Install the Snyk controller on Amazon Elastic Kubernetes Service (Amazon EKS)
Installing the Snyk controller enables you to import and test your running EKS workloads and identify vulnerabilities in their associated images and configurations that might make those workloads less secure. Once imported, Snyk continues to monitor those workloads, identifying additional security issues as new images are deployed and the workload configuration changes.
You have the option of deploying the Snyk controller for Amazon EKS as an official AWS Quick Start. This option eliminates the need for manual configuration. Deploying this Quick Start with default parameters into an existing Amazon EKS cluster builds the following environment.
There are three deployment options to match the most common use cases:
1. You already have an Amazon EKS cluster running in your AWS account.
2. You already have an Amazon Virtual Private Cloud (Amazon VPC) but need an Amazon EKS cluster with the Snyk controller deployed to it.
3. You have neither an Amazon VPC nor an Amazon EKS cluster and need all services created, with the Snyk controller deployed to the cluster.

Prerequisites

Feature availability: This feature is available with all paid plans. See pricing plans for more details.
  • An administrator account for your Snyk organization.
  • A minimum of 50 GB of storage must be available in the form of an emptyDir on the cluster.
  • Your Kubernetes cluster needs to be able to communicate with Snyk outbound over HTTPS.
  • When configuring Snyk to integrate with an Amazon Elastic Kubernetes Service (EKS) cluster, if you wish to scan images hosted in your Amazon Elastic Container Registry (ECR), you may also deploy our Quick Start, Snyk Security on AWS, to enable this integration.

Configure snyk-monitor to pull and scan images from ECR

For all of the options above, add the IAM policy that can be found here to your EKS worker nodes so that snyk-monitor can pull private images when running on those nodes.
If you do not want to assign an IAM role to a node group, you can use IAM Roles for Service Accounts (IRSA) instead and configure snyk-monitor as follows:
  • Set an IAM role for a service account (see IAM roles for Service Accounts).
  • Change the fsGroup of the mounted EKS credentials in snyk-monitor to the user nobody (uid 65534).
  • Annotate the snyk-monitor service account with the IAM role.
    helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
      --namespace snyk-monitor \
      --set securityContext.fsGroup=65534 \
      --set rbac.serviceAccount.annotations."eks.amazonaws.com/role-arn"="<iam role name>" \
      --set volumes.projected.serviceAccountToken=true
NOTE: Please review the parameter reference prior to deployment.
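A preflight and post-deploy check for this IRSA set-up, as an added shell example that is not Snyk's tooling or part of this page: it validates that the value passed to the `eks.amazonaws.com/role-arn` annotation is a full IAM role ARN (the annotation takes the role ARN, not a bare role name), builds the helm command above using only the chart values named on this page, and inspects an exported ServiceAccount manifest for the annotation. The function names and the ARN regex are assumptions, the account id 123456789012 is a placeholder, and the manifest is constructed sample text rather than real cluster output.

```shell
#!/bin/sh
# Preflight helper for the IRSA deployment of snyk-monitor described above.
# Added example (not Snyk tooling). Assumes only the chart values named on the
# page: securityContext.fsGroup, rbac.serviceAccount.annotations and
# volumes.projected.serviceAccountToken. Account id 123456789012 is a placeholder.

# Returns 0 when $1 is a well-formed IAM role ARN. The IRSA annotation
# eks.amazonaws.com/role-arn needs the full ARN; a bare role name is rejected
# here before anything is sent to the cluster.
is_iam_role_arn() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Prints the helm command from the page for the given role ARN and namespace
# (default snyk-monitor). Prints nothing and returns 1 if the ARN is malformed.
build_snyk_monitor_helm_cmd() {
  role_arn="$1"
  ns="${2:-snyk-monitor}"
  is_iam_role_arn "$role_arn" || return 1
  printf 'helm upgrade --install snyk-monitor snyk-charts/snyk-monitor --namespace %s --set securityContext.fsGroup=65534 --set rbac.serviceAccount.annotations."eks.amazonaws.com/role-arn"=%s --set volumes.projected.serviceAccountToken=true\n' \
    "$ns" "$role_arn"
}

# Post-deploy check: reads a ServiceAccount manifest (e.g. the output of
# kubectl get sa snyk-monitor -n snyk-monitor -o yaml) on stdin and returns 0
# only when the IRSA annotation is present and carries a well-formed role ARN.
# Quotes around the YAML value are tolerated.
sa_has_irsa_annotation() {
  arn=$(sed -n 's/^[[:space:]]*eks\.amazonaws\.com\/role-arn:[[:space:]]*//p' |
    sed 's/"//g' | head -n 1)
  [ -n "$arn" ] && is_iam_role_arn "$arn"
}

# Constructed sample manifest (not real cluster output) used by the demo below.
SAMPLE_SA_MANIFEST='apiVersion: v1
kind: ServiceAccount
metadata:
  name: snyk-monitor
  namespace: snyk-monitor
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/snyk-monitor-ecr"'

# Demo run with the placeholder ARN.
build_snyk_monitor_helm_cmd 'arn:aws:iam::123456789012:role/snyk-monitor-ecr'
if printf '%s\n' "$SAMPLE_SA_MANIFEST" | sa_has_irsa_annotation; then
  echo "snyk-monitor service account: IRSA annotation OK"
else
  echo "snyk-monitor service account: IRSA annotation missing or malformed"
fi
```

The ARN check is deliberately strict: a typo in the annotation does not fail the helm install, it only shows up later as image pulls from ECR being denied, so catching it before deployment saves a debugging round. The manifest check is the matching test to run after `helm upgrade` to confirm the annotation actually landed on the service account.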