Set up an Amazon EKS cluster in Studio
The following instructions describe how to set up an Amazon EKS cluster in Studio.
-
Create a domain or have one ready. For information on creating a domain, see Guide to getting set up with Amazon SageMaker AI.
-
Add the following permission to your execution role.
For information on SageMaker AI execution roles and how to edit them, see Understanding domain space permissions and execution roles.
To learn how to attach policies to an IAM user or group, see Adding and removing IAM identity permissions.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DescribeHyerpodClusterPermissions", "Effect": "Allow", "Action": [ "sagemaker:DescribeCluster" ], "Resource": "
hyperpod-cluster-arn
" }, { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:CompleteLayerUpload", "ecr:GetAuthorizationToken", "ecr:UploadLayerPart", "ecr:InitiateLayerUpload", "ecr:BatchCheckLayerAvailability", "ecr:PutImage" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "cloudwatch:GetMetricData" ], "Resource": "*" }, { "Sid": "UseEksClusterPermissions", "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:AccessKubernetesApi", "eks:DescribeAddon" ], "Resource": "eks-cluster-arn
" }, { "Sid": "ListClustersPermission", "Effect": "Allow", "Action": [ "sagemaker:ListClusters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:StartSession", "ssm:TerminateSession" ], "Resource": "*" } ] } -
Grant IAM users access to Kubernetes with EKS access entries.
-
Navigate to the Amazon EKS cluster associated with your HyperPod cluster.
-
Choose the Access tab and create an access entry for the execution role you created.
-
In step 1, Select the execution role you created above in the IAM principal dropdown.
-
In step 2, select a policy name and select an access scope that you want the users to have access to.
-
-
-
(Optional) To ensure a more smooth experience, we recommend that you add tags to your clusters. For information on how to add tags, see Edit a SageMaker HyperPod cluster to update your cluster using the SageMaker AI console.
-
Tag your Amazon Managed Grafana workspace to your Studio domain. This will be used to quickly link to your Grafana workspace directly from your cluster in Studio. To do so, add the following tag to your cluster to identify it with your Grafana workspace ID,
ws-id
.Tag Key = “
grafana-workspace
”, Tag Value = “ws-id
”.
-
-
(Optional) Restrict task view in Studio for EKS clusters. For information on viewable tasks in Studio, see Tasks.
Restrict task view in Studio for EKS clusters
You can restrict Kubernetes namespace permissions for users, so that they will only have access to view tasks belonging to a specified namespace. The following provides information on how to restrict the task view in Studio for EKS clusters. For information on viewable tasks in Studio, see Tasks.
Users will have visibility to all EKS cluster tasks by default. You can restrict users’ visibility for EKS cluster tasks to specified namespaces, ensuring that users can access the resources they need while maintaining strict access controls. You will need to provide the namespace for the user to display jobs of that namespace once the following is set up.
Once the restriction is applied, you will need to provide the namespace to the users assuming the role. Studio will only display the jobs of the namespace once the user provides inputs namespace they have permissions to view in the Tasks tab.
The following configuration allows administrators to grant specific, limited access to data scientists for viewing tasks within the cluster. This configuration grants the following permissions:
-
List and get pods
-
List and get events
-
Get Custom Resource Definitions (CRDs)
YAML Configuration
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: pods-events-crd-cluster-role rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] - apiGroups: [""] resources: ["events"] verbs: ["get", "list"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: pods-events-crd-cluster-role-binding subjects: - kind: Group name: pods-events-crd-cluster-level apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: pods-events-crd-cluster-role apiGroup: rbac.authorization.k8s.io
-
Save the YAML configuration to a file named
cluster-role.yaml
. -
Apply the configuration using
kubectl
: kubectl apply -f cluster-role.yaml
-
Verify the configuration:
kubectl get clusterrole pods-events-crd-cluster-role kubectl get clusterrolebinding pods-events-crd-cluster-role-binding
-
Assign users to the
pods-events-crd-cluster-level
group through your identity provider or IAM.