Configuring an AWS Managed Collector scraper with an EKS cluster in API authentication mode

0

I have several active EKS clusters that are configured in API authentication mode in their access configuration. I'm trying to work out how to add an AWS Managed Collector for Amazon Managed Prometheus as per this guide but all the instructions relate to updating the cluster aws-auth ConfigMap to grant access to the collector, which isn't relevant in API authentication mode.

I have tried adding an EKS access entry instead, but the access entry refuses to create, giving the error (console or CLI):

The caller is not allowed to modify access entries with a principalArn value of a Service Linked Role

but unfortunately the service-linked role is the only role available when the managed collector is created. Is there a way to grant the necessary access to the collector? The cluster authentication mode is a one-way decision and can't be reverted to API and ConfigMap anymore. Updating the ConfigMap isn't going to have any effect as long as the authentication mode is locked to API.

Simon H
asked 2 months ago, 355 views
2 Answers
2
Accepted Answer

AMP managed scraping is not yet supported with EKS access entries. This is a WIP and coming soon.

AWS
answered 2 months ago
EXPERT
reviewed a month ago
0

Unfortunately, modifying the ConfigMap will not grant the necessary access to the Amazon Managed Prometheus collector since it relies on a service-linked role.

Would you consider these options to troubleshoot?

  • Switch the cluster authentication mode to use both API and Web ID token authentication. This will enable using the aws-auth ConfigMap again. However, changing the authentication mode is not reversible.
  • Check if the necessary permissions can be granted to the service-linked role directly using IAM policies.
  • Stand up a separate EKS cluster just for use with the Amazon Managed Prometheus collector to leverage the standard configuration using the aws-auth ConfigMap.

Here is a doc about a similar use case. Enjoy. https://docs.aws.amazon.com/prometheus/latest/userguide/using-service-linked-roles.html

EXPERT
answered 2 months ago
