awsdocs
diff --git a/‎latest/ug/networking/cni-increase-ip-addresses.adoc‎
Lines changed: 1 addition & 2 deletions b/‎latest/ug/networking/cni-increase-ip-addresses.adoc‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎latest/ug/security/cert-signing.adoc‎
Lines changed: 140 additions & 0 deletions b/‎latest/ug/security/cert-signing.adoc‎
Lines changed: 140 additions & 0 deletions
diff --git a/‎latest/ug/security/compliance.adoc‎
Lines changed: 0 additions & 4 deletions b/‎latest/ug/security/compliance.adoc‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎latest/ug/security/configuration-vulnerability-analysis.adoc‎
Lines changed: 0 additions & 7 deletions b/‎latest/ug/security/configuration-vulnerability-analysis.adoc‎
Lines changed: 0 additions & 7 deletions
diff --git a/‎latest/ug/security/default-roles-users.adoc‎
Lines changed: 193 additions & 0 deletions b/‎latest/ug/security/default-roles-users.adoc‎
Lines changed: 193 additions & 0 deletions
@@ -1,3 +1,4 @@
+//!!NODE_ROOT <section>
 [.topic]
 [[cni-increase-ip-addresses,cni-increase-ip-addresses.title]]
 = Assign more IP addresses to Amazon EKS nodes with prefixes
@@ -61,5 +62,3 @@ Consider the following when you use this feature:
 If you're also using <<security-groups-for-pods,security groups for Pods>>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used.
 
 
-[.topic]
-
@@ -0,0 +1,140 @@
+//!!NODE_ROOT <section>
+[.topic]
+[[cert-signing,cert-signing.title]]
+= Secure workloads with [.noloc]`Kubernetes` certificates
+:info_titleabbrev: Certificate signing
+
+include::../attributes.txt[]
+
+[abstract]
+--
+Learn how to request and obtain X.509 certificates from the Certificate Authority (CA) using Certificate Signing Requests (CSRs) in Amazon EKS, including details on migrating from legacy signers, generating CSRs, approving requests, and handling certificate signing considerations before upgrading to Kubernetes 1.24.
+--
+
+The [.noloc]`Kubernetes` Certificates API automates https://www.itu.int/rec/T-REC-X.509[X.509] credential provisioning. The API features a command line interface for [.noloc]`Kubernetes` API clients to request and obtain https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/[X.509 certificates] from a Certificate Authority (CA). You can use the `CertificateSigningRequest` (CSR) resource to request that a denoted signer sign the certificate. Your requests are either approved or denied before they're signed. [.noloc]`Kubernetes` supports both built-in signers and custom signers with well-defined behaviors. This way, clients can predict what happens to their CSRs. To learn more about certificate signing, see https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/[signing requests].
+
+One of the built-in signers is `kubernetes.io/legacy-unknown`. The `v1beta1` API of CSR resource honored this legacy-unknown signer. However, the stable `v1` API of CSR doesn't allow the `signerName` to be set to `kubernetes.io/legacy-unknown`.
+
+Amazon EKS version `1.21` and earlier allowed the `legacy-unknown` value as the `signerName` in `v1beta1` CSR API. This API enables the Amazon EKS Certificate Authority (CA) to generate certificates. However, in [.noloc]`Kubernetes` version `1.22`, the `v1beta1` CSR API was replaced by the `v1` CSR API. This API doesn't support the signerName of "`legacy-unknown.`" If you want to use Amazon EKS CA for generating certificates on your clusters, you must use a custom signer. It was introduced in Amazon EKS version `1.22`. To use the CSR `v1` API version and generate a new certificate, you must migrate any existing manifests and API clients. Existing certificates that were created with the existing `v1beta1` API are valid and function until the certificate expires. This includes the following:
+
+
+
+* Trust distribution: None. There's no standard trust or distribution for this signer in a [.noloc]`Kubernetes` cluster.
+* Permitted subjects: Any
+* Permitted x509 extensions: Honors subjectAltName and key usage extensions and discards other extensions
+* Permitted key usages: Must not include usages beyond ["key encipherment", "digital signature", "server auth"]
++
+NOTE: Client certificate signing is not supported.
+* Expiration/certificate lifetime: 1 year (default and maximum) 
+* CA bit allowed/disallowed: Not allowed
+
+
+[[csr-example,csr-example.title]]
+== Example CSR generation with signerName
+
+These steps shows how to generate a serving certificate for DNS name `myserver.default.svc` using `signerName: beta.eks.amazonaws.com/app-serving`. Use this as a guide for your own environment.
+
+. Run the `openssl genrsa -out myserver.key 2048` command to generate an RSA private key.
++
+[source,bash,subs="verbatim,attributes"]
+----
+openssl genrsa -out myserver.key 2048
+----
+. Run the following command to generate a certificate request.
++
+[source,bash,subs="verbatim,attributes"]
+----
+openssl req -new -key myserver.key -out myserver.csr -subj "/CN=myserver.default.svc"
+----
+. Generate a `base64` value for the CSR request and store it in a variable for use in a later step.
++
+[source,bash,subs="verbatim,attributes"]
+----
+base_64=$(cat myserver.csr | base64 -w 0 | tr -d "
+")
+----
+. Run the following command to create a file named `mycsr.yaml`. In the following example, `beta.eks.amazonaws.com/app-serving` is the `signerName`.
++
+[source,yaml,subs="verbatim,attributes"]
+----
+cat >mycsr.yaml <<EOF
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: myserver
+spec:
+  request: $base_64
+  signerName: beta.eks.amazonaws.com/app-serving
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+EOF
+----
+. Submit the CSR.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl apply -f mycsr.yaml
+----
+. Approve the serving certificate.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl certificate approve myserver
+----
+. Verify that the certificate was issued.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl get csr myserver
+----
++
+An example output is as follows.
++
+[source,bash,subs="verbatim,attributes"]
+----
+NAME       AGE     SIGNERNAME                           REQUESTOR          CONDITION
+myserver   3m20s   beta.eks.amazonaws.com/app-serving   kubernetes-admin   Approved,Issued
+----
+. Export the issued certificate.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl get csr myserver -o jsonpath='{.status.certificate}'| base64 -d > myserver.crt
+----
+
+
+[[csr-considerations,csr-considerations.title]]
+== Certificate signing considerations before upgrading your cluster to [.noloc]`Kubernetes` 1.24
+
+In [.noloc]`Kubernetes` `1.23` and earlier, `kubelet` serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. The SANs are omitted from the provisioned certificate. In `1.24` and later clusters, `kubelet` serving certificates aren't issued if a SAN can't be verified. This prevents the `kubectl exec` and `kubectl logs` commands from working.
+
+Before upgrading your cluster to `1.24`, determine whether your cluster has certificate signing requests (CSR) that haven't been approved by completing the following steps:
+
+. Run the following command.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl get csr -A
+----
++
+An example output is as follows.
++
+[source,bash,subs="verbatim,attributes"]
+----
+NAME        AGE   SIGNERNAME                      REQUESTOR                                                  REQUESTEDDURATION   CONDITION
+csr-7znmf   90m   kubernetes.io/kubelet-serving   system:node:ip-192-168-42-149.region.compute.internal      <none>              Approved
+csr-9xx5q   90m   kubernetes.io/kubelet-serving   system:node:ip-192-168-65-38.region.compute.internal      <none>              Approved, Issued
+----
++
+If the returned output shows a CSR with a https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers[kubernetes.io/kubelet-serving] signer that's `Approved` but not `Issued` for a node, then you need to approve the request.
+. Manually approve the CSR. Replace `csr-[.replaceable]``7znmf``` with your own value.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl certificate approve csr-7znmf
+----
+
+To auto-approve CSRs in the future, we recommend that you write an approving controller that can automatically validate and approve CSRs that contain IP or DNS SANs that Amazon EKS can't verify.
+
@@ -5,10 +5,6 @@
 :info_doctype: section
 :info_title: Compliance validation for Amazon EKS clusters
 :info_titleabbrev: Validate compliance
-:info_abstract: Discover compliance resources and services for Amazon Elastic Kubernetes Service \
-                to help secure your {aws} workloads, meet regulatory requirements like HIPAA, and \
-                validate adherence to security standards like NIST, PCI, and ISO using {aws} Config, \
-                Security Hub, GuardDuty, and Audit Manager.
 
 include::../attributes.txt[]
 
 
@@ -2,14 +2,7 @@
 [.topic]
 [[configuration-vulnerability-analysis,configuration-vulnerability-analysis.title]]
 = Analyze vulnerabilities in Amazon EKS
-:info_doctype: section
-:info_title: Analyze vulnerabilities \
-             in Amazon EKS
 :info_titleabbrev: Analyze vulnerabilities
-:info_abstract: Learn how to analyze the security configuration and vulnerabilities of your Amazon EKS \
-                clusters and resources using tools like the CIS EKS Benchmark, platform \
-                versions, vulnerability lists, Amazon Inspector, and Amazon GuardDuty for \
-                comprehensive threat detection and protection.
 
 include::../attributes.txt[]
 
 
@@ -0,0 +1,193 @@
+//!!NODE_ROOT <section>
+[.topic]
+[[default-roles-users,default-roles-users.title]]
+= Understand Amazon EKS created RBAC roles and users
+:info_titleabbrev: Default roles and users
+
+include::../attributes.txt[]
+
+[abstract]
+--
+Learn about the Kubernetes roles and users that Amazon EKS creates for cluster components and add-ons. Amazon EKS uses these role-based authorization control (RBAC) identities to operate the cluster.
+--
+
+When you create a [.noloc]`Kubernetes` cluster, several default [.noloc]`Kubernetes` identities are created on that cluster for the proper functioning of [.noloc]`Kubernetes`. Amazon EKS creates [.noloc]`Kubernetes` identities for each of its default components. The identities provide [.noloc]`Kubernetes` role-based authorization control (RBAC) for the cluster components. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation.  
+
+When you install optional <<eks-add-ons,add-ons>> to your cluster, additional [.noloc]`Kubernetes` identities might be added to your cluster. For more information about identities not addressed by this topic, see the documentation for the add-on.
+
+You can view the list of Amazon EKS created [.noloc]`Kubernetes` identities on your cluster using the {aws-management-console} or `kubectl` command line tool. All of the user identities appear in the `kube` audit logs available to you through Amazon CloudWatch.
+
+
+
+*{aws-management-console}*::
+
+.Prerequisite
+The  link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use must have the permissions described in <<view-kubernetes-resources-permissions,Required permissions>>.
++
+.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"].
+.. In the *Clusters* list, choose the cluster that contains the identities that you want to view.
+.. Choose the *Resources* tab.
+.. Under *Resource types*, choose  *Authorization*.
+.. Choose, *ClusterRoles*,  *ClusterRoleBindings*,  *Roles*, or  *RoleBindings*. All resources prefaced with  *eks* are created by Amazon EKS. Additional Amazon EKS created identity resources are:
++
+*** The *ClusterRole* and  *ClusterRoleBinding* named  *aws-node*. The  *aws-node* resources support the  <<managing-vpc-cni,Amazon VPC CNI plugin for Kubernetes>>, which Amazon EKS installs on all clusters. 
+*** A *ClusterRole* named  *vpc-resource-controller-role* and a  *ClusterRoleBinding* named  *vpc-resource-controller-rolebinding*. These resources support the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. 
+
++
+In addition to the resources that you see in the console, the following special user identities exist on your cluster, though they're not visible in the cluster's configuration:
++
+*** *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap.
+*** *`eks:support-engineer`* – Used for cluster management operations.
+.. Choose a specific resource to view details about it. By default, you're shown information in *Structured view*. In the top-right corner of the details page you can choose  *Raw view* to see all information for the resource.
+
+
+*Kubectl*::
+
+.Prerequisite
+The entity that you use ({aws} Identity and Access Management (IAM) or [.noloc]`OpenID Connect` ([.noloc]`OIDC`)) to list the [.noloc]`Kubernetes` resources on the cluster must be authenticated by IAM or your [.noloc]`OIDC` identity provider. The entity must be granted permissions to use the [.noloc]`Kubernetes` `get` and `list` verbs for the `Role`, `ClusterRole`, `RoleBinding`, and `ClusterRoleBinding` resources on your cluster that you want the entity to work with. For more information about granting IAM entities access to your cluster, see <<grant-k8s-access>>. For more information about granting entities authenticated by your own [.noloc]`OIDC` provider access to your cluster, see <<authenticate-oidc-identity-provider>>.
+.To view Amazon EKS created identities using `kubectl`
+Run the command for the type of resource that you want to see. All returned resources that are prefaced with *eks* are created by Amazon EKS. In addition to the resources returned in the output from the commands, the following special user identities exist on your cluster, though they're not visible in the cluster's configuration:
++
+** *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap.
+** *`eks:support-engineer`* – Used for cluster management operations.
++
+*ClusterRoles* – `ClusterRoles` are scoped to your cluster, so any permission granted to a role applies to resources in any [.noloc]`Kubernetes` namespace on the cluster.
++
+The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `ClusterRoles` on your cluster.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl get clusterroles | grep eks
+----
++
+In addition to the `ClusterRoles` returned in the output that are prefaced with, the following `ClusterRoles` exist.
++
+** *`aws-node`* – This `ClusterRole` supports the <<managing-vpc-cni,Amazon VPC CNI plugin for Kubernetes>>, which Amazon EKS installs on all clusters.
+** *`vpc-resource-controller-role`* – This `ClusterRole` supports the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. 
+
++
+To see the specification for a `ClusterRole`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `ClusterRole` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `ClusterRole`.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl describe clusterrole eks:k8s-metrics
+----
++
+An example output is as follows.
++
+[source,bash,subs="verbatim,attributes"]
+----
+Name:         eks:k8s-metrics
+Labels:       <none>
+Annotations:  <none>
+PolicyRule:
+  Resources         Non-Resource URLs  Resource Names  Verbs
+  ---------         -----------------  --------------  -----
+                    [/metrics]         []              [get]
+  endpoints         []                 []              [list]
+  nodes             []                 []              [list]
+  pods              []                 []              [list]
+  deployments.apps  []                 []              [list]
+----
++
+*ClusterRoleBindings* – `ClusterRoleBindings` are scoped to your cluster. 
++
+The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `ClusterRoleBindings` on your cluster.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl get clusterrolebindings | grep eks
+----
++
+In addition to the `ClusterRoleBindings` returned in the output, the following `ClusterRoleBindings` exist.
++
+** *`aws-node`* – This `ClusterRoleBinding` supports the <<managing-vpc-cni,Amazon VPC CNI plugin for Kubernetes>>, which Amazon EKS installs on all clusters. 
+** *`vpc-resource-controller-rolebinding`* – This `ClusterRoleBinding` supports the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. 
+
++
+To see the specification for a `ClusterRoleBinding`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `ClusterRoleBinding` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `ClusterRoleBinding`.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl describe clusterrolebinding eks:k8s-metrics
+----
++
+An example output is as follows.
++
+[source,bash,subs="verbatim,attributes"]
+----
+Name:         eks:k8s-metrics
+Labels:       <none>
+Annotations:  <none>
+Role:
+  Kind:  ClusterRole
+  Name:  eks:k8s-metrics
+Subjects:
+  Kind  Name             Namespace
+  ----  ----             ---------
+  User  eks:k8s-metrics
+----
++
+*Roles* – `Roles` are scoped to a [.noloc]`Kubernetes` namespace. All Amazon EKS created `Roles` are scoped to the `kube-system` namespace.
++
+The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `Roles` on your cluster.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl get roles -n kube-system | grep eks
+----
++
+To see the specification for a `Role`, replace [.replaceable]`eks:k8s-metrics` in the following command with the name of a `Role` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `Role`.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl describe role eks:k8s-metrics -n kube-system
+----
++
+An example output is as follows.
++
+[source,bash,subs="verbatim,attributes"]
+----
+Name:         eks:k8s-metrics
+Labels:       <none>
+Annotations:  <none>
+PolicyRule:
+  Resources         Non-Resource URLs  Resource Names             Verbs
+  ---------         -----------------  --------------             -----
+  daemonsets.apps   []                 [aws-node]                 [get]
+  deployments.apps  []                 [vpc-resource-controller]  [get]
+----
++
+*RoleBindings* – `RoleBindings` are scoped to a [.noloc]`Kubernetes` namespace. All Amazon EKS created `RoleBindings` are scoped to the `kube-system` namespace.
++
+The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `RoleBindings` on your cluster.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl get rolebindings -n kube-system | grep eks
+----
++
+To see the specification for a `RoleBinding`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `RoleBinding` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `RoleBinding`.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl describe rolebinding eks:k8s-metrics -n kube-system
+----
++
+An example output is as follows.
++
+[source,bash,subs="verbatim,attributes"]
+----
+Name:         eks:k8s-metrics
+Labels:       <none>
+Annotations:  <none>
+Role:
+  Kind:  Role
+  Name:  eks:k8s-metrics
+Subjects:
+  Kind  Name             Namespace
+  ----  ----             ---------
+  User  eks:k8s-metrics
+----
+
+