AWS Controllers for Kubernetes

AWS Controllers for Kubernetes

• ack, aws-controllers-for-kubernetes, kubernetes • 5 min read
aws kubernetes controllers aws-controllers-for-kubernetes tutorial

What is AWS Controllers for Kubernetes (ACK)

  • is an open-source project that allows you to manage AWS services directly from within a Kubernetes cluster.

  • It extends the Kubernetes API by creating a separate controller for each integrated AWS service. This allows developers to provision and manage AWS resources like an S3 bucket or an RDS database using familiar Kubernetes tools, such as YAML manifests and kubectl.

    how ack works

How ACK works

ACK follows the standard Kubernetes control loop model to reconcile desired and current states for AWS resources.

  • ACK service controllers: For each AWS service you want to manage, you install a specific ACK controller into your Kubernetes cluster.

  • Custom Resource Definitions (CRDs): When you install an ACK controller, it registers new CRDs with the Kubernetes API. These CRDs represent the different AWS resource types, such as a Bucket for S3 or a Repository for Elastic Container Registry (ECR).

  • Kubernetes manifests: Developers define the desired AWS resource in a standard Kubernetes YAML file. For example, to create an S3 bucket, you would create a manifest with the kind: Bucket and specify its configuration.

  • Reconciliation loop: When the manifest is applied to the Kubernetes API, the ACK controller detects the new resource. It then uses the AWS SDK and APIs to create, update, or delete the corresponding resource in your AWS account to match the state defined in the manifest.

  • State management: ACK continuously monitors the state of the managed AWS resources. If the actual state in AWS diverges from the desired state in Kubernetes, the controller automatically takes action to bring them back into sync. Benefits of using ACK

  • Unified workflow: It allows application developers to manage both their containerized workloads and the underlying cloud infrastructure using a single, consistent toolset. This is ideal for organizations using a GitOps model, where the Git repository is the single source of truth.

  • Reduced complexity: You no longer need to switch between different tools and APIs, such as Terraform or the AWS CLI, to manage your application’s dependencies.

  • Built-in reconciliation: ACK automatically detects and corrects configuration drift, ensuring that your AWS resources always match the state defined in your Kubernetes manifests.

  • Secure access: Access to AWS services can be managed through native Kubernetes Role-Based Access Control (RBAC) and federated with AWS IAM using IAM Roles for Service Accounts (IRSA), enforcing least-privilege security.

  • Multi-tenancy support: ACK can be configured to provision resources into different AWS accounts based on the Kubernetes namespace. This makes it suitable for multi-tenant setups where different teams have their own budgets and AWS accounts.

An example of an S3 bucket manifest

apiVersion: s3.services.k8s.aws/v1alpha1
kind: Bucket
metadata:
  name: my-ack-managed-bucket
spec:
  name: my-unique-ack-managed-bucket
  acl: private

Applying this manifest to your cluster will prompt the ACK S3 controller to create a new S3 bucket named my-unique-ack-managed-bucket in your AWS account.

What ACK controllers exist

how do I know what aws ACK controllers exist and how do I install them to start using them in my cluster Introducing the AWS Controllers for Kubernetes (ACK …

To see what AWS Controllers for Kubernetes (ACK) exist, you can check the official ACK website on GitHub. The site lists all controllers and their project stage, indicating if they are fully released, in preview, or under development.

How do I install ACK Controllers into my cluster

The recommended method for installing ACK controllers into your cluster is with Helm, the package manager for Kubernetes.

  1. Find and check the controller status

Before you begin, verify that a controller exists for the AWS service you want to manage.

  • Visit the official service list: Navigate to the ACK services list page on GitHub.

  • Check the project stage: Find your desired service in the table and ensure its Project Stage is marked as RELEASED or at least PREVIEW. Proceed with caution with PREVIEW versions, as they may have breaking changes.

  1. Pre-installation setup

Before installing any controller, you must configure the following prerequisites for your Kubernetes cluster, such as Amazon EKS:

  • IAM permissions: You must create an IAM role that the ACK controller can assume to create, update, and delete AWS resources on your behalf.

  • OIDC provider: Your cluster needs an OpenID Connect (OIDC) identity provider, which allows your Kubernetes service accounts to authenticate with IAM.

  • IAM Role for Service Account (IRSA): Set up IRSA for the service account that your ACK controller will use. This ensures the controller pod has only the minimum required IAM permissions.

  1. Install an ACK controller with Helm

After setting up the prerequisites, you can install the controller using Helm. The general steps involve setting environment variables, retrieving the latest release version, logging in to the ECR Public registry, and installing the Helm chart with specific values for the AWS region. An example using the Amazon S3 controller is provided in the source documentation.

  1. Verify the installation

To verify the installation, check that the controller pod is running in the ack-system namespace using kubectl get pods -n ack-system. A successful installation will show the controller pod in a running and ready state. Once the controller is running, you can define AWS resources as Kubernetes custom resources and the ACK controller will provision them in your AWS account.

Have questions or want to share your own sysadmin story? Leave a comment below!

(I will set up comments eventually ;)