# EKS Agentless Setup

Sedai connects to each Elastic Kubernetes Service (EKS) cluster in an AWS account individually. EKS uses IAM for **authentication** and Kubernetes Role-Based Access Control (RBAC) for **authorization**, so both must be configured for the principal Sedai will use.

To connect an EKS cluster to Sedai, follow these steps:

1. [Configure IAM](https://docs.sedai.io/get-started/onboarding/connect-aws-account#setup-iam-via-onboarding-wizard)
2. [Set up EKS API access](#step-2-set-up-eks-api-access)
3. [Set up Kubernetes RBAC](#step-3-set-up-kubernetes-rbac)
4. [Fetch EKS cluster details](#step-4-fetch-eks-cluster-details)

Once complete, you can [integrate the cluster](#step-4-fetch-eks-cluster-details) within Sedai and connect its [monitoring data](https://docs.sedai.io/get-started/onboarding/autonomous-cloud-management/connect-monitoring-data).

***

### Step 1: Configure IAM

AWS Identity and Access Management (IAM) authentication requires you to do the following:

* Create your preferred Sedai [IAM Policy](https://docs.sedai.io/get-started/onboarding/connect-aws-account#iam-policy-statements-for-sedai)
* Create an [IAM Role](https://docs.sedai.io/get-started/onboarding/connect-aws-account#create-iam-role-recommended) (recommended) or [IAM User](https://docs.sedai.io/get-started/onboarding/connect-aws-account#create-iam-user) and attach the policy you created with Sedai's permissions.

{% embed url="<https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html>" %}

### Step 2: Set up EKS API access

When you create a cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your cluster through Kubernetes management tools such as kubectl.

By default, this API server endpoint is public, and access to it is secured by a combination of IAM and native Kubernetes Role-Based Access Control (RBAC).

You can enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your Virtual Private Cloud (VPC). You can also limit the IP addresses that can reach your API server from the internet, or disable internet access to the API server completely.

Depending on your organization's setup, proceed with any of the following connectivity options:

{% tabs %}
{% tab title="Private Network / VPC peering (Recommended)" %}
In this approach, you will establish a VPC peering connection from Sedai's environment to yours. Once the VPC peering and routing rules are in place, you can connect your EKS cluster via Private Network.

1. To initiate the VPC peering connection from Sedai, please contact **<support@sedai.io>** and provide the following details:
   * [AWS Account ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html)
   * Deployment Region
   * [VPC ID](https://docs.aws.amazon.com/managedservices/latest/userguide/find-vpc.html)
   * [VPC Classless Inter-Domain Routing (CIDR)](https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html)
2. Our team will confirm with you once we initiate the VPC peering connection. Navigate to your [VPC peering section to accept the request](https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html#accept-vpc-peering-connection).
3. Once the VPC peering is in place, [update your VPC Route Tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) and add a routing entry to flow traffic to Sedai's VPC CIDR via VPC Peering Connection.
4. Navigate to Cluster > Configurations > Networking > Cluster Security Group to edit the **EKS Cluster Security Group**. Add an inbound rule that allows HTTPS (TCP 443) only from Sedai's subnets; do not widen the rule to the whole peered VPC.

{% hint style="info" %}
Our team will provide VPC CIDR details and Security Group Rules during setup.
{% endhint %}

Learn more about VPC peering:

{% embed url="<https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html>" %}
{% endtab %}

{% tab title="Public Network" %}
In this method, Sedai will connect to the EKS API Server Endpoint over the Public Network.

{% hint style="warning" %}
You can skip this step if your allowlist already contains `0.0.0.0/0`. Note that this means the API server accepts connections from any IP address; replacing it with explicit CIDRs, including Sedai's, is the safer configuration.
{% endhint %}

Navigate to EKS > Select Cluster > Configuration > Networking > API server endpoint access to update the **Public access source allowlist.** Add the following IP addresses to allow access from Sedai's environment:

* **Sedai NAT Gateway (us-east-1 AZ01):** 18.204.62.170/32
* **Sedai NAT Gateway (us-east-1 AZ02):** 34.238.185.251/32
{% endtab %}
{% endtabs %}
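The console steps above replace the allowlist as a whole, so it is easy to drop a CIDR another team relies on. The following script is an added example, not part of Sedai's documentation or tooling: it reads the current `publicAccessCidrs`, adds the two Sedai NAT gateway addresses listed above without removing anything already present, refuses to touch an allowlist that already contains `0.0.0.0/0`, and applies the result with the AWS CLI. `CLUSTER_NAME` and `AWS_PROFILE` are assumed environment variables; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Sedai's tooling): extend an EKS cluster's public API
# endpoint allowlist with Sedai's NAT gateway addresses, keeping existing CIDRs.
# Assumes the AWS CLI; CLUSTER_NAME and, optionally, AWS_PROFILE are set.
set -eu

# The two addresses the page lists for Sedai's us-east-1 NAT gateways.
SEDAI_CIDRS="18.204.62.170/32 34.238.185.251/32"

# awscli ...: run the AWS CLI with --profile only when AWS_PROFILE is set.
awscli() { aws ${AWS_PROFILE:+--profile "$AWS_PROFILE"} "$@"; }

# merge_cidrs "EXISTING" "NEW": space-separated union, first occurrence wins,
# so re-running the script is idempotent.
merge_cidrs() {
  # shellcheck disable=SC2086  # word splitting on the two lists is intended
  printf '%s\n' $1 $2 | awk 'NF && !seen[$0]++ { printf "%s%s", (n++ ? " " : ""), $0 }'
}

# has_open_allowlist "LIST": succeeds when 0.0.0.0/0 is present, i.e. the API
# server already accepts connections from any source.
has_open_allowlist() {
  case " $1 " in
    *" 0.0.0.0/0 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# to_json_array "a b" -> ["a","b"]. Passing the structure as JSON avoids the
# CLI shorthand ambiguity of a comma-separated list inside a comma-separated map.
to_json_array() {
  # shellcheck disable=SC2086
  printf '%s\n' $1 | awk 'NF { printf "%s\"%s\"", (n++ ? "," : "["), $0 } END { print (n ? "]" : "[]") }'
}

# Only touch a real cluster when CLUSTER_NAME is set; the functions above can
# be sourced and exercised on their own.
if [ -n "${CLUSTER_NAME:-}" ]; then
  current=$(awscli eks describe-cluster --name "$CLUSTER_NAME" \
      --query 'cluster.resourcesVpcConfig.publicAccessCidrs' --output text | tr '\t' ' ')
  if has_open_allowlist "$current"; then
    echo "Allowlist already contains 0.0.0.0/0 (endpoint open to the internet); nothing to add." >&2
    echo "Consider replacing it with explicit CIDRs, including Sedai's." >&2
    exit 0
  fi
  wanted=$(merge_cidrs "$current" "$SEDAI_CIDRS")
  echo "Setting publicAccessCidrs to: $wanted" >&2
  awscli eks update-cluster-config --name "$CLUSTER_NAME" \
      --resources-vpc-config "{\"endpointPublicAccess\":true,\"publicAccessCidrs\":$(to_json_array "$wanted")}"
  # The update is asynchronous; wait until the cluster leaves UPDATING, then
  # read the setting back to confirm what was applied.
  awscli eks wait cluster-active --name "$CLUSTER_NAME"
  awscli eks describe-cluster --name "$CLUSTER_NAME" \
      --query 'cluster.resourcesVpcConfig.publicAccessCidrs'
fi
```

Run it as `CLUSTER_NAME=my-cluster AWS_PROFILE=prod sh allowlist.sh`. EKS allows only one configuration update at a time per cluster, so the `wait` matters if the script is part of a larger pipeline.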

### Step 3: Set up Kubernetes RBAC

Next, set up Kubernetes RBAC for authorization, using the IAM role or user created in [Step 1](#step-1-configure-iam).

#### Create ClusterRole and ClusterRoleBinding

Based on your [Sedai IAM Policy](https://docs.sedai.io/get-started/onboarding/connect-aws-account#iam-policy-statements-for-sedai) selection, download and apply the matching ClusterRole and ClusterRoleBinding. The manifests are fetched from the `main` branch of the onboarding repository, so review the downloaded file (in particular the verbs granted and the group bound) before applying it to a cluster:

{% tabs %}
{% tab title="Read-write" %}
Confirm kubectl access to your cluster and apply the following ClusterRole and ClusterRoleBinding:

```
curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/eks/sedai-autonomous-mode-clusterrole.yaml
```

```
kubectl apply -f sedai-autonomous-mode-clusterrole.yaml
```

{% endtab %}

{% tab title="Read-only" %}
Confirm kubectl access to your cluster and apply the following ClusterRole and ClusterRoleBinding:

```
curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/eks/sedai-readonly-mode-clusterrole.yaml
```

```
kubectl apply -f sedai-readonly-mode-clusterrole.yaml
```

{% endtab %}
{% endtabs %}

#### Update EKS aws-auth ConfigMap

The ClusterRoleBinding from the previous step binds the group `sedai-service-account`. Next, map the IAM role (or user) to this group by updating the `aws-auth` ConfigMap. If your cluster's authentication mode is set to `API` only, EKS ignores `aws-auth` and the mapping must be created as an EKS access entry instead.

{% tabs %}
{% tab title="IAM Role" %}
Take the backup of your current ConfigMap:

```
kubectl -n kube-system get configmaps aws-auth -o yaml > aws-auth_before-sedai-integration-`date +%F`.yaml
```

Open aws-auth ConfigMap for editing:

```
kubectl -n kube-system edit configmaps aws-auth
```

Add the following snippet under **mapRoles**:

{% hint style="warning" %}
Replace the placeholder account ID (`111122223333`) and role name with the ARN of the role you created. The `rolearn` must not include an IAM path: a role created as `role/my-team/SedaiAWSIntegrationRole` is entered as `role/SedaiAWSIntegrationRole`.
{% endhint %}

```
mapRoles: |
  - rolearn: arn:aws:iam::111122223333:role/SedaiAWSIntegrationRole
    username: arn:aws:iam::111122223333:role/SedaiAWSIntegrationRole
    groups:
      - sedai-service-account
```

{% endtab %}

{% tab title="IAM User" %}
Take the backup of your current ConfigMap:

```
kubectl -n kube-system get configmaps aws-auth -o yaml > aws-auth_before-sedai-integration-`date +%F`.yaml
```

Open aws-auth ConfigMap for editing:

```
kubectl -n kube-system edit configmaps aws-auth
```

Add the following snippet under **mapUsers**:

{% hint style="warning" %}
Replace the placeholder account ID (`111122223333`) and user name with the ARN of the IAM user you created. AWS account IDs are always 12 digits; a truncated ID produces an entry that silently maps nothing.
{% endhint %}

```
mapUsers: |
  - userarn: arn:aws:iam::111122223333:user/sedai-service-account
    username: sedai-service-account
    groups:
      - sedai-service-account
```

{% endtab %}
{% endtabs %}
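Hand-editing `aws-auth` with `kubectl edit` is where most onboarding mistakes happen (YAML indentation inside the block scalar, a truncated account ID, a role ARN with a path). The script below is an added example, not Sedai's own tooling: it validates the principal ARN, prints the entry that will be added in the same shape as the snippets above, takes the backup the page recommends, lets `eksctl create iamidentitymapping` merge the mapping into `aws-auth`, and then verifies the grant by impersonating the mapped identity with `kubectl auth can-i`. It assumes `eksctl`, `kubectl` and a kubeconfig with cluster-admin rights (impersonation requires the `impersonate` verb); `CLUSTER_NAME`, `CLUSTER_REGION` and `PRINCIPAL_ARN` are assumed environment variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Sedai's tooling): map the Sedai IAM principal to the
# sedai-service-account group via eksctl and verify the resulting permissions.
# Assumes eksctl, kubectl, cluster-admin kubeconfig; CLUSTER_NAME, CLUSTER_REGION
# and PRINCIPAL_ARN are environment variables.
set -eu

SEDAI_GROUP="sedai-service-account"

# arn_account ARN: print the 12-digit account ID of an IAM user or role ARN,
# or fail. Rejects truncated account IDs and role/user ARNs that carry an IAM
# path, since aws-auth requires the path to be stripped.
arn_account() {
  printf '%s\n' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:(role|user)/[^/]+$' \
    || { echo "expected arn:aws:iam::<12-digit account>:(role|user)/<name> without a path, got: $1" >&2; return 1; }
  printf '%s\n' "$1" | cut -d: -f5
}

# mapping_username ARN: the username recorded in aws-auth. Following the page,
# roles use the role ARN itself and users use the bare user name.
mapping_username() {
  case $1 in
    *:role/*) printf '%s\n' "$1" ;;
    *:user/*) printf '%s\n' "${1##*:user/}" ;;
    *) return 1 ;;
  esac
}

# render_mapping ARN: print the aws-auth entry for review before it is applied.
render_mapping() {
  key=rolearn
  case $1 in *:user/*) key=userarn ;; esac
  printf '%s\n' "- $key: $1" "  username: $(mapping_username "$1")" "  groups:" "    - $SEDAI_GROUP"
}

if [ -n "${CLUSTER_NAME:-}" ] && [ -n "${PRINCIPAL_ARN:-}" ]; then
  arn_account "$PRINCIPAL_ARN" >/dev/null
  user=$(mapping_username "$PRINCIPAL_ARN")
  echo "Adding this aws-auth entry:" >&2
  render_mapping "$PRINCIPAL_ARN" >&2

  # Back up first, as the page does; eksctl then merges the mapping for us.
  kubectl -n kube-system get configmap aws-auth -o yaml \
      > "aws-auth_before-sedai-integration-$(date +%F).yaml"
  eksctl create iamidentitymapping --cluster "$CLUSTER_NAME" --region "${CLUSTER_REGION:-us-east-1}" \
      --arn "$PRINCIPAL_ARN" --username "$user" --group "$SEDAI_GROUP" --no-duplicate-arns

  # Verify by impersonation: the mapped identity must be able to read, and in
  # read-only mode must NOT be able to write. can-i exits non-zero for "no".
  kubectl auth can-i list pods --all-namespaces --as "$user" --as-group "$SEDAI_GROUP"
  if kubectl auth can-i delete deployments --all-namespaces --as "$user" --as-group "$SEDAI_GROUP"; then
    echo "NOTE: $SEDAI_GROUP can delete deployments (expected only for the read-write ClusterRole)" >&2
  fi
fi
```

The impersonation check exercises the ClusterRoleBinding independently of IAM; to confirm the IAM side as well, run `kubectl get pods -A` with credentials of the mapped role or user. On clusters whose authentication mode includes the EKS access entries API, the equivalent of the mapping is `aws eks create-access-entry --cluster-name <cluster> --principal-arn <arn> --kubernetes-groups sedai-service-account`, which has the same group binding effect without touching `aws-auth`.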

### Step 4: Fetch EKS cluster details

Collect the following details to connect your EKS cluster to Sedai. When you have them, navigate to **Settings > Integrations**, select the **Add Cloud** button, and follow the prompts to add an EKS cluster.

{% hint style="info" %}
In the cluster integration screens, Sedai automatically generates Helm and kubectl commands to deploy the Smart Agent within your cluster. Underneath the commands is an option to switch to agentless setup.
{% endhint %}

{% tabs %}
{% tab title="Via EKS Console" %}
From your AWS Console, navigate to your EKS cluster and select **Configurations** to access the following details:

* EKS Cluster Name
* Region
* Cluster URL (endpoint)
* Cluster Authority Certificate
{% endtab %}

{% tab title="via AWS CLI" %}
{% hint style="warning" %}
Insert your profile into each of the following commands before executing.
{% endhint %}

List EKS Clusters

```
aws --profile <YOUR_PROFILE> eks list-clusters
```

Get **Cluster URL**

```
aws --profile <YOUR_PROFILE> eks describe-cluster --name <YOUR_CLUSTER> --query "cluster.endpoint"
```

Get **Cluster Authority Certificate**

```
aws --profile <YOUR_PROFILE> eks describe-cluster --name <YOUR_CLUSTER> --query "cluster.certificateAuthority.data"
```

{% endtab %}
{% endtabs %}
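The certificate authority data is what Sedai will trust when it connects to the endpoint, so it is worth checking that the value you are about to paste actually signs the certificate the API server presents. The script below is an added example, not part of Sedai's documentation: it fetches the endpoint and CA data with the same `describe-cluster` queries as above, decodes the CA, prints its subject and expiry, and performs a TLS handshake against the endpoint verified with only that CA. `CLUSTER_NAME` and `AWS_PROFILE` are assumed environment variables; `openssl` and `base64` are assumed to be installed, and the handshake only succeeds from a network that can reach the endpoint (from inside the VPC or peered network if public access is disabled).

```shell
#!/bin/sh
# Added example (not Sedai's tooling): fetch the EKS endpoint and CA data and
# verify that the endpoint's TLS certificate chains to that CA.
# Assumes the AWS CLI, openssl and base64; CLUSTER_NAME and AWS_PROFILE are set.
set -eu

awscli() { aws ${AWS_PROFILE:+--profile "$AWS_PROFILE"} "$@"; }

# endpoint_host URL: strip the scheme and any port or path from the cluster
# endpoint so it can be handed to openssl s_client.
endpoint_host() {
  h=${1#https://}; h=${h#http://}; h=${h%%/*}; h=${h%%:*}
  printf '%s\n' "$h"
}

if [ -n "${CLUSTER_NAME:-}" ]; then
  endpoint=$(awscli eks describe-cluster --name "$CLUSTER_NAME" \
      --query 'cluster.endpoint' --output text)
  ca_b64=$(awscli eks describe-cluster --name "$CLUSTER_NAME" \
      --query 'cluster.certificateAuthority.data' --output text)
  host=$(endpoint_host "$endpoint")
  ca_file=$(mktemp)
  printf '%s' "$ca_b64" | base64 --decode > "$ca_file"

  echo "Endpoint: $endpoint"
  echo "Cluster CA:"
  openssl x509 -in "$ca_file" -noout -subject -enddate

  # -verify_return_error makes the handshake fail when the chain does not
  # verify against the fetched CA, which is what a TLS-intercepting proxy or a
  # mix-up between two clusters would produce.
  if openssl s_client -connect "$host:443" -servername "$host" -CAfile "$ca_file" \
       -verify_return_error </dev/null >/dev/null 2>&1; then
    echo "OK: $host presents a certificate signed by the cluster CA"
  else
    echo "FAIL: $host does not verify against the cluster CA; check for interception or the wrong cluster" >&2
    rm -f "$ca_file"
    exit 1
  fi
  rm -f "$ca_file"
fi
```

The decoded CA file is removed afterwards; the base64 value itself is what the Sedai integration screen asks for, so keep the `describe-cluster` output rather than the PEM.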
