Deprecate Private Access and Logging - use awcli instead (#1715)

content/docs/aws/logging.md

@@ -6,34 +6,42 @@ weight = 70
 
 Amazon EKS control plane logging provides audit and diagnostic logs directly from the Amazon EKS control plane to [CloudWatch](https://aws.amazon.com/cloudwatch/) Logs in your account. These logs make it easy for you to secure and run your clusters. You can select the exact log types you need, and logs are sent as log streams to a group for each Amazon EKS cluster in [CloudWatch](https://aws.amazon.com/cloudwatch/).
 
-If you look at `${KF_DIR}/aws_config/cluster_features.yaml`, you will see following configuration:
-
-```shell
-CONTROL_PLANE_LOGGING=false
-CONTROL_PLANE_LOGGING_COMPONENTS=api,audit,authenticator,controllerManager,scheduler
-
-WORKER_NODE_GROUP_LOGGING=false
-```
-
 By default, cluster control plane logs and worker node group logs aren't sent to CloudWatch Logs. You must enable each log type individually to send logs for your cluster.
 
-
 ### Control Plane Logging
 
-You can update `CONTROL_PLANE_LOGGING=true` to enable control plane logs and customize the components you want to collect logs from. Only these components are available and you have to use command between components.
+You can easily use aws command to enable control plane logs and customize the components you want to collect logs from. Only following components are available.
 
 * api
 * audit
 * authenticator
 * controllerManager
 * scheduler
 
-Open the [CloudWatch Console](https://console.aws.amazon.com/cloudwatch/home#logs:prefix=/aws/eks). Choose the cluster that you want to view logs for. The log group name format is `/aws/eks/${AWS_CLUSTER_NAME}/cluster`.
+Run command to enable logs
+```shell
+aws eks --region us-west-2 update-cluster-config --name ${AWS_CLUSTER_NAME} \
+--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
+```
 
-> Note: If you set `CONTROL_PLANE_LOGGING=false`, the value of `CONTROL_PLANE_LOGGING_COMPONENTS` will not be used.
+Open the [CloudWatch Console](https://console.aws.amazon.com/cloudwatch/home#logs:prefix=/aws/eks). Choose the cluster that you want to view logs from. The log group name format is `/aws/eks/${AWS_CLUSTER_NAME}/cluster`.
 
 ### Worker Node Group Logging
 
-You can update `WORKER_NODE_GROUP_LOGGING=true` to enable worker node group logs and all pod logs are sent to CloudWatch.  The log group name format is `/eks/${AWS_CLUSTER_NAME}/containers`.
+You can add `fluentd-cloud-watch` to addons to enable worker node group logs and all pod logs are sent to CloudWatch.
+```
+  plugins:
+  - kind: KfAwsPlugin
+    metadata:
+      name: aws
+    spec:
+      region: us-west-2
+      addons:
+      - fluentd-cloud-watch
+```
+
+You will see three log groups in total.
 
-If you want to change logs setting after you have created your cluster, please check [here](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) for details.
+* /aws/containerinsights/${AWS_CLUSTER_NAME}/containers
+* /aws/containerinsights/${AWS_CLUSTER_NAME}/dataplane
+* /aws/containerinsights/${AWS_CLUSTER_NAME}/host

content/docs/aws/private-access.md

@@ -10,19 +10,17 @@ This section helps you to enable private access for your Amazon EKS cluster's Ku
 
 You can enable private access to the Kubernetes API server so that all communication between your worker nodes and the API server stays within your VPC. You can also completely disable public access to your API server so that it's not accessible from the internet.
 
-You can enable private access in `${KF_DIR}/aws_config/cluster_features.sh`.
-
-```shell
-PRIVATE_LINK=false
-ENDPOINT_PUBLIC_ACCESS=true
-ENDPOINT_PRIVATE_ACCESS=false
+```
+aws eks update-cluster-config \
+    --region region \
+    --name <your_eks_cluster_name> \
+    --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true
 ```
 
-By default, this API server endpoint is public to the internet (`ENDPOINT_PUBLIC_ACCESS=true`) , and access to the API server is secured using a combination of [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) and native Kubernetes [Role Based Access Control](https://kubernetes.io/docs/admin/authorization/rbac/) (`ENDPOINT_PRIVATE_ACCESS=false`).
+By default, this API server endpoint is public to the internet (`endpointPublicAccess=true`) , and access to the API server is secured using a combination of [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) and native Kubernetes [Role Based Access Control](https://kubernetes.io/docs/admin/authorization/rbac/) (`endpointPrivateAccess=false`).
 
-You can enable private access to the Kubernetes API server so that all communication between your worker nodes and the API server stays within your VPC (`ENDPOINT_PRIVATE_ACCESS=true`). You can also completely disable public access to your API server so that it's not accessible from the internet (`ENDPOINT_PUBLIC_ACCESS=false`). In this case, you need to have an instance inside your VPC to talk with your Kubernetes API server.
+You can enable private access to the Kubernetes API server so that all communication between your worker nodes and the API server stays within your VPC (`endpointPrivateAccess=true`). You can also completely disable public access to your API server so that it's not accessible from the internet (`endpointPublicAccess=false`). In this case, you need to have an instance inside your VPC to talk with your Kubernetes API server.
 
 Note: You may see `InvalidParameterException` if you have invalid combination.
 
-Please check [Amazon EKS Cluster Endpoint Access Control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) for more details.
-
+Please check [Amazon EKS Cluster Endpoint Access Control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) for more details.