
Add Amazon EKS clusters

You can add Amazon Elastic Kubernetes Service (EKS) clusters to AWS accounts you've added to Sophos Cloud Optix.

Restriction

Sophos Cloud Optix doesn't support private EKS clusters.

When you add an AWS environment, Sophos Cloud Optix automatically detects Amazon Elastic Kubernetes Service (Amazon EKS) clusters and does the following:

  • Populates the inventory with cluster and node group information about your EKS deployment.
  • Runs EKS-specific security checks based on Sophos's best practice policy for AWS.

If you also want the following, add your EKS clusters using the Sophos script:

  • A full EKS resource inventory, including pods, containers, services, network policies, and RBAC roles.
  • EKS nodes identified on the AWS Network Visualization pages in Sophos Cloud Optix.

Although there are several ways to add environments to Sophos Cloud Optix, using the script is the only way to get these additional features for EKS clusters.

Before you start

Before you can add EKS clusters to your environments, do as follows:

  • Install the AWS CLI (version 1.16.96 or later) on a Mac or Linux computer. See Installing the AWS CLI.
  • Install AWS IAM Authenticator for Kubernetes, which authenticates you to your EKS cluster. See Installing aws-iam-authenticator.
  • Install the kubectl utility to communicate with the cluster API server. Select the version that corresponds to your EKS cluster's Kubernetes version. See Installing kubectl.
  • Ensure that the AWS identity you're using to add the cluster has Kubernetes RBAC permissions in the EKS cluster. The script creates a service account and its RBAC objects, so the identity must be allowed to create them (for example, the identity that created the cluster, or one mapped to an admin group in the cluster's aws-auth ConfigMap).
  • Ensure that Endpoint Public Access is turned on. This is the default for new EKS clusters. Public access must be turned on so that Sophos Cloud Optix can reach your EKS cluster's API server from the internet. We recommend restricting this access to the Sophos Cloud Optix IP addresses (currently 184.169.234.229 and 52.52.72.162) by setting the endpoint's public access CIDR list. The CIDR list applies to every client that uses the public endpoint, including your own kubectl sessions and, if Endpoint Private Access is off, your worker nodes. Either also turn on Endpoint Private Access, or include the addresses those clients connect from, so you don't lock them out. You can modify your cluster API server endpoint access using the AWS Management Console or AWS CLI. See Amazon EKS Cluster Endpoint Access Control.
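The endpoint check and the restriction described in the last bullet, as an added example that is not part of the Sophos page or product. It audits the `resourcesVpcConfig` block of an `aws eks describe-cluster` response (the sample response, the cluster name `my-eks-cluster` and the admin CIDR `203.0.113.10/32` are constructed placeholders) and builds the `aws eks update-cluster-config` command that keeps the public endpoint on for Sophos, turns the private endpoint on for your nodes, and allows only the listed addresses. The Sophos addresses are the two quoted above; confirm the current list with Sophos before you apply it.

```python
"""Added example (not from the Sophos page): audit and restrict EKS API endpoint access.

Assumptions: the cluster name "my-eks-cluster", the admin CIDR and the describe-cluster
sample below are constructed for illustration. The only real-world side effect is the
AWS CLI command the helper builds; review it, then run it yourself.
"""
import shlex

# Sophos Cloud Optix collector addresses quoted on the page (verify the current list with Sophos).
SOPHOS_CLOUD_OPTIX_IPS = ["184.169.234.229", "52.52.72.162"]


def to_host_cidrs(ips):
    """Turn bare IPv4 addresses into /32 CIDRs, which is what publicAccessCidrs expects."""
    return [ip if "/" in ip else f"{ip}/32" for ip in ips]


def audit_endpoint_access(cluster, allowed_ips=SOPHOS_CLOUD_OPTIX_IPS):
    """Return findings for the resourcesVpcConfig of an `aws eks describe-cluster` response.

    An empty list means: public endpoint on, private endpoint on, and every public CIDR
    is one of the expected collector addresses.
    """
    vpc = cluster["cluster"]["resourcesVpcConfig"]
    findings = []
    if not vpc.get("endpointPublicAccess", False):
        findings.append("public endpoint access is off; Sophos Cloud Optix cannot reach the API server")
    cidrs = set(vpc.get("publicAccessCidrs", []))
    if "0.0.0.0/0" in cidrs:
        findings.append("public endpoint is open to the whole internet (0.0.0.0/0)")
    unexpected = sorted(cidrs - set(to_host_cidrs(allowed_ips)) - {"0.0.0.0/0"})
    if unexpected:
        findings.append(f"public endpoint allows addresses other than the expected collectors: {unexpected}")
    if not vpc.get("endpointPrivateAccess", False):
        findings.append("private endpoint access is off; nodes and in-VPC kubectl must be in publicAccessCidrs")
    return findings


def build_restrict_command(cluster_name, ips, admin_cidrs=()):
    """Build the AWS CLI argv that restricts the public endpoint to the given addresses.

    Keeps the public endpoint on (Sophos needs it), turns the private endpoint on so the
    nodes keep working, and allows only the collector addresses plus any admin CIDRs.
    The list-valued key is placed last because the CLI shorthand syntax parses
    `publicAccessCidrs=a,b` as one list.
    """
    cidrs = to_host_cidrs(ips) + list(admin_cidrs)
    vpc_config = (
        "endpointPublicAccess=true,"
        "endpointPrivateAccess=true,"
        "publicAccessCidrs=" + ",".join(cidrs)
    )
    return ["aws", "eks", "update-cluster-config",
            "--name", cluster_name,
            "--resources-vpc-config", vpc_config]


# Constructed sample: the default state of a new cluster, open to 0.0.0.0/0.
SAMPLE_DESCRIBE_CLUSTER = {
    "cluster": {
        "name": "my-eks-cluster",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    }
}

if __name__ == "__main__":
    for finding in audit_endpoint_access(SAMPLE_DESCRIBE_CLUSTER):
        print("FINDING:", finding)
    # Include your own admin CIDR (placeholder below) so you are not locked out of kubectl.
    print(shlex.join(build_restrict_command("my-eks-cluster", SOPHOS_CLOUD_OPTIX_IPS, ["203.0.113.10/32"])))
```

Re-run `aws eks describe-cluster --name my-eks-cluster --query cluster.resourcesVpcConfig` after the update completes and feed the JSON to `audit_endpoint_access` to confirm the change took effect; the update is asynchronous and the cluster reports `UPDATING` in the meantime.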

Running the script

Running the Sophos script creates a read-only service account in your EKS cluster and adds the cluster to your Sophos Cloud Optix account.

To add your cluster, do as follows:

  1. Click Environments.
  2. Find the AWS environment that has your Amazon EKS cluster.
  3. Under Actions, click the Kubernetes settings icon to find EKS clusters in your cloud.
  4. Select the EKS cluster you want to add.
  5. Download the Sophos Cloud Optix script.
  6. Run the script.
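After the script has run, it is worth confirming that the service account it created really is read-only before the collector starts using it. The following is an added example, not the Sophos script or part of the product: the namespace `sophos-cloud-optix`, the service account name `sophos-optix` and both manifests are constructed placeholders, since the page does not state the names the script uses. Fetch the real objects with `kubectl get clusterrolebinding,rolebinding -A -o json` and `kubectl get clusterrole <name> -o json`, and pass the parsed JSON to these functions.

```python
"""Added example (not the Sophos script): check that a service account's role is read-only.

Assumptions: namespace "sophos-cloud-optix", service account "sophos-optix" and the
manifests below are constructed placeholders. Replace them with the objects the script
actually created (kubectl get ... -o json, then json.load).
"""
READ_ONLY_VERBS = {"get", "list", "watch"}


def bindings_for_subject(bindings, namespace, name):
    """Return the roleRef names of every (Cluster)RoleBinding that includes the service account."""
    refs = []
    for binding in bindings.get("items", []):
        for subject in binding.get("subjects", []):
            if (subject.get("kind") == "ServiceAccount"
                    and subject.get("name") == name
                    and subject.get("namespace") == namespace):
                refs.append(binding["roleRef"]["name"])
    return refs


def audit_role(role):
    """Return findings for any rule granting more than get/list/watch, or covering secrets.

    Reading secrets is technically read-only but hands the collector every credential
    in the cluster, so it is reported too. An empty list means plain read-only access.
    """
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = rule.get("resources", [])
        for verb in sorted(verbs - READ_ONLY_VERBS):  # a wildcard "*" lands here as well
            findings.append(f"verb '{verb}' on {','.join(resources)} is not read-only")
        if "secrets" in resources or "*" in resources:
            findings.append(f"rule covers secrets ({','.join(resources)})")
    return findings


# Constructed sample: one ClusterRoleBinding for the placeholder service account.
SAMPLE_BINDINGS = {"items": [{
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "sophos-optix-reader"},
    "subjects": [{"kind": "ServiceAccount", "name": "sophos-optix",
                  "namespace": "sophos-cloud-optix"}],
    "roleRef": {"kind": "ClusterRole", "name": "sophos-optix-reader"},
}]}

# Constructed sample of what a read-only inventory role should look like.
SAMPLE_READ_ONLY_ROLE = {"kind": "ClusterRole", "metadata": {"name": "sophos-optix-reader"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "services", "namespaces", "nodes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["networkpolicies"], "verbs": ["get", "list"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["roles", "clusterroles", "rolebindings", "clusterrolebindings"],
     "verbs": ["get", "list"]},
]}

# Constructed sample of a role you would reject: cluster-admin in all but name.
SAMPLE_OVERBROAD_ROLE = {"kind": "ClusterRole", "metadata": {"name": "too-broad"}, "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]}

if __name__ == "__main__":
    roles = {"sophos-optix-reader": SAMPLE_READ_ONLY_ROLE, "too-broad": SAMPLE_OVERBROAD_ROLE}
    for ref in bindings_for_subject(SAMPLE_BINDINGS, "sophos-cloud-optix", "sophos-optix"):
        print(ref, "->", audit_role(roles[ref]) or "read-only")
```

The same result can be spot-checked live with `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name>`, which prints the verbs the API server will actually allow, including anything inherited through group bindings that a manifest review would miss.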