Control your EKS fleet with systems manager
How to use AWS Systems Manager to install agents or to configure your EKS worker nodes automatically.
Customers that run self-hosted EKS clusters may need a way to manage their worker nodes for compliance, security, or operational reasons. For example, you may need to install a monitoring agent on the EKS worker nodes to validate system configuration or to run vulnerability scans on each node in the cluster.
Release installs the AWS Systems Manager Agent (SSM Agent) on each node in advance, so new clusters and nodes appear in the Fleet Manager and Operations Management sections of AWS Systems Manager as soon as they register.
Everything the SSM Agent does is controlled, audited, and logged inside your AWS account. You write an SSM document that defines the installation or configuration steps to execute on each node; a State Manager association then applies that document to nodes selected by tag, either once or on a recurring schedule. Documents can be shared with other AWS accounts in the same Region, and you can create and manage them via the AWS Console, AWS CLI, Terraform, or any other tool that calls the Systems Manager API.
To apply a document to your nodes:
Create an SSM document (or pick an AWS-managed one) that installs or configures the software you need.
Create a State Manager association that targets nodes by tag (or applies to all nodes).
Give the association a schedule so the document is re-applied at set intervals.
Example: Installing Vanta Agent
Here we install the Vanta Agent on each node in a cluster. The steps are general; you can follow them for any configuration or installation task.
1. Create an SSM document
The SSM document is a YAML or JSON file that describes parameters, steps, and configuration options to apply to nodes. AWS provides a library of managed documents that cover the common cases.
Here we use the AWS-managed document AWS-RunRemoteScript. This generic template downloads a script or file from GitHub or S3 and then executes it on either a Linux or Windows instance.
For Linux, run the installation script from GitHub and supply an API key. For the Windows agent, download a signed installer from the Vanta Agent website and store the binary in S3 for installation.
When you fill in the document parameters:
Specify the source (the GitHub repository and path, or the S3 path) of the script or binary to run.
Specify the command line for the Linux or Windows installation. Rather than pasting the Vanta key into the document, reference it from Parameter Store with the {{ssm:parameter-name}} syntax (or from Secrets Manager), so Systems Manager resolves it when the command runs on the node.
Set a temporary working directory for the installation.
The installation then runs on each targeted node, with the right command line for each distribution.
2. Create a Fleet Association
To associate the SSM document with nodes in your cluster, follow the State Manager association guide in the AWS documentation.
You target nodes by tag key and value, as in the table below. The simplest choice is to select all instances; you can also use Resource Groups (see the AWS documentation). We don't recommend picking instances by hand, because nodes that join the cluster later would be missed.
Here are some common tags for EKS clusters:

Target                              Tag key                          Tag value
Any EKS worker node                 alpha.eksctl.io/cluster-name     (any value)
Only nodes in a specific cluster    alpha.eksctl.io/cluster-name     <your-cluster-name>
Nodes marked production             VantaOwner                       admin@you.com

The alpha.eksctl.io/cluster-name tag is applied by eksctl; nodes created by EKS managed node groups carry eks:cluster-name instead, so check which tags your instances actually have before you write the target.
3. Create a Schedule
Give the State Manager association a schedule expression (a rate or cron expression) so the document is re-applied:
to any nodes added to your cluster,
if the application is somehow uninstalled, or
if the application stops working.
This keeps all nodes up to date as they are added, removed, or changed. The shortest interval an association accepts is 30 minutes, and a run that fails on a node marks that node non-compliant in State Manager, which is how a missing or broken agent shows up.
Specify a logging bucket
Set an S3 output location on the association so the stdout and stderr of every run are written to a bucket you control. Treat the bucket as sensitive: anything the install script prints, including values substituted into the command line, ends up there.
Check it's working
After the first scheduled run you can inspect the output in the S3 bucket. You can also view progress and events in the State Manager association's execution history, and the node inventory in the Fleet Manager dashboard. If a node never appears as a managed instance, the usual cause is the node's instance role: it must allow the agent to register with Systems Manager, for example via the AmazonSSMManagedInstanceCore managed policy.
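The three steps above, as an added example written around the AWS CLI (not Release's or Vanta's own tooling): it assembles the AWS-RunRemoteScript parameters with a Parameter Store reference for the key, builds tag targets for either one cluster or any eksctl-tagged node, and prints the create-association call with a 30-minute schedule and an S3 output location, plus a helper that lists the association's runs. The GitHub owner, repository and script path, the parameter name /vanta/agent-key, the bucket name and the cluster name are all placeholders. A private repository would also need a tokenInfo entry in sourceInfo, and whether a SecureString parameter resolves inside an association should be confirmed against the current AWS documentation before relying on it.

```shell
#!/bin/sh
# Added example, not Release's or Vanta's code. Builds a State Manager
# association that runs AWS-RunRemoteScript on tagged EKS worker nodes.
# All names below (repo, script, parameter, bucket, cluster) are placeholders.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-prod-eks}"          # assumed cluster name
LOG_BUCKET="${LOG_BUCKET:-my-ssm-logs}"           # assumed S3 bucket for output
KEY_PARAM="${KEY_PARAM:-/vanta/agent-key}"        # assumed Parameter Store name
SCRIPT_OWNER="your-org"                           # assumed GitHub owner
SCRIPT_REPO="vanta-bootstrap"                     # assumed GitHub repository
SCRIPT_PATH="install-vanta.sh"                    # assumed path inside the repo

# AWS-RunRemoteScript parameters. Every value is a list of strings, the shape
# `aws ssm create-association --parameters` expects. sourceInfo is itself a
# JSON object encoded as a string. {{ssm:NAME}} is expanded by Systems
# Manager when the command runs, so the key never sits in the association.
build_params() {
  local owner="$1" repo="$2" path="$3" key_param="$4"
  cat <<EOF
{
  "sourceType": ["GitHub"],
  "sourceInfo": ["{\"owner\":\"${owner}\",\"repository\":\"${repo}\",\"path\":\"${path}\",\"getOptions\":\"branch:main\"}"],
  "commandLine": ["bash ${path} {{ssm:${key_param}}}"],
  "workingDirectory": ["/tmp/vanta-install"]
}
EOF
}

# Targets. "tag:<key>" pins one cluster by tag value; "tag-key" matches every
# instance carrying the tag, whatever its value (any eksctl-created node).
build_targets() {
  local mode="$1" cluster="${2:-}"
  case "$mode" in
    cluster) printf '[{"Key":"tag:alpha.eksctl.io/cluster-name","Values":["%s"]}]' "$cluster" ;;
    any)     printf '[{"Key":"tag-key","Values":["alpha.eksctl.io/cluster-name"]}]' ;;
    *)       echo "unknown target mode: $mode" >&2; return 1 ;;
  esac
}

# Execute the command when APPLY=1, otherwise print one argument per line so
# the assembled call can be reviewed first.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$@"; fi
}

# rate(30 minutes) is the shortest interval State Manager accepts. Each run
# writes stdout/stderr under the S3 prefix; a failed run marks the node
# non-compliant, which is how an uninstalled or broken agent surfaces.
create_association() {
  local mode="$1" targets params
  targets="$(build_targets "$mode" "$CLUSTER_NAME")"
  params="$(build_params "$SCRIPT_OWNER" "$SCRIPT_REPO" "$SCRIPT_PATH" "$KEY_PARAM")"
  run aws ssm create-association \
    --association-name "vanta-agent-${CLUSTER_NAME}" \
    --name AWS-RunRemoteScript \
    --targets "$targets" \
    --parameters "$params" \
    --schedule-expression "rate(30 minutes)" \
    --compliance-severity HIGH \
    --max-concurrency "25%" \
    --max-errors "10%" \
    --output-location "S3Location={OutputS3BucketName=${LOG_BUCKET},OutputS3KeyPrefix=ssm/vanta/${CLUSTER_NAME}}"
}

# Check step: list the association's runs. Takes the AssociationId returned
# by create-association; a Status other than Success means a node needs a look.
check_association() {
  local association_id="$1"
  run aws ssm describe-association-executions \
    --association-id "$association_id" \
    --query 'AssociationExecutions[].[ExecutionId,Status,CreatedTime]' \
    --output table
}

# Dry run: show the call that would target only nodes tagged for $CLUSTER_NAME.
create_association cluster
```

Run it once without APPLY to read the assembled arguments, then with APPLY=1 to create the association; pass the returned AssociationId to check_association after the first interval. Because the plain {{ssm:...}} reference is expanded into the command line, restrict read access to the S3 output prefix the same way you restrict the parameter itself.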