerized applications. Kubernetes is built by Google based on their internal proprietary container management\nsystems (Borg and Omega). 
Kubernetes provides a cloud agnostic platform to deploy your containerized applications with\nbuilt in support for common operational tasks such as replication, autoscaling, self-healing, and rolling deployments.</p>\n<p>You can learn more about Kubernetes from <a href=\"https://kubernetes.io/docs/tutorials/kubernetes-basics/\" class=\"preview__body--description--blue\" target=\"_blank\">the official documentation</a>.</p>\n<h2 class=\"preview__body--subtitle\" id=\"what-is-elastic-container-service-for-kubernetes-eks\">What is Elastic Container Service for Kubernetes (EKS)?</h2>\n<p>Elastic Container Service for Kubernetes is the official AWS solution for running a <a href=\"https://kubernetes.io\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes</a>\ncluster within AWS. EKS provisions and manages the <a href=\"https://kubernetes.io/docs/concepts/overview/components/#master-components\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes Master\nComponents</a> for you, removing a significant\noperational burden for running Kubernetes. This means that EKS will automatically handle provisioning and scaling the\nmaster components such that it is highly available and secure for your needs.</p>\n<p>You can learn more about EKS from <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html\" class=\"preview__body--description--blue\" target=\"_blank\">the official\ndocumentation</a>.</p>\n<h2 class=\"preview__body--subtitle\" id=\"what-is-an-eks-cluster\">What is an EKS Cluster?</h2>\n<p>An EKS cluster represents a Kubernetes cluster that is available within your VPC to be used for scheduling your Docker\ncontainers as <a href=\"https://kubernetes.io/docs/concepts/workloads/pods/pod/\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes Pods</a>. 
EKS consists of two major\ncomponents that combine to formulate an EKS cluster, mapping to their Kubernetes counterparts:</p>\n<ul>\n<li>EKS Control Plane: Contains the resources and endpoint to run and access the Kubernetes master components within your\nVPC. The underlying resources are entirely managed by AWS. These correspond to\n<a href=\"https://kubernetes.io/docs/concepts/overview/components/#master-components\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes master components</a>.</li>\n<li>EKS Worker Nodes: Contains the resources that run your applications scheduled on the cluster as\n<a href=\"https://kubernetes.io/docs/concepts/workloads/pods/pod/\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes Pods</a>.\nThese are EC2 instances that you provision with a special AMI designed to connect to the control plane so that it is\navailable within your Kubernetes cluster. These correspond to\n<a href=\"https://kubernetes.io/docs/concepts/overview/components/#node-components\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes node components</a>.</li>\n</ul>\n<p>You can read more about the individual components in <a href=\"https://kubernetes.io/docs/concepts/overview/components\" class=\"preview__body--description--blue\" target=\"_blank\">the official Kubernetes\ndocs</a>.</p>\n<p>This Module will provision both the EKS Control Plane and EKS Worker Nodes, utilizing an Auto Scaling Group so that\nfailed worker nodes will automatically be replaced, and we can easily scale the worker nodes in the cluster. 
You can\nthen use other modules in this package to package your Docker containers into Pods that can then be deployed on to the\nEKS cluster.</p>\n<h2 class=\"preview__body--subtitle\" id=\"ecs-vs-eks\">ECS vs EKS</h2>\n<p><a href=\"https://aws.amazon.com/ecs/\" class=\"preview__body--description--blue\" target=\"_blank\">EC2 Container Service (ECS)</a> and <a href=\"https://aws.amazon.com/eks\" class=\"preview__body--description--blue\" target=\"_blank\">Elastic Container Service for\nKubernetes</a> are two AWS solutions for running Docker containers on EC2 instances or AWS\nmanaged machines (via <a href=\"https://aws.amazon.com/fargate/\" class=\"preview__body--description--blue\" target=\"_blank\">Fargate</a> in the case of ECS). ECS is a proprietary solution by\nAWS that provides a way of deploying your containerized applications on AWS resources without having to manually manage\nthem. EKS is a new offering by AWS that provides a managed Kubernetes experience on AWS resources with first class\nsupport for AWS concepts like VPC, IAM roles, and Security Groups. Unlike ECS which uses proprietary technology, EKS\nruns an open source platform (Kubernetes). As such, you can interface with it using the Kubernetes ecosystem of tools\nand resources (e.g <code>kubectl</code>), just like any other Kubernetes cluster.</p>\n<p>Which service you decide to go with is entirely dependent on your infrastructure needs. With ECS Fargate, you can focus\nentirely on the application you are deploying and not have to worry about servers, clusters, and the underlying\ninfrastructure as a whole. However, if you want more control over your resources and infrastructure, you can use ECS\nwith EC2 instances. 
The downside with both is that you have to use a proprietary API to interact with the service that\nis not portable outside of AWS (including no way to run ECS on your local computer for testing).</p>\n<p>On the other hand, if you want to leverage existing tools and knowledge from the Kubernetes community, you can use EKS\ninstead. The code you develop to interface with EKS are to an extent portable to other Kubernetes clusters as well.\nFurthermore, if you already have a Kubernetes cluster, you can reuse all of your kubernetes configuration. The downside\nto using EKS over ECS, however, is that ECS provides simpler primitives for running your workloads, and mesh really well\nwith existing AWS infrastructure like Application and Network Load Balancers.</p>\n<p>Here is a list of additional tradeoffs to consider between the two services:</p>\n<ul>\n<li>Kubernetes is cloud agnostic. All of the major cloud providers support a managed Kubernetes experience\n(<a href=\"https://cloud.google.com/kubernetes-engine/\" class=\"preview__body--description--blue\" target=\"_blank\">GKE</a>, <a href=\"https://aws.amazon.com/eks\" class=\"preview__body--description--blue\" target=\"_blank\">EKS</a>,\n<a href=\"https://docs.microsoft.com/en-us/azure/aks/\" class=\"preview__body--description--blue\" target=\"_blank\">AKS</a>). You can even deploy a Kubernetes cluster on prem on your own\nhardware, or run it locally for testing. ECS on the other hand is proprietary and only works on AWS.</li>\n<li>Kubernetes, being open, has a larger community than ECS with a ton of resources available including plugins, books,\nguides, tools, etc.</li>\n<li>Kubernetes has a built in solution for secrets management that works on all deployments of Kubernetes. 
With ECS, you\nneed to use an external service like KMS or Secret Manager, neither of which have first class support within ECS and\ndo not work locally.</li>\n<li>Kubernetes has a mature data volume solution in\n<a href=\"https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/\" class=\"preview__body--description--blue\" target=\"_blank\"><code>StatefulSets</code></a> that allow you to leverage\nthe dynamic nature of your containers without worrying about persistence locality. ECS has volumes for persistent\nstate in containers, but require localizing the containers with the volumes.</li>\n<li>Kubernetes has an official service discovery solution in the form of the DNS plugin that automatically allocates a\nFQDN that route to your containerized application. ECS requires additional configuration with an external DNS system\n(Route53) to achieve the same effect.</li>\n<li>ECS has native integration with AWS IAM roles so that each container can have its own IAM role/permissions to access\nAWS resources. Kubernetes requires a custom solution or third party plugin (e.g\n<a href=\"https://github.com/jtblin/kube2iam\" class=\"preview__body--description--blue\" target=\"_blank\">kube2iam</a>) to achieve the same effect.</li>\n<li>You only have to pay for the EC2 costs of worker nodes in ECS. 
EKS has a high premium for running the control plane,\nin addition to the EC2 costs of worker nodes.</li>\n<li>ECS has a simpler configuration setup and therefore is easier to learn and get started with compared to Kubernetes.</li>\n<li>As of October 2018, Terraform support for ECS is stronger than for Kubernetes.</li>\n</ul>\n<p>If you would like to use ECS, Gruntwork also provides Modules for managing ECS resources in the\n<a href=\"/repos/terraform-aws-ecs\" class=\"preview__body--description--blue\"><code>terraform-aws-ecs</code></a> repository.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-authenticate-kubectl-to-the-eks-cluster\">How do I authenticate kubectl to the EKS cluster?</h2>\n<p>The standard way to interact with a Kubernetes cluster is to use the\n<a href=\"https://kubernetes.io/docs/reference/kubectl/overview/\" class=\"preview__body--description--blue\" target=\"_blank\"><code>kubectl</code></a> commandline utility. However, in order to use\n<code>kubectl</code> to access your EKS cluster, you need to first authenticate it to the cluster. EKS manages authentication to\nKubernetes based on AWS IAM roles. The IAM roles automatically translate to the corresponding role in Kubernetes via the\n<a href=\"https://kubernetes.io/docs/reference/access-authn-authz/rbac/\" class=\"preview__body--description--blue\" target=\"_blank\">Role Based Access Control (RBAC)</a> system that Kubernetes\nuses to handle authorization of Kubernetes resources. By default the AWS IAM role used to provision the EKS cluster is\ngranted admin level permissions (<code>system:master</code> role) that allow you to perform almost anything on the cluster via\n<code>kubectl</code>. You can add additional role mappings or modify the default one by using the <a href=\"/repos/v0.44.3/terraform-aws-eks/modules/eks-k8s-role-mapping/README.md\" class=\"preview__body--description--blue\">eks-k8s-role-mapping\nmodule</a>. 
See the <a href=\"/repos/v0.44.3/terraform-aws-eks/modules/eks-k8s-role-mapping/README.md\" class=\"preview__body--description--blue\">module documentation</a> for more\ninformation.</p>\n<p>To support all this, EKS requires <code>kubectl</code> to authenticate to an AWS IAM role. However, <code>kubectl</code> does not have a\nnative way to do this. There are a couple of ways to configure <code>kubectl</code> for authentication with IAM:</p>\n<ol>\n<li>Beginning with AWS CLI version 1.16.156, you can use the <code>aws eks get-token</code> command.</li>\n<li>Rely on the <a href=\"https://github.com/kubernetes-sigs/aws-iam-authenticator\" class=\"preview__body--description--blue\" target=\"_blank\">AWS IAM Authenticator for Kubernetes</a> utility embedded into\n<a href=\"/repos/kubergrunt\" class=\"preview__body--description--blue\"><code>kubergrunt</code></a>.</li>\n</ol>\n<p>Both options use the AWS API to generate an authentication token that contains a signed request to fetch the information about the\nassumed AWS IAM role. This token is forwarded to the Kubernetes API server by <code>kubectl</code>, which is then used by EKS to authenticate the\nrequest to the assumed IAM role, and then inherit permissions for the mapped RBAC role.</p>\n<p>You can learn more about the details of <code>aws eks get-token</code> in <a href=\"https://docs.aws.amazon.com/cli/latest/reference/eks/get-token.html\" class=\"preview__body--description--blue\" target=\"_blank\">the AWS CLI\ndocs</a>.\nUnder the hood, EKS uses the AWS IAM Authenticator to manage authentication to the API. You can learn more about it in <a href=\"https://github.com/kubernetes-sigs/aws-iam-authenticator#how-does-it-work\" class=\"preview__body--description--blue\" target=\"_blank\">the official\ndocumentation</a>.</p>\n<p>This Module provides several ways to help you setup <code>kubectl</code> to authenticate to the created EKS cluster. 
Note that\nall of these methods assume you have a working <code>kubectl</code> and one of <code>kubergrunt</code> or AWS IAM authenticator installed.</p>\n<p>You can follow the <a href=\"https://kubernetes.io/docs/tasks/tools/install-kubectl/\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes client installation\ninstructions</a> to install <code>kubectl</code>.</p>\n<p>You can install <code>kubergrunt</code> from the <a href=\"#open_modal\" class=\"preview__body--description--blue\">Releases Page</a>. You can\nlearn more about <code>kubergrunt</code> code from <a href=\"/repos/kubergrunt/README.md\" class=\"preview__body--description--blue\">the project\nREADME</a>.</p>\n<p>The AWS IAM Authenticator requires a working go environment to install. You can follow the <a href=\"https://github.com/kubernetes-sigs/aws-iam-authenticator\" class=\"preview__body--description--blue\" target=\"_blank\">project\nREADME</a> for installation instructions. Alternatively, you can\ninstall one of the prebuilt binaries of the AWS IAM Authenticator provided by AWS. The download URL for each platform is\navailable in <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/configure-kubectl.html\" class=\"preview__body--description--blue\" target=\"_blank\">the official documentation of AWS\nEKS</a>.</p>\n<p><strong>Important Note</strong>: On a new EKS cluster, the EKS worker nodes also rely on mapping their IAM role into a Kubernetes\nRBAC role that provides access to the cluster. This is what allows the worker nodes to register themselves to the\ncontrol plane. Therefore, before you can schedule anything on the cluster, you must apply the <a href=\"/repos/v0.44.3/terraform-aws-eks/modules/eks-k8s-role-mapping/README.md\" class=\"preview__body--description--blue\">eks-k8s-role-mapping\nmodule</a> with the <code>eks_worker_iam_role_arn</code> output variable from this module. 
See the\n<a href=\"/repos/v0.44.3/terraform-aws-eks/examples/eks-cluster-with-iam-role-mappings/README.md\" class=\"preview__body--description--blue\">eks-cluster example</a> for an example of this in action.</p>\n<h3 class=\"preview__body--subtitle\" id=\"automatic-setup\">Automatic setup</h3>\n<p>The <code>eks-cluster-control-plane</code> module can configure <code>kubectl</code> to be able to authenticate with EKS as part of\nprovisioning the cluster. This Module uses the <code>kubergrunt</code> binary to create or update the <code>kubectl</code> config file with a\nnew context that can be used to interact with the newly provisioned EKS cluster. Set the <code>configure_kubectl</code> input\nvariable to <code>true</code> to turn on this behavior.</p>\n<p><strong>Note</strong>: This will only configure <code>kubectl</code> for the machine that provisions it. Other machines will need to be\nseparately configured.</p>\n<p>You can call the <code>kubergrunt</code> binary outside of the Module. The binary expects the region where the EKS\ncluster resides, as well as the name of the EKS cluster:</p>\n<pre>kubergrunt eks configure --eks-<span class=\"hljs-keyword\">cluster</span>-arn $EKS_CLUSTER_ARN\n</pre>\n<p>Alternatively, you can use <a href=\"https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html\" class=\"preview__body--description--blue\" target=\"_blank\">the AWS Command Line Interface\n(CLI)</a> built in EKS configure command:</p>\n<pre><span class=\"hljs-attribute\">aws</span> --region <span class=\"hljs-variable\">$AWS_REGION</span> eks update-kubeconfig --name <span class=\"hljs-variable\">$EKS_CLUSTER_NAME</span>\n</pre>\n<h3 class=\"preview__body--subtitle\" id=\"manual-setup\">Manual setup</h3>\n<p>You can also setup <code>kubectl</code> manually using the provided outputs from this Module. 
This module will output a complete\n<code>kubectl</code> config file under the output variable <code>eks_kubeconfig</code> that can be placed where you store your <code>kubectl</code> config\nfiles. You must store the config file output and reference it when you run <code>kubectl</code> to authenticate against the\nKuberentes control plane managed by EKS. This option may be best if you have multiple Kubernetes cluster that you are\nmanaging and need to distinguish the authentication config between the different clusters.</p>\n","repoName":"terraform-aws-eks","repoRef":"v0.40.0","serviceDescriptor":{"serviceName":"EC2 Kubernetes Service (EKS) Cluster","serviceRepoName":"terraform-aws-eks","serviceRepoOrg":"gruntwork-io","cloudProviders":["aws"],"description":"Deploy a Kubernetes cluster on top of Amazon EC2 Kubernetes Service (EKS).","imageUrl":"eks.png","licenseType":"subscriber","technologies":["Terraform","Python","Bash"],"compliance":[],"tags":[""]},"serviceCategoryName":"Docker orchestration","fileName":"core-concepts.md","filePath":"/core-concepts.md","title":"Repo Browser: EC2 Kubernetes Service (EKS) Cluster","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}