EKS Agentless Setup
The following steps are required to agentlessly connect AWS Elastic Kubernetes Service to Sedai and must be completed in addition to configuring IAM.
Sedai uniquely connects to each Elastic Kubernetes Service (EKS) cluster in an AWS account. EKS uses IAM for authentication and Kubernetes Role Based Access Control (RBAC) for authorization.
To connect an EKS cluster to Sedai, follow these steps:
5. Integrate the account directly within Sedai via initial onboarding, or go to Settings > Integrations > Add Integration > Connect Cloud.
6. Enter the Cluster Name, Cluster URL, Certifying Authority Certificate, and Region.
When you create a cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server that you can use to communicate with your cluster using Kubernetes management tools such as kubectl.
By default, this API server endpoint is public to the internet, and access to the API server is secured using a combination of AWS Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (RBAC).
You can enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC.
You can limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server.
Depending on your organization's setup, proceed with any of the following connectivity options:
- Private Network / VPC peering (Recommended)
- Public Network
- Private Links
In this approach, you will establish a Virtual Private Cloud (VPC) peering connection from Sedai's environment to yours. Once the VPC peering and routing rules are in place, you can connect your EKS cluster via Private Network.
1. To initiate the VPC peering connection from Sedai, please contact [email protected] and provide the following details:
  - Deployment Region
2. Our team will confirm with you once we initiate the VPC peering connection. Navigate to your VPC peering section to accept the request.
3. Once the VPC peering is in place, update your VPC Route Tables and add a routing entry to send traffic to Sedai's VPC CIDR via the VPC Peering Connection.
4. Navigate to Cluster > Configurations > Networking > Cluster Security Group to edit the EKS Cluster Security Group. Add a rule to allow HTTPS connections from Sedai's Subnets.
Our team will provide VPC CIDR details and Security Group Rules during setup.
Learn more about VPC peering:
In this method, Sedai will connect to the EKS API Server Endpoint over the Public Network.
You can skip this step if your allowlist is already open to the public (0.0.0.0/0).
Navigate to EKS > Select Cluster > Configuration > Networking > API server endpoint access to update the Public access source allowlist. Add the following IP addresses to allow access from Sedai's environment:
- Sedai NAT Gateway (us-east-1 AZ01): 18.204.62.170/32
- Sedai NAT Gateway (us-east-1 AZ02): 34.238.185.251/32
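An added helper, not part of Sedai's documentation, for the case where the allowlist is currently 0.0.0.0/0: rather than leaving the API server open to the internet, it reads the cluster's existing CIDRs, drops the any-address entry, adds the two Sedai NAT addresses above and applies the result with the AWS CLI. CLUSTER and PROFILE are placeholder arguments; an AWS CLI v2 profile with eks:DescribeCluster and eks:UpdateClusterConfig is assumed.

```shell
#!/bin/sh
# Added example, not part of Sedai's documentation: tighten the EKS public endpoint
# allowlist instead of leaving it at 0.0.0.0/0. Keeps the cluster's existing CIDRs,
# drops the any-address entry, adds Sedai's two NAT gateway IPs, and applies the
# result with the AWS CLI. Assumes AWS CLI v2; CLUSTER and PROFILE are placeholders.
SEDAI_CIDRS="18.204.62.170/32 34.238.185.251/32"

# merge_cidrs EXISTING...: drop 0.0.0.0/0 (and the "None" the CLI prints for an
# empty list), append Sedai's CIDRs, dedupe, and print the result as JSON string
# elements, e.g. "10.0.0.0/8","18.204.62.170/32","34.238.185.251/32"
merge_cidrs() {
  for c in "$@" $SEDAI_CIDRS; do
    case $c in 0.0.0.0/0|None) ;; *) printf '%s\n' "$c" ;; esac
  done | awk '!seen[$0]++ { printf "%s\"%s\"", (n++ ? "," : ""), $0 } END { print "" }'
}

# current_public_cidrs CLUSTER PROFILE: the allowlist EKS currently enforces.
current_public_cidrs() {
  aws --profile "$2" eks describe-cluster --name "$1" \
    --query 'cluster.resourcesVpcConfig.publicAccessCidrs' --output text
}

# apply_allowlist CLUSTER PROFILE: the public endpoint stays enabled, but only the
# merged CIDRs may reach it. The update is asynchronous; wait for it to finish
# (cluster status back to ACTIVE) before testing access from Sedai.
apply_allowlist() {
  cidrs=$(merge_cidrs $(current_public_cidrs "$1" "$2"))
  aws --profile "$2" eks update-cluster-config --name "$1" \
    --resources-vpc-config "{\"endpointPublicAccess\":true,\"publicAccessCidrs\":[$cidrs]}"
}

if [ -n "${1:-}" ]; then apply_allowlist "$1" "${2:-default}"; fi
```

Run it as `sh tighten-allowlist.sh <YOUR_CLUSTER> <YOUR_PROFILE>`; any CIDRs your own operators rely on are preserved, only 0.0.0.0/0 is removed.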
Coming soon...
The next step is to set up Kubernetes RBAC for authorization, using the IAM User/Role created in the Configure IAM step.
Based on your Sedai IAM Policy selection, download and apply the ClusterRole and ClusterRoleBindings:
Autonomous
Read-only
Use the following commands if you configured IAM using Sedai's Autonomous Policy. This allows Sedai to act autonomously on your behalf to manage your cluster.
Confirm kubectl access to your cluster and apply the following ClusterRole and ClusterRoleBinding:
curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/eks/sedai-autonomous-mode-clusterrole.yaml
kubectl apply -f sedai-autonomous-mode-clusterrole.yaml
Use the following commands if you configured IAM using Sedai's Read-only Policy. This allows Sedai access to view your Kubernetes resources.
Confirm kubectl access to your cluster and apply the following ClusterRole and ClusterRoleBinding:
curl -O https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/eks/sedai-readonly-mode-clusterrole.yaml
kubectl apply -f sedai-readonly-mode-clusterrole.yaml
The group name in the configuration from the previous step is sedai-service-account. Next, map either your IAM Role or IAM User to this group by updating the aws-auth ConfigMap.
IAM Role
IAM User
Take the backup of your current ConfigMap:
kubectl -n kube-system get configmaps aws-auth -o yaml > aws-auth_before-sedai-integration-`date +%F`.yaml
Open aws-auth ConfigMap for editing:
kubectl -n kube-system edit configmaps aws-auth
Add the following mapRoles snippet under data (update the example account ID 111122223333 and role name to the ARN of the IAM Role you created):
mapRoles: |
  - rolearn: arn:aws:iam::111122223333:role/SedaiAWSIntegrationRole
    username: arn:aws:iam::111122223333:role/SedaiAWSIntegrationRole
    groups:
      - sedai-service-account
Take the backup of your current ConfigMap:
kubectl -n kube-system get configmaps aws-auth -o yaml > aws-auth_before-sedai-integration-$(date +%F).yaml
Open aws-auth ConfigMap for editing:
kubectl -n kube-system edit configmaps aws-auth
Add the following snippet under mapUsers (⚠️ update the example account ID 1111222233 in the IAM User ARN below to the ARN of the User you created):
mapUsers: |
  - userarn: arn:aws:iam::1111222233:user/sedai-service-account
    username: sedai-service-account
    groups:
      - sedai-service-account
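An added helper, not part of Sedai's documentation, for the two aws-auth tabs above: it builds the mapRoles or mapUsers entry from the ARN with the indentation aws-auth expects, rejecting a malformed ARN (such as an account ID that is not 12 digits) before it reaches the ConfigMap, and then verifies through impersonation what the sedai-service-account group can actually do. It assumes kubectl is configured with a principal allowed to impersonate users and groups (cluster-admin is); `sedai-rbac-check` is a throwaway impersonated username.

```shell
#!/bin/sh
# Added example, not part of Sedai's documentation: build the aws-auth entry for the
# IAM Role or User from its ARN (instead of hand-editing the indented YAML), then verify
# what the sedai-service-account group can actually do. Assumes kubectl is configured
# with a principal allowed to impersonate users and groups (cluster-admin is).
GROUP="sedai-service-account"
D='[0-9]'; ACCT="$D$D$D$D$D$D$D$D$D$D$D$D"   # AWS account IDs are exactly 12 digits

# aws_auth_entry ARN: print the mapRoles or mapUsers snippet with the indentation
# aws-auth expects, or return 1 if the ARN is malformed (e.g. a 10-digit account ID).
aws_auth_entry() {
  arn=$1
  case $arn in
    arn:aws:iam::$ACCT:role/?*)
      printf '%s\n' "mapRoles: |" "  - rolearn: $arn" "    username: $arn" ;;
    arn:aws:iam::$ACCT:user/?*)
      printf '%s\n' "mapUsers: |" "  - userarn: $arn" "    username: ${arn##*:user/}" ;;
    *)
      echo "invalid IAM ARN (need a 12-digit account ID and role/ or user/): $arn" >&2
      return 1 ;;
  esac
  printf '%s\n' "    groups:" "      - $GROUP"
}

# check_group_access MODE (readonly|autonomous): impersonate the group and confirm a
# read is allowed; in readonly mode also confirm a write is denied, so the ClusterRole
# applied earlier really is least-privilege for the mode you chose.
check_group_access() {
  can="kubectl --as=sedai-rbac-check --as-group=$GROUP auth can-i"
  $can list pods --all-namespaces >/dev/null || { echo "group cannot list pods"; return 1; }
  if [ "$1" = readonly ] && $can patch deployments --all-namespaces >/dev/null; then
    echo "read-only group is allowed to patch deployments"; return 1
  fi
  echo "RBAC for $GROUP matches $1 mode"
}

if [ -n "${1:-}" ]; then aws_auth_entry "$1"; fi
```

Paste the printed snippet into the data section of aws-auth, then run `check_group_access readonly` (or `autonomous`) before handing the cluster details to Sedai.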
The following details are required to connect your EKS cluster to Sedai within the platform:
via EKS Console
via AWS CLI
From your AWS Console, navigate to your EKS cluster and select Configurations to access the following details:
- EKS Cluster Name
- Cluster URL (endpoint)
- Cluster Authority Certificate
Insert your profile into each of the following commands before executing.
List EKS Clusters
aws --profile <YOUR_PROFILE> eks list-clusters
Get Cluster URL
aws --profile <YOUR_PROFILE> eks describe-cluster --name <YOUR_CLUSTER> --query "cluster.endpoint"
Get Cluster Authority Certificate
aws --profile <YOUR_PROFILE> eks describe-cluster --name <YOUR_CLUSTER> --query "cluster.certificateAuthority.data"
For additional help, view AWS support documentation: