The article instructs on how to provide Cloudaware with read-only access to Amazon EKS Cluster resources so that Cloudaware is able to discover EKS resources automatically.

1. Download, edit, and apply the AWS authenticator configuration map.

1.1. Download the configuration map

Code Block
curl -o aws-auth-cm.yaml https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/aws-auth-cm.yaml

1.2. Open the file with a text editor. Replace <ARN of instance role (not instance profile)> with the Amazon Resource Name (ARN) of the IAM role associated with your nodes, and save the file. Do not modify any other lines in this file.

The role ARN cannot include a path. The format of the role ARN must be arn:aws:iam::<123456789012>:role/<role-name>. For more information, see aws-auth ConfigMap does not grant access to the cluster.

2. Ensure that the AWS credentials that kubectl is using are already authorized for your cluster. The IAM principal (user or role) that created the cluster has these permissions by default.


2.1. Open the aws-auth ConfigMap:

Code Block
kubectl edit -n kube-system configmap/aws-auth

2.2. Add the Cloudaware IAM role to the ConfigMap.

...

groups - a list of Kubernetes groups to which the role is mapped. Cloudaware does not need any group: its permissions come from the ClusterRoleBinding below, which targets the username. Read Default Roles and Role Bindings in the Kubernetes documentation for more information.

3. To grant Cloudaware read-only access, create a ClusterRole and a ClusterRoleBinding in Kubernetes using the two manifests below:

Code Block
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-reader
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]

Code Block
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-binding
subjects:
# A User subject has no namespace; the apiGroup must be rbac.authorization.k8s.io,
# otherwise the API server rejects the binding.
- kind: User
  name: cloudaware
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cloudaware-reader
  apiGroup: rbac.authorization.k8s.io

ClusterRole cloudaware-reader grants get, list and watch on every resource in every API group, cluster-wide. ClusterRoleBinding cloudaware-binding maps that cluster role to the Kubernetes user cloudaware, which is the username you assign to the Cloudaware IAM role in aws-auth below. Note that "all resources" includes Secrets in every namespace: whoever can assume the Cloudaware IAM role can read their values. If that is not acceptable, enumerate the resource types Cloudaware should discover in the rules instead of using "*" and leave secrets out.

To map IAM users and roles to Kubernetes users in the EKS cluster, you have to define them in the aws-auth ConfigMap, which exists in kube-system after the cluster is created. To add an IAM role to the cluster, modify this ConfigMap by appending an item with the role ARN and the Kubernetes username to the mapRoles list (IAM users go into mapUsers). To perform the modification, run the following command:

Code Block
kubectl -n kube-system edit configmap aws-auth

See the example below:

Code Block
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Existing worker-node mapping from step 1: leave it in place.
    - rolearn: <ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # Appended for Cloudaware; the username must match the ClusterRoleBinding subject.
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware

Make sure not to remove the existing entries in the mapRoles and/or mapUsers sections: removing the node role mapping takes your worker nodes out of the cluster. You only need to append a role for Cloudaware. The Cloudaware role ARN, like the node role ARN, must not contain a path.
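Editing aws-auth interactively with kubectl edit is easy to get wrong (a dropped line removes node access). The following Python script is an added example, not Cloudaware's or AWS's tooling: it takes the ConfigMap as returned by kubectl get configmap aws-auth -n kube-system -o json, checks that the Cloudaware role ARN has the path-less format the article requires, appends the mapping only if it is not already there, keeps every existing mapRoles entry, and prints the kubectl patch command that applies just the mapRoles key. The account id 111122223333, the role names and the sample ConfigMap are constructed for the example; the mapRoles parser only understands the rolearn, username and groups keys that aws-auth documents.

```python
"""Append a Cloudaware role mapping to an EKS aws-auth ConfigMap without touching
existing entries. Added example for this article, not Cloudaware's or AWS's code.
Assumes the ConfigMap dict came from
`kubectl get configmap aws-auth -n kube-system -o json`."""
import copy
import json
import re

# Role ARN as the article requires it: arn:aws:iam::<12-digit account>:role/<name>,
# with no path. A path would add another "/" after "role/", which the character
# class for the name rejects. Instance-profile ARNs are rejected the same way.
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@-]+$")

# Constructed sample: the node-role mapping a fresh cluster's aws-auth contains
# and which must survive the edit. Account id and role name are made up.
SAMPLE_AWS_AUTH = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system"},
    "data": {
        "mapRoles": (
            "- rolearn: arn:aws:iam::111122223333:role/eks-node-group-role\n"
            "  username: system:node:{{EC2PrivateDNSName}}\n"
            "  groups:\n"
            "    - system:bootstrappers\n"
            "    - system:nodes\n"
        )
    },
}


def validate_role_arn(arn: str) -> bool:
    return bool(ROLE_ARN_RE.match(arn))


def parse_map_roles(text: str) -> list:
    """Parse the mapRoles YAML list into dicts. Handles `- key: value` items and a
    nested `groups:` list (block or flow style); it is not a general YAML parser."""
    entries, current, item_indent = [], None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if line.startswith("- ") and (item_indent is None or indent <= item_indent):
            item_indent = indent            # a new top-level entry; first key is on this line
            current = {}
            entries.append(current)
            line = line[2:].strip()
        elif line.startswith("- "):         # more indented "- x" lines are group names
            current.setdefault("groups", []).append(line[2:].strip())
            continue
        if current is None:
            raise ValueError("mapRoles must be a YAML list")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "groups":
            current["groups"] = [g.strip() for g in value.strip("[]").split(",") if g.strip()]
        else:
            current[key] = value
    return entries


def dump_map_roles(entries: list) -> str:
    lines = []
    for e in entries:
        lines.append(f"- rolearn: {e['rolearn']}")
        for key, value in e.items():
            if key not in ("rolearn", "groups"):
                lines.append(f"  {key}: {value}")
        if e.get("groups"):
            lines.append("  groups:")
            lines.extend(f"    - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"


def add_cloudaware_mapping(configmap: dict, role_arn: str, username: str = "cloudaware") -> dict:
    """Return a copy of the ConfigMap with the Cloudaware role appended to mapRoles.
    Existing entries are preserved; re-running with the same ARN changes nothing."""
    if not validate_role_arn(role_arn):
        raise ValueError(f"role ARN must be arn:aws:iam::<account>:role/<name> with no path: {role_arn}")
    entries = parse_map_roles(configmap.get("data", {}).get("mapRoles", ""))
    for e in entries:
        if e.get("rolearn") == role_arn:
            if e.get("username") != username:
                raise ValueError(f"{role_arn} is already mapped to user {e.get('username')!r}")
            return configmap
    entries.append({"rolearn": role_arn, "username": username})
    patched = copy.deepcopy(configmap)
    patched.setdefault("data", {})["mapRoles"] = dump_map_roles(entries)
    return patched


def kubectl_patch_command(patched: dict) -> str:
    """A JSON merge patch replaces only data.mapRoles, so mapUsers is left alone."""
    payload = json.dumps({"data": {"mapRoles": patched["data"]["mapRoles"]}})
    return f"kubectl -n kube-system patch configmap aws-auth --type merge -p '{payload}'"


if __name__ == "__main__":
    result = add_cloudaware_mapping(SAMPLE_AWS_AUTH, "arn:aws:iam::111122223333:role/CloudawareReadOnly")
    print(kubectl_patch_command(result))
```

After applying the patch and the two RBAC manifests, check the result from a principal that already has cluster-admin (the cluster creator) with kubectl auth can-i list pods --all-namespaces --as cloudaware, which should answer yes, and kubectl auth can-i create pods --as cloudaware, which should answer no.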