Enabling Webhook authorization mode

If your Kubernetes cluster was deployed with kops on AWS EC2 instances rather than on Amazon EKS, the kubelet must have Webhook authorization mode enabled.

Let's follow these steps: 

  1. Enable Webhook authorization mode using the following two flags. The first flag allows a ServiceAccount token to be used to authenticate against the kubelet. The second flag allows the kubelet to perform an RBAC request and decide whether the requesting resource, Amazon CloudWatch in this case, is allowed to access a resource endpoint:
--authentication-token-webhook=true 
--authorization-mode=Webhook
  1. You also need to add the necessary policy to the IAM role for your Kubernetes worker nodes. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  1. Under Resources, click on Running Instances:

  1. Select one of the worker node instances from the list and choose the IAM role on the Description tab. In our example, eksctl-adorable-rainbow-157155665-NodeInstanceRole-MOT7WBCOOOHE is the IAM role:

  1. On the Permissions tab, click on the Attach policies button:

  1. Inside the search box, type CloudWatchAgentServerPolicy and select the policy:

  1. Click on the Attach Policy button to attach the policy to your IAM role:

Now you have successfully enabled Webhook authorization mode and added the required policies to the IAM role.
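
To confirm that step 1 took effect, the following added example (not from the book) audits a kubelet command line for both flags. The function names and the sample command lines are constructed for illustration, and it assumes the kubelet is configured through flags rather than a --config file.

```shell
#!/bin/sh
# Added example: audit a kubelet command line for the two flags from step 1.
# On a node (assumption: kubelet is configured by flags, not a --config file):
#   check_kubelet_flags "$(tr '\0' ' ' < /proc/$(pgrep -o kubelet)/cmdline)"

# flag_value NAME CMDLINE: print the last value given for --NAME (empty if unset).
flag_value() {
    name=$1; val=""; prev=""
    for tok in $2; do                      # intentional word splitting
        case $tok in
            --"$name"=*) val=${tok#*=} ;;  # --flag=value
            --"$name")   val=true ;;       # bare boolean flag means true
            --*)         ;;                # some other flag
            *) if [ "$prev" = "--$name" ]; then val=$tok; fi ;;  # --flag value
        esac
        prev=$tok
    done
    printf '%s' "$val"
}

# check_kubelet_flags CMDLINE: report each setting; return 0 only if both pass.
check_kubelet_flags() {
    rc=0
    authn=$(flag_value authentication-token-webhook "$1")
    authz=$(flag_value authorization-mode "$1")
    if [ "$authn" = "true" ]; then
        echo "OK   ServiceAccount bearer tokens are accepted (TokenReview webhook)"
    else
        echo "FAIL --authentication-token-webhook=true is not set"; rc=1
    fi
    case $authz in
        Webhook) echo "OK   requests are authorized through the API server (RBAC)" ;;
        "")      echo "FAIL --authorization-mode is not set (flag default: AlwaysAllow)"; rc=1 ;;
        *)       echo "FAIL --authorization-mode=$authz, expected Webhook"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample command lines (not taken from a real node).
GOOD_CMDLINE='/usr/local/bin/kubelet --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook'
BAD_CMDLINE='/usr/local/bin/kubelet --authentication-token-webhook=false --authorization-mode=AlwaysAllow'

check_kubelet_flags "$GOOD_CMDLINE"
check_kubelet_flags "$BAD_CMDLINE" || echo "second command line needs the flags from step 1"
```

A non-zero return means at least one of the two flags is missing or set to a different value, so the function can gate a node bootstrap or compliance script.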
