Amazon Elastic Kubernetes Service integration
Scan clusters running in Amazon Elastic Kubernetes Service (EKS). The integration uses the Kubescape CLI to scan the clusters and run commands.
The Amazon Web Services (AWS) integration is built on the official AWS SDK for Go.
Set up authentication
Authentication must be defined in the local execution context of Kubescape.
If you run Kubescape on an Amazon Elastic Compute Cloud (EC2) instance, you can authenticate with an IAM role through the EC2 metadata service.
Otherwise, from the AWS Command Line Interface (AWS CLI), run the following commands:
- Configure AWS keys by running aws configure and entering your keys at the prompts:
  AWS Access Key ID [****************XXXX]:
  AWS Secret Access Key [****************XXXX]:
- Press Enter to confirm each value.
- Ensure that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are configured properly:
  cat ~/.aws/credentials
The Kubescape EKS integration works automatically from any shell where you access your cluster.
Set the cloud region
The KS_CLOUD_REGION environment variable is required to determine your cluster's region. If this variable is not set, Kubescape tries to derive the region from the cluster's name.
We recommend also setting the KS_CLOUD_PROVIDER environment variable to eks.
- Configure the region name at the aws configure prompt:
  Default region name []: (cluster default region)
- Ensure that the region is configured:
  cat ~/.aws/config
Verify your connection and IAM roles
Run the following to ensure that you have cluster access:
kubectl get nodes
Run the following command in the AWS CLI to verify that your IAM identity has permission to describe your cluster:
aws eks describe-cluster --name <cluster-name> --region <cluster region>
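The credential, region and access checks above, collected into one preflight script. This is an added example, not ARMO's or Kubescape's own code; it assumes aws and kubectl are on PATH and that the current kube-context was created by aws eks update-kubeconfig, whose context names are cluster ARNs (arn:aws:eks:<region>:<account>:cluster/<name>), which is how the region fallback and the cluster name are derived here.

```shell
#!/bin/sh
# Preflight check for the Kubescape EKS integration (added example, not ARMO's script).
# Assumption: the current kube-context name is the EKS cluster ARN, as written by
# `aws eks update-kubeconfig`: arn:aws:eks:<region>:<account>:cluster/<name>.

# Resolve the region in the order the page describes: KS_CLOUD_REGION wins, otherwise
# fall back to the region field of the ARN-style context name. Returns 1 if neither works.
resolve_region() {
  ctx="$1"
  if [ -n "${KS_CLOUD_REGION:-}" ]; then
    printf '%s\n' "$KS_CLOUD_REGION"
    return 0
  fi
  case "$ctx" in
    arn:aws*:eks:*:*:cluster/*) printf '%s\n' "$ctx" | cut -d: -f4; return 0 ;;
  esac
  return 1
}

# True when an access-key pair is available, either exported in the environment or
# stored in the shared credentials file (default ~/.aws/credentials, written by aws configure).
credentials_present() {
  credfile="${1:-$HOME/.aws/credentials}"
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    return 0
  fi
  [ -r "$credfile" ] && grep -q '^aws_access_key_id' "$credfile" \
                     && grep -q '^aws_secret_access_key' "$credfile"
}

# Run the page's checks in order: credentials, region, kubectl access, then the IAM
# permission check via describe-cluster. Optional $1 overrides the cluster name.
preflight() {
  ctx=$(kubectl config current-context) || { echo "no current kube-context" >&2; return 1; }
  credentials_present || { echo "AWS credentials not found; run aws configure" >&2; return 1; }
  region=$(resolve_region "$ctx") || { echo "set KS_CLOUD_REGION for context $ctx" >&2; return 1; }
  name="${1:-${ctx##*/}}"          # cluster name is the last path segment of the ARN
  export KS_CLOUD_PROVIDER=eks KS_CLOUD_REGION="$region"
  kubectl get nodes >/dev/null || { echo "kubectl cannot reach the cluster" >&2; return 1; }
  aws eks describe-cluster --name "$name" --region "$region" >/dev/null \
    || { echo "IAM identity cannot describe cluster $name in $region" >&2; return 1; }
  echo "preflight OK: cluster=$name region=$region"
}

# Only run the live checks when asked, so the functions can also be sourced and reused.
if [ "${KS_PREFLIGHT_RUN:-0}" = "1" ]; then
  preflight "$@"
fi
```

Run it with KS_PREFLIGHT_RUN=1 from the shell you use to reach the cluster; a failing step names which of the page's prerequisites is missing.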
Integrate with the ARMO in-cluster microservice
Authorize the ARMO in-cluster component to access Amazon Elastic Container Registry (ECR) for container vulnerability scanning and Amazon EKS for Kubernetes risk assessment. IAM roles for service accounts (IRSA) support both authorizations.
The script that sets up the AWS IAM authorization is provided in this recipe.