This article explains how to give Cloudaware access to an Amazon EKS cluster so that it can discover EKS resources (pods, nodes, etc.) automatically.
Cloudaware supports the following EKS access configuration options:
Access entries
Use access entries to manage the Kubernetes permissions of IAM principals from outside the cluster.
Note that the cluster must meet one of the following requirements: for the Kubernetes versions listed in the table below, a platform version equal to or later than the one listed; or a Kubernetes version newer than those listed. Otherwise, use the aws-auth ConfigMap option.

| Kubernetes version | Platform version |
|---|---|
| 1.30 | eks.2 |
| 1.29 | eks.1 |
| 1.28 | eks.6 |
| 1.27 | eks.10 |
| 1.26 | eks.11 |
| 1.25 | eks.12 |
| 1.24 | eks.15 |
| 1.23 | eks.17 |
To begin using access entries, change the authentication mode of the cluster to either API_AND_CONFIG_MAP or API. Note that once the access entry method is enabled, it cannot be disabled.
Migrate any existing aws-auth ConfigMap entries to access entries.
aws-auth ConfigMap (legacy)
Use the aws-auth ConfigMap to manage the Kubernetes permissions of IAM principals from inside the cluster. Provide Cloudaware with read access to the Kubernetes API at the cluster level using the Cloudaware Collector IAM role.
Full access
1. Ensure that the AWS credentials kubectl is using are already authorized for your cluster (the IAM user who created the cluster has the required permissions by default). Open the aws-auth ConfigMap:

```bash
kubectl edit -n kube-system configmap/aws-auth
```
2. Add the Cloudaware IAM role to the ConfigMap.
2.1. To locate your Cloudaware IAM role ARN, log in to your Cloudaware account → Admin. Go to Amazon accounts → locate the AWS account where access to EKS should be granted → click SEE ALL in the 'Connected Identities' column.
2.2. To add an IAM role, add the role details to the mapRoles section of the ConfigMap under data. Use the section below if it is not present in the file:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
      groups:
        - system:masters
```

WHERE
- `<CLOUDAWARE_ROLE_ARN>` in rolearn is a placeholder that must be replaced with your Cloudaware IAM role ARN (see step 2.1).
- username is the Kubernetes username mapped to the IAM role (no changes required).
- groups is the list of Kubernetes groups the role is mapped to (no changes required). See Default Roles and Role Bindings for more information.
Read-only access
To grant Cloudaware read-only access by creating a ClusterRole and a ClusterRoleBinding in Kubernetes:
1. Create cloudaware-rbac.yaml using the section below:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-reader
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-binding
subjects:
  - kind: User
    name: cloudaware
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cloudaware-reader
  apiGroup: rbac.authorization.k8s.io
```

WHERE
- ClusterRole cloudaware-reader grants read access (get, watch, list) to all resources within the cluster.
- ClusterRoleBinding cloudaware-binding maps that cluster role to the Kubernetes user cloudaware.
2. Run the following command:

```bash
kubectl create -f cloudaware-rbac.yaml
```
3. To map IAM users and roles to Kubernetes users in the EKS cluster, define them in the aws-auth ConfigMap, which exists once your cluster has been created. To add an IAM role to the cluster, modify this ConfigMap by adding the role ARN and the Kubernetes username to the mapRoles property as an array item. To edit the ConfigMap, run the following command:

```bash
kubectl -n kube-system edit configmap aws-auth
```

See the example below:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
```

WHERE
- `<CLOUDAWARE_ROLE_ARN>` in rolearn is a placeholder that must be replaced with your Cloudaware IAM role ARN.

To locate your Cloudaware IAM role ARN, log in to your Cloudaware account → Admin (under your username in the upper right corner) → Amazon accounts → locate the AWS account where access to EKS should be granted → click SEE ALL in the 'Connected Identities' column.
Make sure not to remove the existing mappings in the mapRoles and/or mapUsers sections; you only need to append the role for Cloudaware.
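The following Python script is an added illustration, not part of this article or of Cloudaware's tooling. It appends the Cloudaware mapping to an existing mapRoles block without disturbing the entries already there (the caveat above), serves both the full-access variant (system:masters) and the read-only variant (no groups, permissions from the cloudaware-reader ClusterRole), and lists which mappings hold cluster-admin so they can be reviewed. The sample mapRoles text, the account id and the role names are constructed.

```python
# Constructed sample: the text of data.mapRoles from an existing aws-auth ConfigMap.
EXISTING_MAP_ROLES = """\
- rolearn: arn:aws:iam::111122223333:role/eks-node-group-role
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
"""

def parse_map_roles(text):
    """Parse the list-of-mappings format used by aws-auth mapRoles."""
    entries, current, in_groups = [], None, False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("- rolearn:"):
            current = {"rolearn": line.split(":", 1)[1].strip(), "groups": []}
            entries.append(current)
        elif line.startswith("groups:"):
            in_groups = True
        elif line.startswith("- ") and in_groups:
            current["groups"].append(line[2:].strip())
        else:  # any other "key: value" line, e.g. username
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
            in_groups = False
    return entries

def render_map_roles(entries):
    """Serialize mappings back into the block scalar stored in data.mapRoles."""
    lines = []
    for e in entries:
        lines += [f"- rolearn: {e['rolearn']}", f"  username: {e['username']}"]
        if e["groups"]:
            lines += ["  groups:"] + [f"    - {g}" for g in e["groups"]]
    return "\n".join(lines) + "\n"

def add_cloudaware_role(map_roles_text, role_arn, read_only=True):
    """Append the Cloudaware mapping, leaving every existing entry untouched."""
    entries = parse_map_roles(map_roles_text)
    if any(e["rolearn"] == role_arn for e in entries):
        return render_map_roles(entries)  # already mapped: nothing to add
    # Read-only: no groups, permissions come from the cloudaware-reader ClusterRole
    # bound to user 'cloudaware'. Full access: system:masters (cluster-admin).
    groups = [] if read_only else ["system:masters"]
    entries.append({"rolearn": role_arn, "username": "cloudaware", "groups": groups})
    return render_map_roles(entries)

def cluster_admin_mappings(map_roles_text):
    """Role ARNs that hold cluster-admin via system:masters, for access review."""
    return [e["rolearn"] for e in parse_map_roles(map_roles_text)
            if "system:masters" in e["groups"]]
```

Feed it the output of `kubectl -n kube-system get configmap aws-auth -o jsonpath='{.data.mapRoles}'` and paste the result back into the ConfigMap; the hypothetical role ARN shown stands in for the one from step 2.1.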
Further Configuration
If your Amazon EKS cluster is running in a private network, see the guide on installing the Cloudaware Breeze agent for a secure connection.