Getting "Unable to recognize \"hello-k8s.yml\": Unauthorized" error when running kubectl apply -f hello-k8s.yml in CodeBuild phase

12/4/2019

I am new to Kubernetes and trying to create an AWS CodePipeline to deploy a service to an EKS stack.

I am following this tutorial. I have followed all the steps, including creating a role and adding permissions, so that CodeBuild will be able to talk with EKS.

The issue I am facing right now is that when CodePipeline runs, it fails on the command below in the CodeBuild phase.

kubectl apply -f hello-k8s.yml

and gives this error:

[Container] 2019/12/04 07:41:43 Running command kubectl apply -f hello-k8s.yml 
unable to recognize "hello-k8s.yml": Unauthorized 
unable to recognize "hello-k8s.yml": Unauthorized 

I am not very sure whether it's a credentials issue, because I have followed all the steps to add the user/role as per the tutorial.

Can anyone please help me on this?

-- Pratik
amazon-web-services
aws-codebuild
aws-codepipeline
kubectl
kubernetes

1 Answer

12/5/2019

Deploying YAML manifests to Kubernetes from CodeBuild requires the following high-level steps:

  1. Create an IAM Service role for CodeBuild
  2. Map the CodeBuild Service role in EKS using the “aws-auth” ConfigMap
  3. Create source files in a code repository
  4. Create and start a CodeBuild project
  5. Confirm the required objects are created in the EKS cluster

Create an IAM Service role for CodeBuild (don't use an existing service role, as it includes a '/path/')

Run the following commands to create a CodeBuild service role and attach the required policies:

$ TRUST="{   \"Version\": \"2012-10-17\",   \"Statement\": [     {       \"Effect\": \"Allow\",       \"Principal\": {         \"Service\": \"codebuild.amazonaws.com\"       },       \"Action\": \"sts:AssumeRole\"     }   ] }"
$ echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "eks:Describe*", "Resource": "*" } ] }' > /tmp/iam-role-policy
$ aws iam create-role --role-name CodeBuildKubectlRole --assume-role-policy-document "$TRUST" --output text --query 'Role.Arn'
$ aws iam put-role-policy --role-name CodeBuildKubectlRole --policy-name eks-describe --policy-document file:///tmp/iam-role-policy
$ aws iam attach-role-policy --role-name CodeBuildKubectlRole --policy-arn arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
$ aws iam attach-role-policy --role-name CodeBuildKubectlRole --policy-arn arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess

Map the CodeBuild Service role in EKS using “aws-auth” ConfigMap

Edit the ‘aws-auth’ ConfigMap and add the Role Mapping for the CodeBuild service role:

$ vi aws-auth.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::AccountId:role/devel-worker-nodes-NodeInstanceRole-14W1I3VCZQHU7
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::AccountId:role/CodeBuildKubectlRole
      username: build
      groups:
        - system:masters

$ kubectl apply -f aws-auth.yaml

Create source files in Code repository

Create a repository in GitHub/CodeCommit with sample files as follows:

.
├── buildspec.yml
└── deployment
   └── pod.yaml

A sample repository is located here: https://github.com/shariqmus/codebuild-to-eks

Notes:

  • The buildspec.yml file installs kubectl and aws-iam-authenticator and configures kubectl in the CodeBuild environment
  • Update the buildspec.yml file with the correct region and cluster_name on Line 16
  • Add the deployment YAML files in the “deployment” directory

Create and Start a Build Project

  1. Open the CodeBuild console
  2. Click the ‘Create Build Project’ button
  3. Name the project
  4. Use a CodeCommit repository where you have added the attached files: “buildspec.yml” and “pod.yaml”
  5. Use Managed Image > Ubuntu > Standard 1.0
  6. In the Role Name, select “CodeBuildKubectlRole”
  7. Click the ‘Create Build Project’ button
  8. Click the ‘Start Build’ button to start a build

Confirm the required objects are created in EKS cluster

You can confirm this with a simple command, e.g.

$ kubectl get all --all-namespaces
-- shariqmaws
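Added example, not from the question, the answer or the linked repository: a small POSIX shell diagnostic for the "Unauthorized" failure above. It checks whether the IAM role CodeBuild runs as is actually listed in the aws-auth ConfigMap's mapRoles, normalizes the ARN to the path-less form aws-iam-authenticator requires (the reason the answer says not to reuse a role under a '/path/'), and reports which Kubernetes groups the role receives. The sample ConfigMap text, the account id 111122223333 and the role names in it are constructed for this example.

```shell
#!/bin/sh
# Diagnostic for the "unable to recognize ...: Unauthorized" symptom: is the IAM role
# that CodeBuild assumes present in aws-auth, and with what groups? Everything below
# (sample ConfigMap, account id 111122223333, role names) is constructed for this example.

# Constructed stand-in for `kubectl -n kube-system get configmap aws-auth -o yaml` output.
SAMPLE_AWS_AUTH='apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/devel-worker-nodes-NodeInstanceRole-EXAMPLE
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::111122223333:role/CodeBuildKubectlRole
      username: build
      groups:
        - system:masters
'

# mapRoles entries must name the role without its IAM path: a default CodeBuild role
# arn:aws:iam::<acct>:role/service-role/Foo has to appear as arn:aws:iam::<acct>:role/Foo.
# Prints the path-stripped ARN; an ARN without a path passes through unchanged.
normalize_role_arn() {
  printf '%s\n' "$1" | sed -E 's#^(arn:aws[a-z-]*:iam::[0-9]{12}:role/).*/#\1#'
}

# Prints every rolearn value found in the ConfigMap text, one per line.
mapped_role_arns() {
  printf '%s\n' "$1" | sed -nE 's/^[[:space:]]*-[[:space:]]*rolearn:[[:space:]]*([^[:space:]]+).*$/\1/p'
}

# Returns 0 when the (normalized) role ARN is listed in mapRoles.
role_is_mapped() {
  mapped_role_arns "$2" | grep -Fxq "$(normalize_role_arn "$1")"
}

# Prints the Kubernetes groups mapped to the role, one per line (nothing if unmapped).
# Assumes the usual aws-auth layout: "- rolearn:" opens an entry, "- <group>" lines follow.
mapped_groups() {
  arn="$(normalize_role_arn "$1")"
  printf '%s\n' "$2" | awk -v arn="$arn" '
    /^[[:space:]]*-[[:space:]]*rolearn:/ { inrole = ($3 == arn); next }
    /^[[:space:]]*map(Users|Accounts):/  { inrole = 0; next }
    inrole && /^[[:space:]]*-[[:space:]]+[^[:space:]]/ { print $2 }
  '
}

# Returns 0 when the role is mapped through system:masters (full cluster admin).
role_has_cluster_admin() {
  mapped_groups "$1" "$2" | grep -Fxq 'system:masters'
}

# One-word verdict for a role against a ConfigMap:
#   UNMAPPED      - no rolearn entry; kubectl run as this role fails with "Unauthorized"
#   CLUSTER_ADMIN - mapped via system:masters; works, but far more than a deploy step needs
#   MAPPED        - mapped to other groups; what it may do then depends on RBAC bindings
diagnose_role() {
  if ! role_is_mapped "$1" "$2"; then
    echo UNMAPPED
  elif role_has_cluster_admin "$1" "$2"; then
    echo CLUSTER_ADMIN
  else
    echo MAPPED
  fi
}

# Run against the constructed sample. For a live cluster, pass the output of
# `kubectl -n kube-system get configmap aws-auth -o yaml` as the second argument.
diagnose_role "arn:aws:iam::111122223333:role/CodeBuildKubectlRole" "$SAMPLE_AWS_AUTH"
```

A verdict of UNMAPPED is the situation the question describes: the role authenticates to the API server but is not recognized, so every request is rejected. CLUSTER_ADMIN is what the answer's mapping produces; it unblocks the pipeline, but a build role that only applies manifests to one namespace can instead be mapped to a dedicated group and given a Role/RoleBinding scoped to that namespace, so a leaked build credential does not carry cluster-admin.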
Source: StackOverflow