EKS

At a glance: Connect your EKS clusters to OX Security so we can map your organization's security vulnerabilities from code to cloud.

Important! Your OX organization must be connected to AWS before connecting to EKS.

Overview

For the OX Attack Path feature to provide a full code-to-cloud map of your organization's security vulnerabilities, OX must be able to query individual Kubernetes clusters. To facilitate this integration for EKS, we have provided a Python utility (the OX EKS connector script) that executes the required configuration processes.

Best practices for using the script

This article describes the steps for running the OX EKS connector script, which is downloadable from the OX platform. The script as provided is fully functional, but we recommend that you don’t run it “as-is.” Instead, provide it to your DevOps team to use as a reference for adapting the configuration to your environment or IaC (infrastructure as code) framework.

What does the OX EKS connector script do?

The script performs the following key operations:

  • Creates a dedicated namespace named oxsecurity.

  • Creates a service account named ox-service-account within the oxsecurity namespace.

  • Creates a read-only ClusterRole named ox-security-read-only.

  • Establishes a ClusterRoleBinding to link the ox-security-read-only role to the ox-service-account.

  • Updates the aws-auth configMap to ensure proper IAM identity mapping between the ox-security-read-only role and the ox-service-account.

Note that the script:

  • Does not install workloads into the cluster itself.

  • Requires separate execution on each cluster.
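The manifests below are an added example, not the OX connector script itself: they show the four Kubernetes objects the list above describes (namespace, service account, read-only ClusterRole, ClusterRoleBinding) in plain YAML so that a DevOps team can review or port them into an IaC framework. The resource list in the ClusterRole is an assumption chosen to illustrate least privilege; the vendor's script may grant a different set, so compare against the script you download before applying anything.

```yaml
# Added example (not the OX script). Object names match the ones the script creates;
# the ClusterRole's resource list is an assumption and should be reconciled with the
# downloaded script before use.
apiVersion: v1
kind: Namespace
metadata:
  name: oxsecurity
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ox-service-account
  namespace: oxsecurity
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ox-security-read-only
rules:
  # Read-only verbs only: no create/update/patch/delete, and no pods/exec,
  # pods/portforward or pods/attach subresources, which would allow code execution.
  - apiGroups: [""]
    resources: ["namespaces", "nodes", "pods", "services", "serviceaccounts", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
    verbs: ["get", "list", "watch"]
  # Deliberately omitted: "secrets". Even "get"/"list" on secrets returns their
  # contents, so add it only if the integration demonstrably requires it.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ox-security-read-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ox-security-read-only
subjects:
  - kind: ServiceAccount
    name: ox-service-account
    namespace: oxsecurity
```

The fifth operation, the aws-auth mapping, is intentionally not written as a full ConfigMap here: applying a complete aws-auth ConfigMap replaces the existing mapRoles entries, including the node instance role, and can lock worker nodes out of the cluster. Add the single entry instead, for example with `eksctl create iamidentitymapping --cluster {CLUSTER_NAME} --region {REGION} --arn {YOUR_ORGANIZATION'S_ARN_VALUE} --username system:serviceaccount:oxsecurity:ox-service-account`, which maps the IAM role to the service account's identity so the ClusterRoleBinding above applies to it (the username form is an assumption about how the mapping is wired, not something the page states). After applying, verify the effective permissions with `kubectl auth can-i --list --as=system:serviceaccount:oxsecurity:ox-service-account` and confirm that `kubectl auth can-i get secrets -A --as=system:serviceaccount:oxsecurity:ox-service-account` answers `no`.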

Running the script

Before you continue:

  1. Ensure your OX organization is connected to AWS.

  2. Install the following standard command-line utilities if they are not already installed:

    • AWS CLI

    • eksctl

    • kubectl

Additional details about these utilities are available on the AWS documentation site.

Tip: The process for downloading and connecting using the OX EKS connector script includes steps in the OX platform and the AWS CLI. We recommend keeping both open as you complete the connection.

To run the OX EKS connector script:

Part 1: Download the script

  1. From the OX side navigation menu, go to the Connectors page.

  2. Search for EKS using the Search field in the upper-right corner of the page or scroll down to the Kubernetes section.

Part 2: Copy the AWS CLI command

  1. In the same dialog, click INSTRUCTIONS: EKS CONNECTION.

    • The command looks similar to the following: python eks_ox_onboarding.py --cluster {CLUSTER_NAME} --arn {YOUR_ORGANIZATION'S_ARN_VALUE} --region {REGION}

  2. Copy the command to a code or text editor.

  3. In the command you copied:

    • Change {CLUSTER_NAME} and {REGION} to the correct values for the EKS cluster you're connecting.

    • We've already provided the value for the --arn parameter based on your OX AWS connection, so you shouldn't need to change it except in the following circumstances:

Part 3: Connect your EKS clusters

  1. From the AWS CLI command prompt, run the command you copied (as modified according to the instructions above).

  2. Run the script individually for each EKS cluster you are connecting, making the appropriate changes each time to the {CLUSTER_NAME} and {REGION} values (and, if necessary, to the --arn parameter, as discussed above).

Part 4: Finalize the connection

  1. Once you've run the script for all relevant EKS clusters, return to the Configure your EKS credentials dialog in the OX platform.

    • If you've closed the dialog, reopen it by following steps 1-3 of Part 1, above.

Copyright ©2024 OX Security. All rights reserved.