Will Hallam
ServiceNow Employee

Discovery and Service Mapping Patterns version 1.0.90 and up include support for automatically discovering Amazon Elastic Kubernetes Service (EKS) clusters running in your AWS account.  Here's an example of setting that up.

NOTE: This example comes with no support or warranty, explicit or implied.  Caveat emptor!

Platform Content

Ensure you have Discovery and Service Mapping Patterns (sn_itom_pattern) version 1.0.90 or higher installed.  After verifying that, on any platform release prior to Tokyo you also need to install an update set from support.servicenow.com -- the update set is attached at https://support.servicenow.com/sys_attachment.do?sys_id=4d679daf1be689100ccc85176e4bcb2b.

MID Server Config

The MID Server(s) used for discovering the AWS account(s) need IAM permission to read EKS objects and must have the AWS CLI installed.  In my example I ran my MID on an EC2 instance and assigned it an IAM role (via an instance profile) with the AWS-managed ViewOnlyAccess policy attached.  Be aware that ViewOnlyAccess grants list/describe access across most AWS services, which is considerably more than discovery needs; for a least-privilege setup, attach a custom policy limited to the read-only EKS actions the pattern actually calls (eks:ListClusters and eks:DescribeCluster are the obvious candidates; confirm against your MID logs) alongside whatever your existing AWS cloud discovery already requires.  The role ARN you map into each cluster below is this role's ARN, not the assumed-role session ARN the instance presents at runtime.


Ensure you have a suitable MID Security Policy created which will allow connections to *.amazonaws.com.  That pattern covers both the AWS service endpoints and the EKS cluster API servers, whose endpoints are also under amazonaws.com.  The MID must additionally be able to reach each cluster's API endpoint over the network: either the cluster's public endpoint access is enabled, or the MID sits in a VPC that can reach the private endpoint.

EKS Cluster Config

Each EKS cluster in the AWS account(s) must have the following:

- an IAM identity mapping between the MID server's IAM role and a Kubernetes user name, e.g. "servicenow-discovery" (eksctl writes this into the cluster's aws-auth ConfigMap; the --arn value is the role ARN, not an assumed-role ARN)

eksctl create iamidentitymapping --cluster hallam-2 --arn arn:aws:iam::111111111111:role/sn-mid --username servicenow-discovery

- a cluster role which allows get/list/watch on every resource in every API group.  Note that "every resource" includes Secrets, so this identity can read all secret material in the cluster; if that is not acceptable in your environment, enumerate the resource kinds discovery needs instead of using "*"

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: read-only
rules:
- apiGroups:
    # "*" already matches every API group, including the core group ("")
    # and named groups such as apps, so the explicit entries are redundant
    - "*"
  # "*" covers all resources, Secrets included (see the note above)
  resources: ["*"]
  # read-only verbs; no create/update/patch/delete
  verbs: ["get", "watch", "list"]

- a cluster role binding which ties the above cluster role to the user name assigned by the IAM mapping

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: discovery-global
subjects:
- kind: User
  name: servicenow-discovery
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: read-only
  apiGroup: rbac.authorization.k8s.io
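Before binding the cluster role above, it is worth checking exactly what it grants.  The script below is an added example, not part of the original post or of the ServiceNow pattern: it re-implements the rule-matching logic the Kubernetes RBAC authorizer applies (verb, API group, resource/subresource, optional resourceNames) and runs it against the ClusterRole from this post and against a narrower alternative.  The resource list in the narrower role is an assumption about what a discovery job reads; whether it is sufficient for the pattern has to be confirmed against your MID logs.

```python
"""Evaluate what the post's read-only ClusterRole actually grants (added example).

Minimal re-implementation of Kubernetes RBAC rule matching, run offline against
rule sets built inline. No cluster or kubectl needed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]
    resource_names: Tuple[str, ...] = ()


def _verb_matches(rule: Rule, verb: str) -> bool:
    return any(v == "*" or v == verb for v in rule.verbs)


def _group_matches(rule: Rule, group: str) -> bool:
    # "*" covers every API group, including the core group, whose name is "".
    return any(g == "*" or g == group for g in rule.api_groups)


def _resource_matches(rule: Rule, resource: str, subresource: str) -> bool:
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule.resources:
        if r == "*" or r == combined:
            return True
        # An entry like "*/status" matches that subresource on any resource.
        if subresource and r == f"*/{subresource}":
            return True
    return False


def _name_matches(rule: Rule, name: str) -> bool:
    # An empty resourceNames list means "any object of that resource".
    return not rule.resource_names or name in rule.resource_names


def can_i(rules: Iterable[Rule], verb: str, resource: str, group: str = "",
          subresource: str = "", name: str = "") -> bool:
    """True if any rule allows the request. RBAC is allow-only: no deny rules."""
    return any(
        _verb_matches(r, verb) and _group_matches(r, group)
        and _resource_matches(r, resource, subresource) and _name_matches(r, name)
        for r in rules
    )


# The ClusterRole from this post, expressed as a rule.
PAGE_READ_ONLY: List[Rule] = [
    Rule(api_groups=("apps", "extensions", "*", ""), resources=("*",),
         verbs=("get", "watch", "list")),
]

# Assumed narrower alternative (constructed for this example): only object kinds a
# discovery job is likely to read, so Secrets are never granted. Verify the list
# against the pattern's actual API calls before relying on it.
NARROW_READ_ONLY: List[Rule] = [
    Rule(api_groups=("",),
         resources=("namespaces", "nodes", "pods", "services", "endpoints",
                    "configmaps", "persistentvolumes", "persistentvolumeclaims"),
         verbs=("get", "list", "watch")),
    Rule(api_groups=("apps",),
         resources=("deployments", "replicasets", "statefulsets", "daemonsets"),
         verbs=("get", "list", "watch")),
    Rule(api_groups=("networking.k8s.io",), resources=("ingresses",),
         verbs=("get", "list", "watch")),
]

# (verb, resource, api group) requests to evaluate against each role.
CHECKS = [
    ("list", "pods", ""),
    ("get", "deployments", "apps"),
    ("get", "secrets", ""),                                   # credential material
    ("create", "pods", ""),                                   # must stay denied
    ("escalate", "clusterroles", "rbac.authorization.k8s.io"),  # must stay denied
]


def audit(rules: Iterable[Rule], checks) -> Dict[str, bool]:
    """Return {'verb resource[.group]': allowed} for each check."""
    rules = list(rules)
    return {f"{verb} {resource}" + (f".{group}" if group else ""):
            can_i(rules, verb, resource, group)
            for verb, resource, group in checks}


if __name__ == "__main__":
    for label, rules in (("post's read-only role", PAGE_READ_ONLY),
                         ("narrow role", NARROW_READ_ONLY)):
        print(label)
        for check, allowed in audit(rules, CHECKS).items():
            print(f"  {check:45s} {'ALLOW' if allowed else 'deny'}")
```

Running it shows the post's role allowing "get secrets" while the narrow role denies it, with both denying every write verb.  The equivalent check on a real cluster, once the binding is applied, is `kubectl auth can-i --list --as=servicenow-discovery` (or `kubectl auth can-i get secrets --as=servicenow-discovery`), which exercises the authorizer itself rather than this re-implementation.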

Platform Properties

To enable EKS schedule creation from cloud discovery, the following system properties must be set in your instance (e.g. "sys_properties.list"):

- set sn_itom_pattern.k8s_midserver to the name of a MID which has the setup described above

- set sn_itom_pattern.k8s_create_schedule_enabled to "true"


Discovery Schedule

Create a discovery schedule which targets the AWS account which contains the EKS clusters.  Execute the schedule. 


After the AWS discovery schedule completes, you should see a new serverless discovery schedule listed for each EKS cluster.  You should also see each EKS cluster listed in the Kubernetes Cluster CMDB table (e.g., "cmdb_ci_kubernetes_cluster.list").  If a cluster is discovered but no schedule appears, re-check the two sn_itom_pattern properties above and that the named MID is the one with the IAM role and CLI setup.


The new serverless schedules run on a staggered daily timeframe by default.  The Discovery documentation describes the system properties that adjust the scheduling algorithm.


Version history
Last update: 06-14-2022 01:34 PM