Aws eks list pods

Aws eks list pods. Disable automatic pagination. Sep 17, 2019 · On AWS EKS I'm adding deployment with 17 replicas (requesting and limiting 64Mi memory) to a small cluster with 2 nodes type t3. kubectl autoscale deployment php-apache --cpu-percent=50 --min=1 --max=10. Within the project folder, we create a Terraform module (folder) for managing VPC called 1_vpc. Windows containers aren't supported for Amazon EKS Pods on Fargate. Each Pod has its own unique IP address. The default PSA and PSS configurations will be present when the cluster is created. Self-managed node groups are not listed. In this post, we'll deep-dive into how this feature works, some elements that make it unique, and why you might consider using it. At the end of this tutorial, you will have a running Amazon EKS cluster that you can deploy applications to. Make sure that your client IP address is on the allow list over the port that the Service uses. In Lambda console create a Python package with runtime 3. For an IAM principal to view Kubernetes resources in Amazon EKS console, the principal must be associated with a Kubernetes role or clusterrole with necessary permissions to read the resources. 2. Kubernetes supports Container Network Interface (CNI) plugins for cluster networking. list-pod-identity-associations is a paginated operation. small. By default the AWS Load Balancer controller will register targets using ‘Instance’ type and this target will be Dec 1, 2020 · Because the EKS console is hosted on AWS, there’s nothing extra to setup or configure. Creating a secret in AWS Secrets Manager is the first step in securely managing sensitive information for your applications. Confirm that the IAM role's trust policy is configured correctly. When the average CPU load is below 50 percent, the autoscaler tries to reduce the number of pods in the deployment Run the following command to enable network policy. Jan 10, 2024 · Step 2: Create an S3 bucket and a service account to test the new Pod Identitie. Confirm that the aws-node pods are running on your cluster. aws iam get-role --role-name my-role --query Role. This is so much more straightforward than the rest of the answers. List the EKS Pod Identity associations in a cluster. eks ] list-clusters ¶. If you deployed Windows resources, then all instances of linux in the following output are windows. For an EKS Cluster there are 2 types of targets you can register in the target group: Instance & IP, which target type is used has implications on what gets registered and how traffic is routed from the Load Balancer to the pod. I guesss you can do somethinglike this 1. Nov 26, 2023 · Starting today, you can use Amazon EKS Pod Identity to simplify your applications that access AWS services. Pod networking, also called the cluster networking, is the center of Kubernetes networking. This command creates an autoscaler that targets 50 percent CPU utilization for the deployment, with a minimum of one pod and a maximum of ten pods. The following command adds an access entry for the node's IAM role. James Wierzba. The control plane (i. If the volume is failing to mount, then review the efs-plugin logs. Sep 26, 2023 · Introduction. Then specify the key and value for each tag. The port is exposed on all nodes in the Amazon EKS cluster. Cost monitoring is an essential aspect of managing your Kubernetes clusters on Amazon EKS. But I want AWS CLI command to list down all the images used to spin up all the nodes in a AWS EKS Cluster. Amazon EKS supports containers to access instance metadata using the IMDSv2 format. helm upgrade --set enableNetworkPolicy=true aws-vpc-cni --namespace kube-system eks/aws-vpc-cni. For a m5. In the Service quotas list, you can see the service quota name, applied value (if it's available), AWS default quota, and whether the quota value is adjustable. Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on Amazon Web Services without needing to setup or maintain your own Kubernetes control plane. As you can see there are differences in these commands such as Self-managed node groups are not listed in the second command. They are similar to Amazon EC2 instance profile or Lambda execution roles, but specifically designed for Pods in EKS Cluster. When you launch an Amazon EKS cluster with at least one node, two replicas of the CoreDNS image are deployed by default, regardless of the number of nodes deployed in your cluster. Oct 14, 2023 · In conclusion, pod identity management in AWS EKS is the cornerstone of a robust security posture in Kubernetes clusters. aws eks list-clusters --region <AWS_REGION> --profile target-env. What I already know works List the EKS Pod Identity associations in a cluster. Clone the psa-pss-testing GitHub repository. yaml. Mar 17, 2020 · The pod now has basic list permissions on the AWS resources as defined in the previous step. Run this command to create a ConfigMap called fluent-bit-cluster-info, including the cluster name and the Region that you want to send logs to. An example output is as follows. kubectl get pods -n kube-system | grep 'aws-node\|amazon'. kubectl get pods -n jenkins. Yes – Manual configuration or using Amazon EKS provided AWS CloudFormation templates to deploy Linux (x86) , Linux (Arm), or Windows nodes. To retrieve the ebs-plugin container logs, run the following commands: kubectl logs deployment/ebs-csi-controller -n kube-system -c ebs-plugin. Amazon EKS Best Practices Guide for Networking. # Verify that jenkins deployment/pods are up running. EC2 Instance Metadata Service v2 can be leveraged to get the AZ details. For each SSL connection, the AWS CLI will verify SSL certificates. This way you only need to whitelist the NAT public IP. If the logs indicate that there are AWS Identity and Access Management (IAM) permissions issues, then do the following: Check that an OIDC provider is associated with the Amazon EKS cluster. The maximum number of EKS Pod Identity association results returned by ListPodIdentityAssociations in paginated output. Dec 19, 2023 · The new capabilities of EKS Cluster Access Management help address some of the issues with IAM in EKS by allowing you to manage access to your clusters using the AWS API. Amazon Elastic Kubernetes Service ( Amazon EKS) add-ons were originally introduced in December 2021. When you create a Fargate profile, you must specify a Pod execution role for the Amazon EKS components that run on the Fargate infrastructure using the profile. To list down pods for a particular namespace kubectl get pod -n YOUR_NAMESPACE -o wide. How would I do this from a Lambda function? Rather than relying on the “aws eks get-token” being present in my Lambda environment I’d like to investigate a pure code solution for improved performance. Note: The expose command creates a service without creating a YAML file. In my EKS cluster, I have a few node groups that cover availability zone A and B. Sep 17, 2020 · OPA is a general purpose policy engine that allows us to define and enforce policies. I tried to find similiar kubectl command but after many research I and not finding anything, I am looking for AWS CLI command. Feb 21, 2022 · To follow the principle of least privilege we create an IAM role with a trusted policy which restricts its usage to a specific EKS cluster, namespace and service account. A taint is a node property that enables nodes to reject a set of pods. I had two pods with the same service account setup, but one of them would consistently return the node group IAM role instead of the service role when I ran "aws sts get-caller-identity". EKS Pod Identity is for EKS only, and as a result, it simplifies how cluster administrators can configure Kubernetes applications to obtain IAM Feb 19, 2024 · In late 2023, AWS introduced a new EKS feature called Pod Identities, a successor of IAM Role for Service Accounts (IRSA). But I could not find. On the Overview tab, the first thing you’ll notice is a list of your cluster nodes. See Public+Private subnets for more details. CoreV1Api() ret = v1. Working with the CoreDNS Amazon EKS add-on. To add a tag, choose Add tag. Simply open up the console and select your cluster. Deployment: Nginx App 1. On top of that, you can opt to place all your worker nodes in the private subnet for better security. See also: AWS API Documentation. --help. You can setup NAT with Elastic IP address and route your cluster egress thru this NAT. PDF RSS. load_incluster_config() v1 = client. These role session tags enable administrators to author a single role that can work across service accounts by allowing access to AWS resources based on matching tags. If you access the Kubernetes Service over the internet, then confirm that your nodes have a Public IP address. At launch, they provided a mechanism for installing and managing a curated set of add-ons for Amazon EKS clusters. If you don’t already have one, create an Amazon EKS 1. You simply need to enable "Audit" logging in the "Logging" section of the EKS console. To delete a tag, choose Remove tag. Additionally, we will illustrate the validation of user-friendly The following table helps you understand which networking use cases you can use together and the capabilities and Amazon VPC CNI plugin for Kubernetes settings that you can use with different Amazon EKS node types. Sep 25, 2020 · And for list-nodegroup from AWS documentation. Ingress manifest going to have a additional annotation related to target-type: ip as these are going to be Cost monitoring. Create an IAM Role. Jun 4, 2021 · Jun 4, 2021 at 14:25. Choose the Tags tab, and then choose Manage tags. 6 and upload the zip file. Find the status of your pod. Amazon EC2. By default, the AWS CLI uses SSL when communicating with AWS services. 1 Answer. Check the CSI driver pod logs to determine the cause of the mount failures. # Fetch the Application URL or navigate to the AWS Console for the Load Balancer. Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment, whether running in on-premises data centers or public clouds. Earlier this week, AWS released a new feature, EKS Pod Identity, that aims to simplify granting AWS access to pods running in an EKS cluster. Then, create a service account with the IAM role that we previously created. To see the cause of the mount failures, check the controller pod logs. Jul 17, 2020 · 1 Answer. Conclusion: EKS Pod Identity provides a new and better way to grant access to AWS resources to a pod running in a cluster. Output: service "nginx-service-cluster-ip" exposed. This guide helps you to create all of the required resources to get started with Amazon Elastic Kubernetes Service (Amazon EKS) using the AWS Management Console and the AWS CLI. Verify that a security group or network access control list (network ACL) isn't blocking the pods when it communicates with CoreDNS. You need to have role and rolebinding to list pods for that namespace. To stream containers logs to CloudWatch Logs, install AWS for Fluent Bit using these steps: 1. Step-04: Create a Horizontal Pod Autoscaler resource for the "hpa-demo-deployment". In particular, the new feature enables you to: Map AWS identities to pre-defined AWS-managed Kubernetes permissions called "access policies". Description ¶. e. When the average CPU load is lower than 50 Check the EFS CSI driver pod logs. You previously could when you deployed the controller to I want to configure Amazon CloudWatch Container Insights to see my Amazon Elastic Kubernetes Service (Amazon EKS) cluster metrics. Lists the Amazon EKS clusters in your Amazon Web Services account in the specified Region. This pattern demonstrates the use of Kubernetes node affinity, node taints, and Pod tolerations to intentionally schedule application Pods on specific worker nodes in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster on the Amazon Web Services (AWS) Cloud. 1 Step 3: Create Pod Identity Association Jan 30, 2024 · CloudFormation - AWS::EKS::PodIdentityAssociation. We are going to create a fargate profile using eksctl on our existing EKS Cluster eksdemo1. eksctl get podidentityassociation lists all the service accounts that are connecting with other AWS resources. Create an IAM Policy (only via terraform). The default is 85%. It is critical to understand Kubernetes networking to operate your cluster and applications efficiently. grep arn value and use it as context in kubectl cmd (kubectl get pods --context arn:aws:eks:us-east-1:123123123123123:cluster/cluster Amazon EKS releases several variations of Amazon EC2 AMIs to enable support. Nov 28, 2023 · LAST UPDATED December 1, 2023. . Confirm that the role and service account are configured correctly. Create a Horizontal Pod Autoscaler resource for the php-apache deployment. For a detailed explanation of this capability, see the Oct 29, 2023 · Step 2: Create Secret in AWS Secrets Manager. Sep 9, 2021 · Deploy the Jenkins Application to the EKS Cluster. Jan 25, 2022 · 3. See Amazon EKS Clusters. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications. To troubleshoot the pod status in Amazon EKS, complete the following steps: To get the status of your pod, run the following command: $ kubectl get pod. Rolebinding for that role. All Amazon EKS add-ons include the latest security patches, bug fixes, and are validated by AWS to work with Amazon EKS. Turn on the Amazon VPC CNI custom networking feature: kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true. list-access-entries; list-access-policies; list-addons; list-associated-access-policies; list-clusters; list-eks-anywhere-subscriptions; list-fargate-profiles; list-identity-provider-configs; list-insights; list-nodegroups; list-pod-identity-associations; list-tags-for-resource; list-updates; register-cluster; tag-resource; untag-resource Feb 4, 2018 · [ aws . You can filter the list by the namespace that the association is in or the service account that the association uses. From the AWS services list, search for and select Amazon Elastic Kubernetes Service (Amazon EKS) or AWS Fargate. kubectl apply -f eks-connector-clusterrole. list_pod_for_all_namespaces(watch=False) The above command throws a 403 error, This I believe is due to the different auth mechanism that AWS EKS uses. Ingress Service: Application Load Balancer. Check your worker nodes. Create a namespace called amazon-cloudwatch, if you don't have one already: 2. For more information, see Why won't my pods connect to other pods in Amazon EKS? Verify that the kube-proxy pod is working Sep 30, 2022 · The configuration file that aws eks update-kubeconfig generates depends on having AWS credentials available, whether via the ~/. After a lot of debugging, I noticed that the pod that worked was running AWS CLI v2, while the pod that didn't work had AWS CLI v1. Both IRSA and Pod Identities are used to access AWS resources like S3, SNS, SQS, ELB, EBS and […] Override command's default URL with the given URL. Connect with an AWS IQ expert. list the clusters in region (aws eks list-clusters --region us-east-1), 2. To get additional information on a single worker node, run the following command To resolve the issue, view your existing access entries by replacing my-cluster in the following command with the name of your cluster and then running the modified command: aws eks list-access-entries --cluster-name. All Amazon EKS AMIs don't currently support the g5g and mac families. – Eduardo Baitello. Link the OIDC provider to the EKS OIDC URL. The previous limit of 64 Pods is no longer the case, after a Windows Server update starting with OS Build 17763. Can provide bootstrap arguments at deployment of a node, such as extra kubelet arguments. You can also run a DescribeCluster command to describe the contents of any cluster. kubectl create role developer --verb=get,list,watch --resource=pods,pods/status --namespace=edna. Check/Select EKS Pod Identity Agent and click. Click on Create: This is will start EKS POD Identity DeamonSet in the kube-system namespace Command Line of Step2: $ aws eks create-addon \ --cluster-name REPLACEME_WITH_CLUSTER_NAME \ --addon-name eks-pod-identity-agent \ --addon-version v1. 8xlarge node, it can hold up to 234 pods. To retrieve the efs-plugin container logs, run the following commands : kubectl logs deployment/efs-csi-controller -n kube-system -c efs-plugin. aws/config file or the AWS_ACCESS_KEY_ID and related environment variables or elsewhere. It is focused just on doing this one thing and doing it well. Oct 16, 2019 · I found a complete history in AWS CloudWatch logs. See https://docs. When you use this parameter, ListPodIdentityAssociations returns only maxResults results in a single page along with a nextToken response element. Create ENIConfig objects to define subnets and security groups for the pods to use. Amazon EKS node type. By gaining visibility into your cluster costs, you can optimize resource utilization, set budgets, and make data-driven decisions about your deployments. This command creates an autoscaler that targets 50 percent CPU utilization for the deployment, with a minimum of one Pod and a maximum of ten Pods. com/eks/latest/userguide/control-plane-logs. In this article we will use spikeseed-blog as the namespace and admin-sa as the service account. Choose Update to finish. If you are using the commands that I When a Pod uses AWS credentials from an IAM role that's associated with a service account, the AWS CLI or other SDKs in the containers for that Pod use the credentials that are provided by that role. See ‘aws help’ for descriptions of global parameters. my-cluster. 0. View the details of the deployed service. If the volume fails during creation, then refer to the ebs-plugin and csi-provisioner logs. kubectl get svc -n jenkins. In our implementation, we use Terraform S3 backend storing state files and DynamoDB for Terraform execution locks. In this guide, you manually create each resource. answered Oct 18, 2019 at 19:04. It can replace IRSA by providing more control and flexibility for platform teams in enterprise environments. The output returns the name, Kubernetes version, operating system (OS), and IP address of the worker nodes. Amazon EKS add-ons allow you to consistently ensure that your Amazon EKS clusters are secure and stable and reduce Cost monitoring. 0-eksbuild. , the master components) runs in an account managed by AWS, and it's always "hidden" from your point of view. These nodes are the compute resources that power your Kubernetes applications, from the perspective of the Kubernetes Dec 13, 2023 · Though AWS has IRSA, managing it at scale is a relatively tedious task when compared with eks-pod-identity-agent. CoreDNS is a flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. This chapter covers storage options for Amazon EKS clusters. Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a Kubernetes Oct 27, 2022 · The sequence of operations for testing pod security with PSA and PSS are provided in the following list. To get information from the Events history of your pod, run the following command: $ kubectl describe pod YOUR_POD_NAME. All information in the table applies to Linux IPv4 nodes only. Multiple API calls may be issued in order to retrieve the entire data set of results. Security groups for Pods integrate Amazon EC2 security groups with Kubernetes Pods. Kubernetes is an open-source system that automates the management, scaling, and deployment of containerized applications. This is your guy sven! EKS Pod Identity offers cluster administrators a simplified workflow for authenticating applications to access various other AWS resources such as Amazon S3 buckets, Amazon DynamoDB tables, and more. Oct 17, 2022 · In this example we will add an entry that authorizes your IAM role identity to list pods. Nov 13, 2018 · Go to Lambda console and make sure you follow these steps: Upload zip file. EKS Pod Identity introduces a new attack vector that can be abused to move laterally to the cloud domain, access cloud resources, and escalate privileges in the cloud. aws. Amazon EKS provides two cost monitoring solutions, each with its own unique Oct 3, 2023 · In this tutorial, you will configure the ExternalDNS add-on on your Amazon EKS cluster. The action aws:eks:pod-network-blackhole-port should not be run in parallel with other actions that target the same pod and use the same trafficType. Amazon EKS provides two cost monitoring solutions, each with its own unique May 9, 2022 · First, we need to create a project folder called managing-amazon-eks-using-terraform. For more information run eksctl create iamserviceaccount. The last step is to attach the policy with the role. 2746. By mastering the art of fine-grained access control, embracing the Amazon EKS Best Practices Guide for Networking. Create role. Using the AWS CLI, you'll store a sample secret that will later be accessed by your Kubernetes cluster. To expose a deployment of ClusterIP type, run the following imperative command: kubectl expose deployment nginx-deployment --type=ClusterIP --name=nginx-service-cluster-ip. Attach the IAM Policy to the Feb 9, 2024 · Cluster to cloud. If you deployed a Windows service, replace linux with windows. Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that eliminates the need to install, operate, and maintain your own Kubernetes control plane on Amazon Web Services (AWS). This option overrides the default behavior of verifying SSL certificates. Subsequently, we can list all pods using those service accounts to see which resources have elevated permissions & audit Apr 21, 2021 · AWS provides a list to tell what the maximum number of pods can be assigned to a node based on the type. Feb 29, 2024 · Auditing AWS EKS Pod Permissions. 1. IP Address Allocation Amazon EKS runs up-to-date versions of the open-source Kubernetes software, so you can use all the existing plugins and tooling from the Kubernetes community. To make sure that the instance type you select is compatible with Amazon EKS, consider the following criteria. That being said, policy-as-code (PAC) solutions are considerably more flexible. kubectl -n eks-sample-app describe service eks-sample-linux-service. html for more info. We are going to deploy a simple workload. Sorted by: 2. This will involve creating a private hosted zone, installation of the ExternalDNS add-on that utilizes the IAM Role for Service Account (IRSA) for the management of AWS Route53 DNS records. You can use Amazon EC2 security groups to define rules that allow inbound and outbound network traffic to and from Pods that you deploy to nodes running on many Amazon EC2 instance types and Fargate. Oct 1, 2018 · from kubernetes import client, config config. 29 Feb 2024. The complete command would be kubectl get pod --all-namespaces -o wide, this will give all the details including node information. list-clusters is a paginated operation. View the Cluster Autoscaler pod logs by running the following command: kubectl logs -f -n kube-system -l app=cluster-autoscaler. Below command should output the list of Amazon EKS clusters in the target account. As AWS outlines in their blog, the EKS Pod Identity Agent — which operates as a DaemonSet on each worker node — exchanges a JWT token for temporary IAM Override command’s default URL with the given URL. While IRSA is still out there and useful, it can be deduced that EKS Pod Identity feature provides an easier way to achieve the same outcome. (Alternative of kubectl get pods -n namespace) I tried searching in the following documentation. This role is added to the cluster's Kubernetes Role based access control (RBAC) for authorization. Jan 29, 2024 · We can use kubectl to list down images used to spin up a container. NodePort Service: Nginx App1. You can't retrieve logs from the vpc-resource-controller Pod. The pods running on the nodes are consumers/producers on various Kafka topics (MSK). An ENIConfig object defines one subnet and a list of security groups. aws s3api create-bucket --bucket fadyio-eks-pod-identity --region us-east-1. References: Description ¶. Yes – For more information, see the bootstrap script usage information on GitHub. # Replace with jenkins manager pod name and fetch Jenkins login password. EKS Pod Identities provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Check the network ACLS that are linked to the worker node subnets. Counting with kube-system pods, total running pods per node is 11 and 1 is left pending, i. To clean up the image cache with Amazon EKS worker nodes, use the following kubelet garbage collection arguments: The --image-gc-high-threshold argument defines the percent of disk usage that initiates image garbage collection. amazon. AssumeRolePolicyDocument. This enhancement provides you with a seamless and easy to configure experience that lets you define required IAM permissions for your applications in Amazon Elastic Kubernetes Service (Amazon EKS) clusters so you can connect with AWS services outside […] Mar 23, 2019 · EKS worker nodes run in your AWS account as standard EC2 instances and connect to your cluster's control plane via the API server endpoint. Oct 17, 2012 · Connect with an AWS IQ expert. Applications running in EKS often require access to AWS resources, including S3 buckets, DynamoDB tables, Secrets Manager secrets, KMS keys, SQS queues, and other resources. Create an S3 bucket for testing, again, you can do it via the console or AWS CLI. OPA is a CNCF Incubating project and supports enforcing policies in a variety of areas, including microservices, Kubernetes, CI/CD pipeline, service mesh and API gateways. Note: If the endpoint list is empty, then check the pod status of the CoreDNS pods. kubectl create rolebinding developer-binding --role=developer --user=developer --serviceaccount=edna:default -n The Amazon EKS Pod execution role provides the IAM permissions to do this. Arm and non-accelerated Amazon EKS AMIs don't support the g3, g4, inf, and p families. On the Manage tags page, add or delete your tags as necessary. describe the cluster (aws eks describe-cluster --name <cluster_name>) 3. Apr 5, 2021 · These tools will do: Create an AWS OpenID Connect provider. Dec 15, 2023 · EKS Pod Identities are a feature of AWS EKS (Elastic Kubernetes Service) that allows applications running in EKS to securely access AWS resources using IAM Roles. When I use my Amazon Elastic Kubernetes Service (Amazon EKS) cluster, I want to troubleshoot errors, such as Access Denied, Unauthorized, and Forbidden. Repeat this process for each tag that you want to add or delete. Hope this helps. The --image-gc-low-threshold argument defines the LowThresholdPercent value. Amazon EKS add-ons provide installation and management of a curated set of add-ons for Amazon EKS clusters. 23 cluster. Lists the Amazon EKS managed node groups associated with the specified cluster in your AWS account in the specified Region. : Node #1: aws-node-1 coredns-5-1as3 coredns-5-2das kube-proxy-1 +7 app pod replicas Node #2: aws-node-1 kube-proxy-1 Is there any way to list the eks pods of a specific namespace from AWS lambda python using SDK?. As a security auditor, mapping EKS pods in a cluster to assigned IAM policy permissions can be challenging. If you don't restrict access to the credentials that are provided to the Amazon EKS node IAM role , the Pod still has access to these credentials. Parallel actions using different traffic types are supported. Short description. Apply the Amazon EKS Connector cluster role YAML to your Kubernetes cluster. FIS can only moni†or the status of fault injection when the securityContext of the target pods is set to readOnlyRootFilesystem: false. The Pod Security Standards (PSS) were developed to replace the Pod Security Policy (PSP), by providing a solution that was built-in to Kubernetes and did not require solutions from the Kubernetes ecosystem. EKS Pod Identity attaches tags to the temporary credentials to each pod with attributes such as cluster name, namespace, service account name. The add-on for CoreDNS was amongst the first add-ons we released because DNS plays such a pivotal role in Kubernetes. To list the worker nodes that are registered to the Amazon EKS control plane, run the following command: kubectl get nodes -o wide. Kubernetes API Authentication from AWS Lambda. mo jz vf lx yo ej ze ww aa zh