This repository contains CloudFormation templates, PowerShell scripts, Kubernetes deployment configurations and sample applications required to set up an AWS Managed Active Directory and a gMSA (group Managed Service Account) in order to demonstrate the gMSA end-to-end workflow with an Amazon Elastic Kubernetes Service (EKS) cluster.
NOTE: gMSA functionality has been validated on an EKS v1.14 master with v1.14 worker nodes, an EKS v1.16 master with v1.16 worker nodes, and an EKS v1.17 master with v1.16 and v1.17 worker nodes. v1.15 is pending validation.
Prerequisites:
- AWS CLI
- PowerShell Core
- EKS cluster in which the AWS Managed AD is reachable
Clone the repository and execute the commands from the respective directories.
Follow the instructions in ./amazon-eks-gmsa/cloud-formation-templates/README.md to set up the infrastructure required to demonstrate gMSA on EKS. This step installs the following resources:
- Customer Master Key
- Customer Master Key IAM Policy
- SSM Parameters
- AWS Managed Active Directory (AD)
- SSM document to join an AWS Managed AD
- SSM document to generate a gMSA account and the credential spec (credspec) content
Follow the EKS documentation to launch EKS Windows worker nodes. You may have to enable the gMSA feature gates; the referenced README explains how. Then follow the instructions in ./amazon-eks-gmsa/eks-deployments/instance-domain-join.md to join the nodes to the AD domain:
- Enable the gMSA feature gates if gMSA is still in alpha state on your Kubernetes version
- Attach the Customer Master Key IAM policy to the EKS Windows instances
- Attach the domain-join SSM document to the EKS Windows Auto Scaling group
Follow the instructions in ./amazon-eks-gmsa/eks-deployments/README.md to perform the following steps in the EKS cluster:
- Deploy the gMSA Custom Resource Definition (CRD)
- Create a new gMSA account
- Deploy the credspec to the EKS cluster
- Deploy the gMSA admission webhook
- Patch the CoreDNS configuration
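As an added example (not a file from this repository), the manifests below show how the credspec, the webhook's RBAC check and a pod fit together once the resources above are deployed. The domain name, account name, GUID and SID are constructed placeholders (the real credspec content comes from the SSM document created earlier), and the pod field `securityContext.windowsOptions.gmsaCredentialSpecName` assumes Kubernetes v1.16 or later, where gMSA reached beta; the v1.14 alpha webhook used pod annotations instead.

```yaml
apiVersion: windows.k8s.io/v1alpha1
kind: GMSACredentialSpec
metadata: {name: webapp01-credspec}   # referenced by the RBAC rule and the pod below
credspec:
  CmsPlugins: ["ActiveDirectory"]
  ActiveDirectoryConfig:
    GroupManagedServiceAccounts:
    - {Name: WebApp01, Scope: EXAMPLE}        # NetBIOS scope
    - {Name: WebApp01, Scope: example.local}  # DNS scope
  DomainJoinConfig:
    DnsName: example.local
    DnsTreeName: example.local
    NetBiosName: EXAMPLE
    MachineAccountName: WebApp01
    Guid: 00000000-0000-0000-0000-000000000000   # placeholder: your domain GUID
    Sid: S-1-5-21-0-0-0                           # placeholder: your domain SID
---
# Least privilege: only pods running as the "webapp01" service account may use this credspec.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: webapp01-credspec-user}
rules:
- apiGroups: ["windows.k8s.io"]
  resources: ["gmsacredentialspecs"]
  resourceNames: ["webapp01-credspec"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: webapp01-credspec-user, namespace: default}
subjects:
- {kind: ServiceAccount, name: webapp01, namespace: default}
roleRef: {kind: ClusterRole, name: webapp01-credspec-user, apiGroup: rbac.authorization.k8s.io}
---
# The gMSA webhook rejects this pod unless the RBAC rule above grants "use" to its
# service account; otherwise it injects the full credspec for the Windows node to apply.
apiVersion: v1
kind: Pod
metadata: {name: webapp01}
spec:
  serviceAccountName: webapp01
  nodeSelector: {kubernetes.io/os: windows}
  securityContext:
    windowsOptions:
      gmsaCredentialSpecName: webapp01-credspec
  containers:
  - name: iis
    image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
```

The `webapp01` ServiceAccount and the webhook deployment itself are assumed to already exist; removing the RoleBinding is a quick way to confirm the webhook denies pods that are not authorized to use the credspec.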
Follow the instructions in ./amazon-eks-gmsa/sample-applications/README.md to launch an online bookstore application. A second, simpler application that uses gMSA credentials to expose a web service can be launched by following the instructions in ./amazon-eks-gmsa/sample-applications/IIS-auth-application/README.md.
For troubleshooting, follow the steps in the troubleshooting guide and refer to the official Kubernetes documentation.
This project is licensed under the MIT-0 License.