Your Browser is Out of Date

Nytro.ai uses technology that works best in other browsers.
For a full experience use one of the browsers below
Amazon Elastic Kubernetes Service Anywhere Bare Metal on Dell PowerFlex
Introduction PowerFlex product overview Solution architecture Installing an Amazon EKS Anywhere Bare Metal cluster on Dell PowerFlex Creating an Amazon EKS Anywhere Bare Metal cluster Validating the cluster deployment Installing the PowerFlex CSI driver Deployment tests and validation Amazon EKS Connector
Overview
Connecting an EKS Anywhere cluster to AWS EKS Connector
Amazon EKS Connector troubleshooting
Amazon EKS Connector Appendix
Conclusion Hardware qualification details References

Amazon EKS Connector Appendix

Amazon EKS Connector Appendix

  • Create the following IAM Role and Policy:

    EKS external cluster management role: This role is used by the EKS control plane to manage the AWS resources on behalf of the customer.

    Define the trust policySteps to define the trust policy:

    1. Define the policy document.

    $ cat <<EOF > integration-trust-policy.json

    {

     "Version": "2012-10-17",

     "Statement": [

     {

     "Sid": "EKSConnectorAccess",

     "Effect": "Allow",

     "Principal": {

     "Service": [

     "eks-connector.amazonaws.com",

     "eks.amazonaws.com"

     ]

     },

     "Action": "sts:AssumeRole"

     }

     ]

    }

    EOF

     

    $ cat <<EOF > integration-policy-document.json

    {

     "Version": "2012-10-17",

     "Statement": [

     {

     "Sid": "AccessSSMService",

     "Effect": "Allow",

     "Action": [

     "ssm:CreateActivation",

     "ssm:DescribeInstanceInformation",

     "ssm:DeleteActivation"

     ],

     "Resource": "*"

     },

     {

     "Sid": "ConnectorAgentStartSession",

     "Effect": "Allow",

     "Action": [

     "ssm:StartSession"

     ],

     "Resource": [

     "arn:aws:eks:*:*:cluster/*"

    "arn:aws:ssm:*::document/AmazonECS-ExecuteInteractiveCommand",

    "arn:aws:ssm:*::document/AmazonEKS-ExecuteNonInteractiveCommand"

     ]

     },

     {

     "Sid": "ConnectorAgentDeregister",

     "Effect": "Allow",

     "Action": [

     "ssm:DeregisterManagedInstance"

     ],

     "Resource": [

     "arn:aws:eks:*:*:cluster/*"

     ]

     },

     {

     "Sid": "PassAnyRoleToSsm",

     "Effect": "Allow",

     "Action": [

     "iam:PassRole"

     ],

     "Resource": "*",

     "Condition": {

     "StringEquals": {

     "iam:PassedToService": [

     "ssm.amazonaws.com"

     ]

     }

     }

     }

     ]

    }

    EOF

     

    1. Create the IAM role:

    $ aws iam create-role \

     --role-name eks-external-cluster-integration \

     --assume-role-policy-document file://integration-trust-policy.json

    1. Attach the policy to the role:

    $ aws iam put-role-policy \

     --role-name eks-external-cluster-integration \

     --policy-name eks-connector-policy \

     --policy-document file://integration-policy-document.json

     

    1. Define the Amazon EKS Connector agent role:

             This role is used by the EKS connector agent to communicate back to AWS from the Kubernetes cluster.

             Define the trust policy:

    $ cat <<EOF > agent-trust-policy.json

    {

     "Version": "2012-10-17",

     "Statement": [

     {

     "Sid": "SSMAccess",

     "Effect": "Allow",

     "Principal": {

     "Service": [

     "ssm.amazonaws.com"

     ]

     },

     "Action": "sts:AssumeRole"

     }

     ]

    }

    EOF

     

    1.  Define the policy document:

    $ cat <<EOF > agent-policy-document.json

    {

     "Version": "2012-10-17",

     "Statement": [

     {

     "Sid": "SsmControlChannel",

     "Effect": "Allow",

     "Action": [

     "ssmmessages:CreateControlChannel"

     ],

     "Resource": "arn:aws:eks:*:*:cluster/*"

     },

     {

     "Sid": "ssmDataplaneOperations",

     "Effect": "Allow",

     "Action": [

     "ssmmessages:CreateDataChannel",

     "ssmmessages:OpenDataChannel",

     "ssmmessages:OpenControlChannel"

     ],

     "Resource": "*"

     }

     ]

    }

    EOF

     

    1. Create the Amazon EKS Connector agent role:

    $ aws iam create-role \

     --role-name eks-connector-agent \

     --assume-role-policy-document file://agent-trust-policy.json

     

    1. Attach the policy to the Amazon EKS Connector agent role:

    $ aws iam put-role-policy \

     --role-name eks-connector-agent \

     --policy-name eks-connector-agent-policy \

     --policy-document file://agent-policy-document.json