Amazon EKS-A

Amazon EKS Anywhere lets you create and operate Kubernetes clusters on your own infrastructure. Amazon EKS Anywhere builds on the strengths of Amazon EKS Distro and provides open-source software that’s up to date and patched so you can have an on-premises Kubernetes environment that’s more reliable than a self-managed Kubernetes offering. Kyverno, an open-source policy engine, enables policy-based security, governance, and compliance for Amazon EKS-A clusters. Using Kyverno, enterprise platform teams can deploy the necessary guardrails to ensure that deployed applications are secure, compliant, and follow Amazon EKS Best Practices.

Deploying Enterprise Kyverno on Amazon EKS-A cluster

Prerequisites

  • Request a Nirmata Enterprise Kyverno license from sales@nirmata.com
  • Install the following tools: kubectl, AWS CLI, and optionally eksctl
  • You have access to an Amazon EKS-A cluster
  • Follow the prerequisites here to install Flux and external-secrets
  • Also create a Kubernetes Secret named aws-secret holding AWS credentials (keys access-key and secret) so that external-secrets can retrieve the license from AWS Secrets Manager
  • Add the Nirmata license to AWS Secrets Manager:
    • Create a Secret with the name "nirmata-license-key" and type "Other type of secret"
    • In Key/Value pairs, add the license as plaintext
    • Next, create the ClusterSecretStore as follows:
cat <<EOF | kubectl apply -f -
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: eksa-secret-store
spec:
  provider:
    aws:  # set secretStore provider to AWS.
      service: SecretsManager
      region: us-west-1  # Region where the secret is.
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-secret # References the secret we created
            namespace: default
            key: access-key
          secretAccessKeySecretRef:
            name: aws-secret
            namespace: default
            key: secret
EOF

Deploy Enterprise Kyverno as an Amazon EKS-A add-on

Follow the instructions here to deploy Kyverno on your Amazon EKS-A cluster.

The Nirmata Enterprise Kyverno add-on repository is here.

The exact command to install the Kyverno add-on is:

flux create kustomization addons-kyverno --source=addons \
      --path="./eks-anywhere-common/Addons/Partner/Nirmata/Kyverno" \
      --prune=true  --interval=5m

Once the add-on is installed, you can verify that the Kyverno pods are running using the command:

kubectl get pods -n kyverno
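With the add-on running, the guardrails mentioned above are expressed as Kyverno policies. The following ClusterPolicy is an added example (it is not part of the add-on or the original page) that refuses privileged containers, one of the EKS best-practice checks; the policy name and message text are the author's own choices.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers   # example name, not from the add-on
  annotations:
    policies.kyverno.io/description: >-
      Privileged containers get the host's full capability set and bypass most
      container isolation, so they are refused cluster-wide.
spec:
  # Enforce rejects the request at admission; Audit would only record a
  # PolicyReport entry, which is useful when first rolling a policy out.
  validationFailureAction: Enforce
  # Also scan existing Pods and report violations, not just new admissions.
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Privileged mode is disallowed. Set securityContext.privileged to
          false on all containers, initContainers and ephemeralContainers.
        # "=(field)" means: only check the field if it is present, so Pods
        # that omit securityContext (default: unprivileged) still pass.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

After applying it with kubectl apply, a Pod that sets securityContext.privileged to true is rejected at admission with the message above, and kubectl get clusterpolicy shows the policy as ready.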