Amazon EKS-A
Amazon EKS Anywhere (EKS-A) lets you create and operate Kubernetes clusters on your own infrastructure. It builds on Amazon EKS Distro and provides open-source software that is kept up to date and patched, so you get an on-premises Kubernetes environment that is more reliable than a self-managed Kubernetes deployment. Kyverno, an open-source policy engine, enables policy-based security, governance, and compliance for EKS-A clusters. With Kyverno, enterprise platform teams can deploy the guardrails needed to ensure that deployed applications are secure, compliant, and follow Amazon EKS best practices.
Deploying Enterprise Kyverno on Amazon EKS-A cluster
Prerequisites
- Request a Nirmata Enterprise Kyverno license from sales@nirmata.com
- Install the following tools: kubectl, AWS CLI, and optionally eksctl
- You have access to an Amazon EKS-A cluster
- Install Flux and the External Secrets Operator (external-secrets) on the cluster, following the EKS-A add-on prerequisites. The add-on itself is delivered through Flux, and the license is pulled from AWS Secrets Manager through external-secrets.
- Create a Kubernetes Secret named aws-secret (in the default namespace) holding the AWS access key ID under the key access-key and the secret access key under the key secret; the ClusterSecretStore below references it by those names. Use a dedicated IAM principal whose policy allows only secretsmanager:GetSecretValue on the license secret, since these static keys live in the cluster.
- Add the Nirmata license to AWS Secrets Manager, in the same region the ClusterSecretStore will use (us-west-1 in the example below):
- Create a secret named nirmata-license-key and choose the type "Other type of secret"
- In Key/value pairs, add the license as plaintext
- Next, create the ClusterSecretStore as follows:
cat <<EOF | kubectl apply -f -
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: eksa-secret-store
spec:
  provider:
    aws:                      # set secretStore provider to AWS
      service: SecretsManager
      region: us-west-1       # region where the license secret lives
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-secret  # references the secret created above
            namespace: default
            key: access-key
          secretAccessKeySecretRef:
            name: aws-secret
            namespace: default
            key: secret
EOF
Deploy Enterprise Kyverno as an Amazon EKS-A add-on
Follow the EKS-A add-on instructions to deploy Kyverno on your Amazon EKS-A cluster.
The Nirmata Enterprise Kyverno add-on lives in the EKS-A add-ons repository under eks-anywhere-common/Addons/Partner/Nirmata/Kyverno.
The exact command to install the Kyverno add-on is (the source named addons is the Flux GitRepository for the EKS-A add-ons repository, registered during the prerequisites):
flux create kustomization addons-kyverno --source=addons \
--path="./eks-anywhere-common/Addons/Partner/Nirmata/Kyverno" \
--prune=true --interval=5m
Once the add-on is installed, confirm that Flux reconciled it with flux get kustomizations, then verify that the Kyverno pods are running:
kubectl get pods -n kyverno
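The steps above leave two things to the reader: creating the aws-secret that the ClusterSecretStore references, and getting the license out of Secrets Manager into the cluster. The following script is an added example, not code from the Nirmata add-on or the EKS-A docs. It renders the aws-secret manifest from environment variables, a least-privilege IAM policy for that key pair, and an ExternalSecret that copies nirmata-license-key into the kyverno namespace through the eksa-secret-store defined above, then waits for the store, the ExternalSecret and the pods to become ready. The target secret name nirmata-license, the kyverno namespace, and the account ID are assumptions; check what the add-on actually expects before relying on them.

```bash
#!/usr/bin/env bash
# Added example (not from the Nirmata/EKS-A docs).
# Assumptions: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY belong to a dedicated
# read-only IAM user, kubectl points at the EKS-A cluster, and external-secrets
# plus the ClusterSecretStore eksa-secret-store are already in place.
set -eu

SECRET_NS="default"                 # namespace the ClusterSecretStore reads aws-secret from
STORE_NAME="eksa-secret-store"
LICENSE_SM_NAME="nirmata-license-key"   # name of the secret in AWS Secrets Manager
TARGET_NS="kyverno"                 # assumed: namespace the add-on runs in
TARGET_SECRET="nirmata-license"     # assumed: secret name the add-on reads

# Secret holding the static keys. The data keys must be access-key and secret,
# because the ClusterSecretStore references them by exactly those names.
render_aws_secret() {
  access_key="$1"; secret_key="$2"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: aws-secret
  namespace: ${SECRET_NS}
type: Opaque
stringData:
  access-key: ${access_key}
  secret: ${secret_key}
EOF
}

# Least-privilege policy for that key pair: only GetSecretValue on the one
# license secret (Secrets Manager appends a random suffix, hence the -*).
render_iam_policy() {
  region="$1"; account="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue"],
    "Resource": "arn:aws:secretsmanager:${region}:${account}:secret:${LICENSE_SM_NAME}-*"
  }]
}
EOF
}

# ExternalSecret that materialises the Secrets Manager key/value pairs as a
# Kubernetes Secret in the kyverno namespace, refreshed hourly.
render_external_secret() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: nirmata-license
  namespace: ${TARGET_NS}
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: ${STORE_NAME}
  target:
    name: ${TARGET_SECRET}
  dataFrom:
    - extract:
        key: ${LICENSE_SM_NAME}
EOF
}

# Readiness checks: store and ExternalSecret both expose a Ready condition.
verify() {
  kubectl wait --for=condition=Ready "clustersecretstore/${STORE_NAME}" --timeout=60s
  kubectl wait --for=condition=Ready "externalsecret/nirmata-license" -n "${TARGET_NS}" --timeout=60s
  kubectl get secret "${TARGET_SECRET}" -n "${TARGET_NS}" >/dev/null
  kubectl get pods -n "${TARGET_NS}"
}

# Only touch the cluster when invoked as: ./license-setup.sh apply
case "${1:-}" in
  apply)
    render_aws_secret "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}" | kubectl apply -f -
    kubectl create namespace "${TARGET_NS}" --dry-run=client -o yaml | kubectl apply -f -
    render_external_secret | kubectl apply -f -
    verify
    ;;
esac
```

Run it without arguments to preview the manifests (for example `render_iam_policy us-west-1 <account-id>` after sourcing the file), and with `apply` to create the resources. Attach the rendered policy to the IAM user before creating aws-secret so the key pair never has broader rights than reading this one license.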