An AWS CloudFormation resource type that deploys Trend Micro Cloud One Container Security into EKS clusters using helm.
An IAM role is used by CloudFormation to execute this resource type handler code. A CloudFormation template to create the exeecution role is available here
EKS clusters use IAM to allow access to the kubernetes API, as the CloudFormation resource types in this project interact with the kubernetes API, the IAM execution role must be granted access to the kubernetes API. This can be done in one of two ways:
- Create the cluster using CloudFormation: Currently there is no native way to manage EKS auth using CloudFormation
(+1 this GitHub issue to help prioritize native support).
For this reason we have published
AWSQS::EKS::Cluster. Instructions on activation and usage can be found here. - Manually: to allow this resource type to access the kubernetes API, follow the
instructions in the EKS documentation adding
the IAM execution role created above to the
system:mastersgroup. (Note: you can scope this down if you plan to use the resource type to only perform specific operations on the kubernetes cluster)
Activation can be done in one of the following ways:
Note that this must be done in each region you plan to use this resource type in.
Properties and return values for the resource type are documented here.
Documentation for the helm chart and it's values are available here.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
CloudOneHelmRelease:
Type: "TrendMicro::CloudOneContainer::Helm"
Properties:
ClusterID: my-cluster-name
Name: trendmicro-cloudone
Namespace: trendmicro-cloudone
Values:
cloudOne.admissionController.apiKey: {{resolve:secretsmanager:cloudone-api:SecretString:api-key}}
cloudOne.runtimeSecurity.apiKey: {{resolve:secretsmanager:cloudone-api:SecretString:api-key}}
cloudOne.runtimeSecurity.secret: {{resolve:secretsmanager:cloudone-api:SecretString:api-secret}}