Periodic update 12/19/22-12:39pm PST
jimdial-aws committed Dec 19, 2022
1 parent fd5732d commit 413c30b
Showing 4 changed files with 37 additions and 36 deletions.
2 changes: 1 addition & 1 deletion doc_source/alternate-cni-plugins.md
@@ -1,6 +1,6 @@
# Alternate compatible CNI plugins<a name="alternate-cni-plugins"></a>

Amazon EKS only officially supports the\. [Amazon VPC CNI plugin for Kubernetes](managing-vpc-cni.md)\. Amazon EKS runs upstream Kubernetes and is certified Kubernetes however, so you can install alternate CNI plugins to Amazon EC2 nodes in your cluster\. Your cluster will fail to install an alternate CNI plugin to Fargate nodes, if you have them in your cluster\. The [Amazon VPC CNI plugin for Amazon EKS](https://github.com/aws/amazon-vpc-cni-plugins) is already on your Fargate nodes, but it's the only plugin that you can use with Fargate nodes\. If you plan to use an alternate CNI plugin in production, then we strongly recommend that you either obtain commercial support, or have the in\-house expertise to troubleshoot and contribute fixes to the open source CNI plugin project\.
Amazon EKS only officially supports the [Amazon VPC CNI plugin for Kubernetes](managing-vpc-cni.md)\. Amazon EKS runs upstream Kubernetes and is certified Kubernetes however, so you can install alternate CNI plugins to Amazon EC2 nodes in your cluster\. Your cluster will fail to install an alternate CNI plugin to Fargate nodes, if you have them in your cluster\. The [Amazon VPC CNI plugin for Amazon EKS](https://github.com/aws/amazon-vpc-cni-plugins) is already on your Fargate nodes, but it's the only plugin that you can use with Fargate nodes\. If you plan to use an alternate CNI plugin in production, then we strongly recommend that you either obtain commercial support, or have the in\-house expertise to troubleshoot and contribute fixes to the open source CNI plugin project\.

Amazon EKS maintains relationships with a network of partners that offer support for alternate compatible CNI plugins\. See the following partners' documentation for details on supported Kubernetes versions and qualifications and testing performed\.

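Review bot: the stray `\.` after "supports the" is correctly removed on the changed line and nothing else in the paragraph moves, so this hunk is fine as is. While this sentence is being touched, two unchanged clauses could be tightened in the same edit: "is certified Kubernetes however, so you can install" reads better with "however" set off by commas or dropped, and "Your cluster will fail to install an alternate CNI plugin to Fargate nodes, if you have them in your cluster" is clearer as a plain statement that alternate CNI plugins cannot be installed on Fargate nodes, which is what the next sentence already implies.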
65 changes: 33 additions & 32 deletions doc_source/default-roles-users.md
Expand Up @@ -55,24 +55,26 @@ In addition to the `ClusterRoles` returned in the output that are prefaced with,
+ **`aws-node`** – This `ClusterRole` supports the [Amazon VPC CNI plugin for Kubernetes](managing-vpc-cni.md), which Amazon EKS installs on all clusters\.
+ **`vpc-resource-controller-role`** – This `ClusterRole` supports the [Amazon VPC resource controller](https://github.com/aws/amazon-vpc-resource-controller-k8s), which Amazon EKS installs on all clusters\.

To see the specification for a `ClusterRole`, replace *eks:addon\-manager* in the following command with a `ClusterRole` returned in the output of the previous command\. The following example returns the specification for the *eks:addon\-manager* `ClusterRole`\.
To see the specification for a `ClusterRole`, replace *eks:k8s\-metrics* in the following command with a `ClusterRole` returned in the output of the previous command\. The following example returns the specification for the *eks:k8s\-metrics* `ClusterRole`\.

```
kubectl describe clusterrole eks:addon-manager
kubectl describe clusterrole eks:k8s-metrics
```

Abbreviated output is as follows\.
The example output is as follows\.

```
Name: eks:addon-manager
Name: eks:k8s-metrics
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
customresourcedefinitions.apiextensions.k8s.io [] [eniconfigs.crd.k8s.amazonaws.com] [create delete get list patch update watch]
clusterrolebindings.rbac.authorization.k8s.io [] [aws-node] [create delete get list patch update watch]
...
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
[/metrics] [] [get]
endpoints [] [] [list]
nodes [] [] [list]
pods [] [] [list]
deployments.apps [] [] [list]
```

**ClusterRoleBindings**`ClusterRoleBindings` are scoped to your cluster\.
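Review bot: the swap from `eks:addon-manager` to `eks:k8s-metrics` is internally consistent (the command, the `Name:` line and the change from "Abbreviated output" to "The example output" all match, and the rule list is now short enough to show in full), but it removes the only example on this page of an EKS `ClusterRole` with write verbs: the deleted lines showed `create delete get list patch update watch` on `customresourcedefinitions.apiextensions.k8s.io` and on the `aws-node` `clusterrolebindings.rbac.authorization.k8s.io` entry. Since the `eks-add-ons.md` change in this same commit documents that the `eks:addon-manager` identity now receives `cluster-admin` through `eks:addon-cluster-admin`, consider adding a cross-reference here so that readers auditing cluster RBAC know where that identity's permissions are now described.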
Expand All @@ -87,25 +89,25 @@ In addition to the `ClusterRoleBindings` returned in the output, the following `
+ **`aws-node`** – This `ClusterRoleBinding` supports the [Amazon VPC CNI plugin for Kubernetes](managing-vpc-cni.md), which Amazon EKS installs on all clusters\.
+ **`vpc-resource-controller-rolebinding`** – This `ClusterRoleBinding` supports the [Amazon VPC resource controller](https://github.com/aws/amazon-vpc-resource-controller-k8s), which Amazon EKS installs on all clusters\.

To see the specification for a `ClusterRoleBinding`, replace *eks:addon\-manager* in the following command with a `ClusterRoleBinding` returned in the output of the previous command\. The following example returns the specification for the *eks:addon\-manager* `ClusterRoleBinding`\.
To see the specification for a `ClusterRoleBinding`, replace *eks:k8s\-metrics* in the following command with a `ClusterRoleBinding` returned in the output of the previous command\. The following example returns the specification for the *eks:k8s\-metrics* `ClusterRoleBinding`\.

```
kubectl describe clusterrolebinding eks:addon-manager
kubectl describe clusterrolebinding eks:k8s-metrics
```

The example output is as follows\.

```
Name: eks:addon-manager
Name: eks:k8s-metrics
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: eks:addon-manager
Name: eks:k8s-metrics
Subjects:
Kind Name Namespace
---- ---- ---------
User eks:addon-manager
Kind Name Namespace
---- ---- ---------
User eks:k8s-metrics
```

**Roles**`Roles` are scoped to a Kubernetes namespace\. All Amazon EKS created `Roles` are scoped to the `kube-system` namespace\.
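Review bot: the role reference and subject in the new output (`Kind: ClusterRole`, `Name: eks:k8s-metrics`, `User eks:k8s-metrics`) line up with the `ClusterRole` shown in the previous section, so the substitution is complete. One formatting nit in the unchanged context at the end of the hunk: `**ClusterRoleBindings**` runs directly into the following code span `ClusterRoleBindings` with no space or line break, so the term heading and the first word of the sentence render as one fused token; the `**Roles**` and `**RoleBindings**` lines further down have the same problem and could be fixed together.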
Expand All @@ -116,24 +118,23 @@ The following command returns all of the Amazon EKS created Kubernetes `Roles` o
kubectl get roles -n kube-system | grep eks
```

To see the specification for a `Role`, replace *eks:addon\-manager* in the following command with the name of a `Role` returned in the output of the previous command\. The following example returns the specification for the *eks:addon\-manager* `Role`\.
To see the specification for a `Role`, replace *eks:k8s\-metrics* in the following command with the name of a `Role` returned in the output of the previous command\. The following example returns the specification for the *eks:k8s\-metrics* `Role`\.

```
kubectl describe role eks:addon-manager -n kube-system
kubectl describe role eks:k8s-metrics -n kube-system
```

Abbreviated output is as follows\.
The example output is as follows\.

```
Name: eks:addon-manager
Name: eks:k8s-metrics
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [coredns] [create delete get list patch update watch]
configmaps [] [kube-proxy-config] [create delete get list patch update watch]
...
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
daemonsets.apps [] [aws-node] [get]
deployments.apps [] [vpc-resource-controller] [get]
```

**RoleBindings**`RoleBindings` are scoped to a Kubernetes namespace\. All Amazon EKS created `RoleBindings` are scoped to the `kube-system` namespace\.
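Review bot: the replacement `Role` is read-only (`get` on the `aws-node` DaemonSet and on the `vpc-resource-controller` Deployment), whereas the removed example was the one place documenting that `eks:addon-manager` held `create delete get list patch update watch` on the `coredns` and `kube-proxy-config` ConfigMaps in `kube-system`; operators auditing who can change those two ConfigMaps lose that reference. If the `eks:addon-manager` `Role` still exists on clusters, a one-line mention of it would preserve that information, and if it has been superseded by the `eks:addon-cluster-admin` binding described in `eks-add-ons.md` in this commit, say so here.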
Expand All @@ -144,25 +145,25 @@ The following command returns all of the Amazon EKS created Kubernetes `RoleBind
kubectl get rolebindings -n kube-system | grep eks
```

To see the specification for a `RoleBinding`, replace *eks:addon\-manager* in the following command with a `RoleBinding` returned in the output of the previous command\. The following example returns the specification for the *eks:addon\-manager* `RoleBinding`\.
To see the specification for a `RoleBinding`, replace *eks:k8s\-metrics* in the following command with a `RoleBinding` returned in the output of the previous command\. The following example returns the specification for the *eks:k8s\-metrics* `RoleBinding`\.

```
kubectl describe rolebinding eks:addon-manager -n kube-system
kubectl describe rolebinding eks:k8s-metrics -n kube-system
```

The example output is as follows\.

```
Name: eks:addon-manager
Name: eks:k8s-metrics
Labels: <none>
Annotations: <none>
Role:
Kind: Role
Name: eks:addon-manager
Name: eks:k8s-metrics
Subjects:
Kind Name Namespace
---- ---- ---------
User eks:addon-manager
Kind Name Namespace
---- ---- ---------
User eks:k8s-metrics
```

------
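Review bot: the `RoleBinding` output is consistent with the `Role` in the previous hunk (`Kind: Role`, `Name: eks:k8s-metrics`, subject `User eks:k8s-metrics`), so there is no correctness concern with the substitution. A small documentation point on the instruction line: it tells readers which name to replace but not that `-n kube-system` has to stay; since the text above states that all Amazon EKS created `RoleBindings` are scoped to `kube-system`, a short reminder that the namespace flag is kept would avoid an empty result for readers who copy only the name.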
2 changes: 1 addition & 1 deletion doc_source/eks-add-ons.md
Expand Up @@ -13,7 +13,7 @@ You can use Amazon EKS add\-ons with any Amazon EKS [node type](eks-compute.md)\
+ Amazon EKS add\-ons run on the nodes that you provision or configure for your cluster\. Node types include Amazon EC2 instances and Fargate\.
+ You can modify fields that aren't managed by Amazon EKS to customize the installation of an Amazon EKS add\-on\. For more information, see [ Kubernetes field management](kubernetes-field-management.md)\.
+ If you create a cluster with the AWS Management Console, the Amazon EKS `kube-proxy`, Amazon VPC CNI plugin for Kubernetes, and CoreDNS Amazon EKS add\-ons are automatically added to your cluster\. If you use `eksctl` to create your cluster with a `config` file, `eksctl` can also create the cluster with Amazon EKS add\-ons\. If you create your cluster using `eksctl` without a `config` file or with any other tool, the self\-managed `kube-proxy`, Amazon VPC CNI plugin for Kubernetes, and CoreDNS add\-ons are installed, rather than the Amazon EKS add\-ons\. You can either manage them yourself or add the Amazon EKS add\-ons manually after cluster creation\.
+ The `eks:addon-cluster-admin` `ClusterRoleBinding` on every cluster is used by Amazon EKS to manage the lifecycle of add\-ons\. All clusters starting with the following platform versions use the `ClusterRoleBinding`\.
+ The `eks:addon-cluster-admin` `ClusterRoleBinding` binds the `cluster-admin` `ClusterRole` to the `eks:addon-manager` identity\. The role has the necessary permissions for the `eks:addon-manager` identity to create Kubernetes namespaces and install add\-ons into namespaces\. If the `eks:addon-cluster-admin` `ClusterRoleBinding` is removed, the Amazon EKS cluster continues to function, however Amazon EKS is no longer able to manage any add\-ons\. All clusters starting with the following platform versions use the new `ClusterRoleBinding`\.
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html)

You can add, update, or delete Amazon EKS add\-ons using the Amazon EKS API, AWS Management Console, AWS CLI, and `eksctl`\. For more information, see [Managing Amazon EKS add\-ons](managing-add-ons.md)\. You can also create Amazon EKS add\-ons using [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-addon.html)\.
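Review bot: the new bullet understates what `eks:addon-cluster-admin` grants. It binds the built-in `cluster-admin` `ClusterRole`, which is unrestricted cluster-wide access, yet the text describes "the necessary permissions for the `eks:addon-manager` identity to create Kubernetes namespaces and install add-ons into namespaces", which reads as if the grant were scoped to those actions. Suggest stating plainly that the `eks:addon-manager` identity holds full `cluster-admin`, keeping the sentence about what Amazon EKS uses it for as context, so that readers reviewing cluster RBAC are not surprised when the binding shows up. Two wording points: "continues to function, however Amazon EKS is no longer able" is a comma splice (use "; however," or split the sentence), and "the new `ClusterRoleBinding`" has no antecedent for "new" in this bullet (the removed line simply said "the `ClusterRoleBinding`"). Also, "All clusters starting with the following platform versions" is followed only by the "See the AWS documentation website" link, so the platform-version table this bullet depends on is not in the repository source and readers of the Markdown cannot tell which clusters are affected.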
4 changes: 2 additions & 2 deletions doc_source/vpc-interface-endpoints.md
Expand Up @@ -9,13 +9,13 @@ For more information, see [Access AWS services through AWS PrivateLink](https://
## Considerations for Amazon EKS<a name="vpc-endpoint-considerations"></a>
+ Before you set up an interface endpoint for Amazon EKS, review [Considerations](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints) in the *AWS PrivateLink Guide*\.
+ Amazon EKS supports making calls to all of its API actions through the interface endpoint, but not to the Kubernetes APIs\. The Kubernetes API server already supports a [private endpoint](cluster-endpoint.md)\. The Kubernetes API server private endpoint creates a private endpoint for the Kubernetes API server that you use to communicate with your cluster \(using Kubernetes management tools such as `kubectl`\)\. You can enable [private access](private-clusters.md) to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC\. AWS PrivateLink for the Amazon EKS API helps you call the Amazon EKS APIs from your VPC without exposing traffic to the public internet\.
+ You can't configure your cluster to only be accessed through an interface endpoint\.
+ You can't configure Amazon EKS to only be accessed through an interface endpoint\.
+ Standard pricing for AWS PrivateLink applies for interface endpoints for Amazon EKS\. You are billed for every hour that an interface endpoint is provisioned in each Availability Zone and for data processed through the interface endpoint\. For more information, see [AWS PrivateLink pricing](http://aws.amazon.com/privatelink/pricing/)\.
+ VPC endpoint policies are not supported for Amazon EKS\. By default, full access to Amazon EKS is allowed through the interface endpoint\. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to Amazon EKS through the interface endpoint\.
+ You can use VPC flow logs to capture information about IP traffic going to and from network interfaces, including interface endpoints\. You can publish flow log data to Amazon CloudWatch or Amazon S3\. For more information, see [Logging IP traffic using VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) in the Amazon VPC User Guide\.
+ You can access the Amazon EKS APIs from an on\-premises data center by connecting it to a VPC that has an interface endpoint\. You can use AWS Direct Connect or AWS Site\-to\-Site VPN to connect your on\-premises sites to a VPC\.
+ You can connect other VPCs to the VPC with an interface endpoint using an AWS Transit Gateway or VPC peering\. VPC peering is a networking connection between two VPCs\. You can establish a VPC peering connection between your VPCs, or with a VPC in another account\. The VPCs can be in different AWS Regions\. Traffic between peered VPCs stays on the AWS network\. The traffic doesn't traverse the public internet\. A Transit Gateway is a network transit hub that you can use to interconnect VPCs\. Traffic between a VPC and a Transit Gateway remains on the AWS global private network\. The traffic isn't exposed to the public internet\.
+ You can only create an interface endpoint for Amazon EKS if your cluster's VPC uses `IPv4`\. `IPv6` isn't supported\.
+ VPC interface endpoints for Amazon EKS are only accessible over `IPv4`\. `IPv6` isn't supported\.

## Create an interface endpoint for Amazon EKS<a name="vpc-endpoint-create"></a>

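Review bot: both edits sharpen scope correctly: "your cluster" becomes "Amazon EKS", which matches the second bullet's statement that the interface endpoint covers the Amazon EKS API and not the Kubernetes API server (which has its own private endpoint), and the IPv4 bullet moves from a creation restriction tied to the cluster's VPC to an access restriction on the endpoint itself. On the IPv4 bullet, the new wording no longer says whether an endpoint can be created at all in a VPC that also has IPv6 addressing, which the old wording implied it could not; if endpoints can be created in such a VPC and are simply reached over IPv4, say so explicitly so the change is not read as a silent reversal. Worth noting while here, on the unchanged "VPC endpoint policies are not supported" bullet: because full access is allowed through the endpoint, the security group on the endpoint network interfaces is the only control on who reaches the Amazon EKS API through it, and that bullet could point to the VPC flow logs bullet below it as the way to monitor that traffic.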

0 comments on commit 413c30b