Access Modes

Introduction

Scoutflo offers multiple access modes for managing and monitoring your AWS EKS clusters. In the Cluster Connect Access Mode, Scoutflo requires a specific set of AWS IAM permissions tailored to your operational needs. This lets Scoutflo perform tasks such as monitoring, diagnostics, and management without exceeding the necessary scope of access, preserving the security and integrity of your infrastructure.

Read Permissions:

  • Overview: Grants Scoutflo permission to observe and analyze your cluster without making changes. This mode is ideal for users who want insights and diagnostics without altering their environment.

  • What Scoutflo Does:

    • Monitoring: Continuously pulls metrics (e.g., CPU/memory usage) and logs from CloudWatch, building a real-time view of cluster performance.

    • Diagnostics: Analyzes cluster events, pod statuses, and resource usage to identify issues like CrashLoopBackOff or node failures.

    • Reporting: Generates detailed reports and recommendations in the Scoutflo UI, accessible under My Cluster.

    • Example: Detects a pod stuck in Pending state due to insufficient CPU and suggests scaling the node group.

  • Unlocked Features:

    • View cluster topology (nodes, pods, services).

    • Access historical logs and metrics.

    • Receive AI-generated insights and alerts.

  • IAM Permissions Required:

    Service          Actions                   Purpose
    ---------------  ------------------------  ----------------------------------
    CloudWatch       Describe*, Get*, List*    Fetch logs and metrics
    ECR              Describe*, Get*, List*    Inspect container images
    EC2              Describe*                 Retrieve node/instance details
    EKS              Describe*, List*          Query cluster and node group info
    IAM              Get*, List*               Validate roles and policies
    SecretsManager   Describe*, Get*, List*    Read secrets for authentication
    S3               Get*, List*               Access configuration backups

  • Why These Permissions?: Scoutflo needs read-only access to gather data for analysis without risking modifications to your infrastructure.

Write Permissions:

  • Overview: Allows Scoutflo to actively manage and modify your cluster, enabling automation and real-time issue resolution. This mode suits users who want Scoutflo to take full control of cluster operations.

  • What Scoutflo Does:

    • Remediation: Applies fixes like restarting pods (pods_delete), scaling resources (resources_patch), or updating configurations.

    • Deployment: Syncs GitOps applications (e.g., via argocd_sync_application), ensuring deployments align with your repository.

    • Automation: Configures monitoring stacks (e.g., Prometheus, Grafana) and sets up alerting rules automatically.

    • Example: Detects a memory leak, adjusts pod resource limits, and notifies you of the action taken.

  • Unlocked Features:

    • Automated issue resolution.

    • GitOps-driven deployments.

    • Dynamic cluster scaling and access management.

  • IAM Permissions Required:

    Service          Actions                                                        Purpose
    ---------------  -------------------------------------------------------------  ----------------------------------
    EKS              UpdateClusterConfig, CreateAccessEntry, AssociateAccessPolicy  Modify cluster settings and access
    Route53          ChangeResourceRecordSets, GetChange                            Update DNS for services
    SecretsManager   PutSecretValue, UpdateSecret                                   Manage secrets for deployments
    IAM              CreateServiceLinkedRole, DeleteRole, DeletePolicy              Handle roles/policies

  • Why These Permissions?: Write access enables Scoutflo to execute changes, ensuring your cluster remains optimized and responsive.

Configuring Permissions

To enable these modes, attach the following IAM policy to the IAM user or role whose credentials you give Scoutflo. This JSON policy combines the read and write permissions listed above for maximum flexibility:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAccess",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "ecr:Describe*",
        "ecr:Get*",
        "ecr:List*",
        "ec2:Describe*",
        "eks:Describe*",
        "eks:List*",
        "iam:Get*",
        "iam:List*",
        "secretsmanager:Describe*",
        "secretsmanager:Get*",
        "secretsmanager:List*",
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "WriteAccess",
      "Effect": "Allow",
      "Action": [
        "eks:UpdateClusterConfig",
        "eks:CreateAccessEntry",
        "eks:AssociateAccessPolicy",
        "route53:ChangeResourceRecordSets",
        "route53:GetChange",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecret",
        "iam:CreateServiceLinkedRole",
        "iam:DeleteRole",
        "iam:DeletePolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KubernetesAPI",
      "Effect": "Allow",
      "Action": "eks:AccessKubernetesApi",
      "Resource": "*"
    }
  ]
}

  • How Scoutflo Uses This Policy:

    • Read Actions: Queries AWS services to build a detailed cluster profile.

    • Write Actions: Executes changes to maintain cluster health and deploy resources.

    • Kubernetes API Access: Interacts directly with your cluster’s control plane for real-time management.

Choosing Your Mode

  • Read-Only: Select this in the Scoutflo UI during Step 4 if you want insights without changes. Scoutflo will limit its actions to observation and reporting.

  • Read-Write: Enable this for full automation and management. Scoutflo will request additional permissions during connection to ensure it can act on your behalf.
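As an added example (not Scoutflo's own code or tooling), the following Python builds a per-mode policy from the action lists above and checks what it grants using IAM's wildcard matching rules, so you can confirm before attaching it that the Read-Only mode policy cannot reach any of the write actions. It assumes that Read-Only mode needs only the ReadAccess and KubernetesAPI statements and that Read-Write mode adds WriteAccess; the function names are the example's own.

```python
import re

# Action lists transcribed from the combined policy above.
READ_ACTIONS = [
    "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
    "ecr:Describe*", "ecr:Get*", "ecr:List*", "ec2:Describe*",
    "eks:Describe*", "eks:List*", "iam:Get*", "iam:List*",
    "secretsmanager:Describe*", "secretsmanager:Get*", "secretsmanager:List*",
    "s3:Get*", "s3:List*",
]
WRITE_ACTIONS = [
    "eks:UpdateClusterConfig", "eks:CreateAccessEntry", "eks:AssociateAccessPolicy",
    "route53:ChangeResourceRecordSets", "route53:GetChange",
    "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret",
    "iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:DeletePolicy",
]
READ_VERBS = ("Describe", "Get", "List")  # verbs that only read AWS state


def build_policy(mode):
    """Policy document for "read-only" or "read-write" mode. Assumption: read-only
    mode gets the ReadAccess and KubernetesAPI statements, read-write adds WriteAccess."""
    if mode not in ("read-only", "read-write"):
        raise ValueError(f"unknown mode: {mode}")
    statements = [{"Sid": "ReadAccess", "Effect": "Allow", "Action": list(READ_ACTIONS), "Resource": "*"}]
    if mode == "read-write":
        statements.append({"Sid": "WriteAccess", "Effect": "Allow", "Action": list(WRITE_ACTIONS), "Resource": "*"})
    statements.append({"Sid": "KubernetesAPI", "Effect": "Allow", "Action": "eks:AccessKubernetesApi", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def allow_patterns(policy):
    """Yield every Action pattern from the policy's Allow statements."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            action = stmt["Action"]
            yield from ([action] if isinstance(action, str) else action)


def action_allowed(policy, action):
    """IAM-style match: case-insensitive, '*' matches any run, '?' one character."""
    for pattern in allow_patterns(policy):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False


def non_read_grants(policy):
    """Action patterns whose verb is not Describe/Get/List. For the read-only policy only
    eks:AccessKubernetesApi remains; what it permits inside the cluster is decided by the
    cluster's own Kubernetes authorization, not by this IAM verb."""
    return [p for p in allow_patterns(policy) if not p.split(":", 1)[1].startswith(READ_VERBS)]
```

Note that s3:Get* and secretsmanager:Get* are read verbs but return object contents and secret values, so even the Read-Only policy should be scoped with a narrower Resource than "*" where your environment allows it.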

By configuring the appropriate mode, you tailor Scoutflo’s interaction with your cluster to match your operational goals, from passive monitoring to proactive optimization.
