Integrate with EKS

With Elastic Kubernetes Service (EKS) on AWS, EKS simplifies the management complexities of Kubernetes.

Through this integration, Apono helps you securely manage access to your AWS Elastic Kubernetes cluster.

Prerequisites

Item	Description
Apono Connector	Connection installed on the EKS cluster that serves as a bridge between the cluster and Apono
Apono Premium	Apono plan providing all available features and dedicated account support
Cluster Admin Access	Admin access to the cluster to integrate The cluster admin access can be the built-in cluster-admin role or equivalent permission level. Apono does not require admin permissions to the Kubernetes environment.
EKS Cluster Name	Unique name of the cluster to integrate
AWS SSO \| SAML Federation	Authentication for requester Security Assertion Markup Language (SAML) federation for authentication can be provided by providers such as Okta, Onelogin, Jumpcloud, and Ping Identity.

Configure user authentication

Authentication can be completed with an Identity and Access Management IAM user or an IAM role. To grant a user access to an EKS cluster, the IAM user or IAM role must be mapped with a specific user identifier, such as an email address.

Apono supports this mapping with an IAM role through AWS SSO or SAML federation from any identity provider (IdP).

Create a new policy

Follow these steps to create a new policy:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Policies > Create policy. The Specify permission page appears.
Click JSON.

Replace the default policy with the following policy. Be sure to replace the placeholder.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
        }
    ]
}

Placeholder	Description
<AWS_ACCOUNT_ID>	AWS account ID where the EKS is hosted

Click Next. The Review and create page appears.
Enter a Policy name. This name is used to identify this policy.
Click Create policy.

Create the IAM role

Follow these steps to create the IAM role:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Roles > Create role. The Select trusted entity page appears.
Under Trusted entity type, select Custom trust policy.

Under Custom trust policy, replace the default policy with one of the following trust policies. Be sure to replace the placeholders.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "sts:RoleSessionName": "${SAML:sub}"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
                    ]
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}

Placeholder	Description
<AWS_ACCOUNT_ID>	AWS account ID where the EKS is hosted
<SAML_PROVIDER>	Identity provider name

Click Next. The Add permissions page appears.
Under Permissions policies, select the newly created policy.
Click Next. The Name, review, and create page appears.
For the Role name, enter apono-k8s-access.
For the Description, enter required for k8s access managed by Apono.
Click Create role.

ℹ️
If an Overly permission trust policy popup window appears, click Continue.

Authenticate the EKS cluster

Now that the IAM role has been created, you must authenticate the EKS cluster with the ConfigMap or EKS API.

ConfigMap

💡
Read Apply the aws-auth ConfigMap to your cluster to learn more about editing the aws-auth ConfigMap.

Follow these steps to authenticate the cluster:

Log in to the EKS cluster with a user account that has the cluster admin permission.
Edit the aws-auth ConfigMap to include the following mapRoles entry. Be sure to replace the placeholder.
```
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
  username: "{{SessionNameRaw}}"
```
Placeholder Description
<AWS_ACCOUNT_ID> AWS account ID where the EKS is hosted

EKS API

Follow these steps to authenticate the cluster:

Change the authentication mode to EKS API.
Create the access entry:
- For the IAM principal, enter arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access.
- For the Username use {{SessionName}}.
- Choose Cluster as the access scope.

Now, you can integrate with EKS.

Integrate with Elastic Kubernetes Service (EKS)

Follow these steps to complete the integration:

On the Catalog tab, click Elastic Kubernetes Service (EKS). The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.
ℹ️
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.
Click Next. The Apono connector section appears.
From the dropdown menu, select a connector.
💡
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono Connector for Kubernetes on an EKS cluster.
Click Next. The Integration Config section expands.

Define the Integration Config settings.

ℹ️
When the Apono connector is installed on the EKS cluster, you do not need to enter values for the other optional fields.

Setting	Description
Integration Name	Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Server URL	(Optional) URL of the Kubernetes API server used to interact with the Kubernetes cluster
Certification Authority	(Optional) Certificate that ensures that the Kubernetes API server is trusted and authentic Leave this field empty if you want to connect the cluster where the connector is deployed.
EKS Cluster Name	Unique name of the cluster to integrate
AWS Role Name	(Optional) Role defined for the connector
Region	(Optional) Location where the AWS Elastic Kubernetes cluster is deployed

Click Next. The Secret Store section expands.
ℹ️
When the Apono connector is installed on the EKS cluster, you do not need to provide a secret.
(Optional) Associate the secret or credentials:
- AWS
- Kubernetes
- Apono
Click Next. The Get more with Apono section expands.

Define the Get more with Apono settings.

Setting	Description
Custom Access Details	(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview. NOTE: You can also add the `custom_access_details` parameter to the `apono_integration` schema using Terraform. For more information, learn how to integrate with Apono in the Terraform Registry.
Integration Owner	(Optional) Fallback approver if no resource owner is found Follow these steps to define one or several integration owners: From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform. From the Value dropdown menu, select one or multiple users or groups. NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner	(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several resource owners: Enter a Key name. This value is the name of the tag created in your cloud environment. From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono. NOTE: When this setting is defined, an Integration Owner must also be defined.

Click Confirm.

Now that you have completed this integration, you can create access flows that grant permission to your Elastic Kubernetes Service cluster.

Log in to EKS with Apono access details

After a user gains access to an EKS resource, the user must authenticate with the cluster. The user must assume the apono-k8s-access role .

The following table shows two approaches to assume this role.

Approach Details

Approach	Details
AWS CLI	In the AWS CLI, run the `aws sts assume-role` command. Be sure to replace the placeholders. `aws sts assume-role \ --role-arn arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access \ --role-session-name <EMAIL> \ --duration-seconds 3600`
Config File	Edit ~/.aws/config to contain the following profile. Be sure to replace the placeholders. `[profile apono-k8s-access] role_arn = arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access role_session_name = <EMAIL> source_profile = default`

AWS CLI

In the AWS CLI, run the aws sts assume-role command. Be sure to replace the placeholders.

aws sts assume-role \
  --role-arn arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access \
  --role-session-name <EMAIL> \
  --duration-seconds 3600

Config File

Edit ~/.aws/config to contain the following profile. Be sure to replace the placeholders.

[profile apono-k8s-access]
role_arn = arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access
role_session_name = <EMAIL>
source_profile = default

Placeholder	Description
<AWS_ACCOUNT_ID>	AWS account ID where the EKS is hosted
<EMAIL>	User email listed in the IdP