Mini-tutorial for AWS EKS CNI

docs/quick-tutorials/aws-eks-cni-mini.mdx

@@ -0,0 +1,164 @@
+---
+sidebar_position: 8
+title: AWS EKS CNI Mini-tutorial
+---
+import CodeBlock from "@theme/CodeBlock";
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+Running the AWS VPC CNI plugin on EKS with Otterize. This mini-tutorial shows how to run the AWS VPC CNI plugin on EKS with Otterize.
+
+## Prerequisites
+
+* An EKS cluster with the AWS VPC CNI plugin installed. See [Installing the AWS VPC CNI plugin](https://docs.aws.amazon.com/eks/latest/userguide/pod-networking.html) for more information.
+* An Otterize account. See [Getting Started](https://docs.otterize.com/getting-started) for more information.
+* The [Otterize CLI](https://docs.otterize.com/cli/installation).
+* The [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).
+* The [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) command-line tool.
+
+## Step one: Create an AWS EKS cluster with the AWS VPC CNI plugin
+
+### Prepare a Kubernetes cluster
+
+Before you start, you'll need an AWS Kubernetes cluster. Having a cluster with a [CNI](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) that supports [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) is required for this tutorial.
+
+Save this `yaml` as `sample-config-file.yaml`:
+
+```yaml
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: np-ipv4-127
+  region: us-west-2
+  version: "1.27"
+
+kubernetesNetworkConfig:
+  ipFamily: IPv4
+
+managedNodeGroups:
+  - name: np-ipv4-127-nodegroup
+    instanceType: t3.medium
+    desiredCapacity: 3
+    ssh:
+      enableSsm: true
+    iam:
+      withAddonPolicies:
+        albIngress: true
+
+addons:
+  - name: vpc-cni
+    version: v1.12.6-eksbuild.2 # optional
+  - name: coredns
+    version: v1.10.1-eksbuild.1 # optional
+```
+
+Then run the following command to create your AWS cluster:
+
+```shell
+eksctl create cluster -f sample-config-file.yaml
+```
+
+Once everything is up and running from the AWS EKS side, so you can install the Otterize agents, and some pods to test the network policy creation.
+
+## Step two: Install the Otterize agents
+
+### Install the Otterize agent on your cluster
+
+You can now install Otterize in your cluster, and optionally connect to Otterize Cloud. Connecting to Cloud lets you see what's happening visually in your browser, through the "access graph".
+
+So either forego browser visualization and:
+
+<details>
+<summary>Install Otterize in your cluster with the Kafka watcher component enabled, <b>without</b> Otterize Cloud</summary>
+
+```
+helm repo add otterize https://helm.otterize.com
+helm repo update
+helm install otterize otterize/network-mapper -n otterize-system --create-namespace \
+--set kafkawatcher.enable=true \
+--set kafkawatcher.kafkaServers={"kafka-0.kafka"}
+```
+
+</details>
+
+Or choose to include browser visualization and:
+
+<details>
+<summary>Install Otterize in your cluster, <b>with</b> Otterize Cloud</summary>
+
+####  Create an Otterize Cloud account
+
+{@include: ../_common/create-account.md}
+
+#### Install Otterize OSS, connected to Otterize Cloud
+
+{@include: ../_common/install-otterize-from-cloud-with-enforcement-and-kafka-watcher.md}
+
+</details>
+
+Finally, you'll need to install the Otterize CLI (if you haven't already) to interact with the network mapper:
+
+<details>
+<summary>Install the Otterize CLI</summary>
+
+{@include: ../_common/install-otterize-cli.md}
+
+</details>
+
+### Install the Otterize ecom demo application
+
+So that we have some pods to look at (and protect), you can install our E-commerce Demo application, or you can deploy your own application to see hwo this would work with your app.
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/otterize/ecom-demo/master/ecom-demo.yaml
+```
+
+Once you have that installed and running your Otterize access graph should look something like this:
+
+![Access Graph](/img/quick-tutorials/aws-eks-mini/access-graph.png)
+
+## Step three: Create an intent
+
+Now that you have the Otterize agents installed, you can create an intent to make sure that, when you apply security, your service isn't blocked to the `frontend` service.
+
+```shell
+otterize network-mapper export --server frontend.otterize-ecom-demo | kubectl apply -f -
+```
+
+At which point you should see that the `frontend` service is ready to be protected:
+
+![One intent applied](/img/quick-tutorials/aws-eks-mini/one-intent.png)
+
+And you can then protect the `frontend` service by applying the following `yaml` file:
+
+```yaml
+apiVersion: k8s.otterize.com/v1alpha2
+kind: ProtectedService
+metadata:
+  name: frontend
+  namespace: otterize-ecom-demo
+spec:
+  name: frontend
+```
+Save that to a file called `protect-frontendservice.yaml` and then run:
+
+```shell
+% kubectl apply -f protect-frontendservice.yaml
+```
+And you should see your access graph showing the service as protected:
+
+![Protected Service](/img/quick-tutorials/aws-eks-mini/protected.png)
+
+## What's next
+
+Have a look at the [Guide](https://docs.otterize.com/guides/protect-1-service-network-policies) on how to proceed through all of the remaining services and protect them one at a time.
+
+## Teardown
+
+To remove the deployed examples run:
+```bash
+helm uninstall otterize -n otterize-system
+helm uninstall otterize-ecom-demo -n otterize-ecom-demo
+helm delete ns otterize-ecom-demo
+```