To use a self-service cluster on AWS, perform additional configuration steps, including configuring cluster authentication and setting the hop limit.
Configure cluster authentication
When you create a self-service cluster on AWS, you can use the AWS CLI to allow the Secure Agent to authenticate to the cluster. Before you configure cluster authentication, ensure that the AWS CLI is installed on the Secure Agent machine.
In the kubeconfig file, configure kubectl to obtain its credentials from the AWS CLI, and specify which AWS CLI profile it should use. Environment variables that you set in the exec section of the kubeconfig take precedence over the environment variables that are configured in the Secure Agent's environment.
The following sample command demonstrates how to set up kubectl to use authentication tokens provided by AWS CLI authentication:
You can also authenticate a self-service cluster on AWS using Kubernetes client certificates and service account tokens. For more information about Kubernetes authentication strategies, see the Kubernetes documentation.
Note: In a cluster that uses AWS CLI authentication, a mapping might fail if it runs longer than the lifetime of the credentials that the AWS CLI issues. To avoid this, switch the cluster to service account token authentication and run the mapping again.
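The following kubeconfig is an added illustration, not a sample from this documentation, of the two authentication options described above: a user entry that obtains short-lived tokens from the AWS CLI through the exec mechanism, beside a user entry that presents a service account token for mappings that outrun the AWS CLI credentials. The cluster name, endpoint, region, profile name and the placeholder values in angle brackets are assumptions to be replaced with your own.

```yaml
apiVersion: v1
kind: Config
clusters:
- name: selfservice-eks                                  # placeholder cluster name
  cluster:
    server: https://EXAMPLE.gr7.us-east-1.eks.amazonaws.com   # placeholder endpoint
    certificate-authority-data: <base64-encoded cluster CA>   # placeholder
contexts:
- name: selfservice-eks-awscli
  context:
    cluster: selfservice-eks
    user: aws-cli-user
- name: selfservice-eks-sa
  context:
    cluster: selfservice-eks
    user: sa-token-user
# Select the AWS CLI option; switch to selfservice-eks-sa for long-running mappings.
current-context: selfservice-eks-awscli
users:
# Option 1: kubectl runs the AWS CLI on every call and uses the token it returns.
- name: aws-cli-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args:
      - eks
      - get-token
      - --cluster-name
      - selfservice-eks
      - --region
      - us-east-1
      # Variables set here override the same variables in the Secure Agent's
      # environment, so this profile is used even if AWS_PROFILE is exported.
      env:
      - name: AWS_PROFILE
        value: secure-agent                              # placeholder profile name
# Option 2: a service account token, which does not expire with the AWS CLI
# credentials; keep the kubeconfig readable only by the Secure Agent user.
- name: sa-token-user
  user:
    token: <service-account-token>                       # placeholder
```

Keep the kubeconfig file permissions restricted, since the service account token in option 2 is a long-lived bearer credential.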
Configure cluster nodes with IMDSv2
When you configure a self-service cluster on AWS with nodes that use Instance Metadata Service Version 2 (IMDSv2), ensure that the hop limit is 2 on the cluster nodes.
When you create a self-service cluster on Amazon EKS, cluster nodes have a hop limit of 2 by default.
For more information, refer to the AWS documentation.