How to Register the Kubernetes You Need to Protect
November 29, 2024
Overview
This tutorial explains how to synchronize Kubernetes clusters using the cloud synchronization feature or manually register clusters for management.
Synchronizing Kubernetes Resources via AWS Integration
Preconditions
- To synchronize Kubernetes resources, ensure the following IAM permissions are assigned:
  - eks:ListClusters
  - eks:DescribeCluster
  - eks:ListAccessEntries
  - eks:DescribeAccessEntry
  - eks:CreateAccessEntry
  - eks:ListAssociatedAccessPolicies
  - eks:AssociateAccessPolicy
- Additionally, update the AWS EKS Authentication Mode:
  - Synchronization uses the EKS access entry API. To ensure smooth synchronization, it's recommended to set the authentication mode to EKS API and ConfigMap.
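As an added example (not QueryPie's code), the Python sketch below checks an IAM policy document against the seven actions listed above and reports both missing actions and wildcard grants that are broader than the list requires. The sample policy and the function names are constructed for illustration; the check looks only at Effect and Action and ignores Resource, Condition and NotAction.

```python
import fnmatch

# The seven EKS actions listed in the preconditions above.
REQUIRED_ACTIONS = [
    "eks:ListClusters", "eks:DescribeCluster", "eks:ListAccessEntries",
    "eks:DescribeAccessEntry", "eks:CreateAccessEntry",
    "eks:ListAssociatedAccessPolicies", "eks:AssociateAccessPolicy",
]

# Constructed sample policy (not taken from the page).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["eks:List*", "eks:DescribeCluster"], "Resource": "*"},
        {"Effect": "Allow", "Action": "eks:CreateAccessEntry", "Resource": "*"},
    ],
}

def _as_list(value):
    # IAM allows "Action" to be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value or [])

def _hit(action, patterns):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy):
    """Return (missing, wildcards) for a policy document.

    missing   -- required actions that are not allowed, or are explicitly denied
    wildcards -- Allow patterns containing '*', i.e. broader than the exact list
    """
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may appear without a list
        stmts = [stmts]
    allow, deny = [], []
    for stmt in stmts:
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.extend(_as_list(stmt.get("Action")))
    # An explicit Deny overrides any Allow, so a denied action counts as missing.
    missing = [a for a in REQUIRED_ACTIONS if _hit(a, deny) or not _hit(a, allow)]
    wildcards = sorted({p for p in allow if "*" in p})
    return missing, wildcards

if __name__ == "__main__":
    missing, wildcards = audit_policy(SAMPLE_POLICY)
    print("Missing actions:", missing)
    print("Wildcard grants to narrow:", wildcards)
```

A policy that lists exactly the seven actions returns two empty lists, which is the least-privilege result to aim for before running a synchronization.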
STEP 1 In the Cloud Provider menu, click the Create Provider button and enter the following details:
- Name: A unique name to identify the provider
- Cloud Provider: Amazon Web Services
- Region: The region of the resources to be synchronized
- Credential
  - Default Credential: Assign IAM policies to the EC2 instance where QueryPie is installed to synchronize resources within the same AWS account
  - Cross Account Role: Create an IAM role to synchronize resources from another AWS account
- Search Filter: Filter specific types of resources to synchronize
  - It works the same way as AWS's search mechanism.
  - You can use filters such as name, host, OS, and tags. Enter the filters in the following order:
    Key -> Press Enter -> Select a search condition -> Press Enter -> Enter the value -> Press Enter
- Replication Frequency: Method of synchronization
  - Manual: Synchronize only when manually triggered
  - Scheduling: Synchronize periodically using a schedule. Cron expressions are supported.
STEP 2 Select the provider you created in the Cloud Provider menu.
STEP 3 Click the Synchronize button to sync AWS resources.
STEP 4 Go to the Clusters menu to view the synchronized resources.
Manually Registering a Kubernetes Cluster
STEP 1 In the Clusters menu, click the Create Cluster button and enter the following details:
- Name: A unique name to identify the cluster
- Version: Detailed version information for the cluster
- API URL: The API URL of the Kubernetes cluster to receive API requests
STEP 2 Click the download and run this script button to download the script.
STEP 3 Run the downloaded script on the target cluster, and enter the following information from the script’s output:
- Service Account Token: The Kubernetes service account token used by QueryPie Proxy to make API calls
- Certificate Authority: The CA certificate used by QueryPie to verify the Kubernetes API server
STEP 4 Click Verify Credential to ensure the connection is valid.
STEP 5 Configure the logging options for the cluster:
- Request Audit: Enable logging of Kubernetes API call history for the cluster
- Request Audit Types: Select the types of API verbs to be logged
- Pod Session Recording: Enable recording of sessions opened via Pod exec commands within the cluster
  - To enable this option, Request Audit must be turned on, and the create and get verbs must be selected under Request Audit Types.
STEP 6 Click the Save button to successfully register the cluster.