AWS Kubernetes management through the CLI

AWS Kubernetes can be managed from the command line using a combination of aws-cli, kubectl, and aws-okta. These instructions primarily apply to AWS EKS.

To install these command line interfaces on Mac OS X, use Homebrew.

brew install awscli

Next, use Homebrew to install kubectl.

brew install kubernetes-cli

If you’re like most enterprises and you’re leveraging Okta, then you’ll need to install the aws-okta CLI as well. aws-okta will require you to set up your Two-Factor Authentication (2FA), as Okta will send push notifications asking for permission to execute commands on your cluster.

brew install aws-okta

Next, you’ll need to set up the aws-okta configuration for your profile. Your Okta administrator will need to provision you with the AWS App Embed URL from the General tab of the AWS application in your Okta org. Open ~/.aws/config and set aws_saml_url to that URL. Your Okta admin should also provision you with a profile. Your configuration in ~/.aws/config should end up looking like this:

[profile allcode-devops]
aws_saml_url = home/amazon_aws/0oakkzcxxxxk5Dnvv0xx/272
role_arn = arn:aws:iam::557625315111:role/Allcode-Admin

After you’ve configured your ~/.aws/config, try to run the following command:

aws-okta exec allcode-devops -- kubectl

You may encounter the following error:

aws-okta exec allcode-devops -- kubectl 

getting creds via SAML: Okta credentials are not in your keyring. Please make sure you have added okta credentials with `aws-okta add`

You will want to run ‘aws-okta add’ to specify your Okta configuration. When you run ‘aws-okta add’, you will need to perform MFA on your phone; we use Duo for this.

Once you have been verified, you’ll notice that typing this command becomes painful. Our recommendation is to set up an alias.

alias k8s-ac="aws-okta exec allcode-devops -- kubectl"

Alternatively, you can set up bash scripts. Remember that an alias defined in your interactive shell cannot be referenced in bash scripts. Below is an example of the contents of a bash script that gets all of the available pods:

aws-okta exec allcode-devops -- kubectl get pods

Invoking “get pods” will provide you with a list of all of the pods that are currently active in the cluster. You will use the name of the pod to invoke specific operations on a pod.

NAME                       READY   STATUS      RESTARTS   AGE
website-1560438000-95nvl   0/1     Completed   0          8h
app-server-k68kt           0/1     Completed   0          2m45s
rds-client-gkrlj           0/1     Completed   0          105s
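
The alias and the one-line script above can be combined into a single wrapper that works both interactively and inside other scripts, and that checks the profile in ~/.aws/config before Okta is ever contacted. This is an added example, not code from aws-okta or from the original post; the function names profile_value, check_profile and k8s_ac are hypothetical, and the profile name is the one from the sample configuration above.

```shell
#!/usr/bin/env bash
# Added example: function names are hypothetical; PROFILE comes from the
# sample ~/.aws/config shown on this page.
PROFILE="allcode-devops"

# Print the value of KEY inside the [profile NAME] section of an AWS config
# file. Prints nothing when the profile or the key is absent.
profile_value() {
  local file="$1" profile="$2" key="$3"
  awk -v section="[profile $profile]" -v key="$key" '
    /^[ \t]*\[/ {                       # a section header starts here
      gsub(/^[ \t]+|[ \t]+$/, "")
      in_section = ($0 == section)
      next
    }
    in_section {
      eq = index($0, "=")               # split on the first "=" only, so
      if (eq == 0) next                 # URLs containing "=" stay intact
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }
  ' "$file"
}

# Return 0 only when the profile defines both settings used on this page.
check_profile() {
  local file="$1" profile="$2" key missing=0
  for key in aws_saml_url role_arn; do
    if [ -z "$(profile_value "$file" "$profile" "$key")" ]; then
      echo "profile '$profile' in $file is missing $key" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Forward every argument to kubectl under the Okta-backed profile, e.g.
#   k8s_ac get pods
k8s_ac() {
  check_profile "$HOME/.aws/config" "$PROFILE" || return 1
  aws-okta exec "$PROFILE" -- kubectl "$@"
}
```

Source this file from your shell profile to use k8s_ac like the alias, or from another script to reuse it there.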

To learn how to acquire bash access to one of your pods, read this blog post