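# Create the Kubernetes service account "dynamodb-pull-sa" in namespace "app"
# and an IAM role bound to it (IAM Roles for Service Accounts). Any pod that
# runs under this service account receives the attached policy's permissions.
# The cluster must already have an IAM OIDC provider associated.
#
# NOTE(review): AmazonDynamoDBFullAccess allows every DynamoDB action on every
# table in the account. The account name says "pull"; if the workload only
# reads, AmazonDynamoDBReadOnlyAccess or a customer-managed policy limited to
# the one table ARN is the least-privilege choice. Confirm what the app needs.
#
# --override-existing-serviceaccounts replaces a service account of the same
# name that already exists in the namespace, so check nothing else relies on it.
#
# Line continuations are a single trailing backslash; a doubled backslash ends
# the command at the first line and runs each option as its own command.
eksctl create iamserviceaccount \
    --name dynamodb-pull-sa \
    --region=ap-northeast-2 \
    --cluster skills-eks-cluster \
    --namespace=app \
    --attach-policy-arn "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess" \
    --override-existing-serviceaccounts \
    --approve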
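#!/bin/bash
# Look up the IAM role behind the dynamodb-pull-sa service account and the ARN
# of the KMS key whose tag value is "eks-kms".
# Sets: ROLE_ARN, ROLE_NAME, keys, key_ids, kms_arn (empty when no key matches).
#
# NOTE(review): the eksctl call names ap-northeast-2 explicitly, but the aws
# calls below use whatever region the CLI is configured with; confirm they match.

ROLE_ARN=$(eksctl get iamserviceaccount \
    --cluster skills-eks-cluster \
    --name dynamodb-pull-sa \
    --namespace app \
    --region ap-northeast-2 \
    --output json | jq -r '.[].status.roleARN')

# The role name is the last path segment of the ARN, so no iam:ListRoles scan
# (and no ARN spliced into a JMESPath filter) is needed. get-role is kept so
# that a role which does not exist still surfaces as an error here.
ROLE_NAME=""
if [ -n "$ROLE_ARN" ] && [ "$ROLE_ARN" != "null" ]; then
    ROLE_NAME=$(aws iam get-role --role-name "${ROLE_ARN##*/}" --query "Role.RoleName" --output text)
else
    echo "warning: no role ARN found for service account dynamodb-pull-sa" >&2
fi

keys=$(aws kms list-keys --output json)
key_ids=$(printf '%s' "$keys" | jq -r '.Keys[].KeyId')

# Start from empty so a value left over from an earlier run is never reused
# when no key matches this time.
kms_arn=""
# Word-splitting of $key_ids is intended: one key id per line.
for key_id in $key_ids; do
    # stderr is discarded so keys whose tags cannot be listed are skipped
    # quietly; the cost is that a permissions problem looks like "no match".
    # The comparison matches only when the key's tag values, joined by the
    # CLI's text output, equal "eks-kms" exactly (i.e. a single tag).
    name_tag=$(aws kms list-resource-tags --key-id "$key_id" --query "Tags[].TagValue" --output text 2> /dev/null)
    if [ "$name_tag" = "eks-kms" ]; then
        kms_arn=$(aws kms describe-key --key-id "$key_id" --query "KeyMetadata.Arn" --output text)
    fi
done

if [ -z "$kms_arn" ]; then
    echo "warning: no KMS key with tag value eks-kms was found" >&2
fi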


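# Deployment for the "order" service: two replicas in namespace "app".
# NOTE(review): no securityContext and no resource requests/limits are set on
# the pod or container, so the container runs with the image's default user
# and the runtime's default privileges.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: order
  namespace: app
  labels:
    app: order
spec:
  replicas: 2
  selector:
    matchLabels:
      app: order
  template:
    metadata:
      labels:
        app: order
    spec:
      # serviceAccountName replaces the deprecated alias "serviceAccount".
      # Every replica inherits the IAM permissions bound to this account.
      serviceAccountName: dynamodb-pull-sa
      containers:
      - name: order-cnt
        # Placeholder; the deploy step substitutes the registry URI and tag.
        image: IMAGE
        ports:
        - containerPort: 8080
        env:
        - name: AWS_REGION
          valueFrom:
            # The Secret "db-credentials" must exist in namespace "app" with a
            # REGION key, otherwise the container cannot be created.
            secretKeyRef:
              name: db-credentials
              key: REGION
      # Schedules only onto nodes labelled skills=app.
      nodeSelector:
        skills: app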
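# Resolve the ECR image for the "order" repository, write it into
# deployment.yaml in place of the placeholder, and apply the manifest.
IMAGE_URL=$(aws ecr describe-repositories --repository-name order \
    --query "repositories[0].repositoryUri" --output text)

# Select one tag: the first tag of the most recently pushed image. Listing
# every tag of every image yields several whitespace-separated values as soon
# as the repository holds more than one image or tag, which produces an
# invalid image reference.
# NOTE(review): tags are mutable. The same describe-images output carries
# imageDigest; deploying "<uri>@<digest>" pins the exact image that was pushed.
IMAGE_TAG=$(aws ecr describe-images --repository-name order \
    --query "sort_by(imageDetails,&imagePushedAt)[-1].imageTags[0]" --output text)

IMAGE="$IMAGE_URL:$IMAGE_TAG"

# The CLI prints "None" for a null result (no repository, or an untagged image).
if [ -z "$IMAGE_URL" ] || [ "$IMAGE_URL" = "None" ] ||
    [ -z "$IMAGE_TAG" ] || [ "$IMAGE_TAG" = "None" ]; then
    echo "error: could not resolve an image for repository 'order' (got '$IMAGE')" >&2
else
    # Rewrite only the container's "image:" value, not every occurrence of the
    # placeholder word in the file, and apply only if the rewrite succeeded.
    sed -i "s|\(image:[[:space:]]*\)IMAGE[[:space:]]*\$|\1${IMAGE}|" deployment.yaml &&
        kubectl apply -f deployment.yaml
fi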
# Service in front of the "order" pods in namespace "app".
# No "type" is given, so Kubernetes uses the default ClusterIP: the service is
# reachable only from inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: order
  namespace: app
spec:
  # Routes to every pod in the namespace carrying the label app=order.
  selector:
    app: order
  ports:
    - protocol: TCP
      # Service port 8080 forwards to container port 8080.
      port: 8080
      targetPort: 8080
# Create or update the Service; the target namespace comes from the manifest.
kubectl apply --filename=service.yaml