DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

Amazon EKS (Kubernetes)

Overview

DivvyCloud is pleased to include support for Kubernetes (K8s) — the world’s leading open-source container-orchestration system for automating deployment, scaling, and management of containerized applications. This page includes instructions for adding one or more Amazon EKS clusters to DivvyCloud using the steps detailed below.

Steps for Adding an Amazon EKS Cluster

📘 Installation Notes

These instructions assume that you are connecting to your K8s environment from a system where ‘kubectl’ is installed and that has network access to the EKS cluster.

Important Note: If you are onboarding an EKS cluster whose API endpoint is on a private IP address, you must validate that VPC Peering or a Transit Gateway is configured and enabled between the cluster's VPC and the environment where DivvyCloud is installed. This ensures that the EKS server endpoint is reachable from DivvyCloud. If you have questions or concerns about your configuration, reach out to us at [email protected]

1. Download the aws-auth ConfigMap YAML that allows the worker nodes to join the cluster:
curl -O https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2018-08-30/aws-auth-cm.yaml

2. Go to your EKS console and grab the role ARN for your cluster:

3. Update the YAML file you just downloaded (aws-auth-cm.yaml) with the ARN from Step 2.

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <Role ARN for the Cluster (highlighted in step 2)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes

4. Apply the updated YAML to the cluster:
kubectl apply -f aws-auth-cm.yaml

Expected output:
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
configmap/aws-auth configured

5. Download the ‘create_admin.sh’ script:
curl -sO http://get.divvycloud.com/kubernetes/create_admin.sh

❗️ For non-Ubuntu Linux

The script is made to run on Ubuntu. If you're running on another flavor of Linux, please run

sed -i 's/base64 -D/base64 -d/g' ./create_admin.sh

The base64 utility's decode flag differs between operating systems: GNU coreutils base64 (used by most Linux distributions) takes -d, while macOS base64 takes -D.

6. Run the script to connect to your EKS cluster and generate the YAML/configuration needed to add the cluster to DivvyCloud.

Usage: sh ./create_admin.sh <username> kube-system
The <username> can be anything you choose; 'divvycloud' is recommended:

sh ./create_admin.sh divvycloud kube-system

Expected output:

$> sh ./create_admin.sh divvycloud kube-system

Creating target directory to hold files in /tmp/kube...done
Creating a service account: <username> on namespace: kube-system
serviceaccount "divvycloud" created
Getting secret of service account <username>-kube-system
Secret name: <username>-token-2p7fx
Extracting ca.crt from secret...done
Getting user token from secret...done
Setting current context to: aws
Cluster name: kubernetes
Endpoint: https://978A955EE0F90F7059AD9670DF329A8A.sk1.us-east-1.eks.amazonaws.com
Preparing k8s-<username>-kube-system-conf
Setting a cluster entry in kubeconfig...Cluster "kubernetes" set.
Setting token credentials entry in kubeconfig...User "<username>-kube-system-kubernetes" set.
Setting a context entry in kubeconfig...Context "<username>-kube-system-kubernetes" created.
Setting the current-context in the kubeconfig file...Switched to context "<username>-kube-system-kubernetes".
All done! Test with:
KUBECONFIG=/tmp/kube/k8s-<username>-kube-system-conf kubectl get pods
you should not have any permissions by default - you have just created the authentication part
You will need to create RBAC permissions
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kube-system:divvycloud" cannot list pods in the namespace "kube-system"

❗️ The Forbidden error at the end of the output above is expected. The script has only created the service account and its authentication credentials; the account has no RBAC permissions until Step 7 grants them.

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kube-system:divvycloud" cannot list pods in the namespace "kube-system"
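As an added example (not DivvyCloud's create_admin.sh, whose internals this page does not show), the following POSIX shell script assembles a service-account kubeconfig from the pieces the script's output above says it extracts: the cluster endpoint, the ca.crt field of the service account secret (kept base64-encoded, as kubeconfig expects), and the token field (stored base64-encoded in the secret, decoded for kubeconfig). Its b64dec helper probes for the GNU -d flag and falls back to -D, which is the portability problem the non-Ubuntu note above describes. The endpoint, CA and token values in the demo call are constructed placeholders, not real cluster data; the entry names follow the output shown above.

```shell
#!/bin/sh
# Added example: assemble a service-account kubeconfig the way the
# create_admin.sh output describes. Not DivvyCloud's own script.
set -eu

# Portable base64 decode. GNU coreutils (Ubuntu and most Linux) takes -d;
# macOS base64 historically takes -D. Probe with a known value first.
b64dec() {
  if printf 'dGVzdA==' | base64 -d >/dev/null 2>&1; then
    base64 -d
  else
    base64 -D
  fi
}

# build_kubeconfig OUTFILE ENDPOINT CA_B64 TOKEN_B64 USERNAME NAMESPACE
#   ENDPOINT  - the EKS API server URL
#   CA_B64    - the ca.crt field of the service account secret (base64)
#   TOKEN_B64 - the token field of the secret (base64; decoded here)
# Writes the kubeconfig to OUTFILE and prints the context name.
build_kubeconfig() {
  out=$1; endpoint=$2; ca_b64=$3; token_b64=$4; user=$5; ns=$6
  cluster=kubernetes                      # cluster entry name, as in the output above
  credname="${user}-${ns}-${cluster}"     # user entry name, as in the output above
  ctx="${user}-${ns}-${cluster}"          # context name, as in the output above
  token=$(printf '%s' "$token_b64" | b64dec)

  # The file carries a bearer token: create it owner-readable only.
  umask 077
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${endpoint}
    certificate-authority-data: ${ca_b64}
users:
- name: ${credname}
  user:
    token: ${token}
contexts:
- name: ${ctx}
  context:
    cluster: ${cluster}
    user: ${credname}
current-context: ${ctx}
EOF
  printf '%s\n' "$ctx"
}

# Demo with constructed values: the endpoint and CA string are placeholders,
# not real cluster data; 'c2FtcGxlLXRva2Vu' is base64 for 'sample-token'.
CONF="${TMPDIR:-/tmp}/k8s-divvycloud-kube-system-conf"
build_kubeconfig "$CONF" \
  "https://EXAMPLE0000000000000000000000000.sk1.us-east-1.eks.amazonaws.com" \
  "Q09OU1RSVUNURUQtQ0EtUExBQ0VIT0xERVI=" \
  "c2FtcGxlLXRva2Vu" divvycloud kube-system
echo "Test with: KUBECONFIG=$CONF kubectl get pods"
```

The generated file is equivalent to what the script's "Test with:" line points at, and the same Forbidden error is expected from it until the RBAC binding in Step 7 is applied. Because the file embeds a long-lived bearer token for the service account, the script creates it with mode 0600; keep the same protection when you later copy it to ~/.kube/config.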

7. Apply a role to the service account we’ve just created. Download the role.yaml config file:
curl -sO http://get.divvycloud.com/kubernetes/role.yaml

8. Update role.yaml to substitute YOUR-USERNAME-HERE with the username you used in Step 6 (e.g., 'divvycloud').

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: YOUR-USERNAME-HERE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: YOUR-USERNAME-HERE
  namespace: kube-system

9. Use the ‘role.yaml’ file to modify the permissions for the previously created service account:
kubectl apply -f role.yaml

Expected output:
$> kubectl apply -f role.yaml
clusterrolebinding.rbac.authorization.k8s.io divvycloud created
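Steps 3 and 8 both substitute a value into a downloaded YAML template by hand. As an added example (not DivvyCloud's aws-auth-cm.yaml or role.yaml), this POSIX shell script renders both documents from parameters and validates the inputs first: the role ARN must have the IAM role shape with a 12-digit account id, and the service account and namespace names must be valid DNS-1123 labels, which is what Kubernetes requires for those objects. It emits the ClusterRoleBinding with the rbac.authorization.k8s.io/v1 API version rather than the v1beta1 shown in the page's role.yaml (v1beta1 was removed in Kubernetes 1.22), and takes the ClusterRole name as a parameter so the page's cluster-admin binding can be compared with a binding to the built-in read-only view role. The ARN and names in the demo calls are constructed placeholders.

```shell
#!/bin/sh
# Added example: render the aws-auth ConfigMap (step 3) and the
# ClusterRoleBinding (step 8) from parameters, with input validation.
# Not DivvyCloud's own aws-auth-cm.yaml or role.yaml.
set -eu

# IAM role ARN check: arn:<partition>:iam::<12-digit account>:role/<name>
valid_role_arn() {
  arn=$1
  case $arn in
    arn:aws:iam::*:role/?*|arn:aws-*:iam::*:role/?*) ;;
    *) return 1 ;;
  esac
  rest=${arn#arn:*:iam::}      # strip up to and including 'iam::'
  acct=${rest%%:*}             # account id is the field before the next ':'
  case $acct in *[!0-9]*) return 1 ;; esac
  [ ${#acct} -eq 12 ]
}

# DNS-1123 label check, as Kubernetes applies to ServiceAccount and
# namespace names: 1-63 chars, [a-z0-9-], must start and end alphanumeric.
valid_k8s_name() {
  name=$1
  [ ${#name} -ge 1 ] && [ ${#name} -le 63 ] || return 1
  case $name in
    -*|*-) return 1 ;;
    *[!a-z0-9-]*) return 1 ;;
  esac
  return 0
}

# render_aws_auth ROLE_ARN -> aws-auth ConfigMap on stdout.
# {{EC2PrivateDNSName}} is a literal that EKS expands per node; keep it as-is.
render_aws_auth() {
  arn=$1
  valid_role_arn "$arn" || { echo "not an IAM role ARN: $arn" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: ${arn}
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
EOF
}

# render_binding USERNAME NAMESPACE CLUSTERROLE -> ClusterRoleBinding on stdout.
# The page's role.yaml binds cluster-admin; 'view' is the built-in read-only role.
render_binding() {
  user=$1; ns=$2; role=$3
  valid_k8s_name "$user" || { echo "invalid service account name: $user" >&2; return 1; }
  valid_k8s_name "$ns" || { echo "invalid namespace: $ns" >&2; return 1; }
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${user}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- kind: ServiceAccount
  name: ${user}
  namespace: ${ns}
EOF
}

# Demo with constructed values (placeholder account id and role name).
render_aws_auth "arn:aws:iam::123456789012:role/example-eks-node-role"
echo "---"
render_binding divvycloud kube-system cluster-admin
```

Redirect each function's output to a file and apply it with kubectl apply -f as in Steps 4 and 9. The cluster-admin binding on this page gives the DivvyCloud service account full control of the cluster; binding view instead limits it to read access (get, list, watch on most resources). Whether read-only access is sufficient for DivvyCloud's harvesting is not stated on this page, so check with the vendor before narrowing the role on a production cluster.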

10. A temporary config file was created by the create_admin script. Copy it to your current config directory (this overwrites any existing ~/.kube/config, so back that file up first if you use one).
Usage: cp /tmp/kube/k8s-<username>-kube-system-conf ~/.kube/config

cp /tmp/kube/k8s-divvycloud-kube-system-conf ~/.kube/config

11. Verify connectivity to the cluster:
kubectl get all

Expected sample output (if there are no errors):
$> kubectl get all
NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.100.0.1                 443/TCP   29m

12. Use the verified ‘~/.kube/config’ configuration above as the YAML input for DivvyCloud in the steps below. The file contains the service account's bearer token, so handle it as a credential:
cat ~/.kube/config

Steps for Setup in DivvyCloud

Once you have your config file, you'll need to add it to DivvyCloud on the K8s onboarding page.

1. Go to your DivvyCloud account.
2. Navigate to Clouds under Cloud on the left-side navigation menu. Click on Add Cloud in the upper right.

3. Enter your Kubernetes Information

  • Select Kubernetes in the Select Technology dropdown.
  • Name your Kubernetes cluster.
  • Paste in your Kubernetes configuration. Note that the configuration must be in YAML format.
  • Click Submit.

4. Confirm

You should see a screen that indicates you have successfully added a cloud account. DivvyCloud will begin harvesting immediately and the data should start to surface after five minutes or so depending upon the size of your Kubernetes cluster.

Updated 2 months ago
