This article explains how to provide access to an Amazon EKS cluster so that Cloudaware can discover EKS resources automatically.
...
Since Amazon does not manage credentials for the Kubernetes API inside a cluster, the Cloudaware Collector IAM role needs to be manually granted read access to the Kubernetes API at the cluster level. Cloudaware will then be able to retrieve EKS nodes, pods and other details. Read more
Cloudaware supports the following options for EKS access configuration:
EKS access entries
Use EKS access entries to manage the Kubernetes permissions of IAM principals from outside the cluster.
The cluster must meet one of the following requirements: a platform version equal to or later than those listed in the table below, or a Kubernetes version equal to or newer than those listed. Read more
Kubernetes version | Platform version |
---|---|
1.30 | eks.2 |
1.29 | eks.1 |
1.28 | eks.6 |
1.27 | eks.10 |
1.26 | eks.11 |
1.25 | eks.12 |
1.24 | eks.15 |
1.23 | eks.17 |
To begin using access entries, change the authentication mode of the cluster to either `API_AND_CONFIG_MAP` or `API`. Note that once the access entry method is enabled, it cannot be disabled. Read more
Migrate existing aws-auth ConfigMap entries to access entries. Read more
aws-auth ConfigMap (legacy)
Full Access
1. Ensure that the AWS credentials that `kubectl` is using are already authorized for your cluster (the IAM user who created the cluster has the required permissions by default). Open the `aws-auth` ConfigMap:

```shell
kubectl edit -n kube-system configmap/aws-auth
```
...
2. Add the Cloudaware IAM role to the ConfigMap.
2.1. To locate your Cloudaware IAM role ARN, log in to your Cloudaware account → Admin (under your username in the upper right corner). Go to Amazon accounts → locate the AWS account where access to EKS should be granted → click SEE ALL in the 'Connected Identities' column:
...
2.2. To add the IAM role, add the role details to the `mapRoles` section of the ConfigMap under `data`. Use the section below if it is not present in the file:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
      groups:
        - system:masters
```
Where:
- `<CLOUDAWARE_ROLE_ARN>` in `rolearn` is a placeholder that needs to be replaced with the Cloudaware IAM role ARN located in step 2.1.
- `username` is the username within Kubernetes to be mapped to the IAM role (doesn't require changes).
- `groups` is a list of Kubernetes groups the role is mapped to (doesn't require changes). Check Default Roles and Role Bindings for more information.
Read-Only Access
To grant Cloudaware read-only access instead, create a ClusterRole and ClusterRoleBinding in Kubernetes:
...
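The read-only counterpart of the Full Access mapping above, added here as an example rather than Cloudaware's own manifest: a ClusterRole limited to read verbs, a ClusterRoleBinding to a dedicated group, and the matching aws-auth mapRoles entry. The group name cloudaware-readonly and the resource list are assumptions; widen the list to whatever Cloudaware must discover in your cluster.

```yaml
# Added example, not Cloudaware's own manifest: read-only access for the
# Cloudaware Collector role in place of the system:masters mapping above.
# Group name cloudaware-readonly and the resource list are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-readonly
rules:
  # Core API group: cluster inventory objects such as nodes and pods
  - apiGroups: [""]
    resources: ["nodes", "namespaces", "pods", "services",
                "persistentvolumes", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]   # read verbs only, no write access
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudaware-readonly
subjects:
  # The Kubernetes group that aws-auth assigns to the IAM role below
  - kind: Group
    name: cloudaware-readonly
    apiGroup: rbac.authorization.k8s.io
---
# mapRoles entry to merge into the existing aws-auth ConfigMap via kubectl edit;
# applying this document whole would replace the mapRoles entries already there.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # <CLOUDAWARE_ROLE_ARN> is the same placeholder as in the Full Access section;
  # the group is cloudaware-readonly instead of system:masters
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
      groups:
        - cloudaware-readonly
```

After applying the ClusterRole and ClusterRoleBinding, `kubectl auth can-i list pods --as=cloudaware --as-group=cloudaware-readonly` should answer yes while the same check with `create` should answer no.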