Unable to select active EKS cluster during enrollment despite API authentication mode enabled #49418

spiffaz · 2024-11-25T17:22:33Z

spiffaz
Nov 25, 2024

When attempting to enroll an EKS cluster through the Teleport Cloud portal, the cluster appears in the list as active but remains greyed out and unselectable. The cluster has API authentication mode enabled and all required IAM permissions are configured.
Relevant details:

Authentication modes: API, ConfigMap

IAM policy attached to role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:ListClusters", "eks:DescribeCluster", "eks:ListAccessEntries", "eks:CreateAccessEntry", "eks:DeleteAccessEntry", "eks:AssociateAccessPolicy", "eks:TagResource" ], "Resource": "*" } ] }

Teleport version is Teleport cloud

What could be missing and how can I fix this?

Answered by GavinFrazar

Nov 26, 2024

You have to hover over the EKS cluster to see a tooltip explaining why it's greyed out (we should make that tooltip more obvious).

That said, I'm guessing you need to enable public endpoint access.
Go to AWS console > EKS > your cluster > Networking, then:

Click "manage endpoint access"
select the "public and private" option
expand the "advanced settings"
click "add source"
add "0.0.0.0/0" as a source CIDR block
click "save changes"

This allows public API endpoint access from 0.0.0.0/0 (i.e anywhere, but still requires auth of course) so that your Teleport Cloud instance can reach it and install the Teleport kube agent (Teleport Cloud does not publish our IP ranges, that's why we say u…

View full answer

webvictim · 2024-11-26T12:27:27Z

webvictim
Nov 26, 2024
Collaborator

@GavinFrazar might be able to make a suggestion here.

1 reply

GavinFrazar Nov 26, 2024
Maintainer

You have to hover over the EKS cluster to see a tooltip explaining why it's greyed out (we should make that tooltip more obvious).

That said, I'm guessing you need to enable public endpoint access.
Go to AWS console > EKS > your cluster > Networking, then:

Click "manage endpoint access"
select the "public and private" option
expand the "advanced settings"
click "add source"
add "0.0.0.0/0" as a source CIDR block
click "save changes"

This allows public API endpoint access from 0.0.0.0/0 (i.e anywhere, but still requires auth of course) so that your Teleport Cloud instance can reach it and install the Teleport kube agent (Teleport Cloud does not publish our IP ranges, that's why we say use 0.0.0.0/0, sorry)

Once the Teleport kube agent is installed you don't need the public endpoint access anymore, so you can modify your cluster to only allow private API endpoint access again.

If you don't want to open up public endpoint access, then you have to install the teleport kube agent yourself with helm.
There's a guided enrollment wizard for that too, but it's called "Self-Hosted".

We also have a docs guide for doing it:
https://goteleport.com/docs/enroll-resources/kubernetes-access/register-clusters/iam-joining/

Answer selected by spiffaz

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to select active EKS cluster during enrollment despite API authentication mode enabled #49418

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Unable to select active EKS cluster during enrollment despite API authentication mode enabled #49418

spiffaz Nov 25, 2024

Replies: 1 comment · 1 reply

webvictim Nov 26, 2024 Collaborator

GavinFrazar Nov 26, 2024 Maintainer

spiffaz
Nov 25, 2024

Replies: 1 comment 1 reply

webvictim
Nov 26, 2024
Collaborator

GavinFrazar Nov 26, 2024
Maintainer