Kubernetes Integration
Auto-discover Kubernetes Applications and Resources running in EKS
Rapticore integrates with Kubernetes environments in AWS EKS using a read-only Cluster Role, mapped to the Rapticore cross-account role through an IAM Identity Mapping in customer AWS accounts.
For more information on these roles and AWS integration, refer to our AWS integration reference guide.
Prerequisites
Ensure that you have already set up AWS Integration with Rapticore. For setting up AWS Integration, please refer to our AWS Integration guide. Please note the ARN of the cross-account role, as it will be required in the steps below.
Setup
To simplify setup, we provide a template in YAML format to facilitate Cluster Role Binding creation.
Setup involves:
- Configuring a Cluster Role Binding for the cluster role `view` in Kubernetes
- Configuring an IAM Identity mapping in EKS to map the Rapticore cross-account role created during AWS Integration
Necessary privileges
- An IAM User or Role with privileges to create and update IAM Identity mapping in AWS.
- A User or Role with privileges to create a Cluster Role Binding in Kubernetes.
Kubernetes Configuration
- Download the Cluster Role Binding Template as a `viewer-role-binding.yml` file.
- Configure your AWS CLI and profiles for the accounts you wish to integrate with Rapticore.
- Configure the `kubectl` config to connect to the EKS cluster. You may use the command provided below:
aws eks --region <region_name> update-kubeconfig --name <eks-cluster-name> --profile <aws-profile>
- Run `kubectl get clusterroles` and ensure that a cluster role named `view` exists:
kubectl get clusterroles | grep view
- Create the cluster role binding with the group named `viewer`:
kubectl apply -f viewer-role-binding.yml
Repeat the process for all the EKS clusters in the AWS Accounts you wish to integrate with Rapticore.
IAM Identity mapping Configuration
- Ensure the AWS CLI has been configured for the AWS account.
- Ensure `eksctl` has already been installed. You can install it by following the AWS guide.
- Create an IAM Identity mapping for each EKS cluster using the command provided below. Replace the appropriate values for CLUSTER_NAME, REGION_NAME, AWS_PROFILE and RAPTICORE_CROSS_ACCOUNT_ARN. RAPTICORE_CROSS_ACCOUNT_ARN is the role ARN created in AWS Integration.
eksctl create iamidentitymapping \
--cluster <CLUSTER_NAME> \
--region=<REGION_NAME> \
--arn <RAPTICORE_CROSS_ACCOUNT_ARN> \
--group viewer \
--no-duplicate-arns \
--profile <AWS_PROFILE>
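The Kubernetes and IAM Identity mapping steps above, carried through for one cluster as an added example that is not Rapticore's own template or tooling. The manifest body (what `viewer-role-binding.yml` is assumed to contain), the binding name `rapticore-viewer`, the impersonated user `rapticore-check` and the read-only verification checks are assumptions; the script expects `aws`, `kubectl` and `eksctl` on PATH and a caller with cluster-admin rights.

```shell
#!/usr/bin/env sh
# Added example, not Rapticore's template or tooling: renders the binding
# that viewer-role-binding.yml is assumed to contain, applies it to one EKS
# cluster, maps the Rapticore cross-account role, and verifies read-only.
# Requires aws, kubectl and eksctl; the caller needs cluster-admin (to
# create bindings and to impersonate for the verification step).

# Bind the built-in ClusterRole "view" to the group "viewer" (the group
# name that eksctl maps the IAM role ARN to).
render_viewer_role_binding() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rapticore-viewer   # assumed name; the downloaded template may differ
subjects:
  - kind: Group
    name: viewer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Impersonate a member of "viewer": reads must succeed, writes and secrets
# must be denied (the built-in "view" ClusterRole excludes secrets by design).
verify_viewer_is_read_only() {
  as="--as=rapticore-check --as-group=viewer"
  kubectl auth can-i list pods --all-namespaces $as | grep -qx yes || return 1
  kubectl auth can-i create pods $as | grep -qx no || return 1
  kubectl auth can-i list secrets --all-namespaces $as | grep -qx no || return 1
}

# Full flow for one cluster: <cluster> <region> <aws-profile> <rapticore-arn>
setup_cluster() {
  cluster=$1; region=$2; profile=$3; arn=$4
  aws eks --region "$region" update-kubeconfig --name "$cluster" --profile "$profile"
  kubectl get clusterrole view >/dev/null          # built-in role must exist
  render_viewer_role_binding | kubectl apply -f -
  eksctl create iamidentitymapping --cluster "$cluster" --region="$region" \
    --arn "$arn" --group viewer --no-duplicate-arns --profile "$profile"
  verify_viewer_is_read_only
}

# Run once per cluster; repeat for every cluster and account as the page instructs.
if [ "$#" -eq 4 ]; then setup_cluster "$@"; fi
```

The verification step is the check a reviewer would want before granting the mapping: a principal in the `viewer` group can list workloads but is denied writes and secret reads.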
Decommissioning
Deleting the IAM Identity mapping or the Cluster Role Binding will stop Rapticore from viewing the Kubernetes infrastructure.
Deleting an integrated AWS Account from Rapticore or deleting the IAM Role from the AWS account will stop Rapticore from monitoring that account.
Data collected from the account will be archived and deleted by Rapticore after the retention period has expired.
Updated about 2 years ago