EKS

EKS Resource Replication with Arpio

EKS Cluster

Arpio replicates EKS Clusters hosted inside AWS to your recovery environment.  Outpost clusters are not supported.

The following EKS cluster attributes are translated when a cluster is replicated into the recovery environment:

| Attribute | Translation |
| --- | --- |
| EncryptionConfig | Replicated without translation |
| Logging | Replicated without translation |
| Name | Replicated without translation |
| NetworkConfig | Replicated without translation |
| OutpostConfig | Replicated without translation |
| Tags | Replicated without translation |
| VPC Config Private Access | Replicated without translation |
| VPC Config Public Access | Replicated without translation |
| VPC Config Public Access CIDRs | Replicated without translation |
| VPC Config Security Group IDs | Replicated without translation |
| Version | Replicated without translation |
| Role ARN | Translated to the equivalent role in the recovery environment |
| VPC Config Subnet IDs | Translated to the subnet IDs produced by translating the underlying VPC |

The following internal Kubernetes attributes are translated when a cluster is replicated into the recovery environment:

| Internal Attribute | Translation |
| --- | --- |
| IAM Roles in aws-auth configmap | Translated to the equivalent roles in the recovery environment |
| ECR Images owned by the primary account | Translated to the replicated ECR repositories in the recovery environment |
| ECR Images owned by other accounts | Replicated to the recovery environment without translation |
| DockerHub and other external image references | Replicated to the recovery environment without translation |
| eks.amazonaws.com/role-arn annotations | Pointed to the mirrored IAM roles |
| EFS Volume IDs in PersistentVolumes | Translated to the replicated EFS volumes |
| alb.ingress.kubernetes.io annotations | Translated to the relevant ARNs/IDs in the recovery environment |
| Secret objects | Not translated; encrypted in the source account to the recovery account's key |

EKS Addons

The following attributes are translated when an addon is replicated into the recovery environment:

| Attribute | Translation |
| --- | --- |
| Configuration Values | Replicated without translation |
| Name | Replicated without translation |
| Resolve Conflicts | Replicated without translation |
| Tags | Replicated without translation |
| Version | Replicated without translation |
| Service Account Role ARN | Translated to the equivalent role in the recovery environment |

EKS Fargate Profiles

The following attributes are translated when a Fargate profile is replicated into the recovery environment:

| Attribute | Translation |
| --- | --- |
| Name | Replicated without translation |
| Selectors | Replicated without translation |
| Tags | Replicated without translation |
| Pod Execution Role | Translated to the equivalent role in the recovery environment |
| Subnets | Translated to the subnet IDs produced by translating the underlying VPC |

EKS Nodegroups

The following attributes are translated when a nodegroup is replicated into the recovery environment:

| Attribute | Translation |
| --- | --- |
| AMI Type | Replicated without translation |
| Capacity Type | Replicated without translation |
| Disk Size | Replicated without translation |
| Instance Types | Replicated without translation |
| Labels | Replicated without translation |
| Launch Template | Replicated without translation |
| Name | Replicated without translation |
| Release Version | Replicated without translation |
| Remote Access SSH Key | Replicated without translation |
| Scaling Config | Replicated without translation |
| Tags | Replicated without translation |
| Taints | Replicated without translation |
| Update Config | Replicated without translation |
| Version | Replicated without translation |
| Remote Access Security Groups | Translated to the equivalent security groups in the recovery environment |
| Subnets | Translated to the subnet IDs produced by translating the underlying VPC |

Supported Integrations

Arpio mirrors the cluster's IAM OIDC provider configuration and the associated IAM role configurations so that controllers that use or manage AWS services continue to work in the recovery environment.

Method of Operation

Arpio's Kubernetes delegate uses the official Kubernetes Python client's dynamic API to discover and replicate the cluster resources available at the API level. One delegate function is created per Arpio application to access that application's publicly accessible clusters. For each private-only cluster, one additional delegate function is created and attached to the cluster's VPC subnets and cluster security group so that it can reach the Kubernetes control plane.

Because it uses the dynamic API, Arpio can discover and protect most cluster resources automatically, even in versions of Kubernetes released after the Arpio Kubernetes delegates were configured. Most integrations should be replicated faithfully, but some may require additional introspection or translation. Contact support@arpio.io if any translated resources are not handled correctly.
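As an added illustration of the translation rules in the internal attribute table above, the following Python pass rewrites one resource dict in the shape the dynamic client returns it. This is example code, not Arpio's delegate; the account IDs, regions and EFS mapping are constructed placeholders, and the assumption that replicated ECR repositories live in the recovery region is the example's own.

```python
import copy
import re

# Constructed example values: real account IDs, regions and EFS IDs come from the environments.
PRIMARY = {"account": "111111111111", "region": "us-east-1"}
RECOVERY = {"account": "222222222222", "region": "us-west-2"}
EFS_MAP = {"fs-0123456789abcdef0": "fs-0fedcba9876543210"}  # primary EFS id -> replicated EFS id
ROLE_ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):role/(\S+)")
ECR_IMAGE_RE = re.compile(r"^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com/(.+)$")

def translate_role_arn(arn):
    """Mirror a role ARN owned by the primary account into the recovery account."""
    m = ROLE_ARN_RE.fullmatch(arn)
    if not m or m.group(1) != PRIMARY["account"]:
        return arn  # roles in other accounts are left untouched
    return f"arn:aws:iam::{RECOVERY['account']}:role/{m.group(2)}"

def translate_image(image):
    """Point ECR images owned by the primary account at the replicated repository;
    other accounts' ECR images and DockerHub references are left untouched."""
    m = ECR_IMAGE_RE.match(image)
    if not m or m.group(1) != PRIMARY["account"]:
        return image
    return f"{RECOVERY['account']}.dkr.ecr.{RECOVERY['region']}.amazonaws.com/{m.group(3)}"

def translate_efs_handle(handle):
    """Map an EFS CSI volumeHandle ('fs-xxx' or 'fs-xxx::fsap-yyy') to the replicated filesystem."""
    fs_id, sep, rest = handle.partition("::")
    return EFS_MAP.get(fs_id, fs_id) + sep + rest

def translate_resource(obj):
    """Return a translated copy of one Kubernetes object dict; Secrets are copied through untranslated."""
    out = copy.deepcopy(obj)
    kind, meta = out.get("kind"), out.setdefault("metadata", {})
    if kind == "Secret":
        return out
    ann = meta.get("annotations", {})
    if "eks.amazonaws.com/role-arn" in ann:
        ann["eks.amazonaws.com/role-arn"] = translate_role_arn(ann["eks.amazonaws.com/role-arn"])
    if kind == "ConfigMap" and meta.get("name") == "aws-auth":
        # mapRoles is a YAML string; rewrite every rolearn it contains
        out["data"]["mapRoles"] = ROLE_ARN_RE.sub(lambda m: translate_role_arn(m.group(0)), out["data"]["mapRoles"])
    spec = out.get("spec", {})
    if kind == "PersistentVolume" and spec.get("csi", {}).get("driver") == "efs.csi.aws.com":
        spec["csi"]["volumeHandle"] = translate_efs_handle(spec["csi"]["volumeHandle"])
    # containers live at spec.containers (Pod) or spec.template.spec.containers (workloads)
    pod_spec = spec.get("template", {}).get("spec", spec)
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        c["image"] = translate_image(c["image"])
    return out
```

Objects from other API groups (Ingress annotations, for example) would need their own rules added the same way; the input dict is never modified in place.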

In the primary environment, Arpio requires permission to call DescribeCluster, the KMS permissions needed to encrypt the sensitive data and sign the whole resource set, read and write access to a scratch S3 bucket, and the permissions to maintain the ENIs that the delegate Lambda functions attached to your VPCs require.

In the recovery environment, Arpio requires permission to create new EKS clusters, the KMS permissions to validate the signature on the configuration and decrypt it, read access to the S3 bucket in which Arpio stores your cluster configurations, and read and write access to a separate scratch S3 bucket.

These primary and recovery environment permissions are configured for you automatically by the CloudFormation access stacks you create when you configure an Arpio application.

Private Cluster Networking

Arpio's Kubernetes delegate function must be able to reach the S3 service to move encrypted copies of configuration data into and out of your cluster. If the subnets your EKS cluster uses do not have Internet access, you can use PrivateLink endpoints so that the delegate function can reach S3 without exposing your cluster to the Internet.

Configure the following endpoint types in VPC subnets containing private EKS clusters protected by Arpio: