This article explains how to grant Cloudaware access to Amazon EKS cluster resources so that it can discover EKS resources automatically.
1. Ensure that the AWS credentials kubectl is using are already authorized for your cluster (the IAM identity that created the cluster has the required permissions by default).
1.1. Open the aws-auth ConfigMap:
kubectl edit -n kube-system configmap/aws-auth
1.2. Add the Cloudaware IAM role to the ConfigMap.
a. To locate the Cloudaware IAM role ARN, log in to your Cloudaware account → Admin (under your username in the upper right corner) → Amazon accounts → locate the AWS account where access to EKS should be granted → click SEE ALL in the 'Connected Identities' column:
b. To add an IAM role: add the role details to the mapRoles section of the ConfigMap under data. Use the section below if it is not present in the file:
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
      groups:
        - system:masters
Note that the system:masters group is bound to the built-in cluster-admin ClusterRole, so this mapping gives Cloudaware full control of the cluster. If you only want read-only discovery, omit the groups list and instead bind the cloudaware username to a read-only ClusterRole as described in step 2. The username must be a plain string here: the system:node:{{EC2PrivateDNSName}} template that EKS uses for the node instance role is resolved from the EC2 instance named in the STS session and does not work for a third-party role.
WHERE
rolearn - the ARN of the IAM role to be added
username - the username within Kubernetes to be mapped to the IAM role
groups - a list of Kubernetes groups to which the role is mapped. Read Default Roles and Role Bindings in the Kubernetes documentation for more information.
2. To grant Cloudaware read-only access instead, create a ClusterRole and a ClusterRoleBinding in Kubernetes. Save the manifest below as cloudaware-rbac.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-reader
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-binding
subjects:
  - kind: User
    name: cloudaware
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cloudaware-reader
  apiGroup: rbac.authorization.k8s.io
Then apply it:
kubectl create -f cloudaware-rbac.yaml
The apiGroup of both the User subject and the roleRef must be rbac.authorization.k8s.io; the API server rejects an empty apiGroup for these. A User subject is not namespaced, so no namespace field is needed.
The ClusterRole cloudaware-reader grants read access (get, list, watch) to every resource in the cluster, which includes Secrets. The ClusterRoleBinding cloudaware-binding maps that cluster role to the Kubernetes user cloudaware. If Cloudaware's discovery does not need secret contents in your environment, replace the "*" wildcards with the API groups and resource types you actually want it to read.
To map IAM users and roles to Kubernetes users in the EKS cluster, define them in the aws-auth ConfigMap, which exists after the cluster has been created. To add an IAM role to the cluster, modify this ConfigMap by adding the role ARN and the Kubernetes username as a new item in the mapRoles list. To perform the modification, run the following command:
kubectl -n kube-system edit configmap aws-auth
See the example below:
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
WHERE
CLOUDAWARE_ROLE_ARN - a placeholder to be replaced with the ARN of the Cloudaware IAM role located in step 1.2a (an IAM role ARN, not the name of the Kubernetes ClusterRole)
Make sure not to remove the existing mappings in the mapRoles and/or mapUsers sections. You only need to append an entry for Cloudaware.
If your Amazon EKS Cluster is running in a private network, check this guide to install Cloudaware Breeze agent for secure connection.