This article describes how to give Cloudaware read-only access to Amazon EKS cluster resources so that Cloudaware can discover EKS resources automatically.
1. Check whether you have already applied the aws-auth ConfigMap:

    kubectl describe configmap -n kube-system aws-auth
1.1 Download, edit, and apply the AWS authenticator configuration map.

a. Download the configuration map:

    curl -o aws-auth-cm.yaml https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/aws-auth-cm.yaml

b. Open the file with a text editor. Replace <ARN of instance role (not instance profile)> with the Amazon Resource Name (ARN) of the IAM role associated with your nodes, and save the file. Do not modify any other lines in this file.

The role ARN cannot include a path. The format of the role ARN must be arn:aws:iam::<123456789012>:role/<role-name>. For more information, see the AWS troubleshooting topic "aws-auth ConfigMap does not grant access to the cluster".
2. Ensure that the AWS credentials that kubectl is using are already authorized for your cluster. The IAM user that created the cluster has these permissions by default.

2.1. Open the aws-auth ConfigMap:

    kubectl edit -n kube-system configmap/aws-auth

Sample ConfigMap:

    apiVersion: v1
    data:
      mapRoles: |
        - groups:
          - system:bootstrappers
          - system:nodes
          rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF
          username: system:node:{{EC2PrivateDNSName}}
    kind: ConfigMap
    metadata:
      creationTimestamp: "2020-09-30T21:09:18Z"
      name: aws-auth
      namespace: kube-system
      resourceVersion: "1021"
      selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
      uid: dcc31de5-3838-11e8-af26-02e00430057c
2.2 Add the Cloudaware IAM role to the ConfigMap.

a. To locate the Cloudaware IAM role, log in to your Cloudaware account → Admin → Amazon accounts → locate the AWS account where access to EKS should be granted → click SEE ALL in the ‘Connected Identities’ column.

b. To add an IAM role (for example, for federated users), add the role details to the mapRoles section of the ConfigMap, under data. Use the section below if it does not already exist in the file.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: aws-auth
      namespace: kube-system
    data:
      mapRoles: |
        - rolearn: <CLOUDAWARE_ROLE_ARN>
          username: system:node:{{EC2PrivateDNSName}}
          groups:
            - system:masters
where:

rolearn - the ARN of the IAM role to add
username - the user name within Kubernetes to map to the IAM role
groups - a list of Kubernetes groups to which the role is mapped. Note that system:masters is bound to the cluster-admin ClusterRole, so the sample above grants full control of every resource in the cluster rather than read-only access. See Default Roles and Role Bindings in the Kubernetes documentation for more information.
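The sample above maps the Cloudaware role into system:masters, which Kubernetes binds to cluster-admin. The following manifest set is an added example, not from this page or from Cloudaware, showing how to grant read-only discovery instead: a ClusterRole limited to get/list/watch, a ClusterRoleBinding to a dedicated group, and an aws-auth mapRoles entry that maps the role to that group rather than to system:masters. The ClusterRole name (cloudaware-readonly), the group name (cloudaware:readonly), the username (cloudaware) and the list of resources are assumptions; confirm which resources Cloudaware actually needs to discover before applying it. The node role entry is kept from the page's own sample, because replacing aws-auth without it would cut the worker nodes off from the cluster.

```yaml
# Added example (not Cloudaware's documented configuration): a least-privilege
# alternative to mapping the Cloudaware role into system:masters.
# Assumed names: ClusterRole "cloudaware-readonly", group "cloudaware:readonly",
# username "cloudaware". The resource list is an assumption; trim or extend it
# to match what Cloudaware discovers.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-readonly
rules:
  # Core API group: read verbs only, no create/update/patch/delete.
  - apiGroups: [""]
    resources:
      - namespaces
      - nodes
      - pods
      - services
      - endpoints
      - persistentvolumes
      - persistentvolumeclaims
      - configmaps
      - serviceaccounts
    verbs: ["get", "list", "watch"]
  # Secrets are deliberately not listed: a read-only inventory role should not
  # be able to enumerate credential material.
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudaware-readonly
subjects:
  # Bind the group rather than a user, so aws-auth only has to map the IAM
  # role into this group.
  - kind: Group
    name: cloudaware:readonly
    apiGroup: rbac.authorization.k8s.io
---
# aws-auth with the node role entry from the page's sample kept intact and the
# Cloudaware role mapped into the read-only group instead of system:masters.
# <CLOUDAWARE_ROLE_ARN> is the page's placeholder; the ARN must not contain a path.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
      groups:
        - cloudaware:readonly
```

Apply the ClusterRole and ClusterRoleBinding first (for example `kubectl apply -f cloudaware-rbac.yaml`, an assumed file name), then add the Cloudaware entry to the existing mapRoles block with `kubectl edit -n kube-system configmap/aws-auth` rather than replacing the whole ConfigMap. To confirm the mapping is read-only before handing over the role, impersonate the mapped identity: `kubectl auth can-i list pods --as=cloudaware --as-group=cloudaware:readonly` should answer yes, and `kubectl auth can-i delete pods --as=cloudaware --as-group=cloudaware:readonly` should answer no.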