Amazon EKS-A

Amazon EKS Anywhere lets you create and operate Kubernetes clusters on your own infrastructure. Amazon EKS Anywhere builds on the strengths of Amazon EKS Distro and provides open-source software that’s up to date and patched so you can have an on-premises Kubernetes environment that’s more reliable than a self-managed Kubernetes offering. Kyverno, an open source policy engine, enables policy-based security, governance and compliance for Amazon EKS-A clusters. Using Kyverno, enterprise platform teams can deploy the necessary guardrails to ensure that the deployed applications are secure, compliant and follow the Amazon EKS Best Practices.

Deploying the Enterprise Kyverno on Amazon EKS-A cluster

Prerequisites

  • Request a Nirmata Enterprise Kyverno license from sales@nirmata.com
  • Install the following tools: kubectl, AWS CLI, and optionally eksctl
  • You have access to an Amazon EKS-A cluster
  • Follow this prerequisites here to install flux and external-secrets. * Also create the secret (aws-secret) with the AWS credentials to allow the AWS Secret to be retrieved.
  • Add the Nirmata license to AWS Secrets Manager:
    • Create a Secret with the name ’nirmata-license-key’ and type “Other type of secret”
    • In Key/Value pairs, add the license as plaintext image
    • Next, create the ClusterSecretStore as follows:
cat <<EOF | kubectl apply -f - 
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: eksa-secret-store
spec:
  provider:
    aws:  # set secretStore provider to AWS.
      service: SecretsManager
      region: us-west-1  # Region where the secret is.
      auth:
        secretRef:
          accessKeyIDSecretRef: 
            name: aws-secret # References the secret we created
            namespace: default
            key: access-key  
          secretAccessKeySecretRef:
            name: aws-secret
            namespace: default
            key: secret
EOF

Deploy Enterprise Kyverno as an Amazon EKS-A add-on

Follow the instructions here to deploy Kyverno your Amazon EKS-A Cluster.

Nirmata Enterprise Kyverno Add-on repository is here.

The exact command to install the Kyverno add-on is:

flux create kustomization addons-kyverno --source=addons \
      --path="./eks-anywhere-common/Addons/Partner/Nirmata/Kyverno" \
      --prune=true  --interval=5m

Once the add-on is installed, you can verify that the Kyverno pods are running using the command:

kubectl get pods -n kyverno