LogoLogo
  • ABOUT
    • πŸ‘‹Introduction
    • πŸ”Safety & Security
    • ♾️CI/CD
    • 🏁Start Here
      • What to Expect
      • Setup Checklist
      • Understanding Operation Modes
  • Get Started
    • Autonomous Cloud Management
      • Connect AWS account
      • Connect Azure account
      • Connect GCP account
      • Connect Kubernetes cluster
        • πŸ€–Sedai Smart Agent
        • EKS Agentless Setup
        • AKS Agentless Setup
        • GKE Agentless Setup
      • Connect Monitoring Data
    • Augmented FinOps
      • Connect AWS Billing Account
      • Connect Azure Billing Account
  • Platform
    • βš™οΈSettings
      • Features
        • Optimization
        • Availability
        • Tag Configuration
      • Groups
      • Schedules
    • πŸ”„Optimization
      • AWS
        • Lambda
        • ECS
        • EC2
        • Storage
      • Kubernetes
      • Azure
        • Azure VMs
      • GCP
        • Dataflow
    • πŸ’‘Release Intelligence
    • πŸ‘οΈActivity
    • 🎯Service Level Objectives
    • 🌐Integrations
      • πŸ–₯️Infrastructure as Code (IaC)
        • Resource to IaC File Mapping
      • πŸ””Notifications
      • 🎫Ticketing & Service Management
    • πŸ”‘Single Sign-On / RBAC
  • Help
    • ❓Technical FAQ
    • Contact support@sedai.io
    • Schedule onboarding call
Powered by GitBook
On this page
  • Step 1: Configure IAM
  • Step 2: Set up EKS API access
  • Step 3: Set up Kubernetes RBAC
  • Step 4: Fetch EKS cluster details

Was this helpful?

  1. Get Started
  2. Autonomous Cloud Management
  3. Connect Kubernetes cluster

EKS Agentless Setup

Last updated 5 months ago

Was this helpful?

Sedai independently connects to each Elastic Kubernetes Service (EKS) cluster within an AWS account. EKS uses IAM for authentication and Kubernetes Role Based Access Control (RBAC) for authorization.

To connect an EKS cluster to Sedai, follow these steps:

Once complete, you can within Sedai and connect its .


Step 1: Configure IAM

AWS Identity and Access Management (IAM) authentication requires you to do the following:

  • Create your preferred Sedai

  • Create (recommended) or and attach the policy you create with Sedai's permissions.

Step 2: Set up EKS API access

When you create a cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server that you can use to communicate with your cluster using Kubernetes management tools such as kubectl.

By default, this API server endpoint is public, and access to the API server is secured using a combination of IAM and native Kubernetes Role Based Access Control (RBAC).

You can enable private access to the Kubernetes API server so all communication between your nodes and the API server stays within your Virtual Private Cloud (VPC). You can also limit the IP addresses that can access your API server from the internet or completely disable internet access to the API server.

Depending on your organization's setup, proceed with any of the following connectivity options:

In this approach, you will establish a VPC peering connection from Sedai's environment to yours. Once the VPC peering and routing rules are in place, you can connect your EKS cluster via Private Network.

  1. To initiate the VPC peering connection from Sedai, please contact support@sedai.io and provide the following details:

    • Deployment Region

  2. Navigate to Cluster > Configurations > Networking > Cluster Security Group to edit the EKS Cluster Security Group. Add a rule to allow HTTPS connections from Sedai's Subnets.

Our team will provide VPC CIDR details and Security Group Rules during setup.

Learn more about VPC peering:

In this method, Sedai will connect to the EKS API Server Endpoint over the Public Network.

You can skip this step if your allow list is already open to public (0.0.0.0/0)

Navigate to EKS > Select Cluster > Configuration > Networking > API server endpoint access to update the Public access source allowlist. Add the following IP addresses to allow access from Sedai's environment:

  • Sedai NAT Gateway (us-east-1 AZ01): 18.204.62.170/32

  • Sedai NAT Gateway (us-east-1 AZ02): 34.238.185.251/32

Step 3: Set up Kubernetes RBAC

Create ClusterRole and ClusterRoleBinding

Confirm kubectl access to your cluster and apply the following ClusterRole and ClusterRoleBinding:

curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/eks/sedai-autonomous-mode-clusterrole.yaml
kubectl apply -f sedai-autonomous-mode-clusterrole.yaml

Confirm kubectl access to your cluster and apply the following ClusterRole and ClusterRoleBinding:

curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/eks/sedai-readonly-mode-clusterrole.yaml
kubectl apply -f sedai-readonly-mode-clusterrole.yaml

Update EKS aws-auth ConfigMap

The group name in the configuration from the previous step is sedai-service-account. Next you will map the IAM Role (or User) to this group by updating the aws-auth configMap.

Take the backup of your current ConfigMap:

kubectl -n kube-system get configmaps aws-auth -o yaml > aws-auth_before-sedai-integration-`date +%F`.yaml

Open aws-auth ConfigMap for editing:

kubectl -n kube-system edit configmaps aws-auth

Add the following snippet under mapUsers

Update the IAM Role ARN below (1111222233) to your unique Role ARN you created.

mapRoles: | 
- rolearn: arn:aws:iam::111122223333:role/SedaiAWSIntegrationRole
  username: arn:aws:iam::111122223333:role/SedaiAWSIntegrationRole
  groups:
    - sedai-service-account

Take the backup of your current ConfigMap:

kubectl -n kube-system get configmaps aws-auth -o yaml > aws-auth_before-sedai-integration-date +%F.yaml

Open aws-auth ConfigMap for editing:

kubectl -n kube-system edit configmaps aws-auth

Add the following snippet under mapUsers:

Update the IAM User ARN below (1111222233) to your unique User ARN you created).

mapUsers: | 
- userarn: arn:aws:iam::1111222233:user/sedai-service-account 
  username: sedai-service-account 
  groups: 
    - sedai-service-account

Step 4: Fetch EKS cluster details

Access the following details to connect your EKS cluster to Sedai. When you're done, navigate to Settings > Integrations and select the Add Cloud button. Follow the prompts to add an EKS cluster.

In the cluster integration screens, Sedai automatically generates Helm and kubectl commands to deploy the Smart Agent within your cluster. Underneath the commands is an option to switch to agentless setup.

From your AWS Console, navigate to your EKS cluster and select Configurations to access the following details:

  • EKS Cluster Name

  • Region

  • Cluster URL (endpoint)

  • Cluster Authority Certificate

Insert your profile into each of the following commands before executing.

List EKS Clusters

aws --profile <YOUR_PROFILE> eks list-clusters

Get Cluster URL

aws --profile <YOUR_PROFILE> eks describe-cluster --name <YOUR_CLUSTER> --query "cluster.endpoint"

Get Cluster Authority Certificate

aws --profile <YOUR_PROFILE> eks describe-cluster --name <YOUR_CLUSTER> --query "cluster.certificateAuthority.data"

Our team will confirm with you once we initiate the VPC peering connection. Navigate to your .

Once the VPC peering is in place, and add a routing entry to flow traffic to Sedai's VPC CIDR via VPC Peering Connection.

Next, set up the Kubernetes RBAC for Authorization. Use the IAM User/Role created in .

Based on your selection, download and apply the ClusterRole and ClusterRoleBindings:

AWS Account ID
VPC ID
VPC Classless Inter-Domain Routing (CIDR)
VPC peering section to accept the request
update your VPC Route Tables
Step 1
monitoring data
Setup EKS API access
Setup Kubernetes RBAC
Fetch EKS cluster details
integrate the cluster
Enabling IAM user and role access to your cluster - Amazon EKSAmazon EKS
Logo
What is VPC peering? - Amazon Virtual Private CloudAmazon Virtual Private Cloud
Logo
Configure IAM
IAM Policy
IAM Role
IAM User
Sedai IAM Policy