Integrate with EKS

Overview

With a connector installed on your Kubernetes platform, the next step is setting permissions for Apono to manage access control.

Prerequisites

  • An Apono Kubernetes connector installed on the EKS cluster you want to integrate
  • Cluster Admin permission to the EKS cluster
  • AWS SSO or some SAML federation for authentication (like Okta, Onelogin, Jumpcloud, Ping Identity, etc.) for requesters

🚧

Please note! If you installed the Apono connector on the cluster, there is no need to provide the secret in the Add Integration form in the UI.

The connector already handles the secret ;)

Integrate Apono with EKS

1. Integrate EKS with AWS SSO or SAML Federation

In AWS, user authentication can be done with an IAM user or IAM role, and not with the user email. To allow users to access an EKS cluster, Apono must map the IAM user or IAM role to a user identifier, like the user email.

Apono supports this mapping with an IAM role via AWS SSO or with SAML federation from any IdP of your choice.

Create the IAM role in AWS

Create an IAM role in the AWS account of the EKS cluster and map it into the cluster via the aws-auth ConfigMap.

  1. In the AWS Admin Portal, go to AWS IAM
  2. Click Roles
  3. Click Create Role
  4. Select trusted entity: Custom trust policy
  5. Insert the trust policy shown below, then follow steps 6-17
    1. If you are using AWS SSO, follow this section
    2. If you are using a SAML Federation, follow this section

With AWS SSO

Set the following Assume Role Policy Document for the created role

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Principal": {
				"AWS": "*"
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringEqualsIgnoreCase": {
					"sts:RoleSessionName": "${SAML:sub}"
				},
				"ArnLike": {
					"aws:PrincipalArn": [
						"arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
						"arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
					]
				}
			}
		}
	]
}

Where:

AWS_ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted

With SAML Federation

Set the following Assume Role Policy Document for the created role

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
			},
			"Action": "sts:AssumeRoleWithSAML",
			"Condition": {
				"StringEquals": {
					"SAML:aud": "https://signin.aws.amazon.com/saml"
				}
			}
		}
	]
}

Where:

AWS_ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted

SAML_PROVIDER is your IdP name

Continue to steps 6-17

  6. Click Next
  7. Under Add permissions, click Create Policy
  8. Click JSON
  9. Paste the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
        }
    ]
}

Where: AWS_ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted

  10. Click Next
  11. Give the Policy a name of your choosing
  12. Click Create policy
  13. Return to the Add permissions page
  14. From the table, choose the Apono policy you just created
  15. Click Next
  16. Complete the following params:
    • Role name: apono-k8s-access
    • Optional: Set description: required for k8s access managed by Apono
  17. Click Create role

2. Map the IAM Role to K8s identities

Map the IAM Role to K8s identities using the aws-auth ConfigMap

📘

Visit the AWS guide to learn more about editing the aws-auth ConfigMap here

  1. Log into your EKS with Cluster Admin permission
  2. Edit the aws-auth ConfigMap to include the following mapRoles entry
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
  username: "{{SessionNameRaw}}"

Where: AWS_ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted
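
Because the mapRoles entry above turns the role session name into the Kubernetes username, the two conditions in the AWS SSO trust policy from step 1 are what constrain a role that otherwise trusts "AWS": "*". The following check is an added example, not Apono's or AWS's code; it flags a wildcard-principal statement that is missing either condition, and the account ID 111122223333 and the function names are assumptions made for illustration.

```python
import copy

ACCOUNT_ID = "111122223333"  # constructed sample account ID, not from the page
SSO_PREFIX = f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/"

def as_list(value):
    return value if isinstance(value, list) else [value]

def condition_values(stmt, operators, key):
    """Values of one condition key (case-insensitive) under the given operators."""
    return [v for op in operators
            for k, vals in stmt.get("Condition", {}).get(op, {}).items()
            if k.lower() == key.lower() for v in as_list(vals)]

def check_trust_policy(policy, sso_prefix=SSO_PREFIX):
    """Return findings for Allow statements that trust the wildcard AWS principal."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        if stmt.get("Effect") != "Allow" or "*" not in as_list(aws):
            continue  # only wildcard-principal Allow statements are examined
        if not condition_values(stmt, ("StringEquals", "StringEqualsIgnoreCase"),
                                "sts:RoleSessionName"):
            findings.append("session name is not pinned by sts:RoleSessionName")
        arns = condition_values(stmt, ("ArnLike", "ArnEquals"), "aws:PrincipalArn")
        if not arns or not all(a.startswith(sso_prefix) for a in arns):
            findings.append("caller is not limited to this account's SSO roles")
    return findings

# The page's AWS SSO trust policy with the constructed account ID filled in.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEqualsIgnoreCase": {"sts:RoleSessionName": "${SAML:sub}"},
            "ArnLike": {"aws:PrincipalArn": [SSO_PREFIX + "AWSReservedSSO_*",
                                             SSO_PREFIX + "*/AWSReservedSSO_*"]},
        },
    }],
}

# Constructed counter-example: the same policy with the session-name condition dropped.
WEAK_POLICY = copy.deepcopy(PAGE_POLICY)
del WEAK_POLICY["Statement"][0]["Condition"]["StringEqualsIgnoreCase"]

if __name__ == "__main__":
    print(check_trust_policy(PAGE_POLICY), check_trust_policy(WEAK_POLICY))
```
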

3. In Apono, create a new EKS integration

  1. In the Apono app, select Elastic Kubernetes Service (EKS) from the Integrations Catalog.
  2. On the next page, select an existing connector from the drop-down list.
  3. Click Next to view the EKS integration form.

4. Complete the Integration Form

  1. Integration name: Give the integration a name.
  2. If you installed the Apono connector on the EKS cluster, ignore the optional params and the secret
    1. Cluster name: The unique name of the cluster you are integrating

Results

Integration of Apono with EKS is now complete.

Next Steps

  1. Manage users and groups. If you have an IdP set up, for example Okta or Azure AD, you may want to integrate it with Apono in order to sync users and groups.
  2. You can now control access to this resource by defining Access Flows.
  3. Make it easy for your users to request access by integrating your Slack or Teams organization with Apono.

Using the Apono access details to log into EKS

When users request and are granted JIT access to an EKS resource (like cluster, namespace, pod, deployment, secret, etc.), they need to authenticate with the cluster.

To authenticate, the user needs to assume the apono-k8s-access role that admins created in step 1 in one of the following ways:

  • Use the aws sts assume-role command in the AWS CLI:
aws sts assume-role --role-arn arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access --role-session-name <EMAIL> --duration-seconds 3600

Where:

ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted

EMAIL is the user email as listed in the IdP

  • Edit the ~/.aws/config file to contain the following profile:
[profile apono-k8s-access]
role_arn = arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access
role_session_name = <EMAIL>
source_profile = default

Where:

ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted

EMAIL is the user email as listed in the IdP