Info: This article explains how to give Cloudaware access to an Amazon EKS cluster so that it can discover EKS resources automatically.
Since Amazon does not manage credentials for the API inside a cluster, the Cloudaware Collector IAM role needs to be manually granted read access to the Kubernetes API at the cluster level. Once that is done, Cloudaware is able to retrieve EKS Nodes, Pods and other details.
Cloudaware supports the following options of EKS access configuration:
Access entries (recommended)
Use access entries to manage the Kubernetes permissions of IAM principals from outside the cluster. Consult the AWS documentation to ensure that:
- the cluster meets one of the requirements for using access entries (platform/Kubernetes versions);
- access entries are enabled as a cluster authentication mode in AWS;
- existing aws-auth ConfigMap entries are migrated to access entries (optional).
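One way to create such an access entry for the Cloudaware Collector role, as an added CloudFormation example (not Cloudaware's or AWS's own template). It attaches the AWS-managed AmazonEKSViewPolicy at cluster scope instead of mapping the role to system:masters. The parameter names are this example's assumptions, the AWS::EKS::AccessEntry property names are taken from the CloudFormation resource type as I know it, and the template assumes the cluster's authentication mode already allows access entries.

```yaml
# Added example: access entry + view-only policy for the Cloudaware Collector role.
# Parameter names are assumptions of this example; supply your own values.
Parameters:
  ClusterName:
    Type: String
  CloudawareRoleArn:
    Type: String
    Description: ARN of the Cloudaware Collector IAM role (Admin -> Connected Identities)

Resources:
  CloudawareAccessEntry:
    Type: AWS::EKS::AccessEntry
    Properties:
      ClusterName: !Ref ClusterName
      PrincipalArn: !Ref CloudawareRoleArn
      Type: STANDARD
      # Kubernetes user name the principal maps to (matches the "cloudaware"
      # username used elsewhere on this page). No KubernetesGroups are set, so
      # the only permissions come from the attached access policy.
      Username: cloudaware
      AccessPolicies:
        - PolicyArn: arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy
          AccessScope:
            Type: cluster
```

AmazonEKSViewPolicy carries the same permissions as the built-in Kubernetes `view` ClusterRole (read-only, no Secrets), so it is the least-privilege counterpart of the system:masters mapping shown under Full access; if discovery turns out to need more, bind a custom ClusterRole through KubernetesGroups rather than widening the policy. To confirm what was attached, run `aws eks list-associated-access-policies --cluster-name <cluster> --principal-arn <role-arn>`.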
aws-auth ConfigMap (legacy)
All clusters created before the introduction of access entries have the ConfigMap method enabled. Use the aws-auth ConfigMap to provide Cloudaware with access to the Kubernetes cluster.
Full access
Ensure you have access to the cluster and are authorized to make changes.
1. Open the aws-auth ConfigMap:

```shell
kubectl edit -n kube-system configmap/aws-auth
```
...
2. Add the Cloudaware IAM role to the ConfigMap:
2.1. To locate your Cloudaware IAM role ARN, log in to your Cloudaware account → Admin (under your username in the upper right corner) → Amazon Organizations & Accounts → the Accounts tab. Locate the AWS account where access to EKS should be granted → click SEE ALL in the 'Connected Identities' column:
...
2.2. To assign the IAM role, add the role details to the mapRoles section of the ConfigMap under data. Use the snippet below if the section is not present in the file:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
      groups:
        - system:masters
```
where:
- <CLOUDAWARE_ROLE_ARN> in rolearn is a placeholder that needs to be replaced by your Cloudaware IAM role ARN;
- username is the username within Kubernetes to be mapped to the IAM role (does not require changes);
- groups is a list of groups within Kubernetes that the role is mapped to (does not require changes). Check Default Roles and Role Bindings for more information.
Read-only access
To grant read-only access to Cloudaware:
1. Create a ClusterRole and a ClusterRoleBinding in Kubernetes:
...
- ClusterRole cloudaware-reader grants read access to all resources within the cluster.
- ClusterRoleBinding cloudaware-binding maps the aforementioned cluster role to the Cloudaware user.
2. Run the following command:
...
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
```
where:
- <CLOUDAWARE_ROLE_ARN> in rolearn is a placeholder that needs to be replaced by your Cloudaware IAM role ARN.
To locate your Cloudaware IAM role ARN, log in to your Cloudaware account → Admin (under your username in the upper right corner) → Amazon Organizations & Accounts → the Accounts tab. Locate the AWS account where access to EKS should be granted → click SEE ALL in the 'Connected Identities' column:
...
Make sure not to remove the existing mappings in the mapRoles and/or mapUsers sections. You only need to append a role for Cloudaware.
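The ClusterRole and ClusterRoleBinding described in step 1 of the read-only procedure, written out as an added example (not Cloudaware's own manifest). The object names cloudaware-reader and cloudaware-binding and the user name cloudaware are taken from this page; the verb list and the wildcard apiGroups/resources are this example's assumptions about what "read access to all resources" means. The binding's subject must match the username in the mapRoles entry from step 2, which is how the IAM role ends up with exactly these permissions and nothing more.

```yaml
# Added example: read-only RBAC for the Cloudaware user. Verb list and
# wildcards are assumptions of this example, not Cloudaware's specification.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-reader
rules:
  # Read-only verbs on every resource in every API group ("*" includes core).
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-binding
subjects:
  # Must equal the "username" value in the aws-auth mapRoles entry.
  - kind: User
    name: cloudaware
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cloudaware-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f cloudaware-rbac.yaml`, then confirm the effective permissions without assuming the role: `kubectl auth can-i list pods --as=cloudaware` should answer yes and `kubectl auth can-i delete pods --as=cloudaware` should answer no. Note that `resources: ["*"]` includes Secrets; if the inventory does not need secret contents, enumerate the resource types explicitly instead of using the wildcard.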
Further configuration
If your Amazon EKS cluster is running in a private network, check this guide to install the Cloudaware Breeze agent for a secure connection.
EKS resources in CMDB
To view discovered EKS resources, go to Cloudaware CMDB Navigator → select Amazon Web Services → Compute → EKS.
...