Deploy Kriten on EKS: Secure and Isolated Environments for Teams

IT Automation has the potential to increase the speed and accuracy of running cloud or on-premise infrastructure. We’ve worked in IT automation for many years, and as a result, we know the issues teams come up against that act as a roadblock to IT automation adoption.

That’s why we developed Kriten—to address some of the main adoption inhibitors. The beauty of Kriten is it can be integrated with various platforms, including Amazon’s Elastic Kubernetes Service (EKS).

This article aims to facilitate the secure installation of Kriten into an Amazon EKS cluster, leveraging AWS Certificate Manager, Route 53, ALB, and EKS. This setup is designed to cater to different teams, allowing them to independently spin up their instances of Kriten within separate namespaces and URLs. The process ensures that each team's Kriten environment is isolated and secure, promoting efficient collaboration and resource management.

What is Kriten?

Kriten is a code execution platform. The tool was written for and runs on Kubernetes as a cloud-native application. Kriten exposes containerised applications written in any modern language as a no-code REST API endpoint, with local or/and AD authentication and granular RBAC. It allows the requester to execute that code as a Kubernetes job and to get results asynchronously.

Key features

  • No-code REST API exposure of custom application and script execution: A user-friendly platform that speeds up deployment and reduces complexity.

  • Local and/or AD user authentication: Ensure secure access control.

  • Granular RBAC to permission CRUD operations against Kriten configured objects: Control who can view, create, modify or delete resources, ensuring only users with access can make changes.

  • Kriten scales with Kubernetes: Benefit from elasticity to scale up or down and high availability as the load increases.

To learn more about Kriten’s features, please read our Kriten Documentation.

Use Case

The DevOps and Infrastructure (Infra) teams can autonomously deploy Kriten using dedicated Helm charts, ensuring each team gets a distinct and secure URL for Kriten.

  • The Helm installation seamlessly automates various tasks:

    • It dynamically creates Route53 entries tailored for each deployment.

    • Corresponding rules for the Application Load Balancer (ALB) are generated, ensuring accurate traffic routing.

    • All these configurations are then seamlessly bound to the Kriten service within the EKS cluster, ensuring a cohesive infrastructure.

  • Deploying a wildcard certificate provides an added layer of security. This ensures that every new Kriten URL, regardless of its specific sub-domain, remains safeguarded and encrypted, bolstering the overall security posture of the deployment.

Prerequisites and Guidelines

Before proceeding with the installation, please ensure the following prerequisites are met:

  • Installation into a dedicated Kubernetes cluster or namespace is recommended to limit access to Kriten resources for dedicated teams only.

  • Kriten is the only workload that should be running in the cluster/namespace.

  • EKS version 1.23+ is required.

  • Helm version v3+ is required.

  • EBS plugin with a well-configured AWS policy is required for volume creation in PostgreSQL.

  • Installed AWS Ingress load-balancer controller with well-configured AWS policy.

  • The Kriten version is 0.3 for this demo.

AWS Certificate Installation in Certificate Manager

A wildcard certificate is used in the ingress. Please follow these steps to install the AWS certificate in the Certificate Manager:

  1. Navigate to the AWS Certificate Manager.

  2. Request a new certificate.

  3. Choose the option for a wildcard certificate and enter the domain details. (e.g. *.kriten.evolvere-link.lab)

  4. Complete the validation process as per the instructions provided by AWS.

  5. Once validated, the certificate will be available for use in the ingress.

Install External DNS using Helm

Usage of External-DNS

  • Automated DNS Management: External-DNS watches for changes to Kubernetes Ingresses resources and automatically updates the DNS records in your AWS Route 53.

  • Automatic ALB Record Creation: When using AWS and deploying an Ingress, External-DNS can automatically create the corresponding DNS records in Route 53 to point to the ALB. This automation streamlines connecting your Kubernetes services to the outside world.

Install External-DNS

To install External DNS, follow these steps:

Create IAM Policy and Role for External-DNS:

  • Navigate to the AWS IAM console.

    • Create a new IAM role with the necessary permissions for External-DNS to interact with Route 53 and other AWS services.

    • Note down the ARN of the created IAM role.

#IAM policy sample

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

#IAM role sample
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:oidc-provider/oidc.eks.<YOUR_REGION>.amazonaws.com/id/<YOUR_OIDC_PROVIDER_ID>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.<YOUR_REGION>.amazonaws.com/id/<YOUR_OIDC_PROVIDER_ID>:sub": "system:serviceaccount:kube-system:external-dns"
                }
            }
        }
    ]
}

Add the External-DNS Helm Repository:

  • Open your terminal or command line interface.

  • Add the External-DNS Helm repository by running.

helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/

Install External-DNS using Helm:

Install External-DNS in the kube-system namespace with the following Helm command:

helm install external-dns external-dns/external-dns \ 
--namespace kube-system \ 
--set image.repository=registry.k8s.io/external-dns/external-dns \ 
--set serviceAccount.create=true \ 
--set serviceAccount.name=external-dns \ 
--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"=<IAM_ROLE_ARN> \ 
--set provider=aws

Replace <IAM_ROLE_ARN> with the ARN of the IAM role you created earlier.

Install Kriten for the DevOps Team

Step 1: Create the DevOps Namespace

Create a dedicated namespace for the DevOps team in your Kubernetes cluster:

kubectl create namespace devops

Step 2: Clone the Kriten Chart

Clone the Kriten Helm chart from the official repository:

git clone https://github.com/kriten-io/kriten-charts.git

Step 3: Edit the values.yaml file

Navigate to the cloned directory and edit the values.yaml file to configure the service and ingress settings:

namespace: devops
image:
  tag: "0.3" 
service:
  type: NodePort
  port: 80

postgresql:
  host: devops-kriten-postgresql

ingress:
  enabled: true
  className: "alb"
  annotations: 
    alb.ingress.kubernetes.io/certificate-arn: <your-certificate-arn>
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/group.name: kriten
    alb.ingress.kubernetes.io/listen-ports: "[{\"HTTPS\":443}, {\"HTTPS\":80}]"
    external-dns.alpha.kubernetes.io/hostname: devops.kriten.your-domain.com
    nginx.ingress.kubernetes.io/use-regex: "true"
  hosts:
    - host: "devops.kriten.your-domain.com" 
      paths:
        - path: /
          pathType: Prefix

Step 4: Install Kriten Using Helm

Deploy Kriten in the devops namespace using Helm:

helm install devops-kriten . -f values.yaml --namespace devops

Step 5: Test the Kriten Login

Verify the installation by accessing Kriten through the provided URL and logging in.

export KRITEN_URL=https://devops.kriten.your-domain.com
curl -c ./token.txt $KRITEN_URL'/api/v1/login' \
--header 'Content-Type: application/json' \
--data '{
  "username": "root",
  "password": "root",
  "provider": "local"
}'

Install Kriten for the Infrastructure Team

Repeat the above steps for the Infra team, ensuring to replace devops with infra in all commands and configurations. Additionally, update the hostname in the values.yaml file to reflect the Infra team's URL:

namespace: infra
image:
  tag: "0.3" 
service:
  type: NodePort
  port: 80

postgresql:
  host: infra-kriten-postgresql

ingress:
  enabled: true
  className: "alb"
  annotations: 
    alb.ingress.kubernetes.io/certificate-arn: <your-certificate-arn>
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/group.name: kriten
    alb.ingress.kubernetes.io/listen-ports: "[{\"HTTPS\":443}, {\"HTTPS\":80}]"
    external-dns.alpha.kubernetes.io/hostname: infra.kriten.your-domain.com
    nginx.ingress.kubernetes.io/use-regex: "true"
  hosts:
    - host: "infra.kriten.your-domain.com" 
      paths:
        - path: /
          pathType: Prefix

In Summary: Kriten Deployment Guide for Amazon EKS

By following these steps, both the DevOps and Infra teams can have their own instances of Kriten running in separate namespaces within the EKS cluster. This setup allows for secure and isolated environments tailored to each team's needs.

For more information about how to use Kriten, you can check out the Kriten Installation GitHub or refer to Kriten Documentation on GitHub. We’d be happy to answer any questions so that you get the most out of our new platform.