
This article explains how to grant Cloudaware read-only access to Amazon EKS cluster resources so that Cloudaware can auto-discover EKS resources.

1. Check whether you have already applied the aws-auth ConfigMap. (Insert a link to the documentation here: if you do not have the ConfigMap yet, go to the documentation and follow it.)

1.1 Download, edit, and apply the AWS authenticator configuration map. (The rest of the procedure is as described in the documentation.)

2. Ensure that the AWS credentials that kubectl is using are already authorized for your cluster. The IAM user that created the cluster has these permissions by default.
2.1. Open the aws-auth ConfigMap.

kubectl edit -n kube-system configmap/aws-auth

Sample ConfigMap:

apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2020-09-30T21:09:18Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1021"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: dcc31de5-3838-11e8-af26-02e00430057c

2.2 Add the Cloudaware IAM role to the ConfigMap.
To add an IAM role (for example, for federated users), add the role details to the mapRoles section of the ConfigMap, under data. Add this section if it does not already exist in the file. Each entry supports the following parameters:

  • rolearn: The ARN of the IAM role to add.

  • username: The user name within Kubernetes to map to the IAM role.

  • groups: A list of groups within Kubernetes to which the role is mapped. For more information, see Default Roles and Role Bindings in the Kubernetes documentation.

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:masters
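The entry above places the Cloudaware role in the system:masters group, which is bound to cluster-admin and therefore grants far more than the read-only access this article sets out to configure; the username template system:node:{{EC2PrivateDNSName}} is also only meaningful for node identities. The following added example (not from the original page or from Cloudaware) shows a least-privilege alternative: the role is mapped to a dedicated user and group, and that group is bound to the built-in, read-only view ClusterRole. <CLOUDAWARE_ROLE_ARN> is the placeholder from this page; the names cloudaware, cloudaware:viewers and cloudaware-view are assumptions.

```yaml
# Added example, not part of the original page. Only the Cloudaware entry is
# shown in mapRoles; when editing a live cluster with "kubectl edit", keep the
# existing node-group entries in place or the nodes lose cluster access.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
      groups:
        - cloudaware:viewers
---
# Bind the assumed group to the built-in "view" ClusterRole. "view" allows
# get/list/watch on most namespaced objects and deliberately excludes Secrets,
# so the mapped role cannot read credentials or change anything.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-view
subjects:
  - kind: Group
    name: cloudaware:viewers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

After applying the binding, confirm the resulting permissions with `kubectl auth can-i --list --as cloudaware --as-group cloudaware:viewers` (a write check such as `kubectl auth can-i delete pods --as cloudaware --as-group cloudaware:viewers` should answer "no"). If discovery also needs cluster-scoped objects such as nodes, which "view" does not cover, grant them through a small additional ClusterRole with get/list/watch only rather than through system:masters.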
