The following steps describe how to connect an on-premises Amazon EKS Anywhere cluster that is deployed with PowerFlex storage to the AWS EKS Connector.
Before getting started the EKS Connector registration, the necessary roles and policies in AWS IAM need to be created.
i Service-linked role for Amazon EKS
ii EKS-Connector-agent role
Service-linked role – This role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other AWS services.
EKS-connector-agent Role – This IAM role allows the EKS connector agent to interact with AWS Systems Manager Agent (SSM) service. This IAM role is used by the EKS Connector agent on the Kubernetes cluster to connect to the SSM service on AWS.
For more information about creating the role and policy, see the appendix section.
The cluster registration process involves two steps:
Run the following command to apply the downloaded eks-connector.yaml.
$ kubectl apply -f eks-connector.yaml
The EKS Connector runs as a StatefulSet on your Kubernetes cluster. It establishes a connection and proxies the communication between the API server of your EKS Anywhere cluster and Amazon Web Services. It does this connection to display cluster data in the Amazon EKS console until you disconnect the cluster from AWS.
The manifest file that is generated from registering a cluster contains the following components:
InitContainer: This container registers the EKS Connector agent with the Systems Manager control plane service and persists the registration information in the Kubernetes backend data store. InitContainer mounts this data to the EKS Connector agent volume when it is recycled. This eliminates the need for registration whenever a pod is recycled.
EKS Connector agent: This is an agent based on the SSM agent, running in container mode. This agent creates an outbound connection from the Kubernetes cluster to the AWS network. All subsequent requests from AWS are performed using the connection channels that are established by the EKS Connector agent.
Connector proxy: This agent acts as a proxy between the EKS Connector agent and Kubernetes API Server. This proxy agent uses the Kubernetes service account to impersonate the IAM user that accesses the console and fetches information from the Kubernetes API Server.
The EKS connector agent interacts with the SSM service, which in turn interacts with EKS service using EventBridge. To facilitate these interactions, the EKS connector agent role is required with appropriate permissions to create, open, and control the SSM channels.
Upon successful registration, the changes can be seen in the AWS EventBridge services. A new event rule with the pattern of registration and deregistration is created under the default event bus.
This is a YAML consisting of cluster roles and bindings for the cluster to be registered. It gives access to all namespaces and resources that can be visualized in the console.
Download and apply the eks-connector-console-dashboard-full-access.yaml file:
$ curl -o eks-connector-console-dashboard-full-access-group.yaml https://s3.us-west-2.amazonaws.com/amazon-eks/eks-connector/manifests/eks-connector-console-roles/eks-connector-console-dashboard-full-access-group.yaml
$ kubectl apply -f eks-connector-console-dashboard-full-access.yaml
This is a YAML consisting of cluster roles and bindings for the cluster to be registered.
Download and apply eks-connector-clusterrole:
$ curl -o eks-connector-clusterrole.yaml https://s3.us-west-2.amazonaws.com/amazon-eks/eks-connector/manifests/eks-connector-console-roles/eks-connector-clusterrole.yaml
$ kubectl apply -f eks-connector-clusterrole.yaml
Dashboard: After the Kubernetes cluster has been registered successfully with the EKS Connector, the EKS Cluster Overview section shows all the Cluster resources. All the objects are read-only and the user cannot edit or delete an object in the registered cluster. The following figure shows the dashboard of the EKS console:
Compute: The Compute section shows all the Node resources in the EKS Anywhere Cluster as shown in the following figure:
Workloads: The Workloads section displays all objects of Type: Deployment, DaemonSet, and StatefulSet. Users can select these objects to select a pod-level overview as shown in the following figure: