Install Veirox Connect on Amazon EKS

Applies to: EKS with managed node groups, EKS with Fargate, EKS on Outposts.
Kubernetes: 1.26+.


Prerequisites

  • EKS cluster: aws eks update-kubeconfig --name <cluster> --region <region>.
  • helm 3.9+.
  • If using the -cloud image tier: IRSA (IAM Roles for Service
    Accounts) configured on the cluster — verify with:
    bash aws eks describe-cluster --name <cluster> --query 'cluster.identity.oidc.issuer'
    If that returns a URL, IRSA is ready. If not, enable it:
    eksctl utils associate-iam-oidc-provider --cluster <cluster> --approve.

Install

kubectl create namespace veirox

# Mint enrollment token in the Veirox UI, then:
kubectl -n veirox create secret generic veirox-connector-token \
  --from-literal=token=veirox_enr_...

helm install veirox-connector \
  oci://ghcr.io/msrashed2018/charts/veirox-connector \
  --namespace veirox \
  --set backendUrl=https://www.veirox.com \
  --set rbacPreset=readOnly

IRSA — bind the agent's SA to an IAM role

If the -cloud image tier is in use and you need aws CLI to
authenticate as an IAM role (e.g., to read an S3 bucket), use IRSA:

1. Create the IAM role with a trust policy scoped to the SA

Save this as trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER_URL_WITHOUT_HTTPS>"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "<OIDC_PROVIDER_URL_WITHOUT_HTTPS>:sub": "system:serviceaccount:veirox:veirox-connector",
        "<OIDC_PROVIDER_URL_WITHOUT_HTTPS>:aud": "sts.amazonaws.com"
      }
    }
  }]
}
aws iam create-role --role-name veirox-connector-eks \
  --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name veirox-connector-eks \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess   # narrow this

2. Annotate the Helm-created ServiceAccount

# my-values.yaml
image:
  tag: 0.2.0-cloud
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/veirox-connector-eks
helm upgrade veirox-connector oci://ghcr.io/msrashed2018/charts/veirox-connector \
  -n veirox -f my-values.yaml

Verify inside the pod:

kubectl -n veirox exec deploy/veirox-connector -- aws sts get-caller-identity
# → Arn: arn:aws:sts::<ACCOUNT_ID>:assumed-role/veirox-connector-eks/...

VPC CNI + Security Groups for Pods

If the cluster uses the AWS VPC CNI and Security Groups for Pods (SGP)
is enabled, the agent pod gets an ENI directly — you can pin an SG
that allows egress only to your Veirox backend:

# SecurityGroupPolicy (not part of this chart — apply separately)
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: veirox-connector-sgp
  namespace: veirox
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: veirox-connector
  securityGroups:
    groupIds: [sg-0abc123def4567890]   # SG allowing 443 egress to Veirox backend IPs

With SGP in place, you can relax the chart's NetworkPolicy (since SG
enforces at the VPC layer):

helm upgrade ... --set networkPolicy.enabled=false

Or keep both for defense-in-depth (recommended).


Private EKS API endpoint

If your cluster has private API server endpoint only, the cluster's
control plane
has no impact on the agent (it dials Veirox, not
the API). But kubectl from outside the VPC needs either:

  • A bastion inside the VPC, or
  • VPC peering / VPN from your workstation, or
  • A GitOps flow (ArgoCD / FluxCD) running inside the cluster

The agent itself still needs egress to veirox.com:
via NAT Gateway, VPC Endpoint (if your Veirox backend is in AWS
too), or a PrivateLink connection.


Fargate

Fargate profiles apply per-namespace. To run the agent on Fargate:

eksctl create fargateprofile \
  --cluster <cluster> \
  --name veirox-connector \
  --namespace veirox

Caveats:

  • Image pull time on Fargate is slow (~1-2 min). The agent's
    initialDelaySeconds: 30 liveness probe may need bumping if you
    see flapping — use --set livenessProbe.initialDelaySeconds=90.
  • No emptyDir persistence — every pod restart wipes the mTLS
    cert and forces re-enrollment (tokens are one-time, so you'll burn
    one per restart). Recommend: run the agent on managed node
    groups instead of Fargate until Phase 4 adds PVC support.

Verify the install

  1. Pod Ready=true in veirox namespace.
  2. Connector row at <veirox>/console/settings/connectors with
    type=k8s_pod, online=true.
  3. Run the verification checklist.

Uninstall

helm uninstall veirox-connector -n veirox
kubectl delete namespace veirox
kubectl get clusterrole,clusterrolebinding | grep veirox || echo "clean"

# Optionally: delete IAM role + policy if IRSA was used
aws iam detach-role-policy --role-name veirox-connector-eks \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
aws iam delete-role --role-name veirox-connector-eks