Info

This article explains how to give Cloudaware access to an Amazon EKS cluster so that it can discover EKS resources (pods, nodes, etc.) automatically. Read more

...

Cloudaware supports the following options of EKS access configuration based on cluster authentication mode:

Access entries

Use access entries to manage the Kubernetes permissions of IAM principals from outside the cluster.

Ensure the cluster meets one of the following requirements: a platform version that is equal to or later than the one listed in the table below, or a Kubernetes version that is equal to or newer than those listed. Otherwise, use the aws-auth ConfigMap option. Read more

| Kubernetes version | Platform version |
|---|---|
| 1.30 | eks.2 |
| 1.29 | eks.1 |
| 1.28 | eks.6 |
| 1.27 | eks.10 |
| 1.26 | eks.11 |
| 1.25 | eks.12 |
| 1.24 | eks.15 |
| 1.23 | eks.17 |

To begin using access entries, change the authentication mode of the cluster to either API_AND_CONFIG_MAP or API. Ensure that the access entry method is enabled in AWS. Note that once it is enabled, it cannot be disabled. Read more

Migrate existing aws-auth ConfigMap entries to access entries. Read more

aws-auth ConfigMap (legacy)

All clusters created before the introduction of access entries have the ConfigMap method enabled. Use the aws-auth ConfigMap to manage the Kubernetes permissions of IAM principals from inside the cluster. Provide Cloudaware with read access to the Kubernetes API at the cluster level using the Cloudaware Collector IAM role.

Full access

1. Ensure that the AWS credentials that kubectl is using are already authorized for your cluster (the IAM user who created the cluster has the required permissions by default). Open the aws-auth ConfigMap:

...

2. Add the Cloudaware IAM role to the ConfigMap:

2.1. To locate your Cloudaware IAM role ARN, log in to your Cloudaware account → Admin. Go to Amazon Organizations & Accounts → the tab Accounts. Locate the AWS account where access to EKS should be granted → click SEE ALL in the column 'Connected Identities':

...

2.2. To assign the IAM role, add the role details to the mapRoles section of the ConfigMap under data. Use the section below if it is not present in the file:

...

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # Append the Cloudaware entry below; keep any mappings that are already listed.
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
```

WHERE

<CLOUDAWARE_ROLE_ARN> in rolearn is a placeholder that needs to be replaced by your Cluster Role ARN.

To locate your Cloudaware IAM role ARN, log in to your Cloudaware account → Admin (under your username in the upper right corner). Go to Amazon Organizations & Accounts → the tab Accounts. Locate the AWS account where the access to EKS should be granted → click SEE ALL in the column 'Connected Identities':

...

Make sure not to remove the existing mappings in the mapRoles and/or mapUsers sections. You only need to append a role for Cloudaware.
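The append-only rule above can be checked before an edited ConfigMap is applied. The following is an added example, not part of the Cloudaware documentation: it appends a role to a mapRoles value only if the ARN is not already mapped, and reports any mapping that an edit dropped. The function names, the sample ARNs and the flat list layout of mapRoles are assumptions.

```python
import re

# Matches "rolearn: <value>" lines in a mapRoles value.
# Assumption: the flat list layout shown on this page, one rolearn per entry.
ROLEARN_RE = re.compile(r"^\s*(?:-\s*)?rolearn:\s*(\S+)\s*$", re.MULTILINE)


def role_arns(map_roles: str) -> list[str]:
    """Return every role ARN mapped in a mapRoles value, in file order."""
    return ROLEARN_RE.findall(map_roles)


def append_role(map_roles: str, role_arn: str, username: str) -> str:
    """Append one mapping; return the input unchanged if the ARN is already mapped."""
    if role_arn in role_arns(map_roles):
        return map_roles
    entry = f"- rolearn: {role_arn}\n  username: {username}\n"
    # Keep the existing text byte-for-byte and only add a missing final newline.
    base = map_roles if not map_roles or map_roles.endswith("\n") else map_roles + "\n"
    return base + entry


def removed_mappings(before: str, after: str) -> list[str]:
    """ARNs mapped before the edit but missing afterwards; must be empty."""
    kept = set(role_arns(after))
    return [arn for arn in role_arns(before) if arn not in kept]


# Constructed sample: a mapRoles value holding only a node role mapping.
EXISTING = """\
- rolearn: arn:aws:iam::111122223333:role/eks-node-role
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
"""
# Placeholder ARN standing in for <CLOUDAWARE_ROLE_ARN>.
CLOUDAWARE_ARN = "arn:aws:iam::111122223333:role/example-cloudaware-collector"

if __name__ == "__main__":
    updated = append_role(EXISTING, CLOUDAWARE_ARN, "cloudaware")
    print(updated)
    lost = removed_mappings(EXISTING, updated)
    print("mappings removed by the edit:", lost or "none")
```

A non-empty result from `removed_mappings` means the edit overwrote existing mappings and should not be applied.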

...

Further Configuration

Note

If the Amazon EKS cluster is running in a private network, check this guide to install the Cloudaware Breeze agent for a secure connection.

...