How to manage AWS Kubernetes clusters on command line

AWS Kubernetes can be managed via the command line through the use of a combination of aws-cli, kubectl, and aws-okta. These instructions primarily apply to AWS EKS.

To install these command line interfaces on your Mac OS X, use Homebrew.
brew install awscli
Next, use Homebrew to install kubectl.
brew install kubernetes-cli
If you’re like most enterprises and your leveraging Okta, then you’ll need to install the aws-okta cli as well. Aws-okta will require you to setup your Two-Factor Authentication (2FA) as Okta will send push notifications asking for permission to execute commands on your cluster.
brew install aws-okta

Set up AWS Okta configuration

Next, you’ll need to set up your AWS okta configuration for your profile. Your Okta administrator will need to provision you with the AWS App Embed URL from the General tab of the AWS application in your Okta org.

You’ll navigate to ~/.aws/config, to set the aws_saml_url. Your Okta admin also should provision you with a profile. Your configuration in ~/.aws/config should end up looking like:

aws_saml_url = home/amazon_aws/0oakkzcxxxxk5Dnvv0xx/272
role_arn = arn:aws:iam::557625315111:role/Allcode-Admin
After you’ve configured your .~/aws/config, try to run the following command:
aws-okta exec allcode-devops — kubectl
You may encounter the following error:
aws-okta exec allcode-devops — kubectl

getting creds via SAML: Okta credentials are not in your keyring. Please make sure you have added okta credentials with `aws-okta add`
You will want to run ‘aws-okta add’ to specify your Okta configuration. When you run aws-okta add, you will need to perform MFA on your phone, we use
Duo for this.
Once you have been verified, then you’ll notice that typing this command becomes painful, our recommendation is to setup an alias.
alias k8s-ac=”aws-okta exec allcode-devops — kubectl”

Alternatively, you can setup bash scripts. Remember the alias cannot be referenced in bash scripts. Below is an example of the contents of a bash script entitled get_pods.sh to get all of the available pods:

aws-okta exec allcode-devops — kubectl get pods
Invoking get pods will provide you with a list of all of the pods that are currently active in the cluster. You will use the name of the pod to invoke specific operations on a pod.

Name Ready Status Restarts Age
website-1560438000-95nvl 0/1 Completed 0 8h
app-server-k68kt 0/1 Completed 0 2m45s
rds-client-gkrlj 0/1 Completed 0 105s

Leveraging your pods

Once you have the list of pods, you can then perform a number of operations from the command line directly against the pod using kubectl.

In certain situations, we will want to use the labels from the yaml spec, to get details on the pod. To learn more about a specific pod, I’ll write a little script entitled describe_backend.sh, which will give me all of the details on a specific pod:

aws-okta exec allcode-devops — kubectl describe deployment $1
The output results from the describe invocation will consist of a plethora of information including the label of the node, replicas, environment variables, etc.

Name: backend
Namespace: default
CreationTimestamp: Thu, 30 May 2019 09:06:13 -0700
Labels: app=backend
Annotations: deployment.kubernetes.io/revision: 9
Selector: app=backend
Replicas: 1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 25% max unavailable, 25% max surge
Pod Template:
Labels app=backend
Containers: backend:
Image: 557625311111.dkr.ecr.us-west-2.amazonaws.com/backend:0.3.3
Port: 8080/TCP
Host Port: 0/TCP
Environment:
Mongo_DB: AllCodeDatabase

Another one of our bash shell scripts will enable us to get a bash shell into the pod, so we can navigate to the logs or explore the health of the pod. The contents of my connect_bash.sh will look like the following where $1 will be the output from the get pods invocation.
aws-okta exec allcode-devops — kubectl exec -it $1 — /bin/bash
The command line invocation will result in a bash cli into the pod without going through the VPN! Helpful!
./connect_bash.sh backend-7d5f74d95f-vq111
[email protected]:/#

Joel Garcia
Joel Garcia

Joel Garcia has been building AllCode since 2015. He’s an innovative, hands-on executive with a proven record of designing, developing, and operating Software-as-a-Service (SaaS), mobile, and desktop solutions. Joel has expertise in HealthTech, VoIP, and cloud-based solutions. Joel has experience scaling multiple start-ups for successful exits to IMS Health and Golden Gate Capital, as well as working at mature, industry-leading software companies. He’s held executive engineering positions in San Francisco at TidalWave, LittleCast, Self Health Network, LiveVox acquired by Golden Gate Capital, and Med-Vantage acquired by IMS Health.