eks_cli 0.1.0

data/README.md

@@ -0,0 +1,52 @@
+# EKS-CLI
+
+EKS cluster bootstrap with batteries included
+
+## Usage
+
+```
+$ gem install eks_cli
+$ eks bootstrap us-west-2 --cluster-name=My-EKS-Cluster
+$ eks create-cluster-vpc --cluster-name=My-EKS-Cluster
+$ eks create-cluster-security-group --cluster-name My-EKS-Cluster --open-ports=22
+$ eks create-nodegroup --cluster-name My-EKS-Cluster --group-name nodes --ssh-key-name my-ssh-key --min 1 --max 3
+$ eks create-nodegroup --cluster-name My-EKS-Cluster --group-name other-nodes --ssh-key-name my-ssh-key --min 3 --max 3 --instance-type m5.2xlarge
+$ eks create-nodegroup --all --cluster-name My-EKS-Cluster --yes
+```
+
+## Extra Stuff
+
+### Setting IAM policies to be attached to EKS nodes
+
+`$ eks set-iam-policies --cluster-name=My-EKS-Cluster --policies=AmazonS3FullAccess AmazonDynamoDBFullAccess`
+
+Makes sure all nodegroup instances are attached with the above policies once created
+
+### Routing Route53 hostnames to Kubernetes service
+
+`$ eks update-dns my-cool-service.my-company.com cool-service --route53-hosted-zone-id=XXXXX --elb-hosted-zone-id=XXXXXX --cluster-name=My-EKS-Cluster`
+
+Takes the ELB endpoint from `cool-service` and puts it as an alias record of `my-cool-service.my-company.com`
+
+### Enabling GPU
+
+`$ eks enable-gpu --cluster-name EKS-Staging`
+
+Installs the nvidia device plugin required to have your GPUs exposed
+
+*Assumptions*: 
+
+1. You have a nodegroup using [EKS GPU AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html)
+2. This nodegroup uses a GPU instance (p2.x / p3.x etc)
+
+### Adding Dockerhub Secrets
+
+`$ eks set-docker-registry-credentials <dockerhub-user> <dockerhub-email> <dockerhub-password> --cluster-name My-EKS-Cluster`
+
+Adds your dockerhub credentials as a secret and attaches it to the default serviceaccount imagePullSecrets
+
+### Creating Default Storage Class
+
+`$ eks create-default-storage-class --cluster-name My-EKS-Cluster`
+
+Creates a standard gp2 default storage class named gp2

data/bin/eks

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require 'eks_cli'
+EksCli::Cli.start(ARGV)

data/eks_cli.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |s|
+  s.name        = 'eks_cli'
+  s.version     = '0.1.0'
+  s.date        = '2018-11-18'
+  s.summary     = "Make EKS great again!"
+  s.description = "A utility to manage and create EKS (Kubernetes) cluster on Amazon Web Services"
+  s.authors     = ["Erez Rabih"]
+  s.email       = 'erez.rabih@gmail.com'
+  s.homepage    =
+    'https://github.com/nanit/eks_cli'
+  s.license       = 'MIT'
+  s.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  s.bindir        = "bin"
+  s.executables   = ["eks"]
+  s.require_paths = ["lib"]
+  s.add_dependency 'thor'
+  s.add_dependency 'aws-sdk-iam'
+  s.add_dependency 'aws-sdk-eks'
+  s.add_dependency 'aws-sdk-ec2'
+  s.add_dependency 'aws-sdk-cloudformation'
+  s.add_dependency 'aws-sdk-route53'
+  s.add_dependency 'activesupport'
+  s.add_dependency 'kubeclient'
+end
+

data/lib/assets/default_storage_class.yaml

@@ -0,0 +1,10 @@
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: gp2
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: kubernetes.io/aws-ebs
+parameters:
+  type: gp2
+reclaimPolicy: Retain

data/lib/assets/nodegroup_cf_template.yaml

@@ -0,0 +1,305 @@
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Amazon EKS - Node Group - Released 2018-08-30'
+
+Parameters:
+
+  KeyName:
+    Description: The EC2 Key Pair to allow SSH access to the instances
+    Type: AWS::EC2::KeyPair::KeyName
+
+  NodeImageId:
+    Type: AWS::EC2::Image::Id
+    Description: AMI id for the node instances.
+
+  NodeInstanceType:
+    Description: EC2 instance type for the node instances
+    Type: String
+    Default: t2.medium
+    AllowedValues:
+    - t2.small
+    - t2.medium
+    - t2.large
+    - t2.xlarge
+    - t2.2xlarge
+    - m3.medium
+    - m3.large
+    - m3.xlarge
+    - m3.2xlarge
+    - m4.large
+    - m4.xlarge
+    - m4.2xlarge
+    - m4.4xlarge
+    - m4.10xlarge
+    - m5.large
+    - m5.xlarge
+    - m5.2xlarge
+    - m5.4xlarge
+    - m5.12xlarge
+    - m5.24xlarge
+    - c4.large
+    - c4.xlarge
+    - c4.2xlarge
+    - c4.4xlarge
+    - c4.8xlarge
+    - c5.large
+    - c5.xlarge
+    - c5.2xlarge
+    - c5.4xlarge
+    - c5.9xlarge
+    - c5.18xlarge
+    - i3.large
+    - i3.xlarge
+    - i3.2xlarge
+    - i3.4xlarge
+    - i3.8xlarge
+    - i3.16xlarge
+    - r3.xlarge
+    - r3.2xlarge
+    - r3.4xlarge
+    - r3.8xlarge
+    - r4.large
+    - r4.xlarge
+    - r4.2xlarge
+    - r4.4xlarge
+    - r4.8xlarge
+    - r4.16xlarge
+    - x1.16xlarge
+    - x1.32xlarge
+    - p2.xlarge
+    - p2.8xlarge
+    - p2.16xlarge
+    - p3.2xlarge
+    - p3.8xlarge
+    - p3.16xlarge
+    ConstraintDescription: Must be a valid EC2 instance type
+
+  NodeAutoScalingGroupMinSize:
+    Type: Number
+    Description: Minimum size of Node Group ASG.
+    Default: 1
+
+  NodeAutoScalingGroupMaxSize:
+    Type: Number
+    Description: Maximum size of Node Group ASG.
+    Default: 3
+
+  NodeVolumeSize:
+    Type: Number
+    Description: Node volume size
+    Default: 20
+
+  ClusterName:
+    Description: The cluster name provided when the cluster was created. If it is incorrect, nodes will not be able to join the cluster.
+    Type: String
+
+  BootstrapArguments:
+    Description: Arguments to pass to the bootstrap script. See files/bootstrap.sh in https://github.com/awslabs/amazon-eks-ami
+    Default: ""
+    Type: String
+
+  NodeGroupName:
+    Description: Unique identifier for the Node Group.
+    Type: String
+
+  ClusterControlPlaneSecurityGroup:
+    Description: The security group of the cluster control plane.
+    Type: AWS::EC2::SecurityGroup::Id
+
+  VpcId:
+    Description: The VPC of the worker instances
+    Type: AWS::EC2::VPC::Id
+
+  Subnets:
+    Description: The subnets where workers can be created.
+    Type: List<AWS::EC2::Subnet::Id>
+
+  ClusterSecurityGroup:
+    Description: Security group ID for in-cluster communication between node groups
+    Type: AWS::EC2::SecurityGroup::Id
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      -
+        Label:
+          default: "EKS Cluster"
+        Parameters:
+          - ClusterName
+          - ClusterControlPlaneSecurityGroup
+      -
+        Label:
+          default: "Worker Node Configuration"
+        Parameters:
+          - NodeGroupName
+          - NodeAutoScalingGroupMinSize
+          - NodeAutoScalingGroupMaxSize
+          - NodeInstanceType
+          - NodeImageId
+          - NodeVolumeSize
+          - KeyName
+          - BootstrapArguments
+      -
+        Label:
+          default: "Worker Network Configuration"
+        Parameters:
+          - VpcId
+          - Subnets
+
+Resources:
+
+  NodeInstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Path: "/"
+      Roles:
+      - !Ref NodeInstanceRole
+
+  NodeInstanceRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+            - ec2.amazonaws.com
+          Action:
+          - sts:AssumeRole
+      Path: "/"
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
+        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
+
+  NodeSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Security group for all nodes in the cluster
+      VpcId:
+        !Ref VpcId
+      Tags:
+      - Key: !Sub "kubernetes.io/cluster/${ClusterName}"
+        Value: 'owned'
+
+  NodeSecurityGroupIngress:
+    Type: AWS::EC2::SecurityGroupIngress
+    DependsOn: NodeSecurityGroup
+    Properties:
+      Description: Allow node to communicate with each other
+      GroupId: !Ref NodeSecurityGroup
+      SourceSecurityGroupId: !Ref NodeSecurityGroup
+      IpProtocol: '-1'
+      FromPort: 0
+      ToPort: 65535
+
+  NodeSecurityGroupFromControlPlaneIngress:
+    Type: AWS::EC2::SecurityGroupIngress
+    DependsOn: NodeSecurityGroup
+    Properties:
+      Description: Allow worker Kubelets and pods to receive communication from the cluster control plane
+      GroupId: !Ref NodeSecurityGroup
+      SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup
+      IpProtocol: tcp
+      FromPort: 1025
+      ToPort: 65535
+
+  ControlPlaneEgressToNodeSecurityGroup:
+    Type: AWS::EC2::SecurityGroupEgress
+    DependsOn: NodeSecurityGroup
+    Properties:
+      Description: Allow the cluster control plane to communicate with worker Kubelet and pods
+      GroupId: !Ref ClusterControlPlaneSecurityGroup
+      DestinationSecurityGroupId: !Ref NodeSecurityGroup
+      IpProtocol: tcp
+      FromPort: 1025
+      ToPort: 65535
+
+  NodeSecurityGroupFromControlPlaneOn443Ingress:
+    Type: AWS::EC2::SecurityGroupIngress
+    DependsOn: NodeSecurityGroup
+    Properties:
+      Description: Allow pods running extension API servers on port 443 to receive communication from cluster control plane
+      GroupId: !Ref NodeSecurityGroup
+      SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup
+      IpProtocol: tcp
+      FromPort: 443
+      ToPort: 443
+
+  ControlPlaneEgressToNodeSecurityGroupOn443:
+    Type: AWS::EC2::SecurityGroupEgress
+    DependsOn: NodeSecurityGroup
+    Properties:
+      Description: Allow the cluster control plane to communicate with pods running extension API servers on port 443
+      GroupId: !Ref ClusterControlPlaneSecurityGroup
+      DestinationSecurityGroupId: !Ref NodeSecurityGroup
+      IpProtocol: tcp
+      FromPort: 443
+      ToPort: 443
+
+  ClusterControlPlaneSecurityGroupIngress:
+    Type: AWS::EC2::SecurityGroupIngress
+    DependsOn: NodeSecurityGroup
+    Properties:
+      Description: Allow pods to communicate with the cluster API Server
+      GroupId: !Ref ClusterControlPlaneSecurityGroup
+      SourceSecurityGroupId: !Ref NodeSecurityGroup
+      IpProtocol: tcp
+      ToPort: 443
+      FromPort: 443
+
+  NodeGroup:
+    Type: AWS::AutoScaling::AutoScalingGroup
+    Properties:
+      DesiredCapacity: !Ref NodeAutoScalingGroupMaxSize
+      LaunchConfigurationName: !Ref NodeLaunchConfig
+      MinSize: !Ref NodeAutoScalingGroupMinSize
+      MaxSize: !Ref NodeAutoScalingGroupMaxSize
+      VPCZoneIdentifier:
+        !Ref Subnets
+      Tags:
+      - Key: Name
+        Value: !Sub "${ClusterName}-${NodeGroupName}-Node"
+        PropagateAtLaunch: 'true'
+      - Key: !Sub 'kubernetes.io/cluster/${ClusterName}'
+        Value: 'owned'
+        PropagateAtLaunch: 'true'
+    UpdatePolicy:
+      AutoScalingRollingUpdate:
+        MinInstancesInService: '1'
+        MaxBatchSize: '1'
+
+  NodeLaunchConfig:
+    Type: AWS::AutoScaling::LaunchConfiguration
+    Properties:
+      AssociatePublicIpAddress: 'true'
+      IamInstanceProfile: !Ref NodeInstanceProfile
+      ImageId: !Ref NodeImageId
+      InstanceType: !Ref NodeInstanceType
+      KeyName: !Ref KeyName
+      SecurityGroups:
+      - !Ref NodeSecurityGroup
+      - !Ref ClusterSecurityGroup
+      BlockDeviceMappings:
+        - DeviceName: /dev/xvda
+          Ebs:
+            VolumeSize: !Ref NodeVolumeSize
+            VolumeType: gp2
+            DeleteOnTermination: true
+      UserData:
+        Fn::Base64:
+          !Sub |
+            #!/bin/bash
+            set -o xtrace
+            /etc/eks/bootstrap.sh ${ClusterName} ${BootstrapArguments}
+            /opt/aws/bin/cfn-signal --exit-code $? \
+                     --stack  ${AWS::StackName} \
+                     --resource NodeGroup  \
+                     --region ${AWS::Region}
+
+Outputs:
+  NodeInstanceRole:
+    Description: The node instance role
+    Value: !GetAtt NodeInstanceRole.Arn
+

data/lib/assets/nvidia_device_plugin.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nvidia-device-plugin-daemonset
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      name: nvidia-device-plugin-ds
+  template:
+    metadata:
+      # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
+      # reserves resources for critical add-on pods so that they can be rescheduled after
+      # a failure.  This annotation works in tandem with the toleration below.
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ""
+      labels:
+        name: nvidia-device-plugin-ds
+    spec:
+      tolerations:
+      # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
+      # This, along with the annotation above marks this pod as a critical add-on.
+      - key: CriticalAddonsOnly
+        operator: Exists
+      containers:
+      - image: nvidia/k8s-device-plugin:1.10
+        name: nvidia-device-plugin-ctr
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+        volumeMounts:
+          - name: device-plugin
+            mountPath: /var/lib/kubelet/device-plugins
+      volumes:
+        - name: device-plugin
+          hostPath:
+            path: /var/lib/kubelet/device-plugins

data/lib/eks_cli/cli.rb

@@ -0,0 +1,161 @@
+require 'thor'
+
+autoload :JSON, 'json'
+
+module EksCli
+
+  autoload :Config, 'config'
+  autoload :NodeGroup, 'nodegroup'
+  module CloudFormation
+    autoload :Stack, 'cloudformation/stack'
+    autoload :VPC, 'cloudformation/vpc'
+  end
+  module EKS
+    autoload :Cluster, 'eks/cluster'
+  end
+  module K8s
+    autoload :Auth, 'k8s/auth'
+    autoload :Client, 'k8s/client'
+  end
+  module EC2
+    autoload :SecurityGroup, 'ec2/security_group'
+  end
+  module IAM
+    autoload :Client, 'iam/client'
+  end
+  module Route53
+    autoload :Client, 'route53/client'
+  end
+  module VPC
+    autoload :Client, 'vpc/client'
+  end
+
+  class Cli < Thor
+
+    class_option :cluster_name, required: true, aliases: :c
+
+    desc "bootstrap REGION", "bootstrap cluster configuration"
+    def bootstrap(region)
+      role = IAM::Client.new(cluster_name).create_eks_role
+      Config[cluster_name].bootstrap({region: region, eks_role_arn: role.arn})
+    end
+
+    desc "show-config", "print cluster configuration"
+    option :group_name, desc: "group name to show configuration for"
+    def show_config
+      if options[:group_name]
+        puts JSON.pretty_generate(Config[cluster_name].for_group(options[:group_name]))
+      else
+        puts JSON.pretty_generate(Config[cluster_name].read_from_disk)
+      end
+    end
+
+    desc "create-cluster-vpc", "creates a vpc according to aws cloudformation template"
+    def create_cluster_vpc
+      cfg = CloudFormation::VPC.create(cluster_name)
+      Config[cluster_name].write(cfg)
+    end
+
+    desc "create-eks-cluster", "create EKS cluster on AWS"
+    def create_eks_cluster
+      cluster = EKS::Cluster.new(cluster_name).create
+      cluster.await
+      Config[cluster_name].write({cluster_arn: cluster.arn})
+      cluster.update_kubeconfig
+    end
+
+    desc "enable-gpu", "installs nvidia plugin as a daemonset on the cluster"
+    def enable_gpu
+      K8s::Client.new(cluster_name).enable_gpu
+    end
+
+    desc "set-docker-registry-credentials USERNAME PASSWORD EMAIL", "sets docker registry credentials"
+    def set_docker_registry_credentials(username, password, email)
+      K8s::Client.new(cluster_name).set_docker_registry_credentials(username, password, email)
+    end
+
+    desc "create-default-storage-class", "creates default storage class on a new k8s cluster"
+    def create_default_storage_class
+      K8s::Client.new(cluster_name).create_default_storage_class
+    end
+
+    desc "create-nodegroup", "creates all nodegroups on environment"
+    option :all, type: :boolean, default: false, desc: "create all nodegroups. must be used in conjunction with --yes"
+    option :group_name, type: :string, desc: "create a specific nodegroup. can't be used with --all"
+    option :ami, desc: "AMI for the nodegroup"
+    option :instance_type, desc: "EC2 instance type (m5.xlarge etc...)"
+    option :num_subnets, type: :numeric, desc: "Number of subnets (AZs) to spread the nodegroup across"
+    option :ssh_key_name, desc: "Name of the default SSH key for the nodes"
+    option :taints, desc: "Kubernetes taints to put on the nodes for example \"dedicated=critical:NoSchedule\""
+    option :min, type: :numeric, desc: "Minimum number of nodes on the nodegroup"
+    option :max, type: :numeric, desc: "Maximum number of nodes on the nodegroup"
+    option :yes, type: :boolean, default: false, desc: "Perform nodegroup creation"
+    def create_nodegroup
+      Config[cluster_name].update_nodegroup(options) unless options[:all]
+      if options[:yes]
+        cf_stacks = nodegroups.map {|ng| ng.create(wait_for_completion: false)}
+        CloudFormation::Stack.await(cf_stacks)
+        cf_stacks.each {|s| IAM::Client.new(cluster_name).attach_node_policies(s.node_instance_role_name)}
+        K8s::Auth.new(cluster_name).update
+      end
+    end
+
+    desc "delete-nodegroup", "deletes cloudformation stack for nodegroup"
+    option :all, type: :boolean, default: false, desc: "delete all nodegroups. can't be used with --name"
+    option :name, type: :string, desc: "delete a specific nodegroup. can't be used with --all"
+    def delete_nodegroup
+      nodegroups.each(&:delete)
+    end
+
+    desc "update-auth", "update aws auth configmap to allow all nodegroups to connect to control plane"
+    def update_auth
+      K8s::Auth.new(cluster_name).update
+    end
+
+    desc "detach-iam-policies", "detaches added policies to nodegroup IAM Role"
+    option :all, type: :boolean, default: false, desc: "detach from all nodegroups. can't be used with --name"
+    option :name, type: :string, desc: "detach from a specific nodegroup. can't be used with --all"
+    def detach_iam_policies
+      nodegroups.each(&:detach_iam_policies)
+    end
+
+    desc "set-iam-policies", "sets IAM policies to be attached to created nodegroups"
+    option :policies, type: :array, required: true, desc: "IAM policies ARNs"
+    def set_iam_policies
+      Config[cluster_name].set_iam_policies(options[:policies])
+    end
+
+    desc "create-cluster-security-group", "creates a SG for cluster communication"
+    option :open_ports, type: :array, default: [], desc: "open ports on cluster nodes"
+    def create_cluster_security_group
+      open_ports = options[:open_ports].map(&:to_i)
+      gid = EC2::SecurityGroup.new(cluster_name, open_ports).create
+      Config[cluster_name].write({nodes_sg_id: gid})
+    end
+
+    desc "update-dns HOSTNAME K8S_SERVICE_NAME", "alters route53 CNAME records to point to k8s service ELBs"
+    option :route53_hosted_zone_id, required: true, desc: "hosted zone ID for the cname record on route53"
+    option :elb_hosted_zone_id, required: true, desc: "hosted zone ID for the ELB on ec2"
+    option :namespace, default: "default", desc: "the k8s namespace of the service"
+    def update_dns(hostname, k8s_service_name)
+      Route53::Client.new(cluster_name).update_dns(hostname, k8s_service_name, options[:namespace], options[:route53_hosted_zone_id], options[:elb_hosted_zone_id])
+    end
+
+    desc "set-inter-vpc-networking TO_VPC_ID TO_SG_ID", "creates a vpc peering connection, sets route tables and allows network access on SG"
+    def set_inter_vpc_networking(to_vpc_id, to_sg_id)
+      VPC::Client.new(cluster_name).set_inter_vpc_networking(to_vpc_id, to_sg_id)
+    end
+
+    no_commands do
+      def cluster_name; options[:cluster_name]; end
+
+      def all_nodegroups; Config[cluster_name]["groups"].keys ;end
+
+      def nodegroups
+        ng = options[:group_name] ? [options[:group_name]] : all_nodegroups
+        ng.map {|n| NodeGroup.new(cluster_name, n)}
+      end
+    end
+
+  end
+end

data/lib/eks_cli/cloudformation/client.rb

@@ -0,0 +1,11 @@
+require 'aws-sdk-cloudformation'
+require 'config'
+module EksCli
+  module CloudFormation
+    class Client
+      def self.get(cluster_name)
+        @client ||= Aws::CloudFormation::Client.new(region: Config[cluster_name]["region"])
+      end
+    end
+  end
+end