
Sync Kubernetes Resources from AWS

Overview

QueryPie supports integration with AWS for enrolling and managing Kubernetes clusters. You can synchronize resources from AWS into clusters managed by QueryPie. Additionally, you can grant Kubernetes API access permissions to users and groups for synchronized clusters and configure policies accordingly.

Prerequisites

Ensure that the AWS IAM role assigned to the QueryPie instance has the necessary policy actions attached for synchronizing with AWS resources. The policy should include the following actions:

  • eks:ListClusters

  • eks:DescribeCluster

  • eks:ListAccessEntries

  • eks:DescribeAccessEntry

  • eks:CreateAccessEntry

  • eks:ListAssociatedAccessPolicies

  • eks:AssociateAccessPolicy

Edit AWS EKS Cluster Authentication Mode

QueryPie uses the EKS access entry API to connect to AWS EKS Kubernetes clusters during synchronization. If a cluster's authentication mode is set to "ConfigMap" only, QueryPie may be unable to connect to it, so change the authentication mode in the AWS console before synchronizing.

AWS Console > EKS > Clusters > {cluster} > Access > Access configuration > Manage access

  1. Log in to the AWS Management Console with an account that has EKS administrator privileges.

  2. Navigate to the Elastic Kubernetes Service (EKS) menu.

  3. Select the AWS region where your target EKS cluster is located.

  4. Choose the specific EKS cluster you want to manage.

  5. Click on the Access tab to view the current access configuration.

  6. If the Authentication mode is set to "ConfigMap", click the Manage access button on the right-hand side.

  7. Select "EKS API and ConfigMap" from the Cluster authentication mode.

  8. Click Save changes to apply the modifications.
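A preflight check for the two requirements above (the IAM actions under Prerequisites and the cluster authentication mode), added here as an example and not QueryPie code. It assumes the policy is a standard IAM policy document and the cluster data is the JSON returned by aws eks describe-cluster; the function names and sample inputs are constructed for illustration.

```python
import fnmatch

# The seven actions the Prerequisites section lists.
REQUIRED_ACTIONS = [
    "eks:ListClusters", "eks:DescribeCluster", "eks:ListAccessEntries",
    "eks:DescribeAccessEntry", "eks:CreateAccessEntry",
    "eks:ListAssociatedAccessPolicies", "eks:AssociateAccessPolicy",
]
# EKS authentication modes under which the access entry API is enabled.
API_MODES = {"API", "API_AND_CONFIG_MAP"}


def _as_list(value):
    # IAM accepts a single string or object where a list is expected.
    return value if isinstance(value, list) else [value]


def _grants(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy):
    """Return (missing, wildcards). Simplification: only Allow/Action is read;
    Deny, NotAction, Resource and Condition are not evaluated."""
    patterns = [a for s in _as_list(policy.get("Statement", []))
                if s.get("Effect") == "Allow" for a in _as_list(s.get("Action", []))]
    missing = [r for r in REQUIRED_ACTIONS
               if not any(_grants(p, r) for p in patterns)]
    # Wildcard grants satisfy the requirement but allow more than the list.
    wildcards = sorted({p for p in patterns if ("*" in p or "?" in p)
                        and any(_grants(p, r) for r in REQUIRED_ACTIONS)})
    return missing, wildcards


def access_entry_api_enabled(describe_cluster_output):
    """True if the cluster's authentication mode includes the EKS API."""
    access = describe_cluster_output.get("cluster", {}).get("accessConfig", {})
    # Assumption: output without accessConfig is treated as ConfigMap-only.
    return access.get("authenticationMode", "CONFIG_MAP") in API_MODES


# Constructed sample inputs, not taken from a real account.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["eks:List*", "eks:DescribeCluster"], "Resource": "*"},
    {"Effect": "Allow", "Action": "eks:CreateAccessEntry", "Resource": "*"},
]}
SAMPLE_CLUSTER = {"cluster": {"accessConfig": {"authenticationMode": "CONFIG_MAP"}}}
```

For the sample inputs, check_policy reports two missing actions and one wildcard grant, and access_entry_api_enabled returns False until the mode is changed as described in the steps above.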

Registering AWS Credential in QueryPie

Administrator > Kubernetes > Connection Management > Cloud Providers > Create Provider

  1. Navigate to the Administrator > Kubernetes > Connection Management > Cloud Providers menu.

  2. Click the + Create Provider button located at the top right.

  3. Name: Enter a name that distinguishes the provider.

  4. Cloud Provider: Choose "Amazon Web Services".

  5. Region: Select the region where you want to synchronize resources.

  6. Credential: Enter the necessary credentials for resource synchronization.

    • Default Credentials : Use this when QueryPie is installed in the same AWS account as the resources. Synchronization uses the IAM role assigned to the EC2 instance where QueryPie is deployed.

    • Cross Account Role : Create an IAM role to synchronize resources from a different AWS account. Follow the on-screen steps to create the necessary permissions and assign policies for synchronization.

  7. Search Filter: Use this option to fetch a list of resource types you want to synchronize.

    • The search filter operates similarly to AWS search methods, allowing you to use values such as names and tags for filtering.

      • Enter the Key value → Select the search condition → Enter the Value

    • For more detailed usage instructions, refer to the User Guide for Linux Instances (AWS).

  8. Replication Frequency: Choose how synchronization should occur:

    • Manual: Synchronize resources manually when needed.

    • Scheduling: Set up periodic synchronization using Cron Expressions.

  9. (Dry Run: Click the Dry Run button to simulate synchronization without making actual changes.)

  10. Click the Save button to store the Cloud Provider settings.

Q: I clicked the Save button, but I'm getting an error message saying "Already exists cloud provider."

A: If there is already a Cloud Provider registered with the same Region using Default Credentials, you cannot register another one due to duplication. To resolve this, please try registering with a different Region, and the save operation should proceed successfully.

Synchronizing and Managing AWS Cloud Providers

Administrator > Kubernetes > Connection Management > Cloud Providers > List Details

  1. Navigate to the Administrator > Kubernetes > Connection Management > Cloud Providers menu.

  2. Click on the registered Cloud Provider to access its detailed information screen.

  3. Click the Synchronize button at the top right to synchronize resources from AWS.

    1. Refer to the definitions below for Dry Run/Synchronization Logs.

    2. You can monitor synchronization progress in the displayed Synchronization Log and also review synchronization history in the Settings > Systems > Jobs menu.

  4. Once a Cloud Provider is registered, certain provider details cannot be modified:

    • Name : Changeable

    • Cloud Provider : Not changeable

    • Region : Not changeable

    • Credential : Not changeable

    • Role ARN : Not changeable

    • Search Filter : Changeable

    • Replication Frequency : Changeable

Dry Run/Synchronization Logs

| Status | Trigger | Statement |
|---|---|---|
| (tick) | Dry Run or Synchronize: Initiating synchronization | Cluster synchronization started. |
| (tick) | Completion of adding a new cluster | New Cluster is added: {Cluster Name} ({API URL}). |
| (tick) | Completion of updating existing cluster information | Cluster {Cluster Name} is updated |
| (tick) | Completion of removing an existing cluster | Cluster {Cluster Name} is removed |
| (tick) | Dry Run or Synchronize: Successfully completed synchronization | Cluster synchronization succeeded. |
| (icon) | Skipping synchronization if the EKS cluster's authentication mode does not allow the EKS API | Skipping sync. Cluster {Cluster Name}'s authentication mode blocks EKS access entry API. To manage access, enable EKS API access. |
| (error) | Failed synchronization because a duplicate cluster name was detected | Cluster synchronization failed. The cluster name “{Cluster Name}” is already in use by another cluster. To synchronize it, delete the existing cluster. |
| (error) | Dry Run or Synchronize: Failed to complete synchronization | Cluster synchronization failed. + {additional statement} |
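
A small triage script for these log statements, added here as an example and not part of QueryPie. It classifies each line against the statement templates listed above and returns the clusters that were skipped or rejected together with the remediation the statement names; the function names, event labels and sample log are constructed.

```python
import re

# Patterns built from the statement templates above. The specific failure is
# tried before the generic one; search() tolerates a timestamp prefix.
PATTERNS = [
    ("failed_duplicate_name", re.compile(r'synchronization failed\. The cluster name [“"](?P<cluster>.+?)[”"] is already in use')),
    ("failed", re.compile(r"Cluster synchronization failed\.")),
    ("skipped_auth_mode", re.compile(r"Skipping sync\. Cluster (?P<cluster>.+?)'s authentication mode blocks")),
    ("added", re.compile(r"New Cluster is added: (?P<cluster>.+?) \([^()]+\)\.")),
    ("updated", re.compile(r"Cluster (?P<cluster>.+?) is updated")),
    ("removed", re.compile(r"Cluster (?P<cluster>.+?) is removed")),
    ("started", re.compile(r"Cluster synchronization started\.")),
    ("succeeded", re.compile(r"Cluster synchronization succeeded\.")),
]
# Remediation wording taken from the statements themselves.
FOLLOW_UP = {
    "skipped_auth_mode": "enable EKS API access on the cluster",
    "failed_duplicate_name": "delete the existing cluster with this name",
}


def classify(line):
    """Return (event, cluster_name_or_None) for one log statement."""
    for event, pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return event, match.groupdict().get("cluster")
    return "unknown", None


def follow_ups(lines):
    """Map each cluster that was skipped or rejected to the action it needs."""
    result = {}
    for line in lines:
        event, cluster = classify(line)
        if event in FOLLOW_UP:
            result[cluster] = FOLLOW_UP[event]
    return result


# Constructed sample log; cluster names and the URL are placeholders.
SAMPLE_LOG = [
    "Cluster synchronization started.",
    "New Cluster is added: prod-a (https://example.invalid).",
    "Cluster staging-b is updated",
    "Skipping sync. Cluster legacy-c's authentication mode blocks EKS access entry API. To manage access, enable EKS API access.",
    "Cluster synchronization failed. The cluster name “shared-d” is already in use by another cluster. To synchronize it, delete the existing cluster.",
]
```

A skipped cluster is not enrolled by that run, so its Kubernetes API access is not yet governed by QueryPie policies; the follow_ups result is the list to work through before the next Dry Run.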
