Some Kubernetes (K8s) clusters are not accessible to Orca with the default Orca role permissions (granted when the account is onboarded). To scan the cluster control-plane inventory, a few user actions are needed. This article describes those actions and guides you through onboarding your EKS cluster.
Grant the needed permissions to the Orca role
Run the following commands in AWS CloudShell to map the Orca IAM role to a Kubernetes user and grant that user read-only permissions (you may need to install the eksctl utility first):
1. Map the Orca scanner IAM role to a Kubernetes user named orca-scanner:
eksctl create iamidentitymapping --cluster <cluster-name> --region <region> --profile <aws-cli-profile> --username orca-scanner --arn arn:aws:iam::<account-id>:role/<role-id>
2. Check that kubectl is pointed at the wanted cluster:
kubectl config current-context
If your cluster name is "onboarding2", the response looks like this:
3. Create the cluster role and the binding between it and the user you created. Create the role first so the binding refers to an existing role; both objects are cluster-scoped, so the --namespace flag is ignored:
kubectl create clusterrole orca-scanner-role --verb=get,list --resource="*.*"
kubectl create clusterrolebinding orca-scanner-cluster-role-binding --clusterrole=orca-scanner-role --user=orca-scanner --namespace=orca-security
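The script below is an added example, not Orca's own tooling: it wraps the three steps above in a bash script that refuses to apply the RBAC objects unless the current kubectl context really is the wanted cluster, expresses the two kubectl create commands as a declarative manifest (handy for GitOps), and finishes with an impersonation check that proves the mapped user can list but not delete. The cluster name, region, AWS profile, account ID and role name are placeholders passed as arguments; the user, role and binding names are the ones the article uses.

```shell
# Added example (not Orca's code): guarded version of the onboarding steps.
# Assumed inputs: cluster name, region, AWS CLI profile, account ID and the
# Orca role name that Orca showed at onboarding (all placeholders).
set -eu

ORCA_USER="orca-scanner"
ORCA_CLUSTERROLE="orca-scanner-role"
ORCA_BINDING="orca-scanner-cluster-role-binding"

# context_matches_cluster CURRENT_CONTEXT CLUSTER_NAME
# Contexts written by `aws eks update-kubeconfig` are cluster ARNs ending in
# ":cluster/<name>"; contexts written by eksctl look like
# "<user>@<name>.<region>.eksctl.io". Succeeds only on an exact cluster match,
# so "onboarding2" does not match a context for "onboarding2-prod".
context_matches_cluster() {
  ctx="$1"; name="$2"
  case "$ctx" in
    *":cluster/${name}") return 0 ;;
    *"@${name}."*".eksctl.io") return 0 ;;
    *) return 1 ;;
  esac
}

# render_rbac_manifest: declarative equivalent of the two kubectl create
# commands. Both objects are cluster-scoped, so no namespace is set. Verbs are
# limited to get and list: read-only inventory, no write or watch access.
render_rbac_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${ORCA_CLUSTERROLE}
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${ORCA_BINDING}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${ORCA_CLUSTERROLE}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${ORCA_USER}
EOF
}

# onboard CLUSTER REGION AWS_PROFILE ACCOUNT_ID ROLE_NAME
# Runs the article's steps against a live cluster, aborting if kubectl is
# pointed somewhere else, then verifies the grant is read-only by impersonation.
onboard() {
  cluster="$1"; region="$2"; profile="$3"; account_id="$4"; role_name="$5"
  eksctl create iamidentitymapping --cluster "$cluster" --region "$region" \
    --profile "$profile" --username "$ORCA_USER" \
    --arn "arn:aws:iam::${account_id}:role/${role_name}"
  ctx="$(kubectl config current-context)"
  if ! context_matches_cluster "$ctx" "$cluster"; then
    echo "current context '$ctx' is not cluster '$cluster'; aborting" >&2
    return 1
  fi
  render_rbac_manifest | kubectl apply -f -
  # Expected: "yes" for list, "no" (non-zero exit) for delete.
  kubectl auth can-i list pods --all-namespaces --as="$ORCA_USER"
  ! kubectl auth can-i delete pods --all-namespaces --as="$ORCA_USER"
}
```

Run it as `onboard <cluster-name> <region> <aws-cli-profile> <account-id> <role-name>` from a shell where eksctl and kubectl are installed. Note that get and list on every resource in every API group also covers Secrets; if that is not acceptable in your environment, narrow the `resources` list in the ClusterRole, bearing in mind that the inventory Orca collects is then limited to what the role can read.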
Click the image below to see the access path diagram.
Configure the network policy
Add the Orca external IP to the cluster's public access source allowlist. If public access is allowed from anywhere (0.0.0.0/0, the default), no action is required.
If the list is restricted, add the following IP to the allowlist:
Connect the cluster to Orca
The request body should be:
Use the "cloud-account-ID" you collected earlier.
2. Verify that the onboarding succeeded using this GET endpoint:
The response should look like this:
That's it: the cluster is now onboarded, and the new inventory appears after the next scan.