🏗 Build Analytical Platform Compute EKS #3555

Closed
2 of 3 tasks
Tracked by #2955
jacobwoffenden opened this issue Mar 4, 2024 · 11 comments
@jacobwoffenden

jacobwoffenden commented Mar 4, 2024

User Story

As an Analytical Platform Product Engineer
I need to host applications that can't live on Cloud Platform
So that we can run the service

Value / Purpose

DPAT's EKS lives in the DPAT account and can't easily be renamed; my proposal is to provision a new Modernisation Platform account (analytical-platform-compute) and rebuild our EKS cluster there (without any Data Platform components)

Useful Contacts

@jacobwoffenden

User Types

Analytical Platform Product Engineering

Hypothesis

If we rebuild our new EKS cluster in Analytical Platform Compute
Then we have a home for Analytical Platform Dashboard, Analytical Platform Tools, and Analytical Platform Airflow

Proposal

  • Request new Modernisation Platform accounts (analytical-platform-compute)
  • Retire new Modernisation Platform accounts (data-platform-compute)
  • Build out EKS cluster

Additional Information

DPAT EKS currently hosts:

  • Data Platform Assets (web service serving images)
  • Data Platform's Open Metadata and DataHub instances
  • GitHub Actions Self Hosted Runner capability

Definition of Done

@jacobwoffenden

02/05/24 update:

@jacobwoffenden

Cluster creation blocked as MemberInfrastructureAccess cannot create OIDC provider due to org SCP

Error: creating IAM OIDC Provider: operation error IAM: CreateOpenIDConnectProvider, https response error StatusCode: 403, RequestID: 56134a29-6a14-430b-879a-2f4fa59f0e41, api error AccessDenied: User: arn:aws:sts::381491960855:assumed-role/MemberInfrastructureAccess/aws-go-sdk-1715608907993994861 is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: arn:aws:iam::381491960855:oidc-provider/oidc.eks.eu-west-2.amazonaws.com/id/1972AFFBD0701A0D1FD291E34F7D1287 with an explicit deny in a service control policy
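
The error above names the policy layer that produced the deny ("with an explicit deny in a service control policy"), and that wording decides who can fix it: an SCP deny cannot be lifted by granting the role more permissions, only by the organisation owners amending the SCP or moving the account to another OU. The triage helper below is an added example, not code from this issue or the Analytical Platform repositories; it parses AWS AccessDenied messages offline. The first sample message is the one quoted above; the other two are constructed variants that use the same AWS wording.

```python
"""Triage an AWS AccessDenied message: which policy layer denied the call and who can lift it."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. The first message is the one quoted in the comment above;
# the other two are constructed variants written in the same AWS message format.
SAMPLE_ERRORS = [
    "Error: creating IAM OIDC Provider: operation error IAM: CreateOpenIDConnectProvider, "
    "https response error StatusCode: 403, RequestID: 56134a29-6a14-430b-879a-2f4fa59f0e41, "
    "api error AccessDenied: User: arn:aws:sts::381491960855:assumed-role/MemberInfrastructureAccess/aws-go-sdk-1715608907993994861 "
    "is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: "
    "arn:aws:iam::381491960855:oidc-provider/oidc.eks.eu-west-2.amazonaws.com/id/1972AFFBD0701A0D1FD291E34F7D1287 "
    "with an explicit deny in a service control policy",
    # constructed: same action, but the role simply has no Allow for it
    "api error AccessDenied: User: arn:aws:sts::111111111111:assumed-role/ExampleRole/session "
    "is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: "
    "arn:aws:iam::111111111111:oidc-provider/oidc.eks.eu-west-2.amazonaws.com/id/EXAMPLE "
    "because no identity-based policy allows the iam:CreateOpenIDConnectProvider action",
    # constructed: an explicit Deny in the role's own policy
    "api error AccessDenied: User: arn:aws:sts::111111111111:assumed-role/ExampleRole/session "
    "is not authorized to perform: s3:PutObject on resource: arn:aws:s3:::example-bucket/key "
    "with an explicit deny in an identity-based policy",
]

# The "User: ... is not authorized to perform: ... on resource: ... <reason>" shape AWS uses.
_MSG = re.compile(
    r"User: (?P<principal>arn:aws:\S+) is not authorized to perform: (?P<action>\S+)"
    r"(?: on resource: (?P<resource>\S+))?"
    r"(?: (?P<reason>(?:with an explicit deny|because no) .*?))?\s*$"
)

# Substring of the reason -> (policy layer, who has to change something). Order matters:
# the first match wins, so the most specific layers come first.
_LAYERS = [
    ("service control policy", "service control policy",
     "organisation administrators: amend the SCP or move the account to another OU"),
    ("permissions boundary", "permissions boundary", "account administrators: amend the boundary policy"),
    ("resource-based policy", "resource-based policy", "owner of the target resource"),
    ("identity-based policy", "identity-based policy", "account administrators: amend the role or user policy"),
    ("session policy", "session policy", "whoever assumed the role with a session policy"),
]


@dataclass
class DenyTriage:
    principal: str
    action: str
    resource: Optional[str]
    layer: str           # policy layer that produced the decision
    explicit_deny: bool  # True: a Deny statement matched; False: no Allow anywhere
    fix_owner: str       # who needs to change something


def triage_access_denied(message: str) -> DenyTriage:
    """Parse one AccessDenied message into the fields a responder needs."""
    m = _MSG.search(message)
    if m is None:
        raise ValueError("message is not in the AWS 'User: ... is not authorized to perform' format")
    reason = (m.group("reason") or "").lower()
    explicit = reason.startswith("with an explicit deny")
    layer, owner = "unknown", "check the CloudTrail errorMessage for this request"
    for needle, found_layer, found_owner in _LAYERS:
        if needle in reason:
            layer, owner = found_layer, found_owner
            break
    if layer == "service control policy":
        owner += " (adding permissions to the role cannot override an SCP deny)"
    return DenyTriage(m.group("principal"), m.group("action"), m.group("resource"), layer, explicit, owner)


def layers_by_count(messages) -> dict:
    """Summarise a batch of errors (e.g. from a failed plan) by deciding policy layer."""
    counts: dict = {}
    for msg in messages:
        layer = triage_access_denied(msg).layer
        counts[layer] = counts.get(layer, 0) + 1
    return counts


if __name__ == "__main__":
    for err in SAMPLE_ERRORS:
        t = triage_access_denied(err)
        print(f"{t.action} on {t.resource}: {t.layer} (explicit deny: {t.explicit_deny}) -> {t.fix_owner}")
```

Running it on the three samples shows the distinction that matters for this issue: the first message is an explicit SCP deny (org-level fix), the second is a missing Allow (fix the role), the third an explicit deny in the role's own policy.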

@jacobwoffenden

jacobwoffenden commented May 13, 2024

13/05/24 update:

  • In an effort to not build the cluster bit-by-bit, I configured VPC CNI to use IRSA immediately, but there's a dependency on the cluster being "ready" so that the IRSA enabled role can create... 🐔 & 🥚

    • I switched back to the default of VPC CNI using the node's role, and enabling the VPC CNI policy, but I will perform another experiment tomorrow of the CNI policy being attached to the node and VPC CNI using IRSA immediately (in Analytical Platform Development)
  • However cluster creation was ultimately blocked by an organisational SCP denying iam:CreateOpenIDConnectProvider

    • @dms1981 added the permissions to MemberInfrastructureAccess which exposed the SCP
    • @ewastempel removed the accounts from the OU, and introduced another error because GitHub Action couldn't assume the backend role
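
The chicken-and-egg in the first bullet comes from the shape of an IRSA trust policy: the role must trust the cluster's OIDC provider ARN, and that ARN embeds the `/id/<hex>` segment EKS assigns only once the cluster exists. The code below is an added example (not the project's Terraform or any AWS library code) that builds the standard trust policy document from an issuer URL and audits a policy for the two least-privilege conditions it should carry. The account id and issuer URL are the ones from the error quoted earlier in this issue; the `kube-system`/`aws-node` namespace and service account are the VPC CNI defaults and are assumed here rather than taken from the page.

```python
"""Build and audit an IRSA role trust policy from a cluster's OIDC issuer URL."""
import json
from urllib.parse import urlparse

STS_AUDIENCE = "sts.amazonaws.com"

# Values from the error quoted earlier in this issue.
ACCOUNT_ID = "381491960855"
ISSUER_URL = "https://oidc.eks.eu-west-2.amazonaws.com/id/1972AFFBD0701A0D1FD291E34F7D1287"


def oidc_provider_arn(account_id: str, issuer_url: str) -> str:
    """Provider ARN for the cluster's issuer. The /id/<hex> segment is assigned at cluster
    creation, so neither this ARN nor a role trusting it can exist before the cluster does."""
    parts = urlparse(issuer_url)
    cluster_id = parts.path.removeprefix("/id/")
    if parts.scheme != "https" or not parts.netloc or not parts.path.startswith("/id/") or not cluster_id:
        raise ValueError(f"not a usable EKS OIDC issuer URL (cluster not created yet?): {issuer_url!r}")
    return f"arn:aws:iam::{account_id}:oidc-provider/{parts.netloc}{parts.path}"


def provider_arn_available(account_id: str, issuer_url: str) -> bool:
    """True once the issuer URL carries a cluster id, i.e. once the cluster is ready."""
    try:
        oidc_provider_arn(account_id, issuer_url)
        return True
    except ValueError:
        return False


def irsa_trust_policy(account_id: str, issuer_url: str, namespace: str, service_account: str) -> dict:
    """Trust policy scoped to exactly one Kubernetes service account, with the audience pinned."""
    provider_arn = oidc_provider_arn(account_id, issuer_url)
    issuer = provider_arn.split(":oidc-provider/", 1)[1]  # host/id/<hex>, the condition key prefix
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{issuer}:aud": STS_AUDIENCE,
            }},
        }],
    }


def audit_trust_policy(policy: dict) -> list:
    """Findings for web-identity statements that are broader than one service account."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        subs = {k: v for k, v in {**equals, **like}.items() if k.endswith(":sub")}
        auds = {k: v for k, v in equals.items() if k.endswith(":aud")}
        if not subs:
            findings.append(f"statement {i}: no :sub condition, any service account in the cluster may assume the role")
        for key, value in subs.items():
            for v in (value if isinstance(value, list) else [value]):
                if "*" in v or "?" in v:
                    findings.append(f"statement {i}: wildcard subject {key}={v}")
        if not auds:
            findings.append(f"statement {i}: no :aud condition, tokens issued for other audiences are accepted")
    return findings


if __name__ == "__main__":
    policy = irsa_trust_policy(ACCOUNT_ID, ISSUER_URL, "kube-system", "aws-node")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy))
```

`provider_arn_available` returns False for an issuer URL with an empty id segment, which is exactly the state the role is in while the cluster is still being created; that is the dependency the VPC CNI experiment ran into.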

@jacobwoffenden jacobwoffenden moved this from 🚫 Blocked to 🚀 In Progress in Analytical Platform May 14, 2024
@jacobwoffenden jacobwoffenden changed the title ♻️ Rebuild EKS cluster in Analytical Platform Compute 🏗 Build Analytical Platform Compute EKS May 15, 2024
@jacobwoffenden

15/05/24 update:

@jacobwoffenden jacobwoffenden moved this from 🚀 In Progress to 🚫 Blocked in Analytical Platform May 15, 2024
@jacobwoffenden

16/05/24 update:

@jacobwoffenden jacobwoffenden moved this from 🚫 Blocked to 🚀 In Progress in Analytical Platform May 20, 2024
@jacobwoffenden

jacobwoffenden commented May 20, 2024

20/05/24 update:

  • aws-cloudwatch-metrics installed but is configured to use hostNetwork: true as it currently doesn't support either IRSA or EKS Pod Identity 😭
  • aws-for-fluent-bit installed, publishing to CMK encrypted CloudWatch log group using IRSA 🎉
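
A pod running with `hostNetwork: true` shares the node's network namespace, so it reaches the node's instance metadata service exactly as the node does, the IMDSv2 hop limit does not stand between it and the node role's credentials. That is why the aws-cloudwatch-metrics workaround above is worth recording as a known exception and why any other hostNetwork pod should be explained. The inventory below is an added example, not project code: it takes pod and service-account objects in the shape `kubectl get pods -A -o json` / `kubectl get sa -A -o json` return, flags hostNetwork pods, reports whether their service account carries the IRSA `eks.amazonaws.com/role-arn` annotation, and marks which are on an accepted list. The sample objects, namespaces and role ARN are constructed; the accepted list is an assumed local convention.

```python
"""Inventory hostNetwork pods on a cluster and whether each has an IRSA role."""

IRSA_ROLE_ANNOTATION = "eks.amazonaws.com/role-arn"  # the annotation IRSA reads from a service account

# Constructed sample objects shaped like the items of `kubectl get pods -A -o json`.
SAMPLE_PODS = [
    {"metadata": {"namespace": "amazon-cloudwatch", "name": "aws-cloudwatch-metrics-x7k2p",
                  "ownerReferences": [{"kind": "DaemonSet", "name": "aws-cloudwatch-metrics"}]},
     "spec": {"hostNetwork": True, "serviceAccountName": "aws-cloudwatch-metrics"}},
    {"metadata": {"namespace": "aws-for-fluent-bit", "name": "aws-for-fluent-bit-9q1zr",
                  "ownerReferences": [{"kind": "DaemonSet", "name": "aws-for-fluent-bit"}]},
     "spec": {"hostNetwork": False, "serviceAccountName": "aws-for-fluent-bit"}},
    {"metadata": {"namespace": "default", "name": "debug-shell"},  # constructed: an unexplained hostNetwork pod
     "spec": {"hostNetwork": True}},
]

# Constructed sample objects shaped like the items of `kubectl get sa -A -o json`.
SAMPLE_SERVICE_ACCOUNTS = [
    {"metadata": {"namespace": "amazon-cloudwatch", "name": "aws-cloudwatch-metrics"}},
    {"metadata": {"namespace": "aws-for-fluent-bit", "name": "aws-for-fluent-bit",
                  "annotations": {IRSA_ROLE_ANNOTATION: "arn:aws:iam::123456789012:role/example-fluent-bit"}}},
]

# Assumed local convention: (namespace, workload) pairs whose hostNetwork use is understood.
ACCEPTED_HOST_NETWORK = {("amazon-cloudwatch", "aws-cloudwatch-metrics")}


def host_network_report(pods, service_accounts, accepted) -> list:
    """One record per hostNetwork pod: its workload, service account, IRSA role and accepted status."""
    sa_roles = {}
    for sa in service_accounts:
        md = sa["metadata"]
        sa_roles[(md["namespace"], md["name"])] = (md.get("annotations") or {}).get(IRSA_ROLE_ANNOTATION)

    report = []
    for pod in pods:
        spec = pod["spec"]
        if not spec.get("hostNetwork", False):
            continue
        md = pod["metadata"]
        namespace = md["namespace"]
        service_account = spec.get("serviceAccountName", "default")  # Kubernetes default when unset
        owners = md.get("ownerReferences") or []
        workload = owners[0]["name"] if owners else md["name"]  # DaemonSet/ReplicaSet name, else bare pod
        report.append({
            "namespace": namespace,
            "pod": md["name"],
            "workload": workload,
            "service_account": service_account,
            "irsa_role": sa_roles.get((namespace, service_account)),
            "accepted": (namespace, workload) in accepted,
        })
    return report


def unexpected_host_network(report) -> list:
    """The records that need an owner to explain them."""
    return [r for r in report if not r["accepted"]]


if __name__ == "__main__":
    rows = host_network_report(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS, ACCEPTED_HOST_NETWORK)
    for r in rows:
        status = "accepted" if r["accepted"] else "UNEXPECTED"
        print(f"{status}: {r['namespace']}/{r['pod']} sa={r['service_account']} irsa={r['irsa_role']}")
```

On the sample input the metrics DaemonSet is reported as accepted with no IRSA role (matching the workaround above), fluent-bit does not appear because it is not hostNetwork, and the constructed `debug-shell` pod is the one that would need chasing.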

@jacobwoffenden

jacobwoffenden commented May 22, 2024

22/05/24 update:

  • No work carried out

@jacobwoffenden

Moving to blocked due to aws/containers-roadmap#2359, cannot proceed as plans aren't successful. Have raised in #ext-slack

@jacobwoffenden

1.30 compatibility has been added to aws-guardduty-agent

@jacobwoffenden jacobwoffenden moved this from 🚫 Blocked to 🚀 In Progress in Analytical Platform May 30, 2024
@github-project-automation github-project-automation bot moved this from 🚀 In Progress to 🎉 Done in Analytical Platform May 30, 2024