Create an integration to manage access to a Kubernetes cluster on AWS
Elastic Kubernetes Service (EKS) on AWS reduces the operational complexity of running Kubernetes. Through this integration, Apono helps you securely manage access to your AWS Elastic Kubernetes cluster.
Item: Description
Apono Connector: Connector installed on the EKS cluster that serves as a bridge between the cluster and Apono.
Apono Premium: Provides all available features and dedicated account support.
Cluster Admin Access: Admin access to the cluster to integrate. The cluster admin access can be the built-in role or an equivalent permission level. Apono does not require admin permissions to the Kubernetes environment.
EKS Cluster Name: Unique name of the cluster to integrate.
AWS SSO | SAML Federation: Authentication for the requester. Security Assertion Markup Language (SAML) federation for authentication can be provided by providers such as Okta, OneLogin, JumpCloud, and Ping Identity.
Authentication can be completed with an Identity and Access Management (IAM) user or an IAM role. To grant a user access to an EKS cluster, the IAM user or IAM role must be mapped to a specific user identifier, such as an email address. Apono supports this mapping with an IAM role through AWS SSO or SAML federation from any identity provider (IdP).
Follow these steps to create a new policy:
Under Access management on the Identity and Access Management (IAM) page in AWS, click Policies > Create policy. The Specify permission page appears.
Click JSON.
Replace the default policy with the following policy. Be sure to replace the placeholder:
<AWS_ACCOUNT_ID>: AWS account ID where the EKS cluster is hosted
Click Next. The Review and create page appears.
Enter a Policy name. This name is used to identify this policy.
Click Create policy.
Follow these steps to create the IAM role:
Under Access management on the Identity and Access Management (IAM) page in AWS, click Roles > Create role. The Select trusted entity page appears.
Under Trusted entity type, select Custom trust policy.
Under Custom trust policy, replace the default policy with one of the following trust policies. Be sure to replace the placeholders:
<AWS_ACCOUNT_ID>: AWS account ID where the EKS cluster is hosted
<SAML_PROVIDER>: Identity provider name
Click Next. The Add permissions page appears.
Under Permissions policies, select the newly created policy.
Click Next. The Name, review, and create page appears.
For the Role name, enter apono-k8s-access.
For the Description, enter required for k8s access managed by Apono.
Click Create role.
If an Overly permissive trust policy popup window appears, click Continue.
Now that the IAM role has been created, you must authenticate the EKS cluster with the aws-auth ConfigMap or the EKS API.
Read Apply the aws-auth ConfigMap to your cluster to learn more about editing the aws-auth ConfigMap.
Follow these steps to authenticate the cluster using the aws-auth ConfigMap:
Log into the EKS cluster with a user account that has the cluster admin permission.
Edit the aws-auth ConfigMap to include the following mapRoles entry. Be sure to replace the placeholder:
<AWS_ACCOUNT_ID>: AWS account ID where the EKS cluster is hosted
Follow these steps to authenticate the cluster using the EKS API:
Change the authentication mode to EKS API.
For the IAM principal, enter arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access.
For the Username, use apono:{{SessionName}}.
Choose Cluster as the access scope.
Now, you can integrate with EKS.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Elastic Kubernetes Service (EKS). The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.
Click Next. The Apono connector section appears.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono Connector for Kubernetes on an EKS cluster.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
When the Apono connector is installed on the EKS cluster, you do not need to enter values for the other optional fields.
Integration Name: Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Server URL: (Optional) URL of the Kubernetes API server used to interact with the Kubernetes cluster
Certification Authority: (Optional) Certificate that ensures that the Kubernetes API server is trusted and authentic. Leave this field empty if you want to connect the cluster where the connector is deployed.
EKS Cluster Name: Unique name of the cluster to integrate
AWS Role Name: (Optional) Role defined for the connector
Region: (Optional) Location where the AWS Elastic Kubernetes cluster is deployed
Click Next. The Secret Store section expands.
When the Apono connector is installed on the EKS cluster, you do not need to provide a secret.
(Optional) Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Custom Access Details: (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner: (Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner: (Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono uses the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your Elastic Kubernetes Service cluster.
After a user gains access to an EKS resource, the user must authenticate with the cluster. The user must assume the apono-k8s-access role.
The following table shows two approaches to assume this role.
AWS CLI: In the AWS CLI, run the aws sts assume-role command. Be sure to replace the placeholders.
Config File: Edit ~/.aws/config to contain the following profile. Be sure to replace the placeholders.
<AWS_ACCOUNT_ID>: AWS account ID where the EKS cluster is hosted
<EMAIL>: User email listed in the IdP
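As an added example (not Apono's code and not the policies this page refers to), the following Python script renders the artifacts the role-creation and aws-auth steps above and the end-user config step leave you to fill in by hand: a SAML trust policy, the aws-auth mapRoles entry and the ~/.aws/config profile, all from one set of inputs. It also flags the mistakes a copy-paste commonly leaves behind: an unreplaced placeholder, a malformed account ID, or an IdP email that STS rejects as a session name (which would break the apono:{{SessionName}} mapping). The trust policy shape, the use of the apono:{{SessionName}} template in aws-auth, the profile name and the sample values are assumptions.

```python
import json
import re

# Constructed helper; the regexes encode AWS-documented constraints, the rest is assumed.
PLACEHOLDER = re.compile(r"<[A-Z_]+>")            # e.g. <AWS_ACCOUNT_ID> left unreplaced
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")  # STS RoleSessionName: 2-64 chars of [\w+=,.@-]
ROLE_NAME = "apono-k8s-access"                    # role name used in this guide

def role_arn(account_id):
    return f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"

def saml_trust_policy(account_id, saml_provider):
    """Trust policy letting IdP-federated users assume the role via SAML.
    Standard AWS pattern, assumed here; not Apono's published policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{saml_provider}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }

def aws_auth_map_roles(account_id):
    """mapRoles entry for the aws-auth ConfigMap. The username reuses the
    apono:{{SessionName}} template the guide gives for the EKS API path
    (assumption: aws-iam-authenticator expands {{SessionName}} the same way)."""
    return f"- rolearn: {role_arn(account_id)}\n  username: apono:{{{{SessionName}}}}\n"

def aws_config_profile(account_id, email, source_profile="default"):
    """~/.aws/config profile that assumes the role with the IdP email as the
    session name, so the cluster sees the requester as apono:<email>."""
    return (f"[profile apono-k8s]\nrole_arn = {role_arn(account_id)}\n"
            f"source_profile = {source_profile}\nrole_session_name = {email}\n")

def check_inputs(account_id, saml_provider, email):
    """Return the problems found in the inputs; an empty list means all artifacts are usable."""
    problems = []
    rendered = json.dumps(saml_trust_policy(account_id, saml_provider))
    rendered += aws_auth_map_roles(account_id) + aws_config_profile(account_id, email)
    if PLACEHOLDER.search(rendered):
        problems.append("unreplaced <PLACEHOLDER> in generated artifacts")
    if not re.fullmatch(r"\d{12}", account_id):
        problems.append("AWS account ID must be 12 digits")
    if not SESSION_NAME.match(email):
        problems.append("email is not usable as an STS RoleSessionName")
    return problems
```

Run check_inputs on your own values before pasting the rendered trust policy, mapRoles entry and profile into the console, the ConfigMap and ~/.aws/config respectively.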