Amazon CloudWatch
User Guide

Verify Prerequisites

Before you install Container Insights on Amazon EKS or Kubernetes, verify the following:

  • You have a functional Amazon EKS or Kubernetes cluster with nodes attached in one of the Regions that supports the Container Insights for Amazon EKS and Kubernetes. For the list of supported Regions, see Using Container Insights.

  • You have kubectl installed and running. For more information, see Installing kubectl in the Amazon EKS User Guide.

  • If you're using Kubernetes running on AWS instead of using Amazon EKS, the following prerequisites are also necessary:

    • Be sure that your Kubernetes cluster has enabled role-based access control (RBAC). For more information, see Using RBAC Authorization in the Kubernetes Reference.

    • Your kubelet has enabled Webhook authorization mode. For more information, see Kubelet authentication/authorization in the Kubernetes Reference.

    • Your container runtime is Docker.

You must also attach a policy to the IAM role of your Amazon EKS worker nodes to enable them to send metrics and logs to CloudWatch.

To add the necessary policy to the IAM role for your worker nodes

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Select one of the worker node instances and choose the IAM role in the description.

  3. On the IAM role page, choose Attach policies.

  4. In the list of policies, select the check box next to CloudWatchAgentServerPolicy. If necessary, use the search box to find this policy.

  5. Choose Attach policies.

If you're running a Kubernetes cluster outside Amazon EKS, you might not already have an IAM role attached to your worker nodes. If not, you must first attach an IAM role to the instance and then add the policy as explained in the previous steps. For more information on attaching a role to an instance, see Attaching an IAM Role to an Instance in the Amazon EC2 User Guide for Windows Instances.

If you're running a Kubernetes cluster outside Amazon EKS and you want to collect EBS volume IDs in the metrics, you must add another policy to the IAM role attached to the instance. Add the following as an inline policy. For more information, see Adding and Removing IAM Identity Permissions in the IAM User Guide.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeVolumes" ], "Resource": "*", "Effect": "Allow" } ] }