How to test EKS discovery

Summary

This KB shows how to run Amazon Elastic Kubernetes Service (EKS) discovery step by step.
This helps you to test EKS discovery.

Release

An instance with the Discovery plugin (Discovery and Service Mapping Patterns application) installed.

Note: This test was done on Discovery and Service Mapping Patterns application version 1.15.1.

Instructions

Prerequisite

- You have an AWS account.
- Create two IAM users.
  - User 1 (for local PC): Assign the AdministratorAccess policy for EKS cluster creation.
  - User 2 (for MID Server / ServiceNow instance): Assign the ReadOnlyAccess policy for Discovery.
  Note: This user will also be used for Kubernetes cluster settings, so make sure to note the ARN (arn:aws:iam::<account-id>:user/<user-name>).
- Generate access keys for both IAM users.
  Note: It is recommended to download the CSV file when creating the access keys.
- Install AWS CLI on your local PC and configure the permissions for User 1.
- Log in to the OS with the service account for the MID Server (the OS user used by the MID Server), install AWS CLI, and configure permissions for IAM User 2.
  Note: Reference for AWS CLI permission configuration

      $ aws configure
      AWS Access Key ID []: <IAM user access key>
      AWS Secret Access Key []: <IAM user secret key>
      Default region name [None]: <press Enter>
      Default output format [None]: <press Enter>

- Disable certificate checks for *.amazonaws.com in the MID Security Policy. See image below.
- Install eksctl and kubectl on your local PC.
- Ensure the following settings in the system properties (sys_properties) of the instance.

      sn_itom_pattern.k8s_midserver: <MID Server name>
      sn_itom_pattern.k8s_create_schedule_enabled: true
      sn_itom_pattern.k8s_aws_cli_to_generate_token: true

- Create Discovery Credential for IAM User 2. See https://docs.servicenow.com/bundle/washingtondc-it-operations-management/page/product/it-operations-management/task/aws-create-creds-cloud-mgt.html
- Place cluster_role.yaml and cluster_role_binding.yaml attached on this KB in your current directory.
  (Change file extension from .txt to .yaml)

Cluster Creation for Discovery and Verification Procedure

Note: All commands will be executed on your local PC.

1. Create an EKS cluster using the following command. This may take about 10-20 minutes.

       eksctl create cluster --name <cluster-name> --region <region-name> --fargate

   Command Example:

       eksctl create cluster --name my-cluster --region ap-northeast-1 --fargate

   Result Example:

       2024-07-11 10:48:40 [ℹ]  eksctl version 0.185.0
       2024-07-11 10:48:40 [ℹ]  using region ap-northeast-1
       2024-07-11 10:48:41 [ℹ]  setting availability zones to [ap-northeast-1d ap-northeast-1c ap-northeast-1a]
       2024-07-11 10:48:41 [ℹ]  subnets for ap-northeast-1d - public:192.168.0.0/19 private:192.168.96.0/19
       2024-07-11 10:48:41 [ℹ]  subnets for ap-northeast-1c - public:192.168.32.0/19 private:192.168.128.0/19
       2024-07-11 10:48:41 [ℹ]  subnets for ap-northeast-1a - public:192.168.64.0/19 private:192.168.160.0/19
       2024-07-11 10:48:41 [ℹ]  using Kubernetes version 1.30
       2024-07-11 10:48:41 [ℹ]  creating EKS cluster "my-cluster" in "ap-northeast-1" region with Fargate profile
       2024-07-11 10:48:41 [ℹ]  if you encounter any issues, check CloudFormation console or try 'eksctl utils describe-stacks --region=ap-northeast-1 --cluster=my-cluster'
       2024-07-11 10:48:41 [ℹ]  Kubernetes API endpoint access will use default of {publicAccess=true, privateAccess=false} for cluster "my-cluster" in "ap-northeast-1"
       2024-07-11 10:48:41 [ℹ]  CloudWatch logging will not be enabled for cluster "my-cluster" in "ap-northeast-1"
       2024-07-11 10:48:41 [ℹ]  you can enable it with 'eksctl utils update-cluster-logging --enable-types={SPECIFY-YOUR-LOG-TYPES-HERE (e.g. all)} --region=ap-northeast-1 --cluster=my-cluster'
       2024-07-11 10:48:41 [ℹ]  default addons vpc-cni, kube-proxy, coredns were not specified, will install them as EKS addons
       2024-07-11 10:48:41 [ℹ]  2 sequential tasks: { create cluster control plane "my-cluster", 3 sequential sub-tasks: { 1 task: { create addons }, wait for control plane to become ready, create fargate profiles, } }
       2024-07-11 10:48:41 [ℹ]  building cluster stack "eksctl-my-cluster-cluster"
       2024-07-11 10:48:42 [ℹ]  deploying stack "eksctl-my-cluster-cluster"
       2024-07-11 10:49:12 [ℹ]  waiting for CloudFormation stack "eksctl-my-cluster-cluster"
       2024-07-11 10:49:42 [ℹ]  waiting for CloudFormation stack "eksctl-my-cluster-cluster"
       2024-07-11 10:50:43 [ℹ]  waiting for CloudFormation stack "eksctl-my-cluster-cluster"
       2024-07-11 10:51:43 [ℹ]  waiting for CloudFormation stack "eksctl-my-cluster-cluster"
       2024-07-11 10:52:44 [ℹ]  waiting for CloudFormation stack "eksctl-my-cluster-cluster"
       2024-07-11 10:53:44 [ℹ]  waiting for CloudFormation stack "eksctl-my-cluster-cluster"
       2024-07-11 10:54:45 [ℹ]  waiting for CloudFormation stack "eksctl-my-cluster-cluster"
       2024-07-11 10:55:45 [ℹ]  waiting for CloudFormation stack "eksctl-my-cluster-cluster"
       2024-07-11 10:56:45 [ℹ]  waiting for CloudFormation stack "eksctl-my-cluster-cluster"
       2024-07-11 10:57:46 [ℹ]  waiting for CloudFormation stack "eksctl-my-cluster-cluster"
       2024-07-11 10:57:50 [!]  recommended policies were found for "vpc-cni" addon, but since OIDC is disabled on the cluster, eksctl cannot configure the requested permissions; the recommended way to provide IAM permissions for "vpc-cni" addon is via pod identity associations; after addon creation is completed, add all recommended policies to the config file, under `addon.PodIdentityAssociations`, and run `eksctl update addon`
       2024-07-11 10:57:50 [ℹ]  creating addon
       2024-07-11 10:57:50 [ℹ]  successfully created addon
       2024-07-11 10:57:51 [ℹ]  creating addon
       2024-07-11 10:57:51 [ℹ]  successfully created addon
       2024-07-11 10:57:51 [ℹ]  creating addon
       2024-07-11 10:57:52 [ℹ]  successfully created addon
       2024-07-11 10:59:53 [ℹ]  creating Fargate profile "fp-default" on EKS cluster "my-cluster"
       2024-07-11 11:02:04 [ℹ]  created Fargate profile "fp-default" on EKS cluster "my-cluster"
       2024-07-11 11:02:34 [ℹ]  "coredns" is now schedulable onto Fargate
       2024-07-11 11:03:38 [ℹ]  "coredns" is now scheduled onto Fargate
       2024-07-11 11:03:38 [ℹ]  "coredns" pods are now scheduled onto Fargate
       2024-07-11 11:03:38 [ℹ]  waiting for the control plane to become ready
       2024-07-11 11:03:39 [✔]  saved kubeconfig as "/Users/user.name/.kube/config"
       2024-07-11 11:03:39 [ℹ]  no tasks
       2024-07-11 11:03:39 [✔]  all EKS cluster resources for "my-cluster" have been created
       2024-07-11 11:03:39 [✔]  created 0 nodegroup(s) in cluster "my-cluster"
       2024-07-11 11:03:39 [✔]  created 0 managed nodegroup(s) in cluster "my-cluster"
       2024-07-11 11:03:41 [ℹ]  kubectl command should work with "/Users/user.name/.kube/config", try 'kubectl get nodes'
       2024-07-11 11:03:41 [✔]  EKS cluster "my-cluster" in "ap-northeast-1" region is ready

2. Verify that the URL of the control plane is displayed using the following command.

       kubectl cluster-info

   Result Example:

       Kubernetes control plane is running at https://27D20BEAFD04D6E91301994B1BDEFC12.gr7.ap-northeast-1.eks.amazonaws.com
       CoreDNS is running at https://27D20BEAFD04D6E91301994B1BDEFC12.gr7.ap-northeast-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

3. Create a role with permissions for Discovery on the cluster using the following command.

       kubectl apply -f cluster_role.yaml

   Result Example:

       clusterrole.rbac.authorization.k8s.io/cluster-read-only-role created

4. Link the role created in step 3 with the user for the cluster using the following command.

       kubectl apply -f cluster_role_binding.yaml

   Result Example:

       clusterrolebinding.rbac.authorization.k8s.io/cluster-read-only-role-binding created

5. Link the IAM user with the cluster user using the following command.

       eksctl create iamidentitymapping --cluster <cluster-name> --region=<region-name> --arn <IAM user ARN> --username discovery-read-only-user --no-duplicate-arns

   Command Example:

       eksctl create iamidentitymapping --cluster my-cluster --region=ap-northeast-1 --arn arn:aws:iam::123456789012:user/servicenow --username discovery-read-only-user --no-duplicate-arns

   Result Example:

       2024-07-11 11:09:31 [ℹ]  checking arn arn:aws:iam::123456789012:user/servicenow against entries in the auth ConfigMap
       2024-07-11 11:09:31 [ℹ]  adding identity "arn:aws:iam::123456789012:user/servicenow" to auth ConfigMap

6. Create and execute a Cloud Discovery schedule in the AWS environment. See https://docs.servicenow.com/bundle/washingtondc-it-operations-management/page/product/discovery/concept/cloud-discovery-setup-workspace.html or https://docs.servicenow.com/bundle/washingtondc-it-operations-management/page/product/discovery/concept/discovery-manager.html

7. The EKS cluster Discovery schedule will be automatically created and executed. Verify the results.
   Note: From here on, you can run Discovery against the cluster with "Discover Now" on the Discovery schedule.

8. Delete the EKS cluster using the following command.

       eksctl delete cluster --name <cluster-name> --region <region-name>

   Command Example:

       eksctl delete cluster --name my-cluster --region ap-northeast-1

   Note: Leaving the EKS cluster running might incur high charges. I recommend deleting the cluster once the test is done.

Sample Discovered Resources

Related Links

- eksctl official document: https://eksctl.io/
- kubectl official document: https://kubernetes.io/docs/reference/kubectl/
- AWS Command Line Interface User Guide: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
- Getting started with Amazon EKS – eksctl: https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html
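
Steps 3 to 5 of the procedure give the Discovery IAM user its Kubernetes permissions through cluster-read-only-role and cluster-read-only-role-binding. The following is an added example (not part of the KB and not the attached YAML files) that checks such a role and binding really are read-only; the sample manifests and the function names audit_role and audit_binding are constructed for illustration.

```python
# Audit the Discovery ClusterRole and its binding for least privilege.
# Inputs are dicts parsed from `kubectl get clusterrole/clusterrolebinding <name> -o json`.
# SAMPLE_* are constructed for illustration, not the files attached to the KB.
READ_VERBS = {"get", "list", "watch"}

SAMPLE_ROLE = {  # constructed
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-read-only-role"},
    "rules": [
        {"apiGroups": ["", "apps"], "resources": ["pods", "nodes", "deployments"],
         "verbs": ["get", "list", "watch"]},
    ],
}
SAMPLE_BINDING = {  # constructed
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "cluster-read-only-role-binding"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-read-only-role"},
    "subjects": [{"kind": "User", "name": "discovery-read-only-user"}],
}

def audit_role(role):
    """Return findings for rules that grant more than read-only access."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        extra = verbs - READ_VERBS
        if extra:
            findings.append(f"rule {i}: non-read verbs {sorted(extra)}")
        # Reading Secrets exposes credentials even with read-only verbs.
        if resources & {"secrets", "*"} and verbs & (READ_VERBS | {"*"}):
            findings.append(f"rule {i}: read access to secrets")
    return findings

def audit_binding(binding, role_name, user):
    """Return findings if the binding targets another role or extra subjects."""
    findings = []
    ref = binding.get("roleRef", {})
    if (ref.get("kind"), ref.get("name")) != ("ClusterRole", role_name):
        findings.append(f"roleRef is {ref.get('kind')}/{ref.get('name')}")
    for s in binding.get("subjects", []):
        if (s.get("kind"), s.get("name")) != ("User", user):
            findings.append(f"unexpected subject {s.get('kind')}/{s.get('name')}")
    return findings

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
    print(audit_binding(SAMPLE_BINDING, "cluster-read-only-role",
                        "discovery-read-only-user"))
```

To audit a real cluster, load the output of `kubectl get clusterrole cluster-read-only-role -o json` with `json.load` and pass the resulting dict to audit_role.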