Pivotal Container Service v1.2

Preparing AWS Before Deploying PKS


This guide describes the preparation steps required to install Pivotal Container Service (PKS) on Amazon Web Services (AWS).

After you follow the procedures in Deploying Ops Manager on AWS and Configuring Ops Manager on AWS, you must create policies and instance profiles for the master node and worker node VMs before deploying PKS. Follow these procedures to create policies and instance profiles in your AWS environment.

Modify the Ops Manager IAM User or Role

To allow Ops Manager to assign the master node and worker node instance profiles to each VM, do one of the following:

  • If you selected the Use AWS Keys option in the AWS Config pane of the BOSH Director tile, follow the instructions in Modify the Ops Manager IAM User.

  • If you selected the Use AWS Instance Profile option in the AWS Config pane of the BOSH Director tile, follow the instructions in Modify the Ops Manager IAM Role.

For information about configuring the AWS Config pane of the BOSH Director tile, see the AWS Config Page section in Configuring Ops Manager on AWS.

Modify the Ops Manager IAM User

To allow Ops Manager to assign the master node and worker node instance profiles to each VM, change the inline policy of the Ops Manager IAM user:

  1. Log in to the AWS Management Console.
  2. Select IAM > Users.
  3. Select your Ops Manager IAM user for your environment.
  4. In Permissions, select the Ops Manager user policy, YOUR-ENVIRONMENT-NAME_ops_manager_user.
  5. Click Edit policy.
  6. Select JSON.
  7. Search for the iam:PassRole statement and replace the Resource field with *. For example:

    {
        "Sid": "AllowToCreateInstanceWithCurrentInstanceProfile",
        "Effect": "Allow",
        "Action": [
            "iam:PassRole"
        ],
        "Resource": "*"
    }
    
  8. Click Review Policy.

  9. Click Save changes.

Modify the Ops Manager IAM Role

To allow Ops Manager to assign the master node and worker node instance profiles to each VM, add the following inline policy to the Ops Manager IAM role:

  1. Log in to the AWS Management Console.
  2. Select IAM > Roles.
  3. Select your Ops Manager IAM role for your environment.
  4. Click Add inline policy.
  5. Select JSON.
  6. Copy and paste the following into the JSON tab:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": "*"
            }
        ]
    }
    
  7. Click Review Policy.

  8. Choose a name for the policy.

  9. Click Create policy.

Create IAM Instance Profiles

In order for Kubernetes to create load balancers and attach persistent disks to pods, the master node and worker node VMs must run with IAM roles that grant sufficient permissions.

To set up these permissions, create master node and worker node policies and associate them with instance profiles.

Step 1: Create the Master Node Policy

  1. Log in to the AWS Management Console.
  2. Select IAM > Policies.
  3. Click Create policy.
  4. Click JSON.
  5. Copy the following policy and paste it into the policy field:

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": "s3:*",
                 "Resource": [
                     "arn:aws:s3:::kubernetes-*"
                 ]
             },
             {
                 "Effect": "Allow",
                 "Action": "ec2:Describe*",
                 "Resource": "*"
             },
             {
                 "Effect": "Allow",
                 "Action": "ec2:AttachVolume",
                 "Resource": "*"
             },
             {
                 "Effect": "Allow",
                 "Action": "ec2:DetachVolume",
                 "Resource": "*"
             },
             {
                 "Effect": "Allow",
                 "Action": [
                     "ec2:*"
                 ],
                 "Resource": [
                     "*"
                 ]
             },
             {
                 "Effect": "Allow",
                 "Action": [
                     "elasticloadbalancing:*"
                 ],
                 "Resource": [
                     "*"
                 ]
             }
         ]
     }
    
  6. Click Review policy.

  7. Give the policy a name. For example, pks-master-policy.

  8. Click Create policy.

Step 2: Create the Master Node Instance Profile

  1. From the AWS Management Console, select IAM > Roles.

  2. Click Create role.

  3. Under Select type of trusted entity, select AWS service.

  4. Under Choose the service that will use this role, select EC2.

  5. Click Next: Permissions.

  6. Select the policy you created in the previous section. For example, pks-master-policy.

  7. Click Next: Review.

  8. Name the role. For example, pks-master.

  9. Click Create role.

Step 3: Create the Worker Node Policy

  1. From the AWS Management Console, select IAM > Policies.
  2. Click Create policy.
  3. Click JSON.
  4. Copy the following policy and paste it into the policy field:

     {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": "ec2:Describe*",
              "Effect": "Allow",
              "Resource": "*"
          },
          {
              "Action": "ec2:AttachVolume",
              "Effect": "Allow",
              "Resource": "*"
          },
          {
              "Action": "ec2:DetachVolume",
              "Effect": "Allow",
              "Resource": "*"
          }
      ]
     }
    
  5. Click Review policy.

  6. Give the policy a name. For example, pks-worker-policy.

  7. Click Create policy.

Step 4: Create the Worker Node Instance Profile

  1. From the AWS Management Console, select IAM > Roles.

  2. Click Create role.

  3. Under Select type of trusted entity, select AWS service.

  4. Under Choose the service that will use this role, select EC2.

  5. Click Next: Permissions.

  6. Select the policy you created in the previous section. For example, pks-worker-policy.

  7. Click Next: Review.

  8. Name the role. For example, pks-worker.

  9. Click Create role.
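The policies above grant whole services (`ec2:*`, `s3:*`, `elasticloadbalancing:*`) and allow Ops Manager to pass any role (`iam:PassRole` on `*`). Before applying them, it is worth knowing exactly which statements are that broad, and the PassRole grant in particular can be scoped to the two node roles this guide creates. The following is an added example, not Pivotal's code or part of this guide: it audits the master node policy from this page and builds a PassRole statement restricted to the `pks-master` and `pks-worker` role names; the account id is a constructed placeholder.

```python
"""Audit the IAM policy documents on this page for over-broad grants.

Added example, not Pivotal's code. The account id is a constructed
placeholder; the role names are the example names used in this guide."""
import json

# Constructed sample: the master node policy from this page, reduced to the
# statements relevant to the audit.
MASTER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": ["arn:aws:s3:::kubernetes-*"]},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["elasticloadbalancing:*"], "Resource": ["*"]}
  ]
}""")


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy):
    """Return (sid-or-index, action, resource) for every Allow statement that
    grants a whole service ('svc:*') or passes any role ('iam:PassRole' on '*')."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            for res in _as_list(st.get("Resource", [])):
                service_wide = action.endswith(":*")
                pass_any_role = action == "iam:PassRole" and res == "*"
                if service_wide or pass_any_role:
                    findings.append((st.get("Sid", str(i)), action, res))
    return findings


def scoped_pass_role(account_id, role_names):
    """Build a PassRole statement limited to the node roles Ops Manager must
    pass to the master and worker VMs, instead of Resource "*"."""
    return {
        "Sid": "AllowPassRoleToPksNodeRoles",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": [f"arn:aws:iam::{account_id}:role/{n}" for n in role_names],
    }


if __name__ == "__main__":
    for sid, action, res in find_broad_grants(MASTER_POLICY):
        print(f"broad grant in statement {sid}: {action} on {res}")
    print(json.dumps(scoped_pass_role("123456789012", ["pks-master", "pks-worker"]), indent=2))
```

If you scope PassRole this way, the role names in the ARNs must match the names you give the roles in Steps 2 and 4, or Ops Manager will fail to assign the instance profiles.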

Next Steps

After you complete this procedure, follow the instructions in the following topics:

  1. Creating an AWS Load Balancer for the PKS API
  2. Installing PKS on AWS

Please send any feedback you have to pks-feedback@pivotal.io.
