EKS

At a glance: Connect your EKS clusters to OX Security so we can map your organization's security vulnerabilities from code to cloud.

Important! Your OX organization must be connected to AWS before connecting to EKS.

Overview

For the OX Attack Path feature to provide a full code-to-cloud map of your organization's security vulnerabilities, OX must be able to query individual Kubernetes clusters. To facilitate this integration for EKS, we have provided a Python utility (the OX EKS connector script) that executes the required conﬁguration processes.

Best practices for using the script

This article describes the steps for running the OX EKS connector script, which is downloadable from the OX platform. The script as provided is fully functional, but we recommend that you don’t run it “as-is.” Instead, provide it to your DevOps team to use as a reference for adapting the configuration to your environment or IaC (infrastructure as code) framework.

What does the OX EKS connector script do?

The script performs the following key operations:

Creates a dedicated namespace named oxsecurity.
Creates a service account named ox-service-account within the oxsecurity namespace.
Creates a read-only ClusterRole named ox-security-read-only.
Establishes a ClusterRoleBinding to link the ox-security-read-only role to the ox-service-account.
Updates the aws-auth conﬁgMap to ensure proper IAM identity mapping between the ox-security-read-only role and the ox-service-account.

Note that the script:

Does not install workloads into the cluster itself.
Requires separate execution on each cluster.

Running the script

Before you continue:

Ensure your OX organization is connected to AWS.
Install the following standard command-line utilities if they are not already installed:
- AWS CLI
- eksctl
- kubectl

Additional details about these utilities are available on the AWS documentation site.

Tip: The process for downloading and connecting using the OX EKS connector script includes steps in the OX platform and the AWS CLI. We recommend keeping both open as you complete the connection.

To run the OX EKS connector script:

Part 1: Download the script

From the OX side navigation menu, go to the Connectors page.
Search for EKS using the Search field in the upper-right corner of the page or scroll down to the Kubernetes section.
Click the EKS connector square .
In the Configure your EKS credentials dialog, click the button.

Part 2: Copy the AWS CLI command

In the same dialog, click INSTRUCTIONS: EKS CONNECTION.
In the instructions that open, scroll down to find the command to run in the AWS CLI.
- The command looks similar to the following: python eks_ox_onboarding.py --cluster {CLUSTER_NAME} --arn {YOUR_ORGANIZATION'S_ARN_VALUE} --region {REGION}
Copy the command to a code or text editor.
In the command you copied:
- Change {CLUSTER_NAME}and {REGION} to the correct values for the EKS cluster you're connecting.
- We've already provided the value for the --arn parameter based on your OX AWS connection, so you shouldn't need to change it except in the following circumstances:
  - Important! If your OX AWS connection was set up using the Organization option (see image below), replace the AWS Account ID in the provided --arn parameter with the AWS Account ID of the EKS cluster you are connecting.

Part 3: Connect your EKS clusters

From the AWS CLI command prompt, run the command you copied (as modified according to the instructions above).
Run the script individually for each EKS cluster you are connecting, making the appropriate changes each time to the {CLUSTER_NAME}and {REGION} values (and, if necessary, to the --arn parameter, as discussed above).

Part 4: Finalize the connection

Once you've run the script for all relevant EKS clusters, return to the Configure your EKS credentials dialog in the OX platform.
- If you've closed the dialog, reopen it by following steps 1-3 of Part 1, above.
Click the button.

Last updated 2 months ago