Apono Connector for Kubernetes

How to install a Connector on a Kubernetes cluster to integrate Kubernetes with Apono

Overview

To integrate with Kubernetes and start managing JIT access to Kubernetes resources, you must first install a connector in your Kubernetes cluster.

This is can be done by one of the following methods:

  1. Helm
  2. Terraform

πŸ“˜

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

With Helm

An Apono connector is installed in the cloud platform managing your Kubernetes resource. The installation is made by running a Helm command with the necessary parameters.

Prerequisites

  • An existing Kubernetes project on one of the following platforms:
    • Google Kubernetes Engine (GKE)
    • Elastic Kubernetes Service (EKS)
    • Azure Kubernetes Engine (AKS)
    • Kubernetes (self-managed)
  • Helm
  • kubectl

Step-by-step guide

Find Your Integration Token

  1. Select any Kubernetes integration in the Catalog.

πŸ“˜

You can install a new connector from any Kubernetes New Integration form. Pick the one relevant to your network.

Connectors for EKS, GKE, AKS and self-managed Kubernetes work in the same way.

  1. From the drop-down list on the next page select Add a New Connector, and then select Help.
  2. Copy the token displayed toward the bottom of the page.

Install the Connector

Run the following Helm command in a terminal:

Without permissions

  • If you would like to install the connector in Kubernetes, but not grant Apono access to read or manage access to Kubernetes resources, use this code:
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=[APONO_TOKEN] \
    --set-string apono.connectorId=[CONNECTOR_NAME] \
    --set serviceAccount.manageClusterRoles=false \
    --namespace apono-connector \
    --create-namespace

With permissions

  • If you would like to install the connector in Kubernetes and grant Apono access to read and manage access to Kubernetes resources, use this code:
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=[APONO_TOKEN] \
    --set-string apono.connectorId=[CONNECTOR_NAME] \
    --set serviceAccount.manageClusterRoles=true \
    --namespace apono-connector \
    --create-namespace

Where:

  • [APONO_TOKEN] is the token copied from the integration page in the previous step.
  • [CONNECTOR_NAME] is any name you choose to give the connector.

Helm will finish with a message that the apono-connector has been installed.

πŸ‘

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Read more here.

Results and next steps

The Kubernetes Connector is now installed.

  1. Return to the Add new integration form from step 1 for EKS, GKE, AKS or self-managed Kubernetes.
  2. The Connector is found by the form, marked by a green checkmark

πŸ‘

You can now integrate Apono with your Kubernetes instance

Complete the integration with EKS, GKE, AKS or self-managed Kubernetes.

Troubleshooting

  • If you are managing more than one Kubernetes cluster, you must be certain that the current context points to the cluster into which the Apono connector is to be added.
    • Get the current context with kubectl config current-context
    • Set the current context with kubectl config use-context [clustername]

With Terraform

An Apono connector is installed in the cloud platform managing your Kubernetes resource. The installation is made by adding an Apono module to your Terraform configuration.

Prerequisites

  • A Kubernetes project on one of the following platforms:
    • Google Kubernetes Engine (GKE)
    • Elastic Kubernetes Service (EKS)
    • Azure Kubernetes Engine (AKS)
    • Kubernetes (self-managed)
  • Terraform with the following providers:
    • Helm
    • Kubernetes
    • AWS

Step-by-step guide

Find Your Integration Token

  1. Select any Kubernetes integration in the Catalog.

πŸ“˜

You can install a new connector from any Kubernetes New Integration form. Pick the one relevant to your network.

Connectors for EKS, GKE, AKS and self-managed Kubernetes work in the same way.

  1. From the drop-down list on the next page select Add a New Connector, and then select Terraform.
  2. Copy the token displayed toward the bottom of the page.

Edit the Terraform Configuration

  1. Add the following to your Terraform module.

Without permissions

  • If you would like to install the connector in Kubernetes, but not grant Apono access to read or manage access to Kubernetes resources, use this code:
module "connector" {
    source = "github.com/apono-io/terraform-modules/k8s/connector-without-permissions/stacks/apono-connector"
    aponoToken = [APONO_TOKEN]
    connectorId = [CONNECTOR_NAME] // choose connector name
}

With permissions

  • If you would like to install the connector in Kubernetes and grant Apono access to read and manage access to Kubernetes resources, use this code:
module "connector" {  
    source = "github.com/apono-io/terraform-modules/k8s/connector-with-permissions/stacks/apono-connector"  
    aponoToken = [APONO_TOKEN]  
    connectorId = [CONNECTOR_NAME] // choose connector name  
}

Where:

  • [APONO_TOKEN] is the token copied from the integration page in the previous step.
  • [CONNECTOR_NAME] is any name you choose to give the connector.
  1. Run terraform init. It will finish with the message:
    "Terraform has been successfully initialized!"
  2. Run terraform apply. It will finish with the message:
    "Apply complete! Resources: (N) added.."

Results and next steps

The Kubernetes Connector is now installed.

  1. Return to the Add new integration form from step 1 for EKS, GKE, AKS or self-managed Kubernetes.
  2. The Connector is found by the form, marked by a green checkmark

πŸ‘

You can now integrate Apono with your Kubernetes instance

Complete the integration with EKS, GKE, AKS or self-managed Kubernetes.

Next Steps

Return to the Catalog, and select one of the following Kubernetes integrations: