This article explains how to give Cloudaware access to an Amazon EKS cluster so that it can discover EKS resources automatically.

...

Read more

...


...

Access entries (recommended)

Use EKS access entries to manage the Kubernetes permissions of IAM principals from outside the cluster. Leverage AWS documentation to ensure that:

  • The cluster

...

  • meets one of the

...

Kubernetes version    Platform version
1.30                  eks.2
1.29                  eks.1
1.28                  eks.6
1.27                  eks.10
1.26                  eks.11
1.25                  eks.12
1.24                  eks.15
1.23                  eks.17

To begin using access entries, change the authentication mode of the cluster to either API_AND_CONFIG_MAP or API. Note that once the access entry method is enabled, it cannot be disabled. Read more

...

  • requirements for using access entries (platform/Kubernetes versions). Read more

  • Ensure that the access entry as a cluster authentication mode is enabled in AWS. Read more

  • Existing aws-auth ConfigMap entries are migrated to access entries (optional). Read more

aws-auth ConfigMap (legacy)

Full Access

...

All clusters created before the introduction of access entries have the ConfigMap method enabled. Use the aws-auth ConfigMap to provide Cloudaware with access to the Kubernetes cluster.

Full access

Ensure you have access to the cluster and are authorized to make changes.

1. Open the aws-auth ConfigMap:

Code Block
kubectl edit -n kube-system configmap/aws-auth

...

2. Add the Cloudaware IAM role to the ConfigMap:

2.1. To locate your Cloudaware IAM role ARN, log in to your Cloudaware account → Admin. Go to Amazon accounts → locate Organizations & Accounts → the tab Accounts. Locate the AWS account where access to EKS should be granted → click SEE ALL in the column 'Connected Identities':

...

2.2. To assign the IAM role, add the role details to the mapRoles section of the ConfigMap under data. Use the section below if it is not present in the file:

...

groups - a list of Kubernetes groups that the role is mapped to (doesn't require changes). Check Default Roles and Role Bindings for more information.

Read-only access

To grant read-only access to Cloudaware, allow the creation of a ClusterRole and a ClusterRoleBinding in Kubernetes:

...

ClusterRole cloudaware-reader grants read access to all resources within the cluster.

ClusterRoleBinding cloudaware-binding maps the aforementioned cluster role to the Cloudaware user.

2. Run the following command:

...

Code Block
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware

WHERE

<CLOUDAWARE_ROLE_ARN> in rolearn is a placeholder that needs to be replaced by your Cluster Role ARN.

To locate your Cloudaware IAM role ARN, log in to your Cloudaware account → Admin (under your username in the upper right corner) → Amazon accounts → locate . Go to Amazon Organizations & Accounts → the tab Accounts. Locate the AWS account where the access to EKS should be granted → click SEE ALL in the column 'Connected Identities':

...

Make sure not to remove the existing mappings in the mapRoles and/or mapUsers sections. You only need to append a role for Cloudaware.
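
The read-only setup described above, written out as an added example (this is not Cloudaware's published manifest). The object names cloudaware-reader and cloudaware-binding and the user name cloudaware come from this page; the rule set is an assumption chosen to match "read access to all resources".

```yaml
# Added example: RBAC objects matching the read-only description on this page.
# Assumption: "read access to all resources" is expressed as get/list/watch
# on every API group and resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-reader
rules:
  # Read-only verbs only: no create, update, patch or delete.
  # A wildcard on resources also covers Secrets, so the mapped IAM role
  # can read Secret contents in every namespace.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudaware-reader
subjects:
  # Must equal the `username` given for the Cloudaware role in the
  # aws-auth mapRoles entry; the binding is what grants that user rights,
  # since the read-only mapRoles entry lists no groups.
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: cloudaware
```

After applying the manifest, a cluster administrator can confirm the scope with `kubectl auth can-i list pods --as cloudaware` and `kubectl auth can-i delete pods --as cloudaware`; the first should be allowed and the second denied.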

Further configuration

If your Amazon EKS cluster is running in a private network, check this guide to install the Cloudaware Breeze agent for a secure connection.

EKS resources in CMDB

To view discovered EKS resources, go to Cloudaware CMDB Navigator → select Amazon Web Services → Compute → EKS.

...