
Overview

QueryPie supports AWS integration for Kubernetes cluster registration and management. You can synchronize resources within AWS, register them as clusters managed by QueryPie, and grant Kubernetes API access permissions and set policies for users and groups on the synchronized clusters.

Prerequisites

  1. To synchronize with AWS resources, ensure that the necessary policy actions have been attached to the AWS IAM role assigned to the QueryPie instance. The policy must include all of the following actions:
  • eks:ListClusters
  • eks:DescribeCluster
  • eks:ListAccessEntries
  • eks:DescribeAccessEntry
  • eks:CreateAccessEntry
  • eks:ListAssociatedAccessPolicies
  • eks:AssociateAccessPolicy
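
An added example (not part of the QueryPie documentation): a Python check that an IAM identity policy document grants every action listed above, and that flags wildcard grants reaching beyond that list. The sample policy is constructed, and the check reads only Effect and Action; Resource, Condition and NotAction are not evaluated.

```python
import fnmatch
import json

# Actions this page lists as required on the IAM role assigned to QueryPie.
REQUIRED_ACTIONS = [
    "eks:ListClusters",
    "eks:DescribeCluster",
    "eks:ListAccessEntries",
    "eks:DescribeAccessEntry",
    "eks:CreateAccessEntry",
    "eks:ListAssociatedAccessPolicies",
    "eks:AssociateAccessPolicy",
]

# Constructed sample policy (not from the page): one wildcard grant,
# one missing action, one explicit Deny that overrides an Allow.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["eks:List*", "eks:DescribeCluster",
              "eks:describeaccessentry", "eks:AssociateAccessPolicy"]},
  {"Effect": "Deny", "Resource": "*", "Action": "eks:Associate*"}
]}
""")

def _as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; * and ? act as wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def audit_policy(policy):
    """Return required actions that are missing or denied, plus broad grants."""
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        target = {"Allow": allow, "Deny": deny}.get(stmt.get("Effect"))
        if target is not None:
            target.extend(_as_list(stmt.get("Action")))
    hit = lambda action, pats: any(_matches(p, action) for p in pats)
    return {
        "missing": [a for a in REQUIRED_ACTIONS if not hit(a, allow)],
        "denied": [a for a in REQUIRED_ACTIONS if hit(a, deny)],
        "broad": [p for p in allow if ("*" in p or "?" in p)
                  and any(_matches(p, a) for a in REQUIRED_ACTIONS)],
    }

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

An empty result in all three lists means the policy grants exactly the listed actions by name, with no Deny in the way.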

Modifying AWS EKS Authentication Mode

QueryPie uses the EKS access entry API when synchronizing AWS EKS Kubernetes cluster connections. If the cluster authentication mode is set to ConfigMap only, the connection may run into difficulties, so we recommend changing the mode in the AWS console in advance for smooth synchronization.

AWS Console > EKS > Clusters > {cluster} > Access > Access configuration > Manage access


  1. Access AWS Console with an account that has EKS administrator privileges.
  2. Navigate to the Elastic Kubernetes Service (EKS) menu.
  3. Move to the region where the target EKS cluster is located.
  4. Select the target EKS cluster to move to the detailed page.
  5. Click the Access tab to view the Access configuration status.
  6. If the Authentication mode is “ConfigMap”, click the Manage access button on the right.
  7. Change the Cluster authentication mode to “EKS API and ConfigMap”.
  8. Click Save changes to save the changes.
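
An added example (not part of the QueryPie documentation): the same check done through the EKS API with boto3, reporting every cluster in a region whose authentication mode is still ConfigMap-only and, when `apply=True`, requesting the change that steps 6 to 8 make in the console. The function name and report format are assumptions of this example; the credentials used need `eks:UpdateClusterConfig` in addition to list and describe access.

```python
# Authentication modes under which the EKS access entry API is available.
ACCESS_ENTRY_MODES = {"API", "API_AND_CONFIG_MAP"}
TARGET_MODE = "API_AND_CONFIG_MAP"  # "EKS API and ConfigMap" in the console


def plan_auth_mode_changes(eks, apply=False):
    """Report each cluster's authentication mode and what was done about it.

    `eks` is a boto3 EKS client for the region being checked.
    Returns {cluster_name: (current_mode, action)}.
    """
    report = {}
    for page in eks.get_paginator("list_clusters").paginate():
        for name in page["clusters"]:
            cluster = eks.describe_cluster(name=name)["cluster"]
            # Assumption: a response without accessConfig is ConfigMap-only.
            mode = cluster.get("accessConfig", {}).get(
                "authenticationMode", "CONFIG_MAP")
            if mode in ACCESS_ENTRY_MODES:
                action = "ok"
            elif apply:
                # One-way change: EKS does not allow reverting to CONFIG_MAP.
                eks.update_cluster_config(
                    name=name,
                    accessConfig={"authenticationMode": TARGET_MODE})
                action = "update requested"
            else:
                action = "needs change"
            report[name] = (mode, action)
    return report


if __name__ == "__main__":
    import boto3  # uses the default credentials and region of the environment

    for name, (mode, action) in plan_auth_mode_changes(
            boto3.client("eks")).items():
        print(f"{name}: {mode} -> {action}")
```

Run it without `apply` first to see which clusters would change, because the mode cannot be switched back to ConfigMap-only afterwards.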

Registering AWS Integration Information in QueryPie

Administrator > Kubernetes > Connection Management > Cloud Providers > Create Provider


  1. Navigate to Administrator > Kubernetes > Connection Management > Cloud Providers menu.
  2. Click the + Create Provider button in the top right.
  3. Enter a name that can distinguish this provider in the Name field.
  4. Select Amazon Web Services from the Cloud Provider field.
  5. Select the region of the resources you want to synchronize from the Region field.
  6. Enter the Credential information required to synchronize resources.
    1. Default Credentials : If the QueryPie server is installed in the same AWS account, you can assign an IAM role to the EC2 instance where QueryPie is installed to synchronize resources within the same AWS.
    2. Cross Account Role : You can create an IAM role to synchronize resources from other AWS accounts. Please create permissions for synchronization and assign policies according to the steps displayed on the screen.
  7. You can use Search Filter to retrieve only some of the resources you want to synchronize.
    1. Search Filter works the same way as AWS search. You can use values such as names and tags as filters, and you can enter search conditions and filters with the Enter key in the following order.
      1. Enter the Key and press Enter → Select the search condition and press Enter → Enter the Value and press Enter
    2. For more detailed usage, please refer to User Guide for Linux Instances (AWS).
  8. Select the synchronization method from the Replication Frequency field.
    1. Manual : Synchronizes only when you trigger synchronization manually.
    2. Scheduling : Synchronizes resources on a periodic schedule. Cron Expressions are provided.
  9. You can click the Dry Run button to check in advance whether there will be any problems with synchronization.
  10. Click the Save button to save the Cloud Provider.

Q. I clicked the Save button but got an error saying “Already exists cloud provider.”

A. If there is already a Cloud Provider registered with Default Credentials as Credential and the same Region, duplicate registration is not possible. In this case, you can register normally by selecting a different Region.

Synchronizing and Managing Registered AWS Cloud Provider

Administrator > Kubernetes > Connection Management > Cloud Providers > List Details


  1. Navigate to Administrator > Kubernetes > Connection Management > Cloud Providers menu.
  2. Click on the registered Cloud Provider to enter the detailed information screen.
  3. Click the Synchronize button in the top right to synchronize resources from AWS.
    1. Please refer to Dry Run/Synchronization Log Notation below for the meaning of each log entry.
    2. You can check the synchronization progress in the displayed Synchronization Log, and you can also check the synchronization history in Settings > Systems > Jobs menu.
  4. Once a Cloud Provider is registered, some information of the Provider cannot be changed.
    1. Name : Can be changed
    2. Cloud Provider : Cannot be changed
    3. Region : Cannot be changed
    4. Credential : Cannot be changed
    5. Role ARN : Cannot be changed
    6. Search Filter : Can be changed
    7. Replication Frequency : Can be changed

Dry Run/Synchronization Log Notation

| Occurrence Time | Text |
| --- | --- |
| :check_mark: Dry Run or Synchronize synchronization start | Cluster synchronization started. |
| :check_mark: New cluster addition completed | New Cluster is added: {Cluster Name} ({API URL}). |
| :check_mark: Existing cluster information update completed | Cluster {Cluster Name} is updated |
| :check_mark: Existing cluster removal completed | Cluster {Cluster Name} is removed |
| :check_mark: Dry Run or Synchronize synchronization successfully completed | Cluster synchronization succeeded. |
| image-20240822-082024.png Synchronization skipped when EKS cluster authentication mode does not allow EKS API. Need to change from ConfigMap mode to allow EKS API. | Skipping sync. Cluster {Cluster Name}’s authentication mode blocks EKS access entry API. To manage access, enable EKS API access. |
| :cross_mark: Synchronization failed due to duplicate cluster name already confirmed | Cluster synchronization failed. The cluster name “{Cluster Name}” is already in use by another cluster. To synchronize it, delete the existing cluster. |
| :cross_mark: Dry Run or Synchronize synchronization failed | Cluster synchronization failed. + {additional statement} |