# AWS EKS
The AWS EKS connector integrates Amazon Elastic Kubernetes Service (EKS) cluster management into the Swimlane Turbine platform. Amazon EKS is a fully managed Kubernetes service that runs the Kubernetes control plane on AWS. The connector lets Turbine playbooks automate the lifecycle of EKS clusters (creation, configuration, and deletion) without manual console work, so security teams can drive cluster provisioning, hardening, and tear-down from the same automation that runs their response processes.

Every action in this connector is a control-plane operation against the AWS account: it can create clusters, delete them, change who may reach the Kubernetes API server endpoint, and grant IAM principals access to a cluster. Treat the credentials you configure here as privileged and scope them to exactly the actions your playbooks use.

## Limitations

None to date.

## Supported versions

This connector supports the AWS EKS API version used by boto3.

## Additional docs

For more information, refer to the AWS EKS API documentation: https://docs.aws.amazon.com/eks/latest/APIReference/

## Configuration

### Prerequisites

To use the AWS EKS connector within Swimlane Turbine, ensure you have the following AWS authentication credentials:

- Access Key: your AWS IAM user's access key ID
- Secret Key: your AWS IAM user's secret access key
- Region Name: the AWS region where your EKS clusters are deployed

### Authentication methods

This connector supports the following authentication method:

- AWS EKS Authentication

### Setup instructions

#### Obtaining AWS credentials

To use this integration you need an AWS account and AWS credentials for an IAM principal. To create an access key for an IAM user:

1. Log in to your AWS account and open the IAM console.
2. In the left navigation pane, choose **Users** and select the user for which you want to create credentials.
3. Open the **Security credentials** tab and choose **Create access key**.
4. Save the access key ID and secret access key in a secure location; the secret access key is shown only once and cannot be retrieved after this step.

If you want the connector to assume an IAM role rather than act directly as the user, you also need the ARN of that role and, if the AWS account administrator set one on the role's trust policy, its external ID. An access key is a long-lived credential, so rotate it on a schedule. When the clusters live in a different AWS account, prefer the role-assumption path (Role ARN plus External ID): the external ID stops a third party who knows the role ARN from getting your Turbine instance to assume the role on their behalf (the confused-deputy problem).

#### Permissions

The IAM user (or the role it assumes) needs permission for the EKS API operations the connector calls. To attach a policy:

1. Open the IAM management console.
2. Navigate to the user or role that requires the permission.
3. Open the **Permissions** tab and choose **Add permissions** at the top right of the permissions block.
4. Choose **Attach policies**, select the policy that grants the EKS permissions below, and choose **Add permissions** at the bottom right.

The IAM actions behind this connector's capabilities are `eks:CreateCluster`, `eks:DeleteCluster`, `eks:DescribeCluster`, `eks:ListClusters`, `eks:CreateAccessEntry`, `eks:RegisterCluster` and `eks:UpdateClusterConfig`. Create Cluster additionally requires `iam:PassRole` on the cluster role you pass as `roleArn`, because EKS must be allowed to use that role on your behalf. A policy limited to these actions (and, where practical, to specific cluster ARNs) is preferable to a broad managed policy; a Secrets Manager policy grants none of these permissions.

#### Troubleshooting tips

Verify that the provided credentials are correct and have the necessary permissions. An `AccessDeniedException` from EKS names the action that was refused; an `InvalidParameterException` usually means a value in the wrong format, such as the access entry `type` or the `include` value of List Clusters.

## Capabilities

This connector provides the following capabilities:

- Create Cluster
- Delete Cluster
- Describe Cluster
- List Clusters
- Create Access Entry
- Register Cluster
- Update Cluster Config

### Action 1: Create Cluster

Additional information: Creates an Amazon EKS control plane.

### Action 2: Delete Cluster

Additional information: Deletes an Amazon EKS cluster control plane.

### Action 3: Describe Cluster

Additional information: Describes an Amazon EKS cluster.

### Action 4: List Clusters

Additional information: Lists the Amazon EKS clusters in your Amazon Web Services account in the specified Amazon Web Services Region.

### Action 5: Create Access Entry

Additional information: Creates an access entry.

### Action 6: Register Cluster

Additional information: Connects a Kubernetes cluster to the Amazon EKS control plane.

### Action 7: Update Cluster Config

Additional information: Updates an Amazon EKS cluster configuration. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with DescribeUpdate.

For more detailed information on each action, refer to the AWS EKS API documentation (https://docs.aws.amazon.com/eks/latest/APIReference/) and the boto3 EKS reference (https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/eks.html).

## Configurations

### AWS EKS Authentication

Authenticates using AWS credentials.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| Access Key | AWS access key | string | required |
| Secret Key | AWS secret key | string | required |
| Region Name | The AWS region where you want to create new connections | string | required |
| Role ARN | Optional role ARN to assume. Leave blank unless tasks need to assume a different role | string | optional |
| External ID | External ID used when assuming the IAM role. Optional value that can be added to, or removed from, the trust relationships of the target role | string | optional |
| Session Token | Use if a session token is provided when switching roles | string | optional |
| Role Session Name | Defaults to `SessionFromSwimlane-<hash>` when no value is provided. The value appears in CloudTrail as the assumed-role session name, so a descriptive name makes connector activity attributable | string | optional |

## Actions

### Create Access Entry

Creates an access entry in AWS EKS for a specified cluster and principal ARN. An access entry is a grant of Kubernetes API access to an IAM principal; the `kubernetesGroups` you attach decide the RBAC it receives, and EKS does not validate them, so a misspelled group silently grants nothing while a value such as `system:masters` grants cluster-admin.

Endpoint method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| clusterName | string | required | The name of your cluster |
| principalArn | string | required | The ARN of the IAM principal for the access entry. You can specify one ARN for each access entry; you cannot specify the same ARN in more than one access entry. This value cannot be changed after access entry creation |
| kubernetesGroups | array | optional | The value for `name` that you have specified for `kind: Group` as a subject in a Kubernetes RoleBinding or ClusterRoleBinding object. Amazon EKS does not confirm that the value for `name` exists in any bindings on your cluster. You can specify one or more names |
| tags | object | optional | Metadata that assists with categorization and organization. Each tag consists of a key and an optional value; you define both. Tags do not propagate to any other cluster or Amazon Web Services resources |
| tags[key] | string | optional | One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values |
| clientRequestToken | string | optional | A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This field is auto-populated if not provided |
| username | string | optional | The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you |
| type | string | optional | The type of the new access entry. Valid values are `STANDARD`, `FARGATE_LINUX`, `EC2_LINUX`, and `EC2_WINDOWS` |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| accessEntry | object | The created access entry |
| clusterName | string | Name of the cluster |
| principalArn | string | ARN of the IAM principal |
| kubernetesGroups | array | Kubernetes groups attached to the entry |
| accessEntryArn | string | ARN of the access entry |
| createdAt | string | Creation timestamp |
| modifiedAt | string | Last modification timestamp |
| tags | object | Tags on the access entry |
| username | string | Kubernetes username assigned to the principal |
| type | string | Access entry type |

#### Example

```json
[
  {
    "accessEntry": {
      "clusterName": "string",
      "principalArn": "string",
      "kubernetesGroups": [],
      "accessEntryArn": "string",
      "createdAt": "2015-01-01T00:00:00",
      "modifiedAt": "2015-01-01T00:00:00",
      "tags": {},
      "username": "string",
      "type": "string"
    }
  }
]
```

### Create Cluster

Creates an Amazon EKS control plane with the specified name, role ARN, and VPC configuration.

Defaults to be aware of: if `endpointPublicAccess` is true and `publicAccessCidrs` is omitted, EKS allows `0.0.0.0/0`; control plane logging is off unless `logging` enables it; and Kubernetes Secrets are envelope-encrypted with your KMS key only when `encryptionConfig` lists `secrets` together with the key ARN. Endpoint access and logging can be changed later with Update Cluster Config, but that action cannot add encryption, so set it here.

Endpoint method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | The unique name to give to your cluster |
| version | string | optional | The desired Kubernetes version for your cluster. If not specified, the default version available in Amazon EKS is used |
| roleArn | string | required | The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf |
| resourcesVpcConfig | object | required | The VPC configuration that's used by the cluster control plane |
| subnetIds | array | optional | A list of subnet IDs |
| securityGroupIds | array | optional | A list of security group IDs |
| endpointPublicAccess | boolean | optional | Indicates whether the endpoint is publicly accessible |
| endpointPrivateAccess | boolean | optional | Indicates whether the endpoint is privately accessible |
| publicAccessCidrs | array | optional | A list of CIDR blocks for public access |
| kubernetesNetworkConfig | object | optional | The Kubernetes network configuration for the cluster |
| serviceIpv4Cidr | string | optional | The CIDR block for the Kubernetes service IP addresses |
| ipFamily | string | optional | The IP family used for the cluster |
| logging | object | optional | Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs |
| clusterLogging | array | optional | The cluster logging configuration |
| types | array | optional | The types of logs to export |
| enabled | boolean | optional | Indicates whether the logging is enabled |
| clientRequestToken | string | optional | A unique, case-sensitive identifier that you provide to ensure the idempotency of the request |
| tags | object | optional | Metadata that assists with categorization and organization. Each tag consists of a key and an optional value |
| tags[key] | string | optional | The tag value |
| encryptionConfig | array | optional | The encryption configuration for the cluster |
| resources | array | optional | The resources to be encrypted |
| provider | object | optional | The encryption provider |
| keyArn | string | optional | The ARN of the key |
| outpostConfig | object | optional | An object representing the configuration of your local Amazon EKS cluster on an AWS Outpost |
| outpostArns | array | optional | A list of Outpost ARNs |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| cluster | object | The cluster object |
| name | string | Name of the cluster |
| arn | string | ARN of the cluster |
| createdAt | string | Creation timestamp |
| version | string | Kubernetes version |
| endpoint | string | Kubernetes API server endpoint |
| roleArn | string | ARN of the cluster IAM role |
| resourcesVpcConfig | object | VPC configuration |
| subnetIds | array | Subnet IDs |
| securityGroupIds | array | Security group IDs |
| clusterSecurityGroupId | string | Cluster security group ID |
| vpcId | string | VPC ID |
| endpointPublicAccess | boolean | Whether the public API server endpoint is enabled |
| endpointPrivateAccess | boolean | Whether the private API server endpoint is enabled |
| publicAccessCidrs | array | CIDR blocks allowed to reach the public endpoint |
| kubernetesNetworkConfig | object | Kubernetes network configuration |
| serviceIpv4Cidr | string | Service IPv4 CIDR |
| serviceIpv6Cidr | string | Service IPv6 CIDR |
| ipFamily | string | IP family |
| logging | object | Control plane logging configuration |
| clusterLogging | array | Logging configuration entries |
| types | array | Log types |
| enabled | boolean | Whether those log types are enabled |
| identity | object | Identity provider information |
| oidc | object | OIDC issuer information |

#### Example

```json
[
  {
    "cluster": {
      "name": "string",
      "arn": "string",
      "createdAt": "datetime(2015, 1, 1)",
      "version": "string",
      "endpoint": "string",
      "roleArn": "string",
      "resourcesVpcConfig": {},
      "kubernetesNetworkConfig": {},
      "logging": {},
      "identity": {},
      "status": "CREATING",
      "certificateAuthority": {},
      "clientRequestToken": "string",
      "platformVersion": "string",
      "tags": {}
    }
  }
]
```

### Delete Cluster

Deletes an Amazon EKS cluster control plane by name. The control plane is what this action removes: managed node groups and Fargate profiles attached to the cluster must be deleted first, and Services backed by load balancers should be removed before deletion so their AWS resources are not left orphaned. The deletion is irreversible, so playbooks should confirm the cluster name (for example with Describe Cluster) before calling it.

Endpoint method: DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | The name of the cluster to delete |

#### Output

A `cluster` object with the same fields as the Create Cluster output, reflecting the cluster's final state.

#### Example

```json
[
  {
    "cluster": {
      "name": "string",
      "arn": "string",
      "createdAt": "datetime(2015, 1, 1)",
      "version": "string",
      "endpoint": "string",
      "roleArn": "string",
      "resourcesVpcConfig": {},
      "kubernetesNetworkConfig": {},
      "logging": {},
      "identity": {},
      "status": "DELETING",
      "certificateAuthority": {},
      "clientRequestToken": "string",
      "platformVersion": "string",
      "tags": {}
    }
  }
]
```

### Describe Cluster

Retrieves detailed information about an Amazon EKS cluster by specifying the cluster name. The response is where you verify a cluster's posture (endpoint exposure, control plane logging, encryption configuration) before and after an Update Cluster Config.

Endpoint method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | The name of the Amazon EKS cluster to describe |

#### Output

A `cluster` object with the same fields as the Create Cluster output. `endpointPublicAccess`, `endpointPrivateAccess` and `enabled` are booleans.

#### Example

```json
[
  {
    "cluster": {
      "name": "string",
      "arn": "string",
      "createdAt": "datetime(2015, 1, 1)",
      "version": "string",
      "endpoint": "string",
      "roleArn": "string",
      "resourcesVpcConfig": {},
      "kubernetesNetworkConfig": {},
      "logging": {},
      "identity": {},
      "status": "CREATING | ACTIVE | DELETING | FAILED | UPDATING | PENDING",
      "certificateAuthority": {},
      "clientRequestToken": "string",
      "platformVersion": "string",
      "tags": {}
    }
  }
]
```

### List Clusters

Retrieves a list of Amazon EKS clusters available in the specified AWS region within your account.

Endpoint method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| maxResults | number | optional | The maximum number of results returned in paginated output. You receive `maxResults` in a single page, along with a `nextToken` response element. You can see the remaining results of the initial request by sending another request with the returned `nextToken` value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a `nextToken` value, if applicable, are returned |
| nextToken | string | optional | The `nextToken` value returned from a previous paginated request, where `maxResults` was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the `nextToken` value. This value is null when there are no more results to return. Note: this token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes |
| include | array | optional | Indicates whether external clusters are included in the returned list. Use `all` to return connected clusters, or blank to return only Amazon EKS clusters. `all` must be in lowercase, otherwise an error occurs |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| clusters | array | Cluster names |
| nextToken | string | Pagination token for the next page, absent when there are no more results |

#### Example

```json
[
  {
    "clusters": [
      "string"
    ],
    "nextToken": "string"
  }
]
```

### Register Cluster

Connects a Kubernetes cluster to the Amazon EKS control plane; requires the cluster name and connector configuration.

Endpoint method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | A unique name for this cluster in your AWS region |
| connectorConfig | object | required | The configuration settings required to connect the Kubernetes cluster to the Amazon EKS control plane |
| roleArn | string | required | The Amazon Resource Name (ARN) of the role to assume when connecting to the cluster |
| provider | string | required | The provider of the Kubernetes cluster. Valid values are `EKS_ANYWHERE`, `ANTHOS`, `GKE`, `AKS`, `OPENSHIFT`, `TANZU`, `RANCHER`, `EC2`, and `OTHER` |
| clientRequestToken | string | optional | A unique, case-sensitive identifier that you provide to ensure the idempotency of the request |
| tags | object | optional | Metadata that assists with categorization and organization. Each tag consists of a key and an optional value |
| tags[key] | string | optional | The tag value |

#### Output

A `cluster` object with the same fields as the Create Cluster output.

#### Example

```json
[
  {
    "cluster": {
      "name": "string",
      "arn": "string",
      "createdAt": "datetime(2015, 1, 1)",
      "version": "string",
      "endpoint": "string",
      "roleArn": "string",
      "resourcesVpcConfig": {},
      "kubernetesNetworkConfig": {},
      "logging": {},
      "identity": {},
      "status": "CREATING",
      "certificateAuthority": {},
      "clientRequestToken": "string",
      "platformVersion": "string",
      "tags": {}
    }
  }
]
```

### Update Cluster Config

Updates an Amazon EKS cluster configuration. The cluster keeps serving during the update, and the response carries an update ID for status tracking with DescribeUpdate. Changing `authenticationMode` is one-way in the direction of access entries: a cluster moved to `API_AND_CONFIG_MAP` or `API` cannot be moved back to `CONFIG_MAP`.

Endpoint method: PUT

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | The name of the Amazon EKS cluster to update |
| resourcesVpcConfig | object | optional | An object representing the VPC configuration to use for an Amazon EKS cluster |
| subnetIds | array | optional | The subnets associated with your cluster |
| securityGroupIds | array | optional | The security groups associated with your cluster |
| endpointPublicAccess | boolean | optional | Indicates whether the Amazon EKS public API server endpoint is enabled |
| endpointPrivateAccess | boolean | optional | Indicates whether the Amazon EKS private API server endpoint is enabled |
| publicAccessCidrs | array | optional | The CIDR blocks that are allowed access to your cluster's public API server endpoint |
| logging | object | optional | Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs |
| clusterLogging | array | optional | The cluster control plane logging configuration for your cluster |
| types | array | optional | The types of logs to enable |
| enabled | boolean | optional | Indicates whether the logging types are enabled |
| clientRequestToken | string | optional | A unique, case-sensitive identifier that you provide to ensure the idempotency of the request |
| accessConfig | object | optional | The access configuration for the cluster |
| authenticationMode | string | optional | The authentication mode for the cluster: `API`, `API_AND_CONFIG_MAP`, or `CONFIG_MAP` |
| upgradePolicy | object | optional | You can enable or disable extended support for clusters currently on standard support |
| supportType | string | optional | The support type for the cluster: `STANDARD` or `EXTENDED` |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| update | object | The update record |
| id | string | Update ID, used with DescribeUpdate |
| status | string | Update status |
| type | string | Update type |
| params | array | Parameters of the update |
| type | string | Parameter type |
| value | string | Parameter value |
| createdAt | string | Creation timestamp |
| errors | array | Errors, if any |
| errorCode | string | Error code |
| errorMessage | string | Error message |
| resourceIds | array | IDs of the resources the error applies to |

#### Example

```json
[
  {
    "update": {
      "id": "string",
      "status": "InProgress",
      "type": "VersionUpdate",
      "params": [],
      "createdAt": "2015-01-01T00:00:00Z",
      "errors": []
    }
  }
]
```
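The following is an added example for the AWS EKS Authentication configuration above; it is not the connector's own code. It turns the documented parameters (access key, secret key, region, optional role ARN, external ID, session token and role session name) into the credentials an EKS client should use, with the external ID passed to STS so a cross-account role can only be assumed by a caller that knows it. The hash input for the default session name, the 3600 second session duration, and the `cfg` dictionary keys are this example's assumptions; boto3 is imported only inside `eks_client()` so the other functions run without it.

```python
"""Credential resolution for the connector's AWS EKS Authentication parameters."""
import hashlib
import re

# STS limits RoleSessionName to 2-64 characters from this set.
_SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def default_session_name(access_key: str) -> str:
    """Mirror the documented default, SessionFromSwimlane-<hash>.

    Assumption: the hash is over the access key ID, so each configuration gets
    a stable, distinct session name that CloudTrail records without exposing
    the key itself.
    """
    digest = hashlib.sha256(access_key.encode()).hexdigest()[:12]
    return f"SessionFromSwimlane-{digest}"


def assume_role_params(cfg: dict) -> dict:
    """Translate the optional role fields into sts.assume_role keyword arguments."""
    name = cfg.get("role_session_name") or default_session_name(cfg["access_key"])
    if not _SESSION_NAME_RE.match(name):
        raise ValueError(f"invalid RoleSessionName: {name!r}")
    params = {
        "RoleArn": cfg["role_arn"],
        "RoleSessionName": name,
        "DurationSeconds": 3600,  # assumption; must not exceed the role's max session duration
    }
    # The external ID is the confused-deputy guard: STS refuses the call unless
    # it matches the sts:ExternalId condition in the target role's trust policy.
    if cfg.get("external_id"):
        params["ExternalId"] = cfg["external_id"]
    return params


def resolve_credentials(cfg: dict, sts_client) -> tuple:
    """Return (access_key_id, secret_access_key, session_token) for the EKS client.

    Without a role ARN the static credentials are used as-is, including the
    session token if the static pair is itself temporary. With a role ARN the
    static credentials only serve to call AssumeRole, and the short-lived role
    credentials are returned instead.
    """
    if not cfg.get("role_arn"):
        return cfg["access_key"], cfg["secret_key"], cfg.get("session_token")
    creds = sts_client.assume_role(**assume_role_params(cfg))["Credentials"]
    return creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"]


def eks_client(cfg: dict):
    """Build a boto3 EKS client from the connector configuration."""
    import boto3  # imported here so the functions above stay dependency-free

    base = boto3.Session(
        aws_access_key_id=cfg["access_key"],
        aws_secret_access_key=cfg["secret_key"],
        aws_session_token=cfg.get("session_token"),
        region_name=cfg["region_name"],
    )
    key, secret, token = resolve_credentials(cfg, base.client("sts"))
    return boto3.Session(
        aws_access_key_id=key,
        aws_secret_access_key=secret,
        aws_session_token=token,
        region_name=cfg["region_name"],
    ).client("eks")
```

`resolve_credentials()` takes the STS client as an argument so the role-assumption path can be exercised against a stub without network access; in production `eks_client()` supplies the real client.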
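The following is an added example for the Create Access Entry action above; it is not the connector's own code. `build_access_entry_request()` returns the keyword arguments for boto3's `create_access_entry()` after checking the things the API will not check for you: that `principalArn` is an IAM user or role ARN rather than an STS assumed-role ARN, and that privileged groups such as `system:masters` are only attached with an explicit opt-in, since EKS does not validate `kubernetesGroups`. The `PRIVILEGED_GROUPS` set, the `allow_privileged` flag and the refusal to add extra groups to node-type entries (which EKS grants permissions to itself) are this example's own policy choices, not API rules.

```python
"""Guarded request builder for Create Access Entry."""
import uuid
from typing import Optional

ACCESS_ENTRY_TYPES = frozenset({"STANDARD", "FARGATE_LINUX", "EC2_LINUX", "EC2_WINDOWS"})
# Example policy: groups whose bindings amount to cluster-admin or node identity.
PRIVILEGED_GROUPS = frozenset({"system:masters", "system:nodes", "system:bootstrappers"})
IAM_ARN_PREFIXES = ("arn:aws:iam::", "arn:aws-us-gov:iam::", "arn:aws-cn:iam::")


def build_access_entry_request(
    cluster_name: str,
    principal_arn: str,
    kubernetes_groups=(),
    entry_type: str = "STANDARD",
    allow_privileged: bool = False,
    tags: Optional[dict] = None,
    client_request_token: Optional[str] = None,
) -> dict:
    """Return create_access_entry() kwargs, or raise if the request is unsafe or malformed."""
    if entry_type not in ACCESS_ENTRY_TYPES:
        raise ValueError(f"type must be one of {sorted(ACCESS_ENTRY_TYPES)}, got {entry_type!r}")
    # The entry binds to the IAM principal, not to a session: an
    # arn:aws:sts::...:assumed-role/... ARN is not an IAM principal.
    if not principal_arn.startswith(IAM_ARN_PREFIXES):
        raise ValueError(f"principalArn must be an IAM user or role ARN, got {principal_arn!r}")
    groups = sorted(set(kubernetes_groups))
    # Example policy: node entry types get their permissions from EKS, so this
    # builder refuses to widen them with extra groups.
    if entry_type != "STANDARD" and groups:
        raise ValueError(f"refusing to add kubernetesGroups to a {entry_type} access entry")
    privileged = PRIVILEGED_GROUPS.intersection(groups)
    if privileged and not allow_privileged:
        raise PermissionError(
            f"{sorted(privileged)} grants cluster-admin or node identity; "
            "pass allow_privileged=True to confirm"
        )
    request = {
        "clusterName": cluster_name,
        "principalArn": principal_arn,
        "type": entry_type,
        # Idempotency token: a retry with the same token does not create a second entry.
        "clientRequestToken": client_request_token or str(uuid.uuid4()),
    }
    if groups:
        request["kubernetesGroups"] = groups
    if tags:
        request["tags"] = dict(tags)
    return request
```

The returned dictionary is passed as `eks.create_access_entry(**request)`. The username is deliberately left unset, following the action's own recommendation to let EKS assign it.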
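The following is an added example serving the Describe Cluster and Update Cluster Config actions above; it is not the connector's own code. `audit_cluster()` takes the `cluster` object that Describe Cluster returns and flags the settings a security review looks for (public endpoint open to the internet, private endpoint off, missing control plane log types, no KMS envelope encryption), and `remediation_requests()` turns the fixable findings into the keyword arguments for boto3's `update_cluster_config()`. The sample cluster document, the finding codes and the required log-type set are constructed for this example.

```python
"""Posture check over a Describe Cluster result and the Update Cluster Config requests that fix it."""
import copy

INTERNET = "0.0.0.0/0"
# Control plane streams covering API requests, authentication decisions and the audit trail.
REQUIRED_LOG_TYPES = frozenset({"api", "audit", "authenticator"})
NETWORK_FINDINGS = {"PUBLIC_ENDPOINT_OPEN_TO_INTERNET", "PRIVATE_ENDPOINT_DISABLED"}

# Constructed sample shaped like describe_cluster()["cluster"]: public endpoint open
# to the world, private endpoint off, only 'api' logs, no envelope encryption.
SAMPLE_CLUSTER = {
    "name": "prod-eks",
    "status": "ACTIVE",
    "resourcesVpcConfig": {
        "subnetIds": ["subnet-0a1b2c3d", "subnet-4e5f6a7b"],
        "securityGroupIds": ["sg-0123456789abcdef0"],
        "endpointPublicAccess": True,
        "endpointPrivateAccess": False,
        "publicAccessCidrs": [INTERNET],
    },
    "logging": {"clusterLogging": [{"types": ["api"], "enabled": True}]},
    "accessConfig": {"authenticationMode": "CONFIG_MAP"},
}


def enabled_log_types(cluster: dict) -> set:
    """Flatten the clusterLogging entries into the set of exported log types."""
    types = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            types.update(entry.get("types", []))
    return types


def audit_cluster(cluster: dict) -> list:
    """Return sorted finding codes for a Describe Cluster 'cluster' object."""
    findings = []
    vpc = cluster.get("resourcesVpcConfig", {})
    # EKS applies 0.0.0.0/0 when the public endpoint is on and no CIDRs were given.
    cidrs = vpc.get("publicAccessCidrs") or [INTERNET]
    if vpc.get("endpointPublicAccess") and INTERNET in cidrs:
        findings.append("PUBLIC_ENDPOINT_OPEN_TO_INTERNET")
    if not vpc.get("endpointPrivateAccess"):
        findings.append("PRIVATE_ENDPOINT_DISABLED")
    missing = REQUIRED_LOG_TYPES - enabled_log_types(cluster)
    if missing:
        findings.append("CONTROL_PLANE_LOGS_MISSING:" + ",".join(sorted(missing)))
    if not cluster.get("encryptionConfig"):
        findings.append("SECRETS_ENVELOPE_ENCRYPTION_DISABLED")
    return sorted(findings)


def remediation_requests(cluster: dict, allowed_cidrs: list) -> list:
    """Build update_cluster_config() kwargs for the network and logging findings.

    EKS takes one configuration type per Update Cluster Config call, so the VPC
    change and the logging change are returned as separate request dicts. The
    encryption finding is report-only: envelope encryption is enabled through
    AssociateEncryptionConfig, which this connector does not expose.
    """
    if INTERNET in allowed_cidrs:
        raise ValueError("allowed_cidrs must not contain 0.0.0.0/0")
    findings = audit_cluster(cluster)
    requests = []
    if NETWORK_FINDINGS.intersection(findings):
        vpc_cfg = {
            "endpointPrivateAccess": True,
            "endpointPublicAccess": bool(allowed_cidrs),  # public only with an allow-list
        }
        if allowed_cidrs:
            vpc_cfg["publicAccessCidrs"] = list(allowed_cidrs)
        requests.append({"name": cluster["name"], "resourcesVpcConfig": vpc_cfg})
    if any(f.startswith("CONTROL_PLANE_LOGS_MISSING") for f in findings):
        types = sorted(REQUIRED_LOG_TYPES | enabled_log_types(cluster))
        requests.append({
            "name": cluster["name"],
            "logging": {"clusterLogging": [{"types": types, "enabled": True}]},
        })
    return requests


def apply_locally(cluster: dict, request: dict) -> dict:
    """Dry run: merge a request into a copy of the cluster document without calling AWS."""
    updated = copy.deepcopy(cluster)
    if "resourcesVpcConfig" in request:
        updated.setdefault("resourcesVpcConfig", {}).update(request["resourcesVpcConfig"])
    if "logging" in request:
        updated["logging"] = request["logging"]
    return updated
```

In a playbook the requests are issued one at a time with `eks.update_cluster_config(**request)`, each returning an `update` record whose `id` is polled with DescribeUpdate before the next request; `apply_locally()` lets you re-run `audit_cluster()` on the expected end state first.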