This article explains how to grant Cloudaware read-only access to Amazon EKS cluster resources so that Cloudaware can discover EKS resources automatically.
1. Check whether you have already applied the aws-auth ConfigMap. (Link to the documentation here, along the lines of: if you do not have one, go to the documentation and follow it.)
Access entries (recommended)
Use access entries to manage the Kubernetes permissions of IAM principals from outside the cluster. Use the AWS documentation to ensure that:
- The cluster meets one of the requirements for using access entries (platform/Kubernetes versions). Read more
- Access entries are enabled as a cluster authentication mode in AWS. Read more
- Existing aws-auth ConfigMap entries are migrated to access entries (optional). Read more
aws-auth ConfigMap (legacy)
All clusters created before the introduction of access entries have the ConfigMap method enabled. Use the aws-auth ConfigMap to provide Cloudaware with access to the Kubernetes cluster.
Full access
Ensure you have access to the cluster and are authorized to make changes.
1. Open the aws-auth ConfigMap:

```shell
kubectl edit -n kube-system configmap/aws-auth
```
2. Add the Cloudaware IAM role to the ConfigMap:
2.1. To locate the Cloudaware IAM role ARN, log in to your Cloudaware account → Admin. Go to Amazon Organizations & Accounts → the tab Accounts. Locate the AWS account where access to EKS should be granted → click SEE ALL in the column 'Connected Identities'.
2.2. To assign the IAM role, add the role details to the mapRoles section of the ConfigMap under data. Use the section below if it is not present in the file:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Cloudaware entry: replace the placeholder with the role ARN located in step 2.1
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
      groups:
        - system:masters
    # Existing node-group entry (example); keep the entries already present in your cluster
    - rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
```
WHERE
- <CLOUDAWARE_ROLE_ARN> in rolearn - a placeholder that needs to be replaced by the Cloudaware IAM role ARN located in step 2.1
- username - the username within Kubernetes to be mapped to the IAM role (doesn't require changes)
- groups - a list of groups within Kubernetes to which the role is mapped (doesn't require changes). Note that system:masters grants full cluster-admin rights; if that is more than you want to give Cloudaware, use the read-only setup below instead. Check Default Roles and Role Bindings for more information
Read-only access
To grant Cloudaware read-only access by creating a ClusterRole and ClusterRoleBinding in Kubernetes:
1. Create cloudaware-rbac.yaml using the section below:

```yaml
# ClusterRole: read-only (get/watch/list) on every resource in every API group
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-reader
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
---
# ClusterRoleBinding: bind the role above to the Kubernetes user "cloudaware"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-binding
subjects:
  - kind: User
    name: cloudaware
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cloudaware-reader
  apiGroup: rbac.authorization.k8s.io
```
WHERE
- ClusterRole cloudaware-reader grants read access to all resources within the cluster
- ClusterRoleBinding cloudaware-binding maps the aforementioned cluster role to the Cloudaware user
2. Run the following command:

```shell
kubectl create -f cloudaware-rbac.yaml
```
3. To map IAM users and roles to Kubernetes users in the EKS cluster, define them in the aws-auth ConfigMap, which should exist after creation of your cluster. To add an IAM role to the cluster, modify this ConfigMap by adding the respective ARN and Kubernetes username value to the mapRoles property as an array item. To perform the modification, run the following command:

```shell
kubectl -n kube-system edit configmap aws-auth
```
See the example below:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
```
WHERE
- <CLOUDAWARE_ROLE_ARN> in rolearn is a placeholder that needs to be replaced by the Cloudaware IAM role ARN. The username cloudaware matches the User subject of the ClusterRoleBinding created in step 1, so this entry receives only the read-only permissions of cloudaware-reader.
To locate your Cloudaware IAM role ARN, log in to your Cloudaware account → Admin. Go to Amazon Organizations & Accounts → the tab Accounts. Locate the AWS account where access to EKS should be granted → click SEE ALL in the column 'Connected Identities'.
Make sure not to remove the existing mappings in the mapRoles and/or mapUsers sections. You only need to append a role for Cloudaware.
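Two checks a cluster administrator typically wants around the steps above: that the ClusterRole really is read-only before it is bound, and that the Cloudaware entry is appended to mapRoles without touching the mappings that are already there. The helper below is an added example, not Cloudaware's or Kubernetes' own code; it assumes the ClusterRole is read with `kubectl get clusterrole cloudaware-reader -o json`, that the current mapRoles value is read with `kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapRoles}'`, and that the resulting patch is applied with `kubectl patch configmap aws-auth -n kube-system -p "$(python3 cloudaware_eks.py)"`. The role ARN, the sample node-group entry and the JSON documents are constructed placeholders.

```python
"""Audit the cloudaware-reader ClusterRole and build an aws-auth patch that only appends (example code)."""
import json

# Only these verbs leave the cluster state untouched.
READ_ONLY_VERBS = {"get", "list", "watch"}

# Constructed sample: what `kubectl get clusterrole cloudaware-reader -o json` would return (trimmed).
READER_ROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "cloudaware-reader"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "watch", "list"]}],
})

# Constructed counter-example: a wildcard verb is never read-only.
ADMIN_ROLE_JSON = json.dumps({
    "kind": "ClusterRole", "metadata": {"name": "too-broad"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
})

# Constructed sample of an existing mapRoles value (node-group entry only); the ARN is the page's example.
EXISTING_MAP_ROLES = (
    "- groups:\n"
    "  - system:bootstrappers\n"
    "  - system:nodes\n"
    "  rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF\n"
    "  username: system:node:{{EC2PrivateDNSName}}\n"
)

# Placeholder: replace with the Cloudaware IAM role ARN located in the Cloudaware admin console.
CLOUDAWARE_ROLE_ARN = "arn:aws:iam::111122223333:role/CLOUDAWARE_ROLE_ARN_PLACEHOLDER"


def mutating_rules(clusterrole_json: str) -> list:
    """Return every rule that grants more than get/list/watch. Empty list == read-only role."""
    role = json.loads(clusterrole_json)
    offending = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        # "*" expands to all verbs (create, delete, ...) so it can never be read-only.
        if "*" in verbs or not verbs <= READ_ONLY_VERBS:
            offending.append(rule)
    return offending


def merged_map_roles(existing_map_roles: str, role_arn: str, username: str = "cloudaware") -> str:
    """Append a Cloudaware item to the mapRoles block scalar.

    The existing text is kept verbatim (no re-serialisation that could drop entries),
    the new item copies the indentation of the existing list items, and a second run
    with the same ARN is a no-op.
    """
    if f"rolearn: {role_arn}" in existing_map_roles:
        return existing_map_roles
    indent = ""
    for line in existing_map_roles.splitlines():
        stripped = line.lstrip()
        if stripped.startswith("- "):
            indent = line[: len(line) - len(stripped)]
            break
    entry = f"{indent}- rolearn: {role_arn}\n{indent}  username: {username}\n"
    body = existing_map_roles
    if body and not body.endswith("\n"):
        body += "\n"
    return body + entry


def aws_auth_patch(existing_map_roles: str, role_arn: str) -> str:
    """JSON patch body for `kubectl patch configmap aws-auth -n kube-system -p ...`.

    Only data.mapRoles is included, so mapUsers and any other keys are left untouched.
    """
    return json.dumps({"data": {"mapRoles": merged_map_roles(existing_map_roles, role_arn)}})


if __name__ == "__main__":
    if mutating_rules(READER_ROLE_JSON):
        raise SystemExit("cloudaware-reader grants more than get/list/watch; refusing to continue")
    print(aws_auth_patch(EXISTING_MAP_ROLES, CLOUDAWARE_ROLE_ARN))
```

Run the audit against the live role before step 2, and feed the live mapRoles value to `aws_auth_patch` instead of the constructed sample; the patch only sets data.mapRoles, which is why it cannot lose mapUsers entries.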
Further configuration
If the Amazon EKS cluster is running in a private network, check this guide to install the Cloudaware Breeze agent for a secure connection.
EKS resources in CMDB
To view discovered EKS resources, go to Cloudaware CMDB Navigator → select Amazon Web Services → Compute → EKS.