Access EKS cluster
You must access the GOV.UK Kubernetes platform Elastic Kubernetes Service cluster to use the platform.
To access the cluster, you must have:
- installed gds-cli
- obtained access to AWS
- accessed AWS using gds-cli
You must select a role and environment to make sure you gain access to the right cluster.
Select a role and environment
An AWS Identity and Access Management (IAM) role is an IAM identity that has specific permissions.
You must select one of the following roles to access the cluster:
- admin
- poweruser
- readonly
The admin role:
- has read-write access to a specific cluster in a specific environment
- can view everything in that cluster including secrets
The poweruser role:
- has read-write access to a specific namespace in a specific cluster in a specific environment
- can view everything in that namespace excluding secrets
The readonly role:
- has readonly access to a specific cluster in a specific environment
- can view everything in that cluster excluding secrets
Open the gds-cli. Run the following to export the AWS credentials for the appropriate GOV.UK environment and role:
eval $(gds aws govuk-<govuk-environment>-<role> -e --art 8h)
export AWS_REGION=eu-west-1
where:
- <govuk-environment> is the GOV.UK environment that you want to get credentials for and will be test, integration, staging, or production
- <role> is the appropriate role and will be admin, poweruser or readonly
Test your access
If it’s your first time accessing the cluster through kubectl, add the govuk cluster to your kubectl configuration in ~/.kube/config:
aws eks update-kubeconfig --name govuk
To make it easier to switch between clusters, namespaces or users, edit your kubectl configuration (usually located at ~/.kube/config) and rename the new context with a more human-readable context name. To do this, edit the name field of the last context in the kubectl configuration. For example, you can set the name to <govuk-environment>.
See the Kubernetes documentation on configuring access to multiple clusters for more information.
To check that you have access to the cluster, run:
kubectl config use-context <govuk-environment>
kubectl cluster-info
If you have access, you should get information about the GOV.UK EKS cluster control plane, like in the following example:
Kubernetes control plane is https://{GOVUK_CLUSTER_ADDRESS}.{AWS_REGION}.eks.amazonaws.com
Switching clusters
To switch clusters:
Run the export AWS credentials command in the gds-cli, selecting the appropriate GOV.UK environment and role:
eval $(gds aws govuk-<govuk-environment>-<role> -e --art 8h)
export AWS_REGION=eu-west-1
where:
- <govuk-environment> is the GOV.UK environment that you want to get credentials for and will be test, integration, staging, or production
- <role> is the appropriate role and will be admin, poweruser or readonly
Switch to the correct kubectl context:
kubectl config use-context <govuk-environment>
You can get a list of contexts by running:
kubectl config get-contexts
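The steps under "Test your access" and "Switching clusters" can be wrapped so that a mistyped environment or role, or a context that does not match the credentials, is caught before any command reaches a cluster. This is an added example, not GOV.UK's own tooling: the function names govuk_profile and govuk_k8s_login are hypothetical, and it assumes the kubectl context was renamed to the environment name as described above.

```shell
# Added example: hypothetical helper functions, not part of gds-cli or GOV.UK tooling.

# Validate <govuk-environment> and <role> against the values listed on this page
# and print the gds-cli profile name govuk-<govuk-environment>-<role>.
govuk_profile() {
  case "$1" in
    test|integration|staging|production) ;;
    *) echo "unknown environment: $1" >&2; return 1 ;;
  esac
  case "$2" in
    admin|poweruser|readonly) ;;
    *) echo "unknown role: $2" >&2; return 1 ;;
  esac
  printf 'govuk-%s-%s\n' "$1" "$2"
}

# Export credentials, switch context, then confirm the session behaves like the
# requested role: per this page only admin can view secrets.
govuk_k8s_login() {
  profile=$(govuk_profile "$1" "$2") || return 1
  # Capture first so a gds failure is not hidden by eval of an empty string.
  creds=$(gds aws "$profile" -e --art 8h) || return 1
  eval "$creds"
  export AWS_REGION=eu-west-1
  # Assumption: the context name equals the environment name.
  kubectl config use-context "$1" >/dev/null || return 1
  current=$(kubectl config current-context) || return 1
  [ "$current" = "$1" ] || { echo "context is $current, expected $1" >&2; return 1; }
  # kubectl auth can-i prints "yes" or "no" and exits non-zero on "no".
  can_read_secrets=$(kubectl auth can-i get secrets 2>/dev/null) || true
  case "$2:$can_read_secrets" in
    admin:yes|poweruser:no|readonly:no) echo "ok: $profile on context $current" ;;
    *) echo "secrets access is '$can_read_secrets', unexpected for role $2" >&2
       return 1 ;;
  esac
}
```

Source the file and run, for example, govuk_k8s_login integration readonly; a non-zero exit means the session does not match what was requested.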