AWS Resource Reference
      Back to home
      1. Arpio Documentation
      2. Reference Guides
      3. AWS Resource Reference

      Amazon Elastic Kubernetes Service (Amazon EKS)

      Amazon EKS Resource Replication with Arpio

      EKS Cluster

      Arpio replicates EKS Clusters hosted inside AWS to your recovery environment.  Outpost clusters are not supported.

      The following EKS cluster attributes are translated when a cluster is replicated into the recovery environment:

      Attribute Translation

      EncryptionConfig

      Logging

      Name

      NetworkConfig

      OutpostConfig

      Tags

      VPC Config Private Access

      VPC Config Public Access

      VPC Config Public Access CIDRs

      Version

      These attributes are replicated to your recovery environment without translation.
      Role ARN

      Translated to role in recovery environment

      VPC Config Subnet IDs

      Translated to IDs from translating underlying VPC

      VPC Config Security Group IDs

      Translated to IDs from translating referenced SG ID

      The following internal Kubernetes attributes are translated when a cluster is replicated into the recovery environment:

      Internal Attribute Translation

      IAM Roles in aws-auth configmap2

      Translated to equivalent roles in recovery environment

      ECR Images owned by primary accounts

      Translated to replicated ECR repositories in recovery environment

      ECR Images owned by other accounts

      Replicated to recovery environment without translation

      DockerHub and other external Image references

      Replicated to recovery environment without translation

      eks.amazonaws.com/role-arn annotations1,2

      Pointed to mirrored IAM roles

      EFS (and AP IDs)/EBS Volume IDs in PersistentVolumes1

      Translated to replicated EFS (and AP)/EBS volumes

      alb.ingress.kubernets.io annotations1,2

      Translated to relevant ARNs/IDs in target

      Secret objects1,2

      Encrypted in source account to target account key. Identifiers found in the source cluster will be translated in the recovery environment

      AWS Resource hostnames

      FQDNs that match other included resources are translated to target names

      AWS Resource Identifiers1

      Unique resource IDs belonging to reproduced resources are translated.  

      AWS Region ID references

      IDs that are not part of a larger string are translated from source to target region

      AWS Account IDs

      Stand alone references to accounts included in the source side of restores will be translated to the target of that sync pair

      AWS Availability Zone Ids/Names

      Base shared IDs along with account generic references will be translated.

      Bare AWS ARNs2

      Translated if referenced resource is also recovered

      1. AWS Resource Identifiers are known unique strings that are part of a resource’s state. Unambiguous AWS Resource Identifiers within a cluster typically qualify for translation. Learn more about how Arpio handles resource translation here.

      2. Bare ARNs are translated to match recovered resources in the cluster resource configuration.

      EKS Add-ons

      Because Arpio backs up and restores all resources within the EKS cluster, it is not necessary to separately restore add-ons, since the results of the add-ons being added in the primary environment are captured within the cluster resources.

      This ensures that the versions of all resources running in the recovery environment match the version that was running in the primary environment.

      EKS Fargate Profiles

      The following attributes are translated when a Fargate profile is replicated into the recovery environment:

      Attribute

      Translation

      Name

      Selectors

      Tags

      These attributes are replicated to your recovery environment without translation.

      Pod Execution Role

      Translated to role in recovery environment

      Subnets

      Translated to IDs from translating underlying VPC

      EKS Nodegroups

      The following attributes are translated when a nodegroup is replicated into the recovery environment:

      Attribute

      Translation

      AMI Type

      Capacity Type

      Disk Size

      Instance Types

      Labels

      Launch Template

      Name

      Release Version

      Scaling Config

      Tags

      Taints

      Update Config

      Version

      These attributes are replicated to your recovery environment without translation.

      Remote Access Security Groups

      Translated to equivalent security groups in recovery environment

      Subnets

      Translated to IDs from translating underlying VPC

      Remote Access SSH Key

      Untranslated, but will cause a failure if a key named the same in the target does not exist.

      Supported Integrations

      Arpio will mirror IAM OIDC Provider configurations and the appropriate role configurations within a cluster such that controllers using/controlling AWS services will work.

      Method of Operation

      Arpio's Kubernetes delegate uses the official Kubernetes Python client's dynamic API to discover and replicate cluster resources available at the API level.  One delegate function is created per Arpio application to access that application's public access clusters.  One additional delegate function is created and attached to Amazon VPC subnets and the cluster security group for each private-only cluster to ensure connectivity to the Kubernetes control plane.  

      By using this dynamic API, Arpio can discover and protect most cluster resources automatically, even in versions of Kubernetes released after the Arpio Kubernetes delegates were configured. Most integrations should be replicated faithfully, but some may require additional introspection or translation.

      Please contact us at support@arpio.io if any translated resources aren’t handled correctly.


      In the primary environment, Arpio requires permissions to call DescribeCluster, the KMS permissions required to encrypt the sensitive data, sign the whole resource set, read and write to a scratch S3 bucket, and maintain the ENIs required for delegate Lambda functions attached to VPCs.

      In the recovery environment, Arpio requires permissions to create new EKS clusters, the KMS permissions to validate the signature on and decrypt the configuration, read from the S3 bucket in which Arpio stores your cluster configurations, and read and write to a different scratch S3 bucket.  

      These primary and recovery environment permissions are configured for you automatically by the CloudFormation access stacks you create when you configure an Arpio application.

      Private Cluster Networking

      Arpio's Kubernetes delegate function needs to be able to contact the Amazon S3 service to get encrypted copies of configuration data in and out of your cluster.  If the subnets your EKS cluster is in do not have Internet access, you can use PrivateLink endpoints to allow the delegate function to access Amazon S3 without opening your cluster to the Internet.

      Configure the following endpoint types in VPC subnets containing private EKS clusters protected by Arpio: