icon-zwp.svg
Posture Control (ZPC)

Onboarding an Amazon Elastic Kubernetes Service Cluster

ZPC offers insight into your Amazon Elastic Kubernetes Service (EKS) public and hybrid clusters. ZPC provides a script for you to download and run on your EKS clusters. The script enables ZPC APIs to access and collect EKS cluster configuration metadata. The script:

  1. Updates the publicAccessCidr property of the hybrid (public and private) clusters with ZPC IP addresses.
  2. Creates a cluster role binding within Kubernetes.
  3. Creates an IAM identity mapping.

Prerequisites

Before you onboard EKS clusters, you need to:

  • Make sure the AWS cloud accounts that contain the clusters are onboarded to ZPC. To learn how to onboard an AWS account, see Onboarding an Amazon Web Services Account.
  • Make sure you are a Kubernetes Cluster Admin.
  • Have permissions to:
    • Update aws-auth configmap in the kube-system namespace.
    • Create, update, and delete the cluster role and the cluster role binding.
  • Have the following additional permissions for hybrid clusters:
    • UpdateClusterConfig
    • DescribeCluster

To learn more, see the AWS documentation.

Onboarding EKS Clusters in a Single AWS account

To onboard EKS clusters in a single AWS account on ZPC:

  1. In the ZPC Admin Portal, go to Administration > Cloud Accounts.
  2. Click the Accounts tab.
  3. Click the Actions icon, then select the Add Kubernetes Cluster button for an AWS account.

  1. On the Cluster Selection page, you can view and search for the following EKS cluster details available in the selected AWS account:

    • Cluster Name: Name of the EKS cluster.
    • Region: Region of the EKS cluster.
    • Kubernetes Version: Current Kubernetes version running on the cluster.
    • Endpoint Access: View the endpoint access type.
    • Status: Onboarding status of the cluster (Success, Pending, or Failure).

    ZPC cannot onboard clusters with private-only endpoint access. ZPC also needs you to allowlist your CloudShell IP address if you're onboarding a public and private cluster.

  2. Select clusters you want to onboard, then click Next.

  1. On the Cluster Access page, click Download the bash script.
  2. Click Log in to the AWS cloud console and execute the bash script.
  3. After the script is deployed, in the ZPC Admin Portal, click Finish.

Onboarding EKS clusters in an AWS organization

You can choose to onboard EKS clusters from multiple accounts belonging to a single AWS organization. To onboard EKS clusters in an AWS organization on ZPC:

  1. On the ZPC Admin Portal, go to Administration > Cloud Accounts.
  2. Click the Organizations tab.
  3. Click the Actions icon, then select the Add Kubernetes Cluster button for an AWS organization.

  1. On the Cluster Selection page, you can view and search for the following EKS cluster details available on the selected AWS organization:

    • Cluster Name: Name of the EKS cluster.
    • Region: Region of the EKS cluster.
    • Kubernetes Version: Current Kubernetes version running on the cluster.
    • Endpoint Access: View the endpoint access type.
    • Status: Onboarding status of the cluster (Success, Pending, or Failure).

    ZPC cannot onboard clusters with private-only endpoint access. ZPC also needs you to allowlist your CloudShell IP address if you're onboarding a public and private cluster.

  2. Select clusters you want to onboard, then click Next.

  1. On the Cluster Access page, click Download the bash script.
  2. Click Log in to the AWS cloud console and execute the bash script.
  3. After the script is deployed, in the ZPC Admin Portal, click Finish.

Related Articles
Onboarding an Amazon Web Services AccountConfiguring CloudTrail S3 Buckets for AWS OrganizationConfiguring Write Access for an AWS Cloud AccountOnboarding an Amazon Elastic Kubernetes Service Cluster