Terraform Installation

How to install the P0 Kubernetes (EKS) integration using Terraform

This topic describes how to add and configure P0's Kubernetes integration for AWS EKS clusters using the P0 Terraform provider.

Use the P0 Terraform provider to configure integrations programmatically.

Check the provider documentation here.

For more information, see the P0 Terraform Provider documentation.

Prerequisites

Ensure you have the following before continuing:

An existing Amazon Web Services (AWS) account with an EKS cluster
The cluster-admin role in the target Kubernetes cluster
Terraform CLI installed
kubectl command-line tool
The P0 Terraform provider configured in your Terraform project

This resource currently only supports AWS EKS-based Kubernetes clusters.

Overview

The Terraform-based installation uses a two-resource workflow:

p0_kubernetes_staged — Stages the integration by providing your cluster details. P0 generates PKI materials (CA bundle, server certificate, and private key) needed to deploy the admission controller.
p0_kubernetes — Finalizes the installation by providing the service account token and public JWK from the deployed admission controller back to P0.

The p0_kubernetes resource must be applied after p0_kubernetes_staged, because it depends on the PKI outputs generated during staging.

Step 1: Stage the Kubernetes Integration

Use the p0_kubernetes_staged resource to register your EKS cluster with P0 and generate the required PKI materials:

resource "p0_kubernetes_staged" "my_cluster" {
  id                    = "my-eks-cluster"
  connectivity_type     = "proxy"
  hosting_type          = "aws"
  cluster_arn           = "arn:aws:eks:us-west-2:123456789012:cluster/my-eks-cluster"
  cluster_endpoint      = "https://ABCDEF1234567890.gr7.us-west-2.eks.amazonaws.com"
  certificate_authority = "LS0tLS1CRUdJTi..."
}

Inputs

Attribute

Description

id

The EKS cluster name

connectivity_type

The connectivity type for the cluster: public (direct Internet access) or proxy (P0 reverse HTTPS proxy for private networks)

hosting_type

The hosting type for the cluster (for example, aws)

cluster_arn

The ARN of the EKS cluster

cluster_endpoint

The EKS API server endpoint URL

certificate_authority

The base-64 encoded certificate authority for the cluster

Outputs

After applying, this resource exposes the following computed attributes:

Attribute

Description

ca_bundle

The generated certificate authority bundle for the admission controller

server_cert

The generated certificate for the admission controller

server_key

The generated private key for the admission controller

You can find the cluster_endpoint and certificate_authority values in the AWS EKS console under your cluster's Overview tab, or by running:

aws eks describe-cluster --name my-eks-cluster \
  --query 'cluster.{endpoint: endpoint, ca: certificateAuthority.data}'

Step 2: Deploy the Admission Controller

After staging, use the PKI outputs from p0_kubernetes_staged to deploy P0's admission controller to your Kubernetes cluster. This step occurs outside of the P0 Terraform provider (for example, using the kubernetes or helm Terraform providers, or kubectl).

The admission controller deployment requires the following values from the staged resource:

p0_kubernetes_staged.my_cluster.ca_bundle
p0_kubernetes_staged.my_cluster.server_cert
p0_kubernetes_staged.my_cluster.server_key

You must deploy the admission controller and retrieve the service account token and public JWK before applying the p0_kubernetes resource.

If you chose the proxy connectivity type, the system creates an additional deployment called braekhus, which acts as a proxy between P0 and the Kubernetes control plane. For more information, see the braekhus GitHub repo.

Step 3: Complete the Installation

Use the p0_kubernetes resource to complete the installation by providing the service account credentials from your deployed admission controller:

resource "p0_kubernetes" "my_cluster" {
  id         = p0_kubernetes_staged.my_cluster.id
  token      = var.p0_service_account_token
  public_jwk = var.p0_public_jwk

  connectivity_type     = "proxy"
  hosting_type          = "aws"
  cluster_arn           = "arn:aws:eks:us-west-2:123456789012:cluster/my-eks-cluster"
  cluster_endpoint      = "https://ABCDEF1234567890.gr7.us-west-2.eks.amazonaws.com"
  certificate_authority = "LS0tLS1CRUdJTi..."
}

Inputs

Attribute

Description

id

The EKS cluster name (should match the p0_kubernetes_staged resource)

token

The value of the p0-service-account-secret (sensitive, write-only)

public_jwk

The public JWK token of the Braekhus service

connectivity_type

The connectivity type for the cluster: public or proxy

hosting_type

The hosting type for the cluster (for example, aws)

cluster_arn

The ARN of the EKS cluster

cluster_endpoint

The EKS API server endpoint URL

certificate_authority

The base-64 encoded certificate authority for the cluster

Outputs

Attribute

Description

state

The install progress: stage (staged), configure (ready to configure), or installed (fully installed)

The token attribute is sensitive. Terraform does not display its value in plan output or state file exports. Consider using a secrets manager or Terraform variables to give this value.

Full Example

The following example shows the complete two-step workflow:

# Step 1: Stage the integration and generate PKI materials
resource "p0_kubernetes_staged" "my_cluster" {
  id                    = "my-eks-cluster"
  connectivity_type     = "proxy"
  hosting_type          = "aws"
  cluster_arn           = "arn:aws:eks:us-west-2:123456789012:cluster/my-eks-cluster"
  cluster_endpoint      = "https://ABCDEF1234567890.gr7.us-west-2.eks.amazonaws.com"
  certificate_authority = "LS0tLS1CRUdJTi..."
}

# Step 2: After deploying the admission controller using the PKI outputs above,
# finalize the installation with the service account credentials.
resource "p0_kubernetes" "my_cluster" {
  id         = p0_kubernetes_staged.my_cluster.id
  token      = var.p0_service_account_token
  public_jwk = var.p0_public_jwk

  connectivity_type     = p0_kubernetes_staged.my_cluster.connectivity_type
  hosting_type          = "aws"
  cluster_arn           = "arn:aws:eks:us-west-2:123456789012:cluster/my-eks-cluster"
  cluster_endpoint      = p0_kubernetes_staged.my_cluster.cluster_endpoint
  certificate_authority = p0_kubernetes_staged.my_cluster.certificate_authority
}

variable "p0_service_account_token" {
  type      = string
  sensitive = true
}

variable "p0_public_jwk" {
  type = string
}

Once the p0_kubernetes resource reaches the installed state, your EKS cluster is fully integrated with P0 and users can make access requests to it. See Requesting Access for more information.

Resource Reference

For detailed schema documentation, see the Terraform Registry:

For more information, see the P0 Terraform Provider documentation.

PreviousKubernetes NextRequesting Access

Last updated 7 days ago

hashtagPrerequisites

hashtagOverview

hashtagStep 1: Stage the Kubernetes Integration

hashtagInputs

hashtagOutputs

hashtagStep 2: Deploy the Admission Controller

hashtagStep 3: Complete the Installation

hashtagInputs

hashtagOutputs

hashtagFull Example

hashtagResource Reference

Prerequisites

Overview

Step 1: Stage the Kubernetes Integration

Inputs

Outputs

Step 2: Deploy the Admission Controller

Step 3: Complete the Installation

Inputs

Outputs

Full Example

Resource Reference