Amazon EKS

  1. Prerequisites: Have your AWS credentials ready, including access key and secret access key, with permissions to access the EKS_READER_ROLE.
  2. Configuring Playbooks: In the Playbooks dashboard, navigate to Integrations > AWS EKS. Enter your AWS access key ID, secret access key, specify the region of your EKS account and the EKS_READER_ROLE.
  3. Testing the Integration: Test the integration.

Note: For security reasons, it is recommended to create a new IAM user dedicated to this integration, with only the permissions below attached.

Steps to create a new user:

Step 1: Create a policy (AmazonEKSViewNodesAndWorkloadsPolicy) with this json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:AccessKubernetesApi",
                "ssm:GetParameter",
                "eks:ListUpdates",
                "eks:ListFargateProfiles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "eks.amazonaws.com"
                }
            }
        }
    ]
}

Step 2: Create a role (eks-reader) with the above policy attached

Step 3: Create another policy (AmazonEKSAssumeEKSReaderPolicy) in your IAM that allows assuming this role with the following json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::<aws_account_id>:role/eks-reader"
        }
    ]
}

Step 4: Create a new user in your IAM with both of the policies created above attached: AmazonEKSAssumeEKSReaderPolicy and AmazonEKSViewNodesAndWorkloadsPolicy.

You don't need to add any group to the user.

Step 5: Once the user is created, create an access key by going to "Security Credentials".

Step 6: Select "Third-party service" while creating the key.

Step 7: Copy and paste the access key and secret key into the Playbooks Integrations page.

Step 8: Now give the eks-reader role permission to query the cluster. We'll do that by adding an aws-auth mapping, a cluster role and a cluster role binding. Note that an EKS cluster already has an aws-auth ConfigMap in kube-system that maps the node instance role; add the mapRoles entry below to the existing ConfigMap rather than replacing it, or the nodes lose their mapping.

auth.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <eks-reader-role-arn>
      username: eks-reader
      groups:
        - eks-read-only-group

role.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eks-read-only
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "namespaces"]
    verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-readonly-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: eks-read-only
subjects:
  - kind: Group
    name: eks-read-only-group
    apiGroup: rbac.authorization.k8s.io

Run the following commands (using credentials of a user who has cluster admin privileges).

  • kubectl apply -f auth.yaml -n kube-system
  • kubectl apply -f role.yaml -n kube-system

Now, you should be able to query your cluster resources from the Playbook tasks within Doctor Droid.
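Before applying these documents, and again whenever someone edits them later, it is worth checking that the two IAM policies and the ClusterRole still only grant read access. The audit below is an added example, not Doctor Droid's code; the sample documents are constructed copies of the ones in the steps above plus one deliberately widened ClusterRole, and the read-only action prefix list is an assumption about what the integration needs.

```python
# Read-only action prefixes. eks:AccessKubernetesApi only lets the caller reach the Kubernetes API;
# what it may do there is decided by the aws-auth mapping and the RBAC ClusterRole.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Access")
READ_VERBS = {"get", "list", "watch"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def iam_findings(policy: dict) -> list:
    """Flag Allow statements that widen the integration user beyond read-only EKS access."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        passed_to = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        for action in _as_list(stmt["Action"]):
            service, _, name = action.partition(":")
            if action == "sts:AssumeRole" and "*" in resources:
                findings.append("sts:AssumeRole on Resource '*' lets the user assume any role in the account")
            elif action == "iam:PassRole" and passed_to != "eks.amazonaws.com":
                findings.append("iam:PassRole is not conditioned on iam:PassedToService=eks.amazonaws.com")
            elif service not in ("sts", "iam") and not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"{action} is not a read-only action")
    return findings

def rbac_findings(cluster_role: dict) -> list:
    """Flag ClusterRole rules that grant more than get/list/watch or that reach Secrets."""
    findings = []
    for rule in cluster_role["rules"]:
        write = sorted(set(rule["verbs"]) - READ_VERBS)
        if write:
            findings.append(f"rule on {rule['resources']} grants non-read verbs {write}")
        if "secrets" in rule["resources"] or "*" in rule["resources"]:
            findings.append("rule can read Secrets, which read-only monitoring does not need")
    return findings

# Constructed copies of the documents from the steps above, plus a deliberately widened ClusterRole.
READER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "eks:DescribeNodegroup", "eks:ListNodegroups", "eks:DescribeCluster", "eks:ListClusters",
        "eks:AccessKubernetesApi", "ssm:GetParameter", "eks:ListUpdates", "eks:ListFargateProfiles"]},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": "eks.amazonaws.com"}}}]}
ASSUME_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                 "Resource": "arn:aws:iam::<aws_account_id>:role/eks-reader"}]}
READ_ONLY_ROLE = {"rules": [{"apiGroups": [""], "resources": ["pods", "services", "namespaces"],
                             "verbs": ["get", "list", "watch"]}]}
DRIFTED_ROLE = {"rules": [{"apiGroups": [""], "resources": ["pods", "secrets"],
                           "verbs": ["get", "list", "watch", "delete"]}]}
```

An empty list from either function means the document still matches the read-only intent; the drifted ClusterRole produces two findings (a write verb and Secret access).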