Kubernetes Integration

Auto-discover Kubernetes Applications and Resources running in EKS

Rapticore integrates with Kubernetes environments in AWS EKS using a read-only Cluster Role that is added to the IAM identity mapping in customer AWS accounts.


For more information on these roles and AWS integration, refer to our guide, AWS integration reference.

Prerequisites

Ensure that you have already set up AWS Integration with Rapticore. To set it up, refer to our AWS Integration guide. Note the ARN of the cross-account role, as it is required in the steps below.

Setup

To simplify setup, we provide a template in YAML format for creating the Cluster Role Binding.

Setup involves:

  1. Configuring a Cluster Role Binding for the cluster role view in Kubernetes.
  2. Configuring IAM identity mapping in EKS to map the Rapticore cross-account role created during AWS Integration.

Necessary privileges

  1. An IAM User or Role with privileges to create and update IAM Identity mapping in AWS.
  2. A User or Role with privileges to create a Cluster Role Binding in Kubernetes.

Kubernetes Configuration

  1. Download the Cluster Role Binding template as the file viewer-role-binding.yml.
  2. Configure your AWS CLI and profiles for the accounts you wish to integrate with Rapticore.
  3. Configure the kubectl config to connect to the EKS cluster. You may use the command below:
     aws eks --region <region_name> update-kubeconfig --name <eks-cluster-name> --profile <aws-profile>
  4. Run kubectl get clusterroles and ensure that a cluster role named view exists:
     kubectl get clusterroles | grep view
  5. Create the cluster role binding with the group named viewer:
     kubectl apply -f viewer-role-binding.yml

Repeat the process for all the EKS clusters in AWS Accounts you wish to integrate with Rapticore.

IAM Identity mapping Configuration

  1. Ensure AWS CLI has been configured for the AWS account.
  2. Ensure eksctl has already been installed. You can install it using the AWS guide.
  3. Create the IAM identity mapping for each EKS cluster using the command below. Replace CLUSTER_NAME, REGION_NAME, AWS_PROFILE and RAPTICORE_CROSS_ACCOUNT_ARN with the appropriate values. RAPTICORE_CROSS_ACCOUNT_ARN is the role ARN created in AWS Integration.
     eksctl create iamidentitymapping \
         --cluster <CLUSTER_NAME> \
         --region=<REGION_NAME> \
         --arn <RAPTICORE_CROSS_ACCOUNT_ARN> \
         --group viewer \
         --no-duplicate-arns \
         --profile <AWS_PROFILE>
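
A post-setup check, added here as an example (it is not Rapticore's tooling): it impersonates a member of the viewer group with kubectl auth can-i and confirms that reads are allowed while writes and Secret reads are denied, which is what the built-in view cluster role grants. The user name rapticore-probe and the file name check-viewer.sh are placeholders, and the current kubectl context is assumed to have impersonation rights.

```shell
#!/bin/sh
# Added example: confirm that members of the "viewer" group are read-only.
# Assumption: the current kubectl context is allowed to impersonate users/groups.

PROBE_USER="rapticore-probe"  # placeholder user name, used only for impersonation
GROUP="viewer"                # group used in the binding and the identity mapping

# can_i VERB RESOURCE: prints "yes" or "no" as answered for the impersonated group.
# Only the first word is kept, since a denial may carry a reason after "no".
can_i() {
  kubectl auth can-i "$1" "$2" --all-namespaces \
    --as="$PROBE_USER" --as-group="$GROUP" 2>/dev/null | awk 'NR==1 {print $1}'
}

# check_viewer_readonly: returns 0 only if every expectation below holds
check_viewer_readonly() {
  failures=0
  # Columns: verb, resource, expected answer. The built-in view role allows
  # reads of most namespaced objects but not Secrets, and allows no writes.
  while read -r verb resource expected; do
    actual=$(can_i "$verb" "$resource")
    if [ "$actual" = "$expected" ]; then
      echo "ok    $verb $resource -> $actual"
    else
      echo "FAIL  $verb $resource -> ${actual:-error} (expected $expected)"
      failures=$((failures + 1))
    fi
  done <<'EOF'
list pods yes
list deployments yes
get secrets no
create pods no
delete deployments no
create rolebindings no
EOF
  [ "$failures" -eq 0 ]
}

# Run the check only when asked, e.g.: sh check-viewer.sh run
if [ "${1:-}" = "run" ]; then
  check_viewer_readonly
fi
```

A FAIL on a write verb or on secrets indicates that the viewer group holds more than the view role, for example through another binding.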

Decommissioning

Deleting the IAM identity mapping or the Cluster Role Binding will stop Rapticore from viewing Kubernetes infrastructure.
Deleting an integrated AWS Account from Rapticore or deleting the IAM Role from the AWS account will stop Rapticore from monitoring that account.


Data collected from the account will be archived and deleted by Rapticore after the retention period has expired.