Register AWS EKS Cluster

In the case of the gopaddle community edition, the installer automatically registers the local Kubernetes cluster in gopaddle. Upon upgrading the community edition to a paid version, you can register additional clusters with gopaddle and start managing them centrally from the gopaddle dashboard.

In the case of the SaaS or Enterprise edition, follow this section to register a cluster.

If you already have a managed Kubernetes cluster like Amazon EKS or Azure AKS or an on-premise Kubernetes cluster, you can register and manage the cluster in gopaddle.

Supported Kubernetes versions: v1.20, v1.20, v1.22

Currently gopaddle uses an SSH tunnel via a Bastion Host to connect to a cluster whose Kubernetes API endpoint is private-only. This requires the SSH port on the Bastion Host to be open to the public internet. For AWS EKS clusters, gopaddle is working on Secure Systems Manager (SSM) session based tunnelling to connect to a private-only EKS cluster. This is a work in progress and will be rolled out in future releases.

Registering an AWS EKS Cluster with gopaddle

  1. Create an IAM User with least privileges. This user is referred to below as the gopaddle IAM User; its credentials will be used to register the EKS cluster with gopaddle.

    1. Create an IAM policy with the least privileges as defined here.

    2. Create an IAM User with programmatic API access and attach the IAM policy defined above.

    3. Grab the Access Key and the Secret Key of the IAM User. These credentials will be used to register the EKS Cluster in gopaddle.

  2. Connect to the Kubernetes API server from your local desktop environment and update the Kubernetes Role Based Access Control (RBAC) configuration to allow the gopaddle IAM User to access Kubernetes resources.

    1. Install AWS CLI in your local environment

    2. Install kubectl in your local environment

  3. Create a ClusterRole and a ClusterRoleBinding

    The gopaddle IAM User needs a few permissions to discover and create Kubernetes resources.

    kubectl apply -f https://gp-cloudformation-roles.s3.amazonaws.com/gp-external-eks-cluster-role.yaml
    kubectl apply -f https://gp-cloudformation-roles.s3.amazonaws.com/gp-external-eks-cluster-rolebinding.yaml

  4. Update the aws-auth configMap with the ClusterRole and the gopaddle IAM User.

    kubectl edit cm aws-auth -n kube-system

  5. Edit the contents as shown below to include a mapUsers section. Replace AWS_ACCOUNT_ID with the account ID of the EKS cluster and GOPADDLE_IAM_USERNAME with the name of the IAM User created in step (1).

    apiVersion: v1
    data:
    ...
      mapUsers: |
        - userarn: arn:aws:iam::<AWS_ACCOUNT_ID>:user/<GOPADDLE_IAM_USERNAME>
          username: <GOPADDLE_IAM_USERNAME>
          groups:
            - gopaddle
    kind: ConfigMap

  6. Register the cluster with gopaddle

    1. In the gopaddle UI, navigate to the Environments section

    2. Click on Add a Cluster and select Register an external Cluster

      In the General Step, ensure the Cluster Name is the same as the EKS cluster name in the AWS Console and choose AWS as the Cluster Provider.

    3. In the Authentication Step, provide the gopaddle IAM User access credentials and the cluster access details.

      1. For an EKS cluster with a public or public/private access endpoint: provide the Certificate Authority data, the gopaddle IAM User credentials created in step 1, the EKS cluster endpoint and the ARN details.

      2. For an EKS cluster with a private access endpoint: select Skip TLS Verification and provide the gopaddle IAM User credentials created in step 1, the EKS cluster endpoint and the ARN details.

    4. In the Bastion Host Step, either skip or configure the bastion host details based on the EKS cluster access type.

      1. For an EKS cluster with a public or public/private access endpoint: in the Bastion Host Step, skip the "Use Bastion Host?" option and click Finish.

      2. For an EKS cluster with a private access endpoint: provide the bastion host public IP and SSH port, upload the bastion host PEM file and click Finish.

  7. (Optional) From the AWS Dashboard, open the firewall ports listed below in the Cluster security group of the EKS cluster.

| Port  | Destination | Purpose |
|-------|-------------|---------|
| 32000 | 0.0.0.0/0 if you are accessing the Grafana dashboard from a public network; \<VPN CIDR Range\> if you are accessing the Grafana dashboard from within your VPN. | Grafana Dashboard |
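The following shell script is an added example (not part of the gopaddle docs) for steps 4 and 5 above: it validates the account ID and user name, builds the mapUsers entry for the gopaddle IAM User, and checks an existing aws-auth ConfigMap so the same user ARN is not mapped twice. The function names and the sample ConfigMap are constructed for this example.

```shell
#!/bin/sh
# Added example: build the aws-auth mapUsers entry for the gopaddle IAM User
# and check an existing ConfigMap before adding it. Function names and the
# sample ConfigMap below are constructed for this example.
set -eu

# Returns 0 when account_id is a 12-digit AWS account ID and username uses
# only the characters IAM allows in a user name (max 64); returns 1 otherwise.
validate_inputs() {
  local account_id="$1" username="$2"
  case "$account_id" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) return 1 ;;
  esac
  printf '%s' "$username" | grep -Eq '^[A-Za-z0-9+=,.@_-]{1,64}$'
}

# Prints the list item to place under data.mapUsers, mapping the user ARN
# to the "gopaddle" group bound by the ClusterRoleBinding from step 3.
build_map_users_entry() {
  local account_id="$1" username="$2"
  validate_inputs "$account_id" "$username" || return 1
  printf '%s\n%s\n%s\n%s\n' \
    "- userarn: arn:aws:iam::${account_id}:user/${username}" \
    "  username: ${username}" \
    "  groups:" \
    "    - gopaddle"
}

# Reads aws-auth ConfigMap YAML from stdin (for example the output of
# `kubectl get cm aws-auth -n kube-system -o yaml`) and returns 0 when the
# user ARN is already mapped, so a second edit does not duplicate the entry.
already_mapped() {
  local account_id="$1" username="$2"
  grep -Fq -- "userarn: arn:aws:iam::${account_id}:user/${username}"
}

# Constructed sample aws-auth ConfigMap (not taken from a real cluster).
SAMPLE_AWS_AUTH='apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/gopaddle-user
      username: gopaddle-user
      groups:
        - gopaddle
'
```

Pipe the live ConfigMap into `already_mapped` before pasting the output of `build_map_users_entry` into `kubectl edit`.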

Firewall Access

gopaddle connects to the Kubernetes cluster using the endpoint specified at the time of registration. Hence ensure that an INBOUND (INGRESS) firewall rule allows traffic to the Kubernetes master IP and port from the global CIDR (0.0.0.0/0).

When registering the cluster via a Bastion Host, ensure that an INGRESS firewall rule allows traffic to the SSH server IP and SSH tunnel port from the global CIDR (0.0.0.0/0).