From 1058b1353ad7aabbbabea928eb18e34bea3776d6 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Thu, 26 Oct 2023 18:16:55 -0700 Subject: [PATCH 01/28] Revise steps --- .../clusters/public-cloud/aws/eks.md | 100 ++++++++++++++---- 1 file changed, 78 insertions(+), 22 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 6a11072921..892708e1b8 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -18,7 +18,7 @@ The following prerequisites must be met before deploying a cluster to AWS: - Palette integration with AWS account. Review [Add AWS Account](add-aws-accounts.md) for guidance. - An infrastructure cluster profile for AWS EKS. Review [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) for guidance. - An [EC2 Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) in the target region. -- Palette creates compute, network, and storage resources in AWS during the provisioning of Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region for the creation of the following resources: +- Palette creates compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region for the creation of the following resources: - vCPU - VPC - Elastic IP 
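Review bot: the prerequisites hunk still lists only account access, an EKS profile, an EC2 key pair and regional capacity, yet the STS path added later in this same patch requires four IAM policies (`PaletteControllerPolicy`, `PaletteControlPlanePolicy`, `PaletteNodesPolicy`, `PaletteDeploymentPolicy`) plus a cross-account IAM role with a required external ID before the account can be validated. Add a bullet for those here so a reader on the STS path can create them up front; that also answers the draft marker in the next hunk asking whether this information belongs in the prerequisites.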
@@ -43,53 +43,109 @@ Use the following steps to provision a new AWS EKS cluster: 1. Ensure you are in the correct project scope. +2. From the left **Main Menu**, select **Clusters** and click on the **Add New Cluster** button. -2. Navigate to the left **Main Menu** and click on **Clusters** +3. Click on **Deploy New Cluster** on the next page Palette displays. This will allow you to deploy a cluster using your own cloud account. +4. Select **AWS** and click on the **Start AWS Configuration** button. -3. Click on **Add New Cluster** +5. Fill out the following input values, and click on **Next** to continue. + | **Field** | **Description** | + |-----------|-----------------| + | **Name**| A custom name for the cluster. | + | **Description**| Use the description to provide context about the cluster.| + | **Tags**| Assign any desired cluster tags. Tags on a cluster are propagated to the Virtual Machines (VMs) deployed to the target environments. Example: `zone` or `region`.| + | **Cloud Account** | If you already have an AWS account, add the AWS cloud account name. If you do not have an account, click on **Add New Account** to a add one. | -4. You will receive a prompt asking you if you want to deploy a new cluster or import an existing cluster. Click on **Deploy New Cluster** +7. On the AWS cloud account form that displays, provide your AWS account name. You can add an optional description to provide context about the account. +8. Select **AWS** from the **drop-down Menu**. <<< Note: check prod to see if AWS US Gov is listed >> -5. Select **AWS** and click on **Start AWS Configuration** +9. If you use **Credentials**, provide these in the Access Key and Secret access key fields. To use Security Token Service, review the guidance in the right panel that displays when you select **STS**. +<<< The following needs different formatting - not sure it works as a tab because it would be only one. maybe the info is mentioned in prereqs? Maybe in a different doc? 
>>> + STS requires you to create the following IAM policies with the listed permissions within your AWS account: + | **Policy** | **Permissions** | + |-----------|-----------------| + | `PaletteControllerPolicy`| Controller Policy | + | `PaletteControlPlanePolicy`| Control Plane Policy| + | `PaletteNodesPolicy`| Nodes Policy| + | `PaletteDeploymentPolicy` | Deployment Policy | -6. Populate the wizard page with the following information: name, description, tags and AWS account. Tags on a cluster are propagated to the VMs deployed to the target environments. Click on **Next** after you have filled out all the required information. -7. Selected **Managed Kubernetes** and click on your cluster profile that supports AWS EKS. Click on **Next**. +STS also requires you to create an IAM Role using the following options: + - Trusted Entity Type: Specify another AWS account -8. Review and customize pack parameters, as desired. By default, parameters for all packs are set with values, defined in the cluster profile. Click on **Next**. + - Account ID: Copy this from the panel that displays when you select **STS**. + - Require External ID: **Enable** -9. Provide the AWS cloud account and placement information. + - External ID: Copy this from the panel that displays when you select **STS** + + - Permissions Policy: These are the four policies you added, which are listed in the above table. + + +10. In the AWS Console, browse to the role details page and copy the Role ARN and paste it in the **ARN** field. + +11. Click the **Validate** button. If the credentials you provided are correct, a Credentials validated success message with a green check is displayed. + +11. Click the **Validate** button. If the ARN you provided is correct, a Credentials validated success message with a green check is displayed. + +12. Toggle the **Connect Private Cloud Gateway** ... <<< why does user do this?? >>> + +13. 
When you have completed inputting values and credentials are validated, click **Confirm**. + + + + +14. Under **Managed Kubernetes**, select **EKS**. Select the EKS cluster profile you created and click on **Next**. + +15. Review and customize parameters as desired in the YAML files for each cluster profile layer. Click on **Next** when you are done. + + +16. Provide the following and placement information and click on **Next** to continue. |**Parameter**| **Description**| |-------------|---------------| - |**Cloud Account** | Select the desired cloud account. AWS cloud accounts with AWS credentials need to be pre-configured in project settings.| - |**Static Placement** | By default, Palette uses dynamic placement, wherein a new VPC with a public and private subnet is created to place cluster resources for every cluster.
These resources are fully managed by Palette and deleted, when the corresponding cluster is deleted. Turn on the **Static Placement** option if it's desired to place resources into preexisting VPCs and subnets.| - |**Region** | Choose the preferred AWS region where you would like the clusters to be provisioned.| - |**SSH Key Pair Name** | Choose the desired SSH Key pair. SSH key pairs need to be pre-configured on AWS for the desired regions. The selected key is inserted into the VMs provisioned.| - |**Cluster Endpoint Access**| Select Private, Public or Private & Public, in order to control communication with the Kubernetes API endpoint. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. :::caution If you set the cluster endpoint to Public, specify `0.0.0.0/0` in the Public Access CIDR field to open it to all possible IP addresses. Otherwise, Palette will not open it up entirely. :::| - |**Public Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Enable Encryption**|The user can enable secret encryption by toggling **Enable Encryption**. Provide the provider KMS key ARN to complete the wizard. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| - |**Worker Pool Update**|Optionally enable the option to update the worker pool in parallel.| - + + |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) in which cluster resources for each cluster will be placed. Palette manages these resources and deletes them when the corresponding cluster is deleted.

Enable the **Static Placement** option if you want to place resources into preexisting VPCs and subnets. You will need to provide the VPCID.| + |**Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster.| + |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The selected key is inserted into the provisioned VMs.| + |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Public Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Private Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To restrict network access, enter the IP address CIDR range that will provide access to the cluster. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Enable Encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN** <<< for the cluster? >>>. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| + |**Update worker pools in parallel**|This option allows the simultaneous update of nodes in the worker pool.| <<< Any advantages/disadvantages in doicng this?? 
>>> + + :::caution -10. Make the choice of updating the worker pool in parallel, if required. Click on **Next**. + If you set the cluster endpoint to Public, ensure you specify `0.0.0.0/0` in the Public Access CIDR field to open it to all possible IP addresses. Otherwise, Palette will not open it up entirely. We recommend specifying the **Private & Public** option to cover all the possibilities. <<< verify this >>> + ::: +<<< In a managed environment, do we still have a control plance?? >>> -11. Configure the master and worker node pools. A single master and a worker node pool are configured by default. This is the section where you can specify the availability zones (AZ), instance types, [instance cost type](architecture#spot-instances), disk size, and the number of nodes. Use the following tables to better understand the available input options. +11. Configure the worker node pools. A single master and a worker node pool are configured by default. This is the section where you can specify the availability zones (AZ), instance types, [instance cost type](architecture#spot-instances), disk size, and the number of nodes. Use the following tables to better understand the available input options. |**Parameter**| **Description**| |-------------|----------------| - |**Name** | A descriptive name for the node pool.| + |**Node pool name** | A descriptive name for the node pool.| + |**Number of nodes in the pool** | Specify the number of nodes.| + |**Additional Labels** | ?? | + |**Taints** | To control which workloads are placed on nodes in the pool. Toggle **Taints** on and specify a key and value. Use the **drop-down Menu** to choose the **Effect**: **NoSchedule**, **PreferNoSchedule**, or **NoExecute**. | + | **Instance Option** | Choose the pricing method: **On-Demand** instances provide stable and uninterrupted compute capacity - usually at a higher cost. **Spot** instances allow you to bid for unused EC2 capacity at a lower cost. 
We recommend you base your choice on your application's requirements. | + |**Instance Type** | Select the AWS instance type to be used for all nodes in the node pool.| + |**Enable Nodepool Customization** | <<< Start here >>> AMI ID (optional) toggle. When this option is enabled, AMI ID, Root Disk Size, Disk Type fields are displayed. | + |**Fargate Profiles** | <<< ??? >>> | + + <<< Check out tables below that separate out options. See how this publishes to determine which format to use. >>> + + |**Size** | Make your choice of minimum, maximum and desired sizes for the worker pool. The size of the worker pool will scale between the minimum and maximum size under varying workload conditions. Review the [AWS Instance Type and Pod Capacity](architecture#formula-for-pod-calculation) documentation for help in determining the proper instance type and size. | |[Taints](../../cluster-management/taints.md#taints): |Optionally enable node affinity optionally to attracts pods to a set of nodes| |[Labels](../../cluster-management/taints.md#labels): |Optionally enable labels to constrain a pod to only run on a particular set of nodes| - |**Instance Type** | Select the AWS instance type to be used for all nodes in the node pool.| + * Cloud Configuration settings: From 409c9a705e3274e2a841dff280d379004bb1cfb0 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Mon, 30 Oct 2023 08:43:45 -0700 Subject: [PATCH 02/28] Fixed tables --- .../clusters/public-cloud/aws/eks.md | 66 ++++++++++--------- 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 892708e1b8..809eddbfa7 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
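Review bot: draft markers are committed into the published markdown in this hunk (`<<< Note: check prod to see if AWS US Gov is listed >>`, `<<< why does user do this?? >>>`, `<<< Start here >>>`, `<<< ??? >>>`, `<<< verify this >>>`) and must be resolved or removed before merge; the first one is also unbalanced (only two closing `>`), and `| **Additional Labels** | ?? |` ships an empty description. The step numbering is broken: 5 jumps to 7, `11. Click the **Validate** button` appears twice with near-identical text (one belongs to the Credentials path, the other to the STS/ARN path), and after 16 the list drops back to 11. On the security guidance, the caution that tells readers to enter `0.0.0.0/0` in the Public Access CIDR field, followed by `We recommend specifying the **Private & Public** option to cover all the possibilities`, recommends exposing the Kubernetes API endpoint to every internet address as the default; invert it so the default recommendation is Private, or Public restricted to the operator's known CIDRs, with `0.0.0.0/0` documented only as the explicit choice for unrestricted access. The new **Private Access CIDR** row reuses the first sentence of the **Public Access CIDR** row verbatim; say how the two differ. The STS role options (trusted entity is another AWS account, external ID required) are correct and should stay as written.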
@@ -107,44 +107,46 @@ STS also requires you to create an IAM Role using the following options: 16. Provide the following and placement information and click on **Next** to continue. - |**Parameter**| **Description**| - |-------------|---------------| - - |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) in which cluster resources for each cluster will be placed. Palette manages these resources and deletes them when the corresponding cluster is deleted.

Enable the **Static Placement** option if you want to place resources into preexisting VPCs and subnets. You will need to provide the VPCID.| - |**Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster.| - |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The selected key is inserted into the provisioned VMs.| - |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Public Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Private Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To restrict network access, enter the IP address CIDR range that will provide access to the cluster. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Enable Encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN** <<< for the cluster? >>>. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| - |**Update worker pools in parallel**|This option allows the simultaneous update of nodes in the worker pool.| <<< Any advantages/disadvantages in doicng this?? 
>>> + |**Parameter**| **Description**| + |-------------|---------------| + |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) in which cluster resources for each cluster will be placed. Palette manages these resources and deletes them when the corresponding cluster is deleted.

Enable the **Static Placement** option if you want to place resources into preexisting VPCs and subnets. You will need to provide the VPCID.| + |**Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster.| + |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The selected key is inserted into the provisioned VMs.| + |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Public Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Private Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To restrict network access, enter the IP address CIDR range that will provide access to the cluster. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Enable Encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN** <<< for the cluster? >>>. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| + |**Update worker pools in parallel**|This option allows the simultaneous update of nodes in the worker pool.| + + <<< Any advantages/disadvantages in doing this?? 
>>> + + :::caution - :::caution + If you set the cluster endpoint to Public, ensure you specify `0.0.0.0/0` in the Public Access CIDR field to open it to all possible IP addresses. Otherwise, Palette will not open it up entirely. We recommend specifying the **Private & Public** option to cover all the possibilities. <<< verify this >>> - If you set the cluster endpoint to Public, ensure you specify `0.0.0.0/0` in the Public Access CIDR field to open it to all possible IP addresses. Otherwise, Palette will not open it up entirely. We recommend specifying the **Private & Public** option to cover all the possibilities. <<< verify this >>> + ::: - ::: -<<< In a managed environment, do we still have a control plance?? >>> +<<< In a managed environment, do we still have a control plance - (no) ?? >>> 11. Configure the worker node pools. A single master and a worker node pool are configured by default. This is the section where you can specify the availability zones (AZ), instance types, [instance cost type](architecture#spot-instances), disk size, and the number of nodes. Use the following tables to better understand the available input options. - |**Parameter**| **Description**| - |-------------|----------------| - |**Node pool name** | A descriptive name for the node pool.| - |**Number of nodes in the pool** | Specify the number of nodes.| - |**Additional Labels** | ?? | - |**Taints** | To control which workloads are placed on nodes in the pool. Toggle **Taints** on and specify a key and value. Use the **drop-down Menu** to choose the **Effect**: **NoSchedule**, **PreferNoSchedule**, or **NoExecute**. | - | **Instance Option** | Choose the pricing method: **On-Demand** instances provide stable and uninterrupted compute capacity - usually at a higher cost. **Spot** instances allow you to bid for unused EC2 capacity at a lower cost. We recommend you base your choice on your application's requirements. 
| - |**Instance Type** | Select the AWS instance type to be used for all nodes in the node pool.| - |**Enable Nodepool Customization** | <<< Start here >>> AMI ID (optional) toggle. When this option is enabled, AMI ID, Root Disk Size, Disk Type fields are displayed. | - |**Fargate Profiles** | <<< ??? >>> | - - <<< Check out tables below that separate out options. See how this publishes to determine which format to use. >>> - - - |**Size** | Make your choice of minimum, maximum and desired sizes for the worker pool. The size of the worker pool will scale between the minimum and maximum size under varying workload conditions. Review the [AWS Instance Type and Pod Capacity](architecture#formula-for-pod-calculation) documentation for help in determining the proper instance type and size. | - |[Taints](../../cluster-management/taints.md#taints): |Optionally enable node affinity optionally to attracts pods to a set of nodes| - |[Labels](../../cluster-management/taints.md#labels): |Optionally enable labels to constrain a pod to only run on a particular set of nodes| + |**Parameter**| **Description**| + |-------------|----------------| + |**Node pool name** | A descriptive name for the node pool.| + |**Number of nodes in the pool** | Specify the number of nodes.| + |**Additional Labels** | ?? | + |**Taints** | Taints are used to control which workloads are placed on nodes in the pool. Toggle **Taints** on and specify a key and value. Use the **drop-down Menu** to choose the **Effect**: **NoSchedule**, **PreferNoSchedule**, or **NoExecute**. | + | **Instance Option** | Choose the pricing method: **On-Demand** instances provide stable and uninterrupted compute capacity - usually at a higher cost. **Spot** instances allow you to bid for unused EC2 capacity at a lower cost. We recommend you base your choice on your application's requirements. 
| + |**Instance Type** | Select the AWS instance type to be used for all nodes in the node pool.| + |**Enable Nodepool Customization** | <<< Start here >>> AMI ID (optional) toggle. When this option is enabled, AMI ID, Root Disk Size, Disk Type fields are displayed. | + |**Fargate Profiles** | <<< ??? >>> | + + <<< Check out tables below that separate out options. See how this publishes to determine which format to use. >>> + + + |**Size** | Make your choice of minimum, maximum and desired sizes for the worker pool. The size of the worker pool will scale between the minimum and maximum size under varying workload conditions. Review the [AWS Instance Type and Pod Capacity](architecture#formula-for-pod-calculation) documentation for help in determining the proper instance type and size. | + |[Taints](../../cluster-management/taints.md#taints): |Optionally enable node affinity optionally to attracts pods to a set of nodes| + |[Labels](../../cluster-management/taints.md#labels): |Optionally enable labels to constrain a pod to only run on a particular set of nodes| * Cloud Configuration settings: From 7f48f312c46b5e42655a37773c192fdb7c7603b2 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Mon, 30 Oct 2023 14:06:38 -0700 Subject: [PATCH 03/28] Clean up steps, improve flow --- .../clusters/public-cloud/aws/eks.md | 223 ++++++++++-------- 1 file changed, 126 insertions(+), 97 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 809eddbfa7..7a94f4c324 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
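Review bot: `A single master and a worker node pool are configured by default` contradicts the step's own new heading (`Configure the worker node pools`) and the draft note left beside it (`do we still have a control plance - (no)`): on EKS the control plane is AWS-managed and is not a node pool the user configures, so drop `A single master and` together with the note. Beyond re-indenting, this hunk still carries `<<< verify this >>>`, `<<< Start here >>>`, `<<< ??? >>>` and the `??` description for **Additional Labels**, and the Size/Taints/Labels rows after `<<< Check out tables below ... >>>` are separated from the table header by blank lines, so they will not render as a table. Two content points while you are in here: the old `[Taints]` row (`enable node affinity ... to attracts pods to a set of nodes`) describes node affinity, not taints, which repel pods that lack a matching toleration, and it now duplicates the new **Taints** row above it, so keep the new row and delete the old one; and `**Spot** instances allow you to bid for unused EC2 capacity` is outdated, since EC2 Spot no longer uses bids, so describe Spot as discounted spare capacity that AWS can reclaim with a two-minute interruption notice.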
@@ -1,7 +1,7 @@ --- sidebar_label: "Create and Manage AWS EKS Cluster" title: "Create and Manage AWS EKS Cluster" -description: "Learn how to deploy and manage AWS EKS clusters with Palette" +description: "Learn how to deploy and manage AWS EKS clusters with Palette." hide_table_of_contents: false tags: ["public cloud", "aws"] sidebar_position: 30 @@ -14,11 +14,11 @@ Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clus The following prerequisites must be met before deploying a cluster to AWS: -- Access to an AWS cloud account +- Access to an AWS cloud account. - Palette integration with AWS account. Review [Add AWS Account](add-aws-accounts.md) for guidance. - An infrastructure cluster profile for AWS EKS. Review [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) for guidance. -- An [EC2 Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) in the target region. -- Palette creates compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region for the creation of the following resources: +- An [EC2 Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) for the target region. +- Palette creates compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources: - vCPU - VPC - Elastic IP 
@@ -39,86 +39,126 @@ The following tags should be added to the virtual private network (VPC) public s ## Deploy an AWS Cluster -Use the following steps to provision a new AWS EKS cluster: +Use the following steps to deploy an AWS cluster in which to provision an EKS cluster. -1. Ensure you are in the correct project scope. +1. Log in to [Palette](https://console.spectrocloud.com/). -2. From the left **Main Menu**, select **Clusters** and click on the **Add New Cluster** button. +2. Ensure you are in the correct project scope. -3. Click on **Deploy New Cluster** on the next page Palette displays. This will allow you to deploy a cluster using your own cloud account. +3. From the left **Main Menu** select **Clusters**, and click on the **Add New Cluster** button. -4. Select **AWS** and click on the **Start AWS Configuration** button. +4. From the left **Main Menu**, select **Clusters** . -5. Fill out the following input values, and click on **Next** to continue. +5. Click on **Deploy New Cluster** on the next page Palette displays. This will allow you to deploy a cluster using your own cloud account. + +6. Select **AWS** and click on the **Start AWS Configuration** button. + +7. Fill out the following input values, and click on **Next Step** to continue. | **Field** | **Description** | |-----------|-----------------| - | **Name**| A custom name for the cluster. | + | **Cluster Name**| A custom name for the cluster. | | **Description**| Use the description to provide context about the cluster.| | **Tags**| Assign any desired cluster tags. Tags on a cluster are propagated to the Virtual Machines (VMs) deployed to the target environments. Example: `zone` or `region`.| - | **Cloud Account** | If you already have an AWS account, add the AWS cloud account name. If you do not have an account, click on **Add New Account** to a add one. | + | **AWS Account** | If you already added your AWS account in Palette, select it from the **drop-down Menu**. 
Otherwise, click on **Add New Account** and add your AWS account information. | -7. On the AWS cloud account form that displays, provide your AWS account name. You can add an optional description to provide context about the account. + If you already have an AWS account, skip to section... -8. Select **AWS** from the **drop-down Menu**. <<< Note: check prod to see if AWS US Gov is listed >> +### Add AWS Account -9. If you use **Credentials**, provide these in the Access Key and Secret access key fields. To use Security Token Service, review the guidance in the right panel that displays when you select **STS**. -<<< The following needs different formatting - not sure it works as a tab because it would be only one. maybe the info is mentioned in prereqs? Maybe in a different doc? >>> - STS requires you to create the following IAM policies with the listed permissions within your AWS account: +Follow the steps below if you have not previously added your AWS account in Palette and created an EKS cluster. If you already added an account, Palette displays it in the Cloud Account **drop-down Menu**. Choose the account and skip to [Create an EKS Cluster](#create-an-eks-cluster). - | **Policy** | **Permissions** | - |-----------|-----------------| - | `PaletteControllerPolicy`| Controller Policy | - | `PaletteControlPlanePolicy`| Control Plane Policy| - | `PaletteNodesPolicy`| Nodes Policy| - | `PaletteDeploymentPolicy` | Deployment Policy | +1. On the AWS cloud account form that displays, provide your AWS account name. You can add an optional description to provide context about the account. + +2. Select **AWS** from the **drop-down Menu**. + +3. If you use **Credentials**, provide these in the **Access Key** and **Secret access key** fields. To use Security Token Service, review the guidance in the right panel that displays when you select **STS**. + + Select the tab below that applies to the authentication method you will use to configure your AWS account. + + + + + +4. 
Specify the account name. +5. Add an optional description to give the account some context. -STS also requires you to create an IAM Role using the following options: +6. In the **Partition** field, select **AWS** in the **drop-down Menu**. - - Trusted Entity Type: Specify another AWS account +7. From your AWS console, copy the access key and secret key. - - Account ID: Copy this from the panel that displays when you select **STS**. +8. In Palette, paste the keys in the **Access key** and **Secret access key** fields. - - Require External ID: **Enable** +9. Click the **Validate button**. If the credentials you provided are correct, a *Credentials validated* success message with a green check is displayed. - - External ID: Copy this from the panel that displays when you select **STS** +10. To use a Private Cloud Gateway (PCG) that you installed, toggle the **Connect Private Cloud Gateway** button and select the PCG from the **drop-down Menu**. - - Permissions Policy: These are the four policies you added, which are listed in the above table. +11. When you have completed inputting values and credentials are validated, click **Confirm**. + -10. In the AWS Console, browse to the role details page and copy the Role ARN and paste it in the **ARN** field. + + + +4. Specify the account name. An optional description gives the account some context. + +5. In the **Partition** field, select **AWS** in the **drop-down Menu**. + +6. If you have not already created the following IAM policies with the permissions listed in the table, go ahead and create them. + + | **Policy** | **Permission** | + |-----------|-----------------| + | `PaletteControllerPolicy`| Controller Policy | + | `PaletteControlPlanePolicy`| Control Plane Policy| + | `PaletteNodesPolicy`| Nodes Policy| + | `PaletteDeploymentPolicy` | Deployment Policy | + +7. Create an IAM Role that uses the following rules and options. 
+ + | **Rule** | **Option** | + |-----------|-----------------| + | **Trusted Entity Type**| Controller Policy | + | **Account ID** | In Palette, copy this from the right panel that displays when you select **STS**.| + | **Require External ID** | **Enable**| + | **External ID** | In Palette, copy this from the right panel that displays when you select **STS**. | + | **Permissions Policy** | Search and select the four policies you added in step 12. | + | **Role Name** | Provide `SpectroCloudRole` as the role name. | -11. Click the **Validate** button. If the credentials you provided are correct, a Credentials validated success message with a green check is displayed. +8. In the AWS Console, browse to the role details page and copy the Role ARN. -11. Click the **Validate** button. If the ARN you provided is correct, a Credentials validated success message with a green check is displayed. +9. Paste the ARN in the **ARN** field. -12. Toggle the **Connect Private Cloud Gateway** ... <<< why does user do this?? >>> +10. Click the **Validate** button. If the ARN you provided is correct, a Credentials validated success message with a green check is displayed. -13. When you have completed inputting values and credentials are validated, click **Confirm**. +11. To use a Private Cloud Gateway (PCG) that you installed, toggle the **Connect Private Cloud Gateway** button and select the PCG from the **drop-down Menu**. +12. When you have completed inputting values and credentials are validated, click **Confirm**. + + -14. Under **Managed Kubernetes**, select **EKS**. Select the EKS cluster profile you created and click on **Next**. +### Create an EKS Cluster -15. Review and customize parameters as desired in the YAML files for each cluster profile layer. Click on **Next** when you are done. +Use the following steps to provision a new EKS cluster. +1. Select **EKS** as the **Infrastructure Provider**. Select the EKS cluster profile you created and click on **Next**. -16. 
Provide the following and placement information and click on **Next** to continue. +2. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. Click on **Next** when you are done. + +3. Provide the following node configuration information and click on **Next** to continue. |**Parameter**| **Description**| |-------------|---------------| - |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) in which cluster resources for each cluster will be placed. Palette manages these resources and deletes them when the corresponding cluster is deleted.

Enable the **Static Placement** option if you want to place resources into preexisting VPCs and subnets. You will need to provide the VPCID.| + |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) in which resources for each cluster will be placed. Palette manages these resources and deletes them when the corresponding cluster is deleted.

Enable the **Static Placement** option if you want to place resources into pre-existing VPCs and subnets. You will need to provide the VPCID.| |**Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster.| - |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The selected key is inserted into the provisioned VMs.| + |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs.| |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Public Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Private Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To restrict network access, enter the IP address CIDR range that will provide access to the cluster. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Enable Encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN** <<< for the cluster? >>>. 
Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| - |**Update worker pools in parallel**|This option allows the simultaneous update of nodes in the worker pool.| - - <<< Any advantages/disadvantages in doing this?? >>> + |**Enable Encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN**. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| + |**Update worker pools in parallel**| This option allows the simultaneous update of nodes in the worker pool.| :::caution 
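Review bot: In the added IAM Role table, the **Trusted Entity Type** row reads `Controller Policy`, which is the name of a permissions policy, not a trusted entity; the removed text specified "another AWS account", and this is the setting that controls which principal may assume `SpectroCloudRole`, so the row should read something like `Another AWS account`. The **Permissions Policy** row still says "the four policies you added in step 12", but the policies are created in step 6 of this tab, so the cross-reference is stale. Minor: the **Enable Encryption** row carries "to the select" and "Managment" into the new text.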
@@ -126,89 +166,77 @@ STS also requires you to create an IAM Role using the following options: ::: -<<< In a managed environment, do we still have a control plance - (no) ?? >>> - -11. Configure the worker node pools. A single master and a worker node pool are configured by default. This is the section where you can specify the availability zones (AZ), instance types, [instance cost type](architecture#spot-instances), disk size, and the number of nodes. Use the following tables to better understand the available input options. +4. Configure the worker node pool and provide cloud configuration information. Palette configures a single worker node pool by default. This is the section where you can specify the availability zones (AZ) ??, instance types, [instance cost type](architecture#spot-instances), disk size, and the number of nodes. Use the following table to better understand the available input options. Click **Next** to continue. |**Parameter**| **Description**| |-------------|----------------| |**Node pool name** | A descriptive name for the node pool.| - |**Number of nodes in the pool** | Specify the number of nodes.| - |**Additional Labels** | ?? | - |**Taints** | Taints are used to control which workloads are placed on nodes in the pool. Toggle **Taints** on and specify a key and value. Use the **drop-down Menu** to choose the **Effect**: **NoSchedule**, **PreferNoSchedule**, or **NoExecute**. | - | **Instance Option** | Choose the pricing method: **On-Demand** instances provide stable and uninterrupted compute capacity - usually at a higher cost. **Spot** instances allow you to bid for unused EC2 capacity at a lower cost. We recommend you base your choice on your application's requirements. | - |**Instance Type** | Select the AWS instance type to be used for all nodes in the node pool.| - |**Enable Nodepool Customization** | <<< Start here >>> AMI ID (optional) toggle. When this option is enabled, AMI ID, Root Disk Size, Disk Type fields are displayed. 
| - |**Fargate Profiles** | <<< ??? >>> | + |**Number of nodes in the pool** | Specify the number of nodes in the worker pool.| + |**Additional Labels** | Optionally, you can add labels for cluster resources in key-value format. | + |**Taints** | You can apply optional taint labels to a node pool during the cluster creation or edit taint labels on an existing cluster. Review the [Node Pool](../../cluster-management/node-pool.md) management page to learn more. Toggle the **Taint** button to create a label. If tainting is enabled, you need to provide a custom key-value pair and use the **drop-down Menu** to choose **Effect**:

- **NoSchedule**: Pods are not scheduled onto nodes with this taint.

- **PreferNoSchedule**: Kubernetes attempts to avoid scheduling pods onto nodes with this taint, but scheduling is not prohibited.

- **NoExecute**: Existing pods on nodes with this taint are evicted. | + | **Instance Option** | Choose the pricing method: **On-Demand** instances provide stable and uninterrupted compute capacity at a higher cost. **Spot** instances allow you to bid for unused EC2 capacity at a lower cost. We recommend you base your choice on your application's requirements. | + |**Instance Type** | Select the instance type to be used for all nodes in the node pool.| + |**Enable Nodepool Customization** | Toggle this option on to use a pre-configured VM image and provide the Amazon Machine Image (AMI) ID, in the **AMI ID** field. the disk type for AMI ID (optional) toggle. When this option is enabled, you can use the **drop-down Menu** in the **Disk Type** field to specify the disk type to use. By default, the **Root Disk size** is | + |**Root Disk size** | By default, the **Root Disk size** is `60`. You can change this size. | + |**Fargate Profiles** | An AWS feature that allows you to run containers without the need for EC2 instances. With Fargate, you do not provision or manage the cloud infrastructure. | - <<< Check out tables below that separate out options. See how this publishes to determine which format to use. >>> +<<< Ask eng. about Fargate Profiles that displays in the Node pools configuration for EKS. There are no options - it should be removed because it causes confusion. >>> +:::info - |**Size** | Make your choice of minimum, maximum and desired sizes for the worker pool. The size of the worker pool will scale between the minimum and maximum size under varying workload conditions. Review the [AWS Instance Type and Pod Capacity](architecture#formula-for-pod-calculation) documentation for help in determining the proper instance type and size. 
| - |[Taints](../../cluster-management/taints.md#taints): |Optionally enable node affinity optionally to attracts pods to a set of nodes| - |[Labels](../../cluster-management/taints.md#labels): |Optionally enable labels to constrain a pod to only run on a particular set of nodes| - - - * Cloud Configuration settings: +You can add new worker pools if you need to customize certain worker nodes to run specialized workloads. As an example, the default worker pool may be configured with the m3.large instance types for general-purpose workloads, and another worker pool with instance type g2.2xlarge can be configured to run GPU workloads. - |**Parameter**| **Description**| - |-------------|----------------| - |**Instance Option**:| Choose between on-demand or spot instances| - |**Instance Type**:| Choose an instance type | - |**Availability Zones**:|Select at least one availability zone within the VPC| - |**Disk Size**|Make the choice of disk size as per requirement| +::: - * You can create one or more Fargate profiles for the EKS cluster to use. - - |**Parameter**| **Description**| - |-------------|---------------| - |**Name** |Provide a name for the Fargate profile.| - |**Subnets** |Pods running on Fargate Profiles are not assigned public IP addresses, so only private subnets (with no direct route to an Internet Gateway) are accepted for this parameter. For dynamic provisioning, this input is not required and subnets are automatically selected.| - |**Selectors** |Define pod selector by providing a target namespace and optionally labels. Pods with matching namespace and app labels are scheduled to run on dynamically provisioned compute nodes.
You can have up to five selectors in a Fargate profile and a pod only needs to match one selector to run using the Fargate profile.| + -:::info +5. Specify your preferred **OS Patching Schedule** for EKS-managed machines. -You can add new worker pools if you need to customize certain worker nodes to run specialized workloads. As an example, the default worker pool may be configured with the m3.large instance types for general-purpose workloads, and another worker pool with instance type g2.2xlarge can be configured to run GPU workloads. +6. Enable any scan options you want Palette to perform, and select a scan schedule. Palette provides support for Kubernetes configuration security, penetration testing, or conformance testing. -::: +7. Schedule any backups you want Palette to perform. Review [Backup and Restore](../../cluster-management/backup-restore/backup-restore.md) for more information. -12. An optional taint label can be applied to a node pool during the cluster creation. For a an existing cluster, the taint label can be edited, review the [Node Pool](../../cluster-management/node-pool.md) management page to learn more. Toggle the **Taint** button to create a label. +8. RBAC configuration is required for OIDC. +9. Click on the **Validate** button and review the cluster configuration. -13. Enable or disable node pool taints. If tainting is enabled then you need provide values for the following parameters: - - |**Parameter**| **Description**| - |-------------|---------------| - |**Key** |Custom key for the taint.| - |**Value** | Custom value for the taint key.| - | **Effect** | Make the choice of effect from the drop-down menu. Review the effect table bellow for more details. | +10. Review the settings summary and click **Finish Configuration** to deploy the cluster. + + The cluster details page of the cluster contains the status and details of the deployment. Use this page to track the deployment progress. 
+ +:::info + +Provisioning an AWS EKS clusters can take several minutes. + +::: - #### Effect Table - |**Parameter**| **Description**| - |-------------|---------------| - | **NoSchedule**| A pod that cannot tolerate the node taint and should not be scheduled to the node. - | **PreferNoSchedule**| The system will avoid placing a non-tolerant pod to the tainted node but is not guaranteed. - | **NoExecute**| New pods will not be scheduled on the node, and existing pods on the node if any on the node will be evicted they do not tolerate the taint. | + ## Validate -You can validate your cluster is up and running by reviewing the cluster details page. Navigate to the left **Main Menu** and click on **Clusters**. The **Clusters** page contains a list of all available clusters managed by Palette. Click on the row for the cluster you wish to review its details page. Ensure the **Cluster Status** field contains the value **Running**. +You can validate your cluster is up and running. + +1. Log in to [Palette](https://console.spectrocloud.com/). + +2. Navigate to the left **Main Menu** and select **Clusters**. The **Clusters** page displays a list of all available clusters managed by Palette. + +3. Click on the cluster you created to view its details page. + +4. Ensure the **Cluster Status** field contains the value **Running**. ## EKS Cluster Secrets Encryption Palette encourages using AWS Key Management Service (KMS) to provide envelope encryption of Kubernetes secrets stored in Amazon Elastic Kubernetes Service (EKS) clusters. This encryption is -a defense-in-depth security strategy to protect sensitive data such as passwords, docker registry credentials, and TLS keys stored as [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/). 
+a defense-in-depth security strategy to protect sensitive data such as passwords, docker registry credentials, and Transport Layer Security (TLS) keys stored as [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/). ### Prerequisites @@ -218,7 +246,7 @@ a defense-in-depth security strategy to protect sensitive data such as passwords ### Configure KMS -The IAM User or IAM role that Palette is using must have the following IAM permissions. +The IAM user or IAM role that Palette is using must have the following IAM permissions. ```json hideClipboard kms:CreateGrant, @@ -227,4 +255,5 @@ kms:ListKeys, kms:DescribeKeys ``` Ensure the IAM role or IAM user can perform the required IAM permissions on the KMS key that will be used for EKS. + You can enable secret encryption during the EKS cluster creation process by toggling the encryption button providing the Amazon Resource Name (ARN) of the encryption key. The encryption option is available on the cluster creation wizard's **Cluster Config** page. From f106bb223094602a81ccc9e82aa5ac22738e6b44 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Mon, 30 Oct 2023 14:39:46 -0700 Subject: [PATCH 04/28] Add info based on prototype. --- .../clusters/public-cloud/aws/eks.md | 29 +++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 7a94f4c324..d07236d91c 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -53,7 +53,7 @@ Use the following steps to deploy an AWS cluster in which to provision an EKS cl 6. Select **AWS** and click on the **Start AWS Configuration** button. -7. Fill out the following input values, and click on **Next Step** to continue. +7. Fill out the following basic information, and click on **Next Step** to continue. | **Field** | **Description** | |-----------|-----------------| 
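Review bot: The **Enable Nodepool Customization** row in step 4 is truncated: "By default, the **Root Disk size** is" ends mid-sentence (and duplicates the next row), and "the disk type for AMI ID (optional) toggle." is a fragment, so the row needs rewriting before it ships. The same step still carries the "availability zones (AZ) ??" placeholder and the `<<< Ask eng. about Fargate Profiles ... >>>` note, which will render in the published page. Replacing the Fargate profile table (Name, Subnets, Selectors) with a one-line description also drops the statement that only private subnets with no route to an Internet Gateway are accepted; if the option stays, that constraint should be kept. "8. RBAC configuration is required for OIDC." gives the reader no action to take and needs a link or a sentence on what to configure, and "an AWS EKS clusters" in the info box should be singular.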
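Review bot: The permissions block this hunk touches lists `kms:DescribeKeys`, but the KMS action is `kms:DescribeKey` (singular); an IAM policy statement with a misspelled action grants nothing, so the encryption setup would fail on that call. Since the hunk already edits this section, correct the action name here. Also, "toggling the encryption button providing the Amazon Resource Name (ARN)" is missing an "and".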
@@ -64,6 +64,31 @@ Use the following steps to deploy an AWS cluster in which to provision an EKS cl If you already have an AWS account, skip to section... +8. Select a full or infrastructure cluster profile. To learn more about profiles, review [Cluster Profiles](../../../profiles/cluster-profiles/cluster-profiles.md). + +9. Review profile layers... Click **Next Step**. + +10. Provide the following cluster configuration information and click on **Next** to continue. + + |**Parameter**| **Description**| + |-------------|---------------| + |**Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster.| + |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs.| + |**Enable static placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) in which resources for each cluster will be placed. Palette manages these resources and deletes them when the corresponding cluster is deleted.

Enable the **Static Placement** option if you want to place resources into pre-existing VPCs and subnets. You will need to provide the VPCID.| + |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**.

**Private & Public** allows external access to the cluster endpoint while keeping worker node traffic within your VPC for balanced accessibility and security. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Public Access CIDRs** (not in protoype) |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Private Access CIDRs** (not in protoype) |This setting controls which IP address CIDR range can access the cluster. To restrict network access, enter the IP address CIDR range that will provide access to the cluster. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.<<< Currently, new design doesn't show Private Access CIDRs.>>> | + |**Enable key encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN**. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| + |**Update worker pools in parallel**| This option allows the simultaneous update of nodes in the worker pool. This is an efficient way to manage various types of workloads. | + + :::caution + + If you set the cluster endpoint to Public, ensure you specify `0.0.0.0/0` in the Public Access CIDR field to open it to all possible IP addresses. Otherwise, Palette will not open it up entirely. We recommend specifying the **Private & Public** option to cover all the possibilities. 
<<< verify this >>> + + ::: + +<<< Prototype stops here >>> + ### Add AWS Account Follow the steps below if you have not previously added your AWS account in Palette and created an EKS cluster. If you already added an account, Palette displays it in the Cloud Account **drop-down Menu**. Choose the account and skip to [Create an EKS Cluster](#create-an-eks-cluster). @@ -158,7 +183,7 @@ Use the following steps to provision a new EKS cluster. |**Public Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Private Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To restrict network access, enter the IP address CIDR range that will provide access to the cluster. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Enable Encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN**. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| - |**Update worker pools in parallel**| This option allows the simultaneous update of nodes in the worker pool.| + |**Update worker pools in parallel**| This option allows the simultaneous update of nodes in the worker pool. This is an efficient way to manage various types of workloads. | :::caution From 59b230d13f539c3b9a1b9020ef8230d392ef7ac1 Mon Sep 17 00:00:00 2001 
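Review bot: Several author placeholders are added as page content in the new steps 8 to 10: "(not in protoype)" on two table rows (also misspelled), "<<< Currently, new design doesn't show Private Access CIDRs.>>>", "<<< verify this >>>" inside the caution, "<<< Prototype stops here >>>", and the unfinished "9. Review profile layers... Click **Next Step**."; these will render as written. The **Enable key encryption** row label does not match the "**Enable Encryption** option" named in its own description, so the reader cannot tell which control to look for.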
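Review bot: The sentence added to the **Update worker pools in parallel** row, "This is an efficient way to manage various types of workloads.", says nothing concrete about what the option changes. State the actual trade-off the row already implies: updating nodes simultaneously finishes the rollout sooner but leaves more of the pool unavailable at once, so it suits pools whose workloads tolerate that.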
From: Rita Watson Date: Mon, 30 Oct 2023 17:18:29 -0700 Subject: [PATCH 05/28] Verify steps, add resources --- .../clusters/public-cloud/aws/eks.md | 135 +++++++++--------- 1 file changed, 64 insertions(+), 71 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index d07236d91c..38968bc8d7 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -12,19 +12,17 @@ Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clus ## Prerequisites -The following prerequisites must be met before deploying a cluster to AWS: - - Access to an AWS cloud account. - Palette integration with AWS account. Review [Add AWS Account](add-aws-accounts.md) for guidance. - An infrastructure cluster profile for AWS EKS. Review [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) for guidance. - An [EC2 Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) for the target region. - Palette creates compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources: - - vCPU - - VPC + - Virtual CPU (vCPU) + - Virtual Private Cloud (VPC) - Elastic IP - Internet Gateway - Elastic Load Balancers - - NAT Gateway + - Network Address Translation (NAT) Gateway :::info 
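Review bot: Removing "The following prerequisites must be met before deploying a cluster to AWS:" leaves the bullet list directly under the "## Prerequisites" heading with no lead-in sentence; keep a one-line introduction. The acronym expansions for vCPU, VPC and NAT are fine.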
@@ -47,59 +45,34 @@ Use the following steps to deploy an AWS cluster in which to provision an EKS cl 3. From the left **Main Menu** select **Clusters**, and click on the **Add New Cluster** button. -4. From the left **Main Menu**, select **Clusters** . - -5. Click on **Deploy New Cluster** on the next page Palette displays. This will allow you to deploy a cluster using your own cloud account. +4. Select **Deploy New Cluster** on the next page Palette displays. This will allow you to deploy a cluster using your own cloud account. -6. Select **AWS** and click on the **Start AWS Configuration** button. +5. Select **AWS** and click on the **Start AWS Configuration** button. -7. Fill out the following basic information, and click on **Next Step** to continue. +6. Fill out the following basic information, and click on **Next Step** to continue. | **Field** | **Description** | |-----------|-----------------| | **Cluster Name**| A custom name for the cluster. | | **Description**| Use the description to provide context about the cluster.| | **Tags**| Assign any desired cluster tags. Tags on a cluster are propagated to the Virtual Machines (VMs) deployed to the target environments. Example: `zone` or `region`.| - | **AWS Account** | If you already added your AWS account in Palette, select it from the **drop-down Menu**. Otherwise, click on **Add New Account** and add your AWS account information. | + | **Cloud Account** | If you already added your AWS account in Palette, select it from the **drop-down Menu**. Otherwise, click on **Add New Account** and add your AWS account information. | - If you already have an AWS account, skip to section... + If you already have an AWS account, skip to the [Create an EKS Cluster](#create-an-eks-cluster) section. To add a cloud account, continue to the [Add Cloud Account](#add-aws-cloud-account) section. -8. Select a full or infrastructure cluster profile. 
To learn more about profiles, review [Cluster Profiles](../../../profiles/cluster-profiles/cluster-profiles.md). +### Add Cloud Account -9. Review profile layers... Click **Next Step**. +Follow the steps below if you have not previously added your AWS cloud account in Palette. -10. Provide the following cluster configuration information and click on **Next** to continue. +1. At the Basic Information step in the wizard, click on the **drop-down Menu** in the **Cloud Account** field and click **Add New Account**. - |**Parameter**| **Description**| - |-------------|---------------| - |**Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster.| - |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs.| - |**Enable static placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) in which resources for each cluster will be placed. Palette manages these resources and deletes them when the corresponding cluster is deleted.

Enable the **Static Placement** option if you want to place resources into pre-existing VPCs and subnets. You will need to provide the VPCID.| - |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**.

**Private & Public** allows external access to the cluster endpoint while keeping worker node traffic within your VPC for balanced accessibility and security. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Public Access CIDRs** (not in protoype) |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Private Access CIDRs** (not in protoype) |This setting controls which IP address CIDR range can access the cluster. To restrict network access, enter the IP address CIDR range that will provide access to the cluster. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.<<< Currently, new design doesn't show Private Access CIDRs.>>> | - |**Enable key encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN**. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| - |**Update worker pools in parallel**| This option allows the simultaneous update of nodes in the worker pool. This is an efficient way to manage various types of workloads. | +2. On the form that displays, provide your AWS account name and an optional description to provide context about the account. - :::caution +3. In the **Partition** field, select **AWS** from the **drop-down Menu**. - If you set the cluster endpoint to Public, ensure you specify `0.0.0.0/0` in the Public Access CIDR field to open it to all possible IP addresses. 
Otherwise, Palette will not open it up entirely. We recommend specifying the **Private & Public** option to cover all the possibilities. <<< verify this >>> +Creating the account is different depending on the authentication type you choose. Select the tab below that applies to the authentication method you will use to configure your AWS account. - ::: - -<<< Prototype stops here >>> - -### Add AWS Account - -Follow the steps below if you have not previously added your AWS account in Palette and created an EKS cluster. If you already added an account, Palette displays it in the Cloud Account **drop-down Menu**. Choose the account and skip to [Create an EKS Cluster](#create-an-eks-cluster). - -1. On the AWS cloud account form that displays, provide your AWS account name. You can add an optional description to provide context about the account. - -2. Select **AWS** from the **drop-down Menu**. - -3. If you use **Credentials**, provide these in the **Access Key** and **Secret access key** fields. To use Security Token Service, review the guidance in the right panel that displays when you select **STS**. - - Select the tab below that applies to the authentication method you will use to configure your AWS account. + @@ -126,11 +99,13 @@ Follow the steps below if you have not previously added your AWS account in Pale -4. Specify the account name. An optional description gives the account some context. +4. Specify the account name. + +5. Add an optional description to give the account some context. -5. In the **Partition** field, select **AWS** in the **drop-down Menu**. +6. In the **Partition** field, select **AWS** in the **drop-down Menu**. -6. If you have not already created the following IAM policies with the permissions listed in the table, go ahead and create them. +7. If you have not already created the following IAM policies with the permissions listed in the table, go ahead and create them. | **Policy** | **Permission** | |-----------|-----------------| 
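Review bot: The new link "[Add Cloud Account](#add-aws-cloud-account)" does not match the heading it points to; "### Add Cloud Account" will generate the anchor `#add-cloud-account`, so the link will be broken. The new section also asks for the account name, description and **Partition** in steps 1 to 3 and then hands off to the authentication tabs, which (in the tab content this patch leaves in place) begin by asking for the same three values again; either the section or the tabs should collect them, not both.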
@@ -139,7 +114,7 @@ Follow the steps below if you have not previously added your AWS account in Pale | `PaletteNodesPolicy`| Nodes Policy| | `PaletteDeploymentPolicy` | Deployment Policy | -7. Create an IAM Role that uses the following rules and options. +8. Create an IAM Role that uses the following rules and options. | **Rule** | **Option** | |-----------|-----------------| @@ -150,9 +125,7 @@ Follow the steps below if you have not previously added your AWS account in Pale | **Permissions Policy** | Search and select the four policies you added in step 12. | | **Role Name** | Provide `SpectroCloudRole` as the role name. | -8. In the AWS Console, browse to the role details page and copy the Role ARN. - -9. Paste the ARN in the **ARN** field. +9. In the AWS Console, browse to the role details page and copy the Role ARN and paste it in the **ARN** field in Palette. 10. Click the **Validate** button. If the ARN you provided is correct, a Credentials validated success message with a green check is displayed. @@ -160,7 +133,6 @@ Follow the steps below if you have not previously added your AWS account in Pale 12. When you have completed inputting values and credentials are validated, click **Confirm**. - 
@@ -168,11 +140,18 @@ Follow the steps below if you have not previously added your AWS account in Pale Use the following steps to provision a new EKS cluster. -1. Select **EKS** as the **Infrastructure Provider**. Select the EKS cluster profile you created and click on **Next**. +1. Select **EKS** as the **Managed Kubernetes**. + +2. Select the EKS cluster profile you created and click on **Next**. -2. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. Click on **Next** when you are done. +3. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. -3. Provide the following node configuration information and click on **Next** to continue. +4. To configure OIDC, select the Kubernetes layer and edit the Kubernetes YAML file. + + +Click on **Next** when you are done. + +5. Provide the following cluster configuration information and click on **Next** to continue. |**Parameter**| **Description**| |-------------|---------------| 
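Review bot: "Click on **Next** when you are done." is inserted flush-left between items 4 and 5, which will break the numbered list and restart numbering at 5; fold it into step 4 ("... edit the Kubernetes YAML file. Click on **Next** when you are done."). Step 4 also tells the reader to edit the Kubernetes YAML for OIDC without saying which settings to change or linking to guidance, and "Select **EKS** as the **Managed Kubernetes**" reads oddly; the removed wording from the earlier revision, "Under **Managed Kubernetes**, select **EKS**", is clearer.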
@@ -180,29 +159,31 @@ Use the following steps to provision a new EKS cluster. |**Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster.| |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs.| |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Public Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Private Access CIDR** |This setting controls which IP address CIDR range can access the cluster. To restrict network access, enter the IP address CIDR range that will provide access to the cluster. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Public Access CIDRs** |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Private Access CIDRs** |This setting controls which IP address CIDR range can access the cluster. 
To restrict network access, enter the IP address CIDR range that will provide access to the cluster. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Enable Encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN**. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| |**Update worker pools in parallel**| This option allows the simultaneous update of nodes in the worker pool. This is an efficient way to manage various types of workloads. | :::caution - If you set the cluster endpoint to Public, ensure you specify `0.0.0.0/0` in the Public Access CIDR field to open it to all possible IP addresses. Otherwise, Palette will not open it up entirely. We recommend specifying the **Private & Public** option to cover all the possibilities. <<< verify this >>> + If you set the cluster endpoint to Public, ensure you specify `0.0.0.0/0` in the Public Access CIDR field to open it to all possible IP addresses. Otherwise, Palette will not open it up entirely. We recommend specifying the **Private & Public** option to cover all the possibilities. ::: -4. Configure the worker node pool and provide cloud configuration information. Palette configures a single worker node pool by default. This is the section where you can specify the availability zones (AZ) ??, instance types, [instance cost type](architecture#spot-instances), disk size, and the number of nodes. Use the following table to better understand the available input options. Click **Next** to continue. +6. Provide the following node pool and cloud configuration information. Click on **Next** to continue. 
+ + |**Parameter**| **Description**| |-------------|----------------| |**Node pool name** | A descriptive name for the node pool.| |**Number of nodes in the pool** | Specify the number of nodes in the worker pool.| - |**Additional Labels** | Optionally, you can add labels for cluster resources in key-value format. | - |**Taints** | You can apply optional taint labels to a node pool during the cluster creation or edit taint labels on an existing cluster. Review the [Node Pool](../../cluster-management/node-pool.md) management page to learn more. Toggle the **Taint** button to create a label. If tainting is enabled, you need to provide a custom key-value pair and use the **drop-down Menu** to choose **Effect**:

- **NoSchedule**: Pods are not scheduled onto nodes with this taint.

- **PreferNoSchedule**: Kubernetes attempts to avoid scheduling pods onto nodes with this taint, but scheduling is not prohibited.

- **NoExecute**: Existing pods on nodes with this taint are evicted. | - | **Instance Option** | Choose the pricing method: **On-Demand** instances provide stable and uninterrupted compute capacity at a higher cost. **Spot** instances allow you to bid for unused EC2 capacity at a lower cost. We recommend you base your choice on your application's requirements. | - |**Instance Type** | Select the instance type to be used for all nodes in the node pool.| - |**Enable Nodepool Customization** | Toggle this option on to use a pre-configured VM image and provide the Amazon Machine Image (AMI) ID, in the **AMI ID** field. the disk type for AMI ID (optional) toggle. When this option is enabled, you can use the **drop-down Menu** in the **Disk Type** field to specify the disk type to use. By default, the **Root Disk size** is | - |**Root Disk size** | By default, the **Root Disk size** is `60`. You can change this size. | + |**Additional Labels** | Optionally, you can add labels to nodes in key-value format. For more information about applying labels, review [Apply Labels to Nodes](../../cluster-management/taints.md/#apply-labels-to-nodes). Example: `"environment": "production"` | + |**Taints** | You can apply optional taint labels to a node pool during the cluster creation or edit taint labels on an existing cluster. Review the [Node Pool](../../cluster-management/node-pool.md) management page to learn more. Toggle the **Taint** button to create a label. If tainting is enabled, you need to provide a custom key-value pair and use the **drop-down Menu** to choose **Effect**:
**NoSchedule**: Pods are not scheduled onto nodes with this taint.
**PreferNoSchedule**: Kubernetes attempts to avoid scheduling pods onto nodes with this taint, but scheduling is not prohibited.
**NoExecute**: Existing pods on nodes with this taint are evicted. | + | **Instance Option** | Choose the pricing method:
**On-Demand** instances provide stable and uninterrupted compute capacity at a higher cost.
**Spot** instances allow you to bid for unused EC2 capacity at a lower cost. We recommend you base your choice on your application's requirements. | + |**Instance Type** | Select the instance type to use for all nodes in the node pool.| + |**Enable Nodepool Customization** | Toggle this option on to use a pre-configured VM image and provide the Amazon Machine Image (AMI) ID. When this option is enabled, you can use the **drop-down Menu** to specify the disk type to use. | + |**Root Disk size** | By default, the **Root Disk size** is `60`, which you can change. | |**Fargate Profiles** | An AWS feature that allows you to run containers without the need for EC2 instances. With Fargate, you do not provision or manage the cloud infrastructure. | <<< Ask eng. about Fargate Profiles that displays in the Node pools configuration for EKS. There are no options - it should be removed because it causes confusion. 
>>> @@ -213,19 +194,17 @@ You can add new worker pools if you need to customize certain worker nodes to ru ::: - +7. Specify your preferred **OS Patching Schedule** for EKS-managed machines. -5. Specify your preferred **OS Patching Schedule** for EKS-managed machines. +8. Enable any scan options you want Palette to perform, and select a scan schedule. Palette provides support for Kubernetes configuration security, penetration testing, and conformance testing. -6. Enable any scan options you want Palette to perform, and select a scan schedule. Palette provides support for Kubernetes configuration security, penetration testing, or conformance testing. +9. Schedule any backups you want Palette to perform. Review [Backup and Restore](../../cluster-management/backup-restore/backup-restore.md) for more information. -7. Schedule any backups you want Palette to perform. Review [Backup and Restore](../../cluster-management/backup-restore/backup-restore.md) for more information. +10. RBAC configuration is required for OIDC. -8. RBAC configuration is required for OIDC. +11. Click on the **Validate** button and review the cluster configuration. -9. Click on the **Validate** button and review the cluster configuration. - -10. Review the settings summary and click **Finish Configuration** to deploy the cluster. +12. Review the settings summary and click **Finish Configuration** to deploy the cluster. The cluster details page of the cluster contains the status and details of the deployment. Use this page to track the deployment progress. 
@@ -282,3 +261,17 @@ kms:DescribeKeys Ensure the IAM role or IAM user can perform the required IAM permissions on the KMS key that will be used for EKS. You can enable secret encryption during the EKS cluster creation process by toggling the encryption button providing the Amazon Resource Name (ARN) of the encryption key. The encryption option is available on the cluster creation wizard's **Cluster Config** page. + +## Resources + +- [Add AWS Account](add-aws-accounts.md) + +- [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) + +- [EC2 Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) + +- [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) + +- [EKS Cluster Encryption](#eks-cluster-secrets-encryption) + +- [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) \ No newline at end of file From 97aeb8986a3b69cfe3fc9ebbc00e265f3ae679f7 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Tue, 31 Oct 2023 14:39:57 -0700 Subject: [PATCH 06/28] Several small changes --- .../clusters/public-cloud/aws/eks.md | 71 +++++++++++++------ 1 file changed, 51 insertions(+), 20 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 38968bc8d7..c1b7bc4d5b 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
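Review bot: In PATCH 01/28, renumbering "7. Create an IAM Role" to step 8 leaves the unchanged table row "Search and select the four policies you added in step 12" pointing at a step that does not exist in this sequence; the policies table sits directly above the role step, so refer to that step by its new number or say "the policies you created in the previous step".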
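Review bot: In the Cluster Endpoint Access hunk of PATCH 01/28 (@@ -180,29 +159,31 @@), the "<<< verify this >>>" marker is deleted from the caution while the sentence it marked is unchanged, so the claim that Palette "will not open it up entirely" without `0.0.0.0/0` now reads as verified; either confirm the behaviour or keep the marker. The caution also steers readers straight to `0.0.0.0/0` on a public Kubernetes API endpoint even though the Public Access CIDRs field accepts a restricting range; suggest "enter the CIDR ranges that need API access, and use `0.0.0.0/0` only if the endpoint must be reachable from any address" so the default guidance is the least exposed one. The table row was renamed to "Public Access CIDRs" but the caution still says "Public Access CIDR field".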
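Review bot: The node pool hunk of PATCH 01/28 (@@ -180,29 +159,31 @@, step 6) commits the editorial note "<<< Ask eng. about Fargate Profiles ... >>>" as document content; move it to a PR comment or remove it before merge. In the same table, the Root Disk size default `60` carries no unit. The OIDC steps in this patch give no action: step 4 ("select the Kubernetes layer and edit the Kubernetes YAML file") does not say what to edit, and step 10 ("RBAC configuration is required for OIDC") states a requirement with no instruction or link; each needs at least a pointer to the OIDC and RBAC guidance. The Resources hunk also leaves the file without a trailing newline.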
@@ -12,10 +12,18 @@ Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clus ## Prerequisites -- Access to an AWS cloud account. +- Access to an AWS cloud account. + - Palette integration with AWS account. Review [Add AWS Account](add-aws-accounts.md) for guidance. + + + - An infrastructure cluster profile for AWS EKS. Review [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) for guidance. -- An [EC2 Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) for the target region. + +- An [EC2 key pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) for the target region that provides a secure connection to your EC2 instances. + +- kubelogin installed. This is a kubectl plugin for Kubernetes OIDC authentication, also known as `kubectl oidc-login`. + - Palette creates compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources: - Virtual CPU (vCPU) - Virtual Private Cloud (VPC) 
@@ -27,7 +35,9 @@ Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clus :::info -The following tags should be added to the virtual private network (VPC) public subnets to enable automatic subnet discovery for integration with AWS load balancer service. Replace the value `yourClusterName` with your cluster's name. +To enable automatic subnet discovery for integration with AWS load balancer service, you need to add tags to the the Virtual Private Cloud (VPC) public subnets. Use the AWS [Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. + + - `kubernetes.io/role/elb = 1` - `sigs.k8s.io/cluster-api-provider-aws/role = public` - `kubernetes.io/cluster/[yourClusterName] = shared` @@ -58,7 +68,7 @@ Use the following steps to deploy an AWS cluster in which to provision an EKS cl | **Tags**| Assign any desired cluster tags. Tags on a cluster are propagated to the Virtual Machines (VMs) deployed to the target environments. Example: `zone` or `region`.| | **Cloud Account** | If you already added your AWS account in Palette, select it from the **drop-down Menu**. Otherwise, click on **Add New Account** and add your AWS account information. | - If you already have an AWS account, skip to the [Create an EKS Cluster](#create-an-eks-cluster) section. To add a cloud account, continue to the [Add Cloud Account](#add-aws-cloud-account) section. + If you already have an AWS cloud account, you can skip to the [Create an EKS Cluster](#create-an-eks-cluster) section. ### Add Cloud Account 
@@ -155,7 +165,7 @@ Click on **Next** when you are done. |**Parameter**| **Description**| |-------------|---------------| - |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) in which resources for each cluster will be placed. Palette manages these resources and deletes them when the corresponding cluster is deleted.

Enable the **Static Placement** option if you want to place resources into pre-existing VPCs and subnets. You will need to provide the VPCID.| + |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two required subnets in different Availability Zones (AZs). This is an EKS cluster requirement. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs and subnets, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled.| |**Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster.| |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs.| |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| @@ -170,23 +180,30 @@ Click on **Next** when you are done. ::: -6. Provide the following node pool and cloud configuration information. Click on **Next** to continue. - - |**Parameter**| **Description**| - |-------------|----------------| - |**Node pool name** | A descriptive name for the node pool.| - |**Number of nodes in the pool** | Specify the number of nodes in the worker pool.| - |**Additional Labels** | Optionally, you can add labels to nodes in key-value format. For more information about applying labels, review [Apply Labels to Nodes](../../cluster-management/taints.md/#apply-labels-to-nodes). Example: `"environment": "production"` | - |**Taints** | You can apply optional taint labels to a node pool during the cluster creation or edit taint labels on an existing cluster. Review the [Node Pool](../../cluster-management/node-pool.md) management page to learn more. Toggle the **Taint** button to create a label. If tainting is enabled, you need to provide a custom key-value pair and use the **drop-down Menu** to choose **Effect**:
**NoSchedule**: Pods are not scheduled onto nodes with this taint.
**PreferNoSchedule**: Kubernetes attempts to avoid scheduling pods onto nodes with this taint, but scheduling is not prohibited.
**NoExecute**: Existing pods on nodes with this taint are evicted. | - | **Instance Option** | Choose the pricing method:
**On-Demand** instances provide stable and uninterrupted compute capacity at a higher cost.
**Spot** instances allow you to bid for unused EC2 capacity at a lower cost. We recommend you base your choice on your application's requirements. | - |**Instance Type** | Select the instance type to use for all nodes in the node pool.| - |**Enable Nodepool Customization** | Toggle this option on to use a pre-configured VM image and provide the Amazon Machine Image (AMI) ID. When this option is enabled, you can use the **drop-down Menu** to specify the disk type to use. | - |**Root Disk size** | By default, the **Root Disk size** is `60`, which you can change. | - |**Fargate Profiles** | An AWS feature that allows you to run containers without the need for EC2 instances. With Fargate, you do not provision or manage the cloud infrastructure. | - -<<< Ask eng. about Fargate Profiles that displays in the Node pools configuration for EKS. There are no options - it should be removed because it causes confusion. >>> +6. Provide the following node pool and cloud configuration information. Click on **Next** to continue. + + - **Node Configuration Settings** + + |**Parameter**| **Description**| + |-------------|----------------| + |**Node pool name** | A descriptive name for the node pool.| + |**Number of nodes in the pool** | Specify the number of nodes in the worker pool.| + |**Additional Labels** | Optionally, you can add labels to nodes in key-value format. For more information about applying labels, review [Apply Labels to Nodes](../../cluster-management/taints.md/#apply-labels-to-nodes). Example: `"environment": "production"` | + |**Taints** | You can apply optional taint labels to a node pool during cluster creation or edit taint labels on an existing cluster. Review the [Node Pool](../../cluster-management/node-pool.md) management page to learn more. Toggle the **Taint** button to create a label. If tainting is enabled, you need to provide a custom key-value pair. Use the **drop-down Menu** to choose one of the following options for **Effect**:
**NoSchedule** - Pods are not scheduled onto nodes with this taint.
**PreferNoSchedule** - Kubernetes attempts to avoid scheduling pods onto nodes with this taint, but scheduling is not prohibited.
**NoExecute** - Existing pods on nodes with this taint are evicted.| + + - **Cloud Configuration settings** + + |**Parameter**| **Description**| + |-------------|----------------| + | **Instance Option** | Choose the pricing method:
**On-Demand** instances provide stable and uninterrupted compute capacity at a higher cost.
**Spot** instances allow you to bid for unused EC2 capacity at a lower cost. We recommend you base your choice on your application's requirements. | + |**Instance Type** | Select the instance type to use for all nodes in the node pool.| + |**Enable Nodepool Customization** | To use a pre-configured VM image, toggle this option on and provide the Amazon Machine Image (AMI) ID. When this option is enabled, you can use the **drop-down Menu** to specify the disk type to use. | + |**Root Disk size** | You can choose disk size based on your requirements. The default size is `60`. | + |**Fargate Profiles** | Fargate allows running containers without the need for EC2 instances. As an administrator, you can use Fargate profiles to specify which pods run on Fargate. Click **Add Fargate Profile** and specify subnets. Use selectors to specify the namespace that contains the pod you want to use, and add a selector for each pod. For more information about Fargate, refer to [AWS Fargate](https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html). | + + :::info @@ -262,6 +279,20 @@ Ensure the IAM role or IAM user can perform the required IAM permissions on the You can enable secret encryption during the EKS cluster creation process by toggling the encryption button providing the Amazon Resource Name (ARN) of the encryption key. The encryption option is available on the cluster creation wizard's **Cluster Config** page. + +## Connect to EKS Cluster with kubectl + +To connect to the EKS cluster with kubectl, use the `SpectroCloudRole` IAM role. Or does it need to be another user? + +1. Install aws-iam-authenticator. + +2. <<< What else? see Nic V. >>> + +3. attach a policy to the user so the user can assume the role `SpectroCloudRole`. +new policy is assumeSpectroCloudRole. Make it a trusted entity. + + + ## Resources - [Add AWS Account](add-aws-accounts.md) From e28de570771f2ad1979ce5916446e70ff0832262 Mon Sep 17 00:00:00 2001 
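Review bot: The "## Connect to EKS Cluster with kubectl" hunk of PATCH 06/28 commits unfinished draft text ("Or does it need to be another user?", "<<< What else? see Nic V. >>>", "new policy is assumeSpectroCloudRole. Make it a trusted entity.") into the published page; hold the section until the steps are confirmed. Beyond the placeholders, telling users to assume `SpectroCloudRole` for kubectl access hands them the full provisioning role, which carries the Palette policies attached in the Add Cloud Account steps. Day-to-day cluster access should go through a separate, narrower IAM identity or the OIDC login path the prerequisites now introduce with kubelogin, with `SpectroCloudRole` reserved for Palette itself, and the trust relationship direction ("Make it a trusted entity") needs to be spelled out.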
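Review bot: In the VPC subnet tag hunk of PATCH 06/28 (@@ -27,7 +35,9 @@), the added sentence reads "add tags to the the Virtual Private Cloud"; drop the duplicated "the". In the Static Placement hunk (@@ -155,7 +165,7 @@), "Palette places resources in these clusters" should read "in these subnets", since the sentence is describing the two subnets of the VPC just created, and "VPCID" should be written consistently as "VPC ID" for both the value and the field name.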
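Review bot: In the Prerequisites hunk of PATCH 06/28 (@@ -12,10 +12,18 @@), the new "kubelogin installed" item names a third-party kubectl plugin with no install link and no statement of when it is required; the item itself says it is for OIDC authentication, so mark it as needed only for OIDC logins and link it as the other external dependencies in the list are. The same hunk inserts stray blank lines that split "Access to an AWS cloud account" from its "Palette integration with AWS account" sub-bullet.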
From: Rita Watson Date: Tue, 31 Oct 2023 15:51:06 -0700 Subject: [PATCH 07/28] Add links to existing OIDC documentation --- .../clusters/public-cloud/aws/eks.md | 68 +++++++++++-------- 1 file changed, 40 insertions(+), 28 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index c1b7bc4d5b..7702b73550 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -35,7 +35,7 @@ Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clus :::info -To enable automatic subnet discovery for integration with AWS load balancer service, you need to add tags to the the Virtual Private Cloud (VPC) public subnets. Use the AWS [Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. +To enable automatic subnet discovery for integration with AWS load balancer service, you need to add tags to the the Virtual Private Cloud (VPC) public subnets. Use the AWS Tag Editor and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. Refer to [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) for more information. - `kubernetes.io/role/elb = 1` 
@@ -115,14 +115,14 @@ Creating the account is different depending on the authentication type you choos 6. In the **Partition** field, select **AWS** in the **drop-down Menu**. -7. If you have not already created the following IAM policies with the permissions listed in the table, go ahead and create them. +7. Create the following IAM policies using the [Required IAM Policies](required-iam-policies.md) reference. - | **Policy** | **Permission** | - |-----------|-----------------| - | `PaletteControllerPolicy`| Controller Policy | - | `PaletteControlPlanePolicy`| Control Plane Policy| - | `PaletteNodesPolicy`| Nodes Policy| - | `PaletteDeploymentPolicy` | Deployment Policy | + - `PaletteControllerPolicy` + - `PaletteControlPlanePolicy` + - `PaletteNodesPolicy` + - `PaletteDeploymentPolicy` + + EKS requires an additional `PaletteControllersEKSPolicy` policy. To learn how to create it, review [Controllers EKS Policy](./required-iam-policies.md#controllers-eks-policy). 8. Create an IAM Role that uses the following rules and options. @@ -182,7 +182,7 @@ Click on **Next** when you are done. -6. Provide the following node pool and cloud configuration information. Click on **Next** to continue. +6. Provide the following node pool and cloud configuration information, and click on **Next** to continue. - **Node Configuration Settings** 
@@ -201,9 +201,17 @@ Click on **Next** when you are done. |**Instance Type** | Select the instance type to use for all nodes in the node pool.| |**Enable Nodepool Customization** | To use a pre-configured VM image, toggle this option on and provide the Amazon Machine Image (AMI) ID. When this option is enabled, you can use the **drop-down Menu** to specify the disk type to use. | |**Root Disk size** | You can choose disk size based on your requirements. The default size is `60`. | - |**Fargate Profiles** | Fargate allows running containers without the need for EC2 instances. As an administrator, you can use Fargate profiles to specify which pods run on Fargate. Click **Add Fargate Profile** and specify subnets. Use selectors to specify the namespace that contains the pod you want to use, and add a selector for each pod. For more information about Fargate, refer to [AWS Fargate](https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html). | - + - **Fargate Profiles** + + You can create one or more Fargate profiles for the EKS cluster to use. Click **Add Fargate Profile**. For more information about Fargate profiles, refer to [AWS Fargate](https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html). + + |**Parameter**| **Description**| + |-------------|---------------| + |**Name** |A custom name for the Fargate profile.| + |**Subnets** |Pods running on Fargate Profiles are not assigned public IP addresses, so only private subnets (with no direct route to an Internet Gateway) are accepted for this parameter. For dynamic provisioning, this input is not required and subnets are automatically selected.| + |**Selectors** |Define a pod selector by providing a target namespace and option labels. Pods with matching namespace and app labels are scheduled to run on dynamically provisioned compute nodes.
You can have up to five selectors in a Fargate profile and a pod only needs to match one selector to run using the Fargate profile.| + :::info @@ -230,18 +238,9 @@ You can add new worker pools if you need to customize certain worker nodes to ru Provisioning an AWS EKS clusters can take several minutes. ::: - - - - -## Validate +### Validate You can validate your cluster is up and running. @@ -251,7 +250,7 @@ You can validate your cluster is up and running. 3. Click on the cluster you created to view its details page. -4. Ensure the **Cluster Status** field contains the value **Running**. +4. Ensure the **Cluster Status** field displays **Running**. ## EKS Cluster Secrets Encryption 
@@ -277,19 +276,28 @@ kms:DescribeKeys ``` Ensure the IAM role or IAM user can perform the required IAM permissions on the KMS key that will be used for EKS. -You can enable secret encryption during the EKS cluster creation process by toggling the encryption button providing the Amazon Resource Name (ARN) of the encryption key. The encryption option is available on the cluster creation wizard's **Cluster Config** page. +You can enable secret encryption during the EKS cluster creation process by toggling the **Enable Encryption** button on and providing the Amazon Resource Name (ARN) of the encryption key. The encryption option is available on the cluster creation wizard's **Cluster Config** page. + + +## Configure OIDC for EKS Clusters +You manage OpenID Connect (OIDC) at the Kubernetes layer. To configure OIDC for managed EKS clusters, follow steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. -## Connect to EKS Cluster with kubectl +:::caution -To connect to the EKS cluster with kubectl, use the `SpectroCloudRole` IAM role. Or does it need to be another user? +Configuring OIDC requires you to map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to Create Role Bindings. Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. + +::: + + + @@ -305,4 +313,8 @@ new policy is assumeSpectroCloudRole. Make it a trusted entity. - [EKS Cluster Encryption](#eks-cluster-secrets-encryption) -- [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) \ No newline at end of file +- [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) + +- [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) + +- [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) \ No newline at end of file 
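Review bot: In the IAM policies hunk of PATCH 07/28 (@@ -115,14 +115,14 @@), adding the EKS-specific `PaletteControllersEKSPolicy` brings the required policies to five, but the unchanged role table row still says "Search and select the four policies you added in step 12" (wrong count and wrong step, since the policies are now created in step 7). Update it to the five policies from step 7; otherwise readers following the table will build `SpectroCloudRole` without the EKS controllers policy.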
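Review bot: The OIDC hunk of PATCH 07/28 (@@ -277,19 +276,28 @@) removes the "## Connect to EKS Cluster with kubectl" heading and its opening sentence, but the next hunk's header context ("new policy is assumeSpectroCloudRole. Make it a trusted entity.") shows the draft steps beneath it are still in the file, now orphaned under the OIDC caution; remove them as well or finish the section. In the new caution, "refer to Create Role Bindings" has no link while the Use RBAC with OIDC reference beside it does.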
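Review bot: In the Fargate Profiles hunk of PATCH 07/28 (@@ -201,9 +201,17 @@), "a target namespace and option labels" should read "optional labels". The subnet tag hunk (@@ -35,7 +35,7 @@) rewords the sentence but still carries "the the Virtual Private Cloud".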
From 9a8fba1dee3ee91dd3f6a72894e7e332f6a1340d Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Wed, 1 Nov 2023 08:58:32 -0700 Subject: [PATCH 08/28] Add links to other docs --- .../clusters/public-cloud/aws/eks.md | 107 +++--------------- 1 file changed, 13 insertions(+), 94 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 7702b73550..71488b3fee 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -8,7 +8,7 @@ sidebar_position: 30 --- -Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clusters deployed to an AWS account. This section guides you on how to create an AWS EKS cluster in AWS that is managed by Palette. +Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clusters deployed to an AWS account. This section guides you on how to create an EKS cluster in AWS that Palette manages. ## Prerequisites 
@@ -18,9 +18,9 @@ Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clus -- An infrastructure cluster profile for AWS EKS. Review [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) for guidance. +- An infrastructure cluster profile for AWS EKS. When you create the profile, ensure you choose Managed Kubernetes **EKS** as the cloud type. Review [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) for guidance. -- An [EC2 key pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) for the target region that provides a secure connection to your EC2 instances. +- An EC2 key pair for the target region that provides a secure connection to your EC2 instances. To learn how to create a key pair, refer to the [Amazon EC2 key pairs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) resource. - kubelogin installed. This is a kubectl plugin for Kubernetes OIDC authentication, also known as `kubectl oidc-login`. 
@@ -68,83 +68,8 @@ Use the following steps to deploy an AWS cluster in which to provision an EKS cl | **Tags**| Assign any desired cluster tags. Tags on a cluster are propagated to the Virtual Machines (VMs) deployed to the target environments. Example: `zone` or `region`.| | **Cloud Account** | If you already added your AWS account in Palette, select it from the **drop-down Menu**. Otherwise, click on **Add New Account** and add your AWS account information. | - If you already have an AWS cloud account, you can skip to the [Create an EKS Cluster](#create-an-eks-cluster) section. + To learn how to add an AWS account, review [Add an AWS Account to Palette](add-aws-accounts.md). -### Add Cloud Account - -Follow the steps below if you have not previously added your AWS cloud account in Palette. - -1. At the Basic Information step in the wizard, click on the **drop-down Menu** in the **Cloud Account** field and click **Add New Account**. - -2. On the form that displays, provide your AWS account name and an optional description to provide context about the account. - -3. In the **Partition** field, select **AWS** from the **drop-down Menu**. - -Creating the account is different depending on the authentication type you choose. Select the tab below that applies to the authentication method you will use to configure your AWS account. - - - - - - - -4. Specify the account name. - -5. Add an optional description to give the account some context. - -6. In the **Partition** field, select **AWS** in the **drop-down Menu**. - -7. From your AWS console, copy the access key and secret key. - -8. In Palette, paste the keys in the **Access key** and **Secret access key** fields. - -9. Click the **Validate button**. If the credentials you provided are correct, a *Credentials validated* success message with a green check is displayed. - -10. 
To use a Private Cloud Gateway (PCG) that you installed, toggle the **Connect Private Cloud Gateway** button and select the PCG from the **drop-down Menu**. - -11. When you have completed inputting values and credentials are validated, click **Confirm**. - - - - - - -4. Specify the account name. - -5. Add an optional description to give the account some context. - -6. In the **Partition** field, select **AWS** in the **drop-down Menu**. - -7. Create the following IAM policies using the [Required IAM Policies](required-iam-policies.md) reference. - - - `PaletteControllerPolicy` - - `PaletteControlPlanePolicy` - - `PaletteNodesPolicy` - - `PaletteDeploymentPolicy` - - EKS requires an additional `PaletteControllersEKSPolicy` policy. To learn how to create it, review [Controllers EKS Policy](./required-iam-policies.md#controllers-eks-policy). - -8. Create an IAM Role that uses the following rules and options. - - | **Rule** | **Option** | - |-----------|-----------------| - | **Trusted Entity Type**| Controller Policy | - | **Account ID** | In Palette, copy this from the right panel that displays when you select **STS**.| - | **Require External ID** | **Enable**| - | **External ID** | In Palette, copy this from the right panel that displays when you select **STS**. | - | **Permissions Policy** | Search and select the four policies you added in step 12. | - | **Role Name** | Provide `SpectroCloudRole` as the role name. | - -9. In the AWS Console, browse to the role details page and copy the Role ARN and paste it in the **ARN** field in Palette. - -10. Click the **Validate** button. If the ARN you provided is correct, a Credentials validated success message with a green check is displayed. - -11. To use a Private Cloud Gateway (PCG) that you installed, toggle the **Connect Private Cloud Gateway** button and select the PCG from the **drop-down Menu**. - -12. When you have completed inputting values and credentials are validated, click **Confirm**. 
- - - ### Create an EKS Cluster @@ -154,12 +79,17 @@ Use the following steps to provision a new EKS cluster. 2. Select the EKS cluster profile you created and click on **Next**. -3. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. +3. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. -4. To configure OIDC, select the Kubernetes layer and edit the Kubernetes YAML file. + You can configure OpenID Connect (OIDC) at the Kubernetes layer. To configure OIDC for managed EKS clusters, follow steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. + :::caution -Click on **Next** when you are done. + Configuring OIDC requires you to map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to Create Role Bindings. Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. + + ::: + +4. Click on **Next** to continue. 5. Provide the following cluster configuration information and click on **Next** to continue. @@ -176,7 +106,7 @@ Click on **Next** when you are done. :::caution - If you set the cluster endpoint to Public, ensure you specify `0.0.0.0/0` in the Public Access CIDR field to open it to all possible IP addresses. Otherwise, Palette will not open it up entirely. We recommend specifying the **Private & Public** option to cover all the possibilities. + If you set the cluster endpoint to **Public**, ensure you specify `0.0.0.0/0` in the **Public Access CIDR** field to open it to all possible IP addresses. Otherwise, Palette will not open it up entirely. We recommend specifying the **Private & Public** option to cover all the possibilities. ::: 
@@ -279,17 +209,6 @@ Ensure the IAM role or IAM user can perform the required IAM permissions on the You can enable secret encryption during the EKS cluster creation process by toggling the **Enable Encryption** button on and providing the Amazon Resource Name (ARN) of the encryption key. The encryption option is available on the cluster creation wizard's **Cluster Config** page. -## Configure OIDC for EKS Clusters - -You manage OpenID Connect (OIDC) at the Kubernetes layer. To configure OIDC for managed EKS clusters, follow steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. - -:::caution - -Configuring OIDC requires you to map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to Create Role Bindings. Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. - -::: - - -- An infrastructure cluster profile for AWS EKS. When you create the profile, ensure you choose Managed Kubernetes **EKS** as the cloud type. Review [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) for guidance. +- An infrastructure cluster profile for AWS EKS. When you create the profile, ensure you choose **EKS** as the **Managed Kubernetes** cloud type. Review [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) for guidance. - An EC2 key pair for the target region that provides a secure connection to your EC2 instances. To learn how to create a key pair, refer to the [Amazon EC2 key pairs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) resource. -- kubelogin installed. This is a kubectl plugin for Kubernetes OIDC authentication, also known as `kubectl oidc-login`. +- kubelogin installed. 
This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication, also known as `kubectl oidc-login`. - Palette creates compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources: - Virtual CPU (vCPU) @@ -59,16 +59,16 @@ Use the following steps to deploy an AWS cluster in which to provision an EKS cl 5. Select **AWS** and click on the **Start AWS Configuration** button. -6. Fill out the following basic information, and click on **Next Step** to continue. +6. Fill out the following basic information, and click **Next** to continue. | **Field** | **Description** | |-----------|-----------------| | **Cluster Name**| A custom name for the cluster. | | **Description**| Use the description to provide context about the cluster.| - | **Tags**| Assign any desired cluster tags. Tags on a cluster are propagated to the Virtual Machines (VMs) deployed to the target environments. Example: `zone` or `region`.| - | **Cloud Account** | If you already added your AWS account in Palette, select it from the **drop-down Menu**. Otherwise, click on **Add New Account** and add your AWS account information. | + | **Tags**| Assign any desired cluster tags. Tags on a cluster are propagated to the Virtual Machines (VMs) deployed to the target environments. Example: `region:us-east-1a` or `zone:vpc-private-us-east-1a`.| + | **Cloud Account** | If you already added your AWS account in Palette, select it from the **drop-down Menu**. Otherwise, click on **Add New Account** and add your AWS account information. | - To learn how to add an AWS account, review [Add an AWS Account to Palette](add-aws-accounts.md). + To learn how to add an AWS account, review the [Add an AWS Account to Palette](add-aws-accounts.md) guide. ### Create an EKS Cluster 
@@ -77,7 +77,7 @@ Use the following steps to provision a new EKS cluster. 1. Select **EKS** as the **Managed Kubernetes**. -2. Select the EKS cluster profile you created and click on **Next**. +2. Select the EKS cluster profile you created and click on **Next**. Palette displays the cluster profile layers. 3. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. @@ -85,7 +85,7 @@ Use the following steps to provision a new EKS cluster. :::caution - Configuring OIDC requires you to map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to Create Role Bindings. Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. + Configuring OIDC requires you to map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. ::: @@ -95,14 +95,13 @@ Use the following steps to provision a new EKS cluster. |**Parameter**| **Description**| |-------------|---------------| - |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two required subnets in different Availability Zones (AZs). This is an EKS cluster requirement. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs and subnets, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled.| + |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs and subnets, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. You will need to specify two subnets in different Availability Zones (AZs). | |**Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster.| |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs.| |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Public Access CIDRs** |This setting controls which IP address CIDR range can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Private Access CIDRs** |This setting controls which IP address CIDR range can access the cluster. To restrict network access, enter the IP address CIDR range that will provide access to the cluster. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Public Access CIDRs** |This setting controls which IP address CIDR ranges can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. 
For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Private Access CIDRs** |This setting controls which private IP address CIDR ranges can access the cluster. Private CIDRs provide a way to specify private, self-hosted, and air-gapped networks or Private Cloud Gateway (PCG) that may be located in other VPCs connected to the VPC hosting the cluster endpoint.

To restrict network access, enter the IP address CIDR range that will provide access to the cluster. Although `0.0.0.0/0` is pre-populated in this field, Palette ensures the only IPs that can reach the private endpoint are those within the VPC or any other connected VPCs. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Enable Encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN**. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| - |**Update worker pools in parallel**| This option allows the simultaneous update of nodes in the worker pool. This is an efficient way to manage various types of workloads. | :::caution 
@@ -112,62 +111,63 @@ Use the following steps to provision a new EKS cluster. -6. Provide the following node pool and cloud configuration information, and click on **Next** to continue. +6. Provide the following node pool and cloud configuration information. If you will be using Fargate profiles, you can add them here. - - **Node Configuration Settings** + - Node Configuration Settings |**Parameter**| **Description**| |-------------|----------------| |**Node pool name** | A descriptive name for the node pool.| |**Number of nodes in the pool** | Specify the number of nodes in the worker pool.| - |**Additional Labels** | Optionally, you can add labels to nodes in key-value format. For more information about applying labels, review [Apply Labels to Nodes](../../cluster-management/taints.md/#apply-labels-to-nodes). Example: `"environment": "production"` | - |**Taints** | You can apply optional taint labels to a node pool during cluster creation or edit taint labels on an existing cluster. Review the [Node Pool](../../cluster-management/node-pool.md) management page to learn more. Toggle the **Taint** button to create a label. If tainting is enabled, you need to provide a custom key-value pair. Use the **drop-down Menu** to choose one of the following options for **Effect**:
**NoSchedule** - Pods are not scheduled onto nodes with this taint.
**PreferNoSchedule** - Kubernetes attempts to avoid scheduling pods onto nodes with this taint, but scheduling is not prohibited.
**NoExecute** - Existing pods on nodes with this taint are evicted.| + |**Additional Labels** | You can add optional labels to nodes in key-value format. For more information about applying labels, review [Apply Labels to Nodes](../../cluster-management/taints.md/#apply-labels-to-nodes). Example: `"environment": "production"` | + |**Taints** | You can apply optional taint labels to a node pool during cluster creation or edit taint labels on an existing cluster. Review the [Node Pool](../../cluster-management/node-pool.md) management page and [Apply Taints to Nodes](../../cluster-management/taints.md/#apply-taints-to-nodes) page to learn more. Toggle the **Taint** button to create a taint label. When tainting is enabled, you need to provide a custom key-value pair. Use the **drop-down Menu** to choose one of the following **Effect** options:
**NoSchedule** - Pods are not scheduled onto nodes with this taint.
**PreferNoSchedule** - Kubernetes attempts to avoid scheduling pods onto nodes with this taint, but scheduling is not prohibited.
**NoExecute** - Existing pods on nodes with this taint are evicted.| - - **Cloud Configuration settings** + - Cloud Configuration settings |**Parameter**| **Description**| |-------------|----------------| - | **Instance Option** | Choose the pricing method:
**On-Demand** instances provide stable and uninterrupted compute capacity at a higher cost.
**Spot** instances allow you to bid for unused EC2 capacity at a lower cost. We recommend you base your choice on your application's requirements. | + | **Instance Option** | Choose a pricing method:
**On-Demand** instances provide stable and uninterrupted compute capacity at a higher cost.
**Spot** instances allow you to bid for unused EC2 capacity at a lower cost.
We recommend you base your choice on your application's requirements. | |**Instance Type** | Select the instance type to use for all nodes in the node pool.| |**Enable Nodepool Customization** | To use a pre-configured VM image, toggle this option on and provide the Amazon Machine Image (AMI) ID. When this option is enabled, you can use the **drop-down Menu** to specify the disk type to use. | |**Root Disk size** | You can choose disk size based on your requirements. The default size is `60`. | - - **Fargate Profiles** + - Fargate Profiles - You can create one or more Fargate profiles for the EKS cluster to use. Click **Add Fargate Profile**. For more information about Fargate profiles, refer to [AWS Fargate](https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html). + You can create one or more Fargate profiles for the EKS cluster to use. Click **+ Add Fargate Profile**. For more information about Fargate profiles, refer to the [AWS Fargate](https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html) reference guide. |**Parameter**| **Description**| |-------------|---------------| |**Name** |A custom name for the Fargate profile.| |**Subnets** |Pods running on Fargate Profiles are not assigned public IP addresses, so only private subnets (with no direct route to an Internet Gateway) are accepted for this parameter. For dynamic provisioning, this input is not required and subnets are automatically selected.| - |**Selectors** |Define a pod selector by providing a target namespace and option labels. Pods with matching namespace and app labels are scheduled to run on dynamically provisioned compute nodes.
You can have up to five selectors in a Fargate profile and a pod only needs to match one selector to run using the Fargate profile.| - - -:::info - -You can add new worker pools if you need to customize certain worker nodes to run specialized workloads. As an example, the default worker pool may be configured with the m3.large instance types for general-purpose workloads, and another worker pool with instance type g2.2xlarge can be configured to run GPU workloads. + |**Selectors** |Define a pod selector by providing a target namespace and optional labels. Pods with a matching namespace and app labels are scheduled to run on dynamically provisioned compute nodes.
You can have up to five selectors in a Fargate profile, and a pod only needs to match one selector to run using the Fargate profile.| + + :::info + + You can add new worker pools if you need to customize certain worker nodes to run specialized workloads. As an example, the default worker pool may be configured with the m3.large instance types for general-purpose workloads, and another worker pool with instance type g2.2xlarge can be configured to run GPU workloads. + + ::: -::: +7. Click on **Next** to continue. -7. Specify your preferred **OS Patching Schedule** for EKS-managed machines. +8. Specify your preferred **OS Patching Schedule** for EKS-managed machines. -8. Enable any scan options you want Palette to perform, and select a scan schedule. Palette provides support for Kubernetes configuration security, penetration testing, and conformance testing. +9. Enable any scan options you want Palette to perform, and select a scan schedule. Palette provides support for Kubernetes configuration security, penetration testing, and conformance testing. -9. Schedule any backups you want Palette to perform. Review [Backup and Restore](../../cluster-management/backup-restore/backup-restore.md) for more information. +10. Schedule any backups you want Palette to perform. Review [Backup and Restore](../../cluster-management/backup-restore/backup-restore.md) for more information. -10. RBAC configuration is required for OIDC. +11. RBAC configuration is required when you configure OIDC. You must map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. -11. Click on the **Validate** button and review the cluster configuration. +12. Click on the **Validate** button and review the cluster configuration and settings summary. -12. 
Review the settings summary and click **Finish Configuration** to deploy the cluster. +13. Click **Finish Configuration** to deploy the cluster. The cluster details page of the cluster contains the status and details of the deployment. Use this page to track the deployment progress. - -:::info - -Provisioning an AWS EKS clusters can take several minutes. - -::: + + :::info + + Provisioning an AWS EKS clusters can take several minutes. + + ::: ### Validate @@ -176,7 +176,7 @@ You can validate your cluster is up and running. 1. Log in to [Palette](https://console.spectrocloud.com/). -2. Navigate to the left **Main Menu** and select **Clusters**. The **Clusters** page displays a list of all available clusters managed by Palette. +2. Navigate to the left **Main Menu** and select **Clusters**. The **Clusters** page displays a list of all available clusters that Palette manages. 3. Click on the cluster you created to view its details page. 
@@ -206,7 +206,8 @@ kms:DescribeKeys ``` Ensure the IAM role or IAM user can perform the required IAM permissions on the KMS key that will be used for EKS. -You can enable secret encryption during the EKS cluster creation process by toggling the **Enable Encryption** button on and providing the Amazon Resource Name (ARN) of the encryption key. The encryption option is available on the cluster creation wizard's **Cluster Config** page. +You can enable secret encryption during the EKS cluster creation process by toggling the **Enable Encryption** button on and providing the Amazon Resource Name (ARN) of the encryption key. The encryption option is available on the cluster creation wizard's **Cluster Config** page. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details. + - [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) -- [EC2 Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) +- [EC2 Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) + +- [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) - [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) - [EKS Cluster Encryption](#eks-cluster-secrets-encryption) +- [AWS Fargate](https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html) + - [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) - [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) -- [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) \ No newline at end of file +- [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). 
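Review bot: The new `kubelogin` prerequisite in the `@@ -18,9 +18,9 @@` hunk names the plugin but gives no install link, while the key pair bullet right above it was reworked in the same hunk specifically to add one; link the kubelogin project (the `kubectl oidc-login` plugin) so readers can install it, and qualify the bullet as needed only when OIDC is configured, since the guide treats OIDC as optional ("You can configure OpenID Connect (OIDC) at the Kubernetes layer").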
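Review bot: Deleting the "Add Cloud Account" section in the `@@ -68,83 +68,8 @@` hunk drops the only statement that EKS needs a fifth policy on top of the four standard ones ("EKS requires an additional `PaletteControllersEKSPolicy` policy. To learn how to create it, review [Controllers EKS Policy](./required-iam-policies.md#controllers-eks-policy)."), and the generic page the new text points to, add-aws-accounts.md, tells readers to attach "the 4 policies". Keep that requirement on the EKS page, for example as a prerequisites bullet next to the cluster profile bullet, or an account added through the generic guide will lack the EKS controller permissions. The removed STS table's "four policies you added in step 12" was a wrong reference (the policies were created in step 7 of that list), so nothing else of value is lost by the deletion.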
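Review bot: The caution kept in the `@@ -154,12 +79,17 @@` hunk still tells readers to "ensure you specify `0.0.0.0/0` in the **Public Access CIDR** field" and recommends **Private & Public** "to cover all the possibilities", which reads as advice to expose the Kubernetes API server to every IPv4 address. Reword so that `0.0.0.0/0` is described as the unrestricted option, recommend limiting **Public Access CIDRs** to known operator egress ranges whenever **Public** or **Private & Public** is selected, and say what "Palette will not open it up entirely" actually means, because as written it is unclear whether a narrower CIDR is honored or silently ignored.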
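Review bot: The tag example added in the `@@ -59,16 +59,16 @@` hunk, `region:us-east-1a`, uses an Availability Zone name as a region value; `us-east-1` is the region and `us-east-1a` is an AZ. Use `region:us-east-1` and keep the AZ in the `zone` example, and consider dropping the `vpc-private-` prefix from `zone:vpc-private-us-east-1a`, which makes the value look like a subnet name rather than a zone.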
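Review bot: In the `@@ -95,14 +95,13 @@` hunk the rewritten **Static Placement** row still says "Palette places resources in these clusters" where the antecedent is the VPC and subnets just described; change to "in this VPC". The new **Private Access CIDRs** text says `0.0.0.0/0` is pre-populated but that "Palette ensures the only IPs that can reach the private endpoint are those within the VPC or any other connected VPCs", which leaves it unclear whether the value entered is enforced at all; state plainly what the field controls, and if it is enforced, do not present `0.0.0.0/0` as the expected value. Same hunk: "Key Managment" in the **Enable Encryption** context line is a typo for "Management", and the **Update worker pools in parallel** row is removed without the commit saying whether the option was dropped from the product or only from the docs; confirm.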
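Review bot: In the `@@ -112,62 +111,63 @@` hunk the rewritten **Instance Option** row keeps "Spot instances allow you to bid for unused EC2 capacity"; EC2 Spot has not used bidding since the 2017 pricing change (you pay the current Spot price, with an optional maximum), so say "use spare EC2 capacity at a lower cost, subject to interruption" instead. The **Fargate Profiles** lead-in links the Amazon ECS Fargate page; for EKS the applicable reference is the EKS Fargate profile guide (https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html). New step 11 repeats the OIDC/RBAC caution already placed in step 3 of this procedure word for word; keep one and cross-reference the other. The re-indented info box also carries over the typo "Provisioning an AWS EKS clusters" from the removed version.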
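Review bot: The sentence added in the `@@ -206,7 +206,8 @@` hunk, "Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.", sits in the section that anchor points to (the preceding context is that section's `kms:DescribeKeys` permission text and the sentence about toggling **Enable Encryption**), so it links readers to where they already are; drop it. In the resources list in the same hunk, `- [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings).` ends with a period unlike the other entries, and `- [EKS Cluster Encryption](#eks-cluster-secrets-encryption)` now appears twice, once in the existing context and again as the new last entry; remove the duplicate.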
+ +- [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) + +- [EKS Cluster Encryption](#eks-cluster-secrets-encryption) \ No newline at end of file From 06bd7611f1f2ff8f82e7da70764cdb83c4ee6456 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Wed, 1 Nov 2023 12:08:51 -0700 Subject: [PATCH 10/28] Updates for internal style, grammar: add aws acct --- .../public-cloud/aws/add-aws-accounts.md | 106 ++++++++++-------- 1 file changed, 60 insertions(+), 46 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index 5a18387b51..662a45010b 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md @@ -21,17 +21,17 @@ Palette supports integration with AWS Cloud Accounts. This also includes support ## AWS Account -
+This section provides guidance in creating an AWS account that uses static or dynamic access credentials. ### Static Access Credentials -To add an AWS cloud account using static access credentials follow these steps: +Use the steps below to add an AWS cloud account using static access credentials. #### Prerequisites - An AWS account - Sufficient access to create an IAM role or IAM user. -- Palette IAM policies. Please review the [Required IAM Policies](required-iam-policies.md) section for guidance. +- Palette IAM policies. Review the [Required IAM Policies](required-iam-policies.md) section for guidance. #### Add AWS Account to Palette 
@@ -40,65 +40,71 @@ To add an AWS cloud account using static access credentials follow these steps: - [IAM User creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). -2. In the AWS console, assign the Palette required IAM policies to the role or the IAM user that Palette will use. +2. In the AWS console, assign the Palette-required IAM policies to the IAM role or the IAM user that Palette will use. -3. Log in to [Palette](https://console.spectrocloud.com) as Tenant admin. +3. Log in to [Palette](https://console.spectrocloud.com) as tenant admin. -4. Go to **Tenant Settings** > **Cloud Accounts** and click **+Add AWS Account**. +4. From the left **Main Menu**, click on **Tenant Settings**. -5. In the cloud account creation wizard provide the following information: +5. Select **Cloud Accounts**, and click **+Add AWS Account**. + + +6. In the cloud account creation wizard provide the following information: * **Account Name:** Custom name for the cloud account. * **Description:** Optional description for the cloud account. - * **Partition:** Choose **AWS** from the drop-down menu. + * **Partition:** Choose **AWS** from the **drop-down Menu**. * **Credentials:** * AWS Access key * AWS Secret access key -6. Click the **Validate** button to validate the credentials. +7. Click the **Validate** button to validate the credentials. -7. Once the credentials are validated, the **Add IAM Policies** toggle displays. Toggle **Add IAM Policies** on. +8. Once the credentials are validated, the **Add IAM Policies** toggle displays. Toggle **Add IAM Policies** on. -8. A drop-down menu displays a lists of available AWS IAM policies in your AWS account. Select any desired IAM policies you want to assign to Palette IAM role or IAM user. +9. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to Palette IAM role or IAM user. 
#### Validate -You can validate the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your newly added AWS cloud account is listed under the AWS sections. +You can validate the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts, navigate to the left **Main Menu** and click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your newly added AWS cloud account is listed under the AWS section. ### Dynamic Access Credentials -To add an AWS cloud account using STS credentials follow the steps below: +Use the steps below to add an AWS cloud account using Security token service (STS) credentials. #### Prerequisites -- An AWS account +- An AWS account. - Sufficient access to create an IAM role or IAM user. -- Palette IAM policies. Please review the [Required IAM Policies](required-iam-policies.md) section for guidance. +- Palette IAM policies. Review the [Required IAM Policies](required-iam-policies.md) section for guidance. #### Add AWS Account to Palette -1. Log in to [Palette](https://console.spectrocloud.com) as Tenant admin. +1. Log in to [Palette](https://console.spectrocloud.com) as tenant admin. -2. Go to **Tenant Settings** > **Cloud Accounts** and click **+Add AWS Account**. +2. From the left **Main Menu**, click on **Tenant Settings**. -3. In the cloud account creation wizard give the following information: - * **Account Name** - * **Description** - * Select **STS** authentication for validation: +3. Select **Cloud Accounts**, and click **+Add AWS Account**. + + +4. In the cloud account creation wizard give the following information: + * **Account Name**: Custom name for the cloud account. + * **Description**: Optional description for the cloud account. + * Select **STS** authentication for validation. -4. 
You will be provided with information on the right hand-side of the wizard. You will need this information to create an IAM Role for Palette. The following table lists out the information provided by the wizard after your selects **STS**. +5. You will be provided with information on the right side of the wizard. You will need this information to create an IAM Role for Palette. The following table lists the information provided by the wizard after your select **STS**. |**Parameter**|**Description**| |---------|---------------| 
@@ -106,29 +112,29 @@ To add an AWS cloud account using STS credentials follow the steps below: |**Account ID**|Copy the Account ID displayed on the UI| |**Require External ID**| Enable| |**External ID**|Copy the External ID displayed on the UI| - |**Permissions Policy**|Search and select the 4 policies added in step #2| + |**Permissions Policy**|Search and select the 4 policies added in step 2| |**Role Name**|SpectroCloudRole| -5. In the AWS console, create a new IAM role for Palette. Use the following resources if you need additional help. +6. In the AWS console, create a new IAM role for Palette. Use the following resources if you need additional help. - [IAM Role creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html). - [IAM User creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). -6. In the AWS console, assign the [Palette required IAM policies](required-iam-policies.md) to the role that Palette will use. +7. In the AWS console, assign the [Palette required IAM policies](required-iam-policies.md) to the role that Palette will use. -7. In the AWS console, browse to the **Role Details** page and copy the Amazon Resource Name (ARN) for the role. +8. In the AWS console, browse to the **Role Details** page and copy the Amazon Resource Name (ARN) for the role. -8. In Palette, paste the role ARN into the **ARN** input box. +9. In Palette, paste the role ARN into the **ARN** input box. -9. Click the **Validate** button to validate the credentials. +10. Click the **Validate** button to validate the credentials. #### Validate -You can validate the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your newly added AWS cloud account is listed under the AWS sections. 
+You can validate the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your newly added AWS cloud account is listed under the AWS section. @@ -137,11 +143,13 @@ You can validate the account is available in Palette by reviewing the list of cl ## AWS GovCloud Account -Palette supports integration with [AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc). Using Palette you can deploy Kubernetes clusters to your AWS GovCloud account. To get started with AWS GovCloud and Palette, use the following steps. -
+Palette supports integration with [AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc). Using Palette you can deploy Kubernetes clusters to your AWS GovCloud account. This section provides guidance in creating an AWS GovCloud account that uses static or dynamic access credentials. ### Static Access Credentials +Use the steps below to add an AWS cloud account using static access credentials. + + #### Prerequisites - An AWS account @@ -161,10 +169,13 @@ Palette supports integration with [AWS GovCloud (US)](https://aws.amazon.com/gov 3. Log in to [Palette](https://console.spectrocloud.com) as Tenant admin. -4. Go to **Tenant Settings** > **Cloud Accounts** and click **+Add AWS Account**. +4. From the left **Main Menu**, click on **Tenant Settings**. + + +5. Select **Cloud Accounts**, and click **+Add AWS Account**. -5. In the cloud account creation wizard provide the following information: +6. In the cloud account creation wizard provide the following information: * **Account Name:** Custom name for the cloud account. * **Description:** Optional description for the cloud account. 
@@ -175,20 +186,20 @@ Palette supports integration with [AWS GovCloud (US)](https://aws.amazon.com/gov * AWS Secret access key -6. Click the **Validate** button to validate the credentials. +7. Click on the **Validate** button to validate the credentials. -7. Once the credentials are validated, the **Add IAM Policies** toggle displays. Toggle **Add IAM Policies** on. +8. Once the credentials are validated, the **Add IAM Policies** toggle displays. Toggle **Add IAM Policies** on. -8. A drop-down menu displays a lists of available AWS IAM policies in your AWS account. Select any desired IAM policies you want to assign to Palette IAM role or IAM user. +9. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to Palette IAM role or IAM user. #### Validate -You can validate the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click **Cloud Accounts**. Your newly added AWS cloud account is listed under the AWS sections. +You can validate the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click **Cloud Accounts**. Your newly added AWS cloud account is listed under the AWS section. ### Dynamic Access Credentials -To add an AWS GovCloud cloud account using STS credentials follow the steps below: +Use the steps below to add an AWS cloud account using STS credentials. #### Prerequisites 
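Review bot: The rewritten lead-in sentences under the AWS GovCloud Account section drop "GovCloud": the Static Access Credentials hunk adds "Use the steps below to add an AWS cloud account using static access credentials." and this hunk changes "To add an AWS GovCloud cloud account using STS credentials follow the steps below:" to "Use the steps below to add an AWS cloud account using STS credentials." A reader landing on either subsection from search cannot tell it apart from the standard AWS account procedure; keep "AWS GovCloud account" in both sentences.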
@@ -202,16 +213,19 @@ To add an AWS GovCloud cloud account using STS credentials follow the steps belo 1. Log in to [Palette](https://console.spectrocloud.com) as Tenant admin. -2. Go to **Tenant Settings** > **Cloud Accounts** and click **+Add AWS Account**. +2. From the left **Main Menu**, click on **Tenant Settings**. + + +3. Select **Cloud Accounts**, and click **+Add AWS Account**. -3. In the cloud account creation wizard give the following information: +4. In the cloud account creation wizard give the following information: * **Account Name** * **Description** * Select **STS** authentication for validation: -4. You will be provided with information on the right hand-side of the wizard. You will need this information to create an IAM Role for Palette. The following table lists out the information provided by the wizard after you selects **STS**. +5. You will be provided with information on the right side of the wizard. You will need this information to create an IAM Role for Palette. The following table lists the information provided by the wizard after you select **STS**. |**Parameter**|**Description**| |---------|---------------| 
@@ -222,21 +236,21 @@ To add an AWS GovCloud cloud account using STS credentials follow the steps belo |**Permissions Policy**|Search and select the 4 policies added in step #2| |**Role Name**|SpectroCloudRole| -5. In the AWS console, create a new IAM role for Palette. Use the following resources if you need additional help. +6. In the AWS console, create a new IAM role for Palette. Use the following resources if you need additional help. - [IAM Role creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html). - [IAM User creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). -6. In the AWS console, assign the [Palette required IAM policies](required-iam-policies.md) to the role that Palette will use. +7. In the AWS console, assign the [Palette required IAM policies](required-iam-policies.md) to the role that Palette will use. -7. In the AWS console, browse to the **Role Details** page and copy the Amazon Resource Name (ARN) for the role. +8. In the AWS console, browse to the **Role Details** page and copy the Amazon Resource Name (ARN) for the role. -8. In Palette, paste the role arn into the **ARN** input box. +9. In Palette, paste the role ARN into the **ARN** input box. -9. Click the **Validate** button to validate the credentials. +10. Click on the **Validate** button to validate the credentials. #### Validate From 626c2a6e8850c5baf465ec494748188cb804d93c Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Wed, 1 Nov 2023 12:34:00 -0700 Subject: [PATCH 11/28] Fix repeated 'the' --- docs/docs-content/clusters/public-cloud/aws/eks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 4fb4f6244b..dfd2ecd63c 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
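Review bot: The Permissions Policy row in this GovCloud STS table still reads "the 4 policies added in step #2", while the same row in the earlier hunk was changed to "step 2"; align the two. More importantly, the renumbering in the preceding hunk makes step 2 "From the left **Main Menu**, click on **Tenant Settings**", so the cross-reference no longer points at the step where the four policies are created; check which step (or prerequisite item) it should name and update both tables.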
@@ -35,7 +35,7 @@ Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clus :::info -To enable automatic subnet discovery for integration with AWS load balancer service, you need to add tags to the the Virtual Private Cloud (VPC) public subnets. Use the AWS Tag Editor and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. Refer to [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) for more information. +To enable automatic subnet discovery for integration with AWS load balancer service, you need to add tags to the Virtual Private Cloud (VPC) public subnets. Use the AWS Tag Editor and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. Refer to [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) for more information. - `kubernetes.io/role/elb = 1` From 125956743ecbc154224bc7e19b43820fa824a307 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Wed, 1 Nov 2023 12:36:50 -0700 Subject: [PATCH 12/28] Vale fixes --- docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index 662a45010b..c9eb3df36e 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md 
@@ -104,7 +104,7 @@ Use the steps below to add an AWS cloud account using Security token service (ST * Select **STS** authentication for validation. -5. You will be provided with information on the right side of the wizard. You will need this information to create an IAM Role for Palette. The following table lists the information provided by the wizard after your select **STS**. +5. You will be provided with information on the right side of the wizard. You will need this information to create an IAM Role for Palette. The following table lists the information provided by the wizard after you select **STS**. |**Parameter**|**Description**| |---------|---------------| From 8954d439dfeb468948e7a5bd3f82c29b8bb5c63c Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Wed, 1 Nov 2023 14:37:10 -0700 Subject: [PATCH 13/28] Incorporate first comments --- .../public-cloud/aws/add-aws-accounts.md | 2 +- .../clusters/public-cloud/aws/eks.md | 30 ++++++------------- 2 files changed, 10 insertions(+), 22 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index c9eb3df36e..f921baea0c 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md @@ -78,7 +78,7 @@ You can validate the account is available in Palette by reviewing the list of cl ### Dynamic Access Credentials -Use the steps below to add an AWS cloud account using Security token service (STS) credentials. +Use the steps below to add an AWS cloud account using Security Token Service (STS) credentials. #### Prerequisites diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index dfd2ecd63c..11a6b67d3a 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
@@ -3,12 +3,12 @@ sidebar_label: "Create and Manage AWS EKS Cluster" title: "Create and Manage AWS EKS Cluster" description: "Learn how to deploy and manage AWS EKS clusters with Palette." hide_table_of_contents: false -tags: ["public cloud", "aws"] +tags: ["public cloud", "aws", "eks"] sidebar_position: 30 --- -Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clusters deployed to an AWS account. This section guides you on how to create an EKS cluster in AWS that Palette manages. +Palette supports creating and managing Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) clusters deployed to an AWS account. This section guides you on how to create an EKS cluster in AWS that Palette manages. ## Prerequisites @@ -35,7 +35,7 @@ Palette supports creating and managing AWS Elastic Kubernetes Service (EKS) clus :::info -To enable automatic subnet discovery for integration with AWS load balancer service, you need to add tags to the Virtual Private Cloud (VPC) public subnets. Use the AWS Tag Editor and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. Refer to [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) for more information. +To enable automated subnet discovery for integration with AWS load balancer service, you need to add tags to the Virtual Private Cloud (VPC) public subnets. Use the AWS Tag Editor and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. Refer to [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) for more information. - `kubernetes.io/role/elb = 1` 
@@ -47,7 +47,7 @@ To enable automatic subnet discovery for integration with AWS load balancer serv ## Deploy an AWS Cluster -Use the following steps to deploy an AWS cluster in which to provision an EKS cluster. +Use the following steps to deploy an EKS cluster on AWS. 1. Log in to [Palette](https://console.spectrocloud.com/). @@ -75,13 +75,13 @@ Use the following steps to deploy an AWS cluster in which to provision an EKS cl Use the following steps to provision a new EKS cluster. -1. Select **EKS** as the **Managed Kubernetes**. +1. Select **EKS** listed under **Managed Kubernetes**. 2. Select the EKS cluster profile you created and click on **Next**. Palette displays the cluster profile layers. 3. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. - You can configure OpenID Connect (OIDC) at the Kubernetes layer. To configure OIDC for managed EKS clusters, follow steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. + You can configure OpenID Connect (OIDC) at the Kubernetes layer. To configure OIDC for managed EKS clusters, follow the steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. :::caution @@ -95,12 +95,12 @@ Use the following steps to provision a new EKS cluster. |**Parameter**| **Description**| |-------------|---------------| - |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs and subnets, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. You will need to specify two subnets in different Availability Zones (AZs). | + |**Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. You will need to specify two subnets in different Availability Zones (AZs). | |**Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster.| |**SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs.| |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Public Access CIDRs** |This setting controls which IP address CIDR ranges can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Private Access CIDRs** |This setting controls which private IP address CIDR ranges can access the cluster. Private CIDRs provide a way to specify private, self-hosted, and air-gapped networks or Private Cloud Gateway (PCG) that may be located in other VPCs connected to the VPC hosting the cluster endpoint.

To restrict network access, enter the IP address CIDR range that will provide access to the cluster. Although `0.0.0.0/0` is pre-populated in this field, Palette ensures the only IPs that can reach the private endpoint are those within the VPC or any other connected VPCs. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| + |**Private Access CIDRs** |This setting controls which private IP address CIDR ranges can access the cluster. Private CIDRs provide a way to specify private, self-hosted, and air-gapped networks or Private Cloud Gateway (PCG) that may be located in other VPCs connected to the VPC hosting the cluster endpoint.

To restrict network access, enter the IP address CIDR range that will provide access to the cluster. Although `0.0.0.0/0` is pre-populated in this field, only IPs that can reach the private endpoint are those within the VPC or any other connected VPCs. For example, while using `0.0.0.0/0` would allow traffic throughout the VPC and all peered VPCs, specifying the VPC CIDR `10.0.0.0/16` would limit traffic to an individual VPC. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Enable Encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN**. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| :::caution @@ -172,7 +172,7 @@ Use the following steps to provision a new EKS cluster. ### Validate -You can validate your cluster is up and running. +You can validate your cluster is up and in **Running** state. 1. Log in to [Palette](https://console.spectrocloud.com/). @@ -209,18 +209,6 @@ Ensure the IAM role or IAM user can perform the required IAM permissions on the You can enable secret encryption during the EKS cluster creation process by toggling the **Enable Encryption** button on and providing the Amazon Resource Name (ARN) of the encryption key. The encryption option is available on the cluster creation wizard's **Cluster Config** page. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details. - - - - - ## Resources - [Add AWS Account](add-aws-accounts.md) From 09756d71b163db69b2d0b32bedf4f988d6286e34 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Wed, 1 Nov 2023 14:54:52 -0700 Subject: [PATCH 14/28] Revise info block, add link --- docs/docs-content/clusters/public-cloud/aws/eks.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
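Review bot: Grammar in the rewritten Private Access CIDRs row: "only IPs that can reach the private endpoint are those within the VPC" should read "the only IPs that can reach the private endpoint are those within the VPC". The added example is a good addition; since the sentence opens with "To restrict network access", state plainly that leaving the pre-populated `0.0.0.0/0` is the permissive choice (every peered VPC) and that the VPC CIDR, `10.0.0.0/16` in the example, is the restrictive one, so the reader knows which value to change.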
diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 11a6b67d3a..b94f3066d6 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -16,8 +16,6 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - Palette integration with AWS account. Review [Add AWS Account](add-aws-accounts.md) for guidance. - - - An infrastructure cluster profile for AWS EKS. When you create the profile, ensure you choose **EKS** as the **Managed Kubernetes** cloud type. Review [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) for guidance. - An EC2 key pair for the target region that provides a secure connection to your EC2 instances. To learn how to create a key pair, refer to the [Amazon EC2 key pairs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) resource. 
@@ -35,9 +33,8 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne :::info -To enable automated subnet discovery for integration with AWS load balancer service, you need to add tags to the Virtual Private Cloud (VPC) public subnets. Use the AWS Tag Editor and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. Refer to [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) for more information. +To enable automated subnet discovery to create external load balancers, you need to add tags to the Virtual Private Cloud (VPC) public subnets. For more information about tagging VPC networks, refer to the AWS [EKS VPC Subnet Discovery](https://repost.aws/knowledge-center/eks-vpc-subnet-discovery) reference guide. Use the AWS Tag Editor and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. To learn more about the Tag Editor, refer to the [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) reference guide. - - `kubernetes.io/role/elb = 1` - `sigs.k8s.io/cluster-api-provider-aws/role = public` - `kubernetes.io/cluster/[yourClusterName] = shared` @@ -109,8 +106,6 @@ Use the following steps to provision a new EKS cluster. ::: - - 6. Provide the following node pool and cloud configuration information. If you will be using Fargate profiles, you can add them here. - Node Configuration Settings From ea289f879814fa1188b446b48185586e85108c80 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Thu, 2 Nov 2023 17:55:02 -0700 Subject: [PATCH 15/28] Added review comments --- .../clusters/public-cloud/aws/eks.md | 49 +++++++------------ 1 file changed, 18 insertions(+), 31 deletions(-) 
diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index b94f3066d6..8af98ddfdf 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -20,9 +20,9 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - An EC2 key pair for the target region that provides a secure connection to your EC2 instances. To learn how to create a key pair, refer to the [Amazon EC2 key pairs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) resource. -- kubelogin installed. This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication, also known as `kubectl oidc-login`. +- kubelogin installed. This is a [kubectl plugin](https://github.com/int128/kubelogin) for Kubernetes OpenID Connect (OIDC) authentication, also known as `kubectl oidc-login`. -- Palette creates compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources: +- If you do not provide your own Virtual Private Cloud (VPC), Palette creates one for you with compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources: - Virtual CPU (vCPU) - Virtual Private Cloud (VPC) - Elastic IP @@ -30,6 +30,8 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - Elastic Load Balancers - Network Address Translation (NAT) Gateway + Palette does not create these resources if you specify an existing VPC. + :::info @@ -42,8 +44,6 @@ To enable automated subnet discovery to create external load balancers, you need ::: -## Deploy an AWS Cluster - Use the following steps to deploy an EKS cluster on AWS. 1. Log in to [Palette](https://console.spectrocloud.com/). 
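Review bot: The added sentence "Palette does not create these resources if you specify an existing VPC" is broader than the list it follows: Virtual CPU (vCPU) and Elastic Load Balancers are still consumed by the node pools and services when the VPC is yours, so a reader who brings an existing VPC could skip the capacity check and under-provision quota. Limit the statement to the resources tied to the VPC Palette creates (the VPC itself, the NAT Gateway and its Elastic IP), and reword "creates one for you with compute, network, and storage resources", since a VPC does not contain compute or storage.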
@@ -67,16 +67,13 @@ Use the following steps to deploy an EKS cluster on AWS. To learn how to add an AWS account, review the [Add an AWS Account to Palette](add-aws-accounts.md) guide. + -### Create an EKS Cluster - -Use the following steps to provision a new EKS cluster. +7. Select **EKS** listed under **Managed Kubernetes**. -1. Select **EKS** listed under **Managed Kubernetes**. +8. Select the EKS cluster profile you created and click on **Next**. Palette displays the cluster profile layers. -2. Select the EKS cluster profile you created and click on **Next**. Palette displays the cluster profile layers. - -3. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. +9. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. You can configure OpenID Connect (OIDC) at the Kubernetes layer. To configure OIDC for managed EKS clusters, follow the steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. @@ -86,9 +83,9 @@ Use the following steps to provision a new EKS cluster. ::: -4. Click on **Next** to continue. +10. Click on **Next** to continue. -5. Provide the following cluster configuration information and click on **Next** to continue. +11. Provide the following cluster configuration information and click on **Next** to continue. |**Parameter**| **Description**| |-------------|---------------| @@ -106,7 +103,7 @@ Use the following steps to provision a new EKS cluster. ::: -6. Provide the following node pool and cloud configuration information. If you will be using Fargate profiles, you can add them here. +12. Provide the following node pool and cloud configuration information. If you will be using Fargate profiles, you can add them here. - Node Configuration Settings 
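Review bot: Removing the "### Create an EKS Cluster" heading here (and "## Deploy an AWS Cluster" in the previous hunk) deletes their anchors; any cross-reference elsewhere in the docs that links to those anchors will break, so search the docs for them before merging. Merging the two procedures into one 1 to 19 sequence is otherwise fine with the existing lead-in "Use the following steps to deploy an EKS cluster on AWS."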
@@ -142,19 +139,19 @@ Use the following steps to provision a new EKS cluster. ::: -7. Click on **Next** to continue. +13. Click on **Next** to continue. -8. Specify your preferred **OS Patching Schedule** for EKS-managed machines. +14. Specify your preferred **OS Patching Schedule** for EKS-managed machines. -9. Enable any scan options you want Palette to perform, and select a scan schedule. Palette provides support for Kubernetes configuration security, penetration testing, and conformance testing. +15. Enable any scan options you want Palette to perform, and select a scan schedule. Palette provides support for Kubernetes configuration security, penetration testing, and conformance testing. -10. Schedule any backups you want Palette to perform. Review [Backup and Restore](../../cluster-management/backup-restore/backup-restore.md) for more information. +16. Schedule any backups you want Palette to perform. Review [Backup and Restore](../../cluster-management/backup-restore/backup-restore.md) for more information. -11. RBAC configuration is required when you configure OIDC. You must map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. +17. RBAC configuration is required when you configure OIDC. You must map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. -12. Click on the **Validate** button and review the cluster configuration and settings summary. +18. Click on the **Validate** button and review the cluster configuration and settings summary. -13. 
Click **Finish Configuration** to deploy the cluster. +19. Click **Finish Configuration** to deploy the cluster. The cluster details page of the cluster contains the status and details of the deployment. Use this page to track the deployment progress. @@ -210,18 +207,8 @@ You can enable secret encryption during the EKS cluster creation process by togg - [Create an Infrastructure Profile](../../../profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md) -- [EC2 Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) - -- [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) - -- [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) - - [EKS Cluster Encryption](#eks-cluster-secrets-encryption) -- [AWS Fargate](https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html) - -- [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) - - [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) - [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). From 88d67510f068338bd274647d2130f5f514bfa8d4 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Fri, 3 Nov 2023 10:15:00 -0700 Subject: [PATCH 16/28] Fix typo in policy name --- .../clusters/public-cloud/aws/required-iam-policies.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md index bf627ba61b..7f78bc475a 100644 --- a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md +++ b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md 
@@ -11,15 +11,12 @@ Palette requires proper Amazon Web Services (AWS) permissions to operate and per The following policies include all the permissions needed for cluster provisioning with Palette.
-* **PaletteControllersPolicy** - +* **PaletteControllerPolicy** * **PaletteControlPlanePolicy** - * **PaletteNodesPolicy** - * **PaletteDeploymentPolicy** Additional IAM policies may be required depending on the use case. For example, AWS Elastic Kubernetes Service (EKS) requires the **PaletteControllersEKSPolicy**. Check out the [Controllers EKS Policy](#controllers-eks-policy) section to review the IAM policy. From 42c154520cc89d757bb4db8788b2564d76341d58 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Fri, 3 Nov 2023 17:48:51 -0700 Subject: [PATCH 17/28] Revised KMS key creation section --- .../clusters/public-cloud/aws/eks.md | 96 ++++++++++++++----- .../public-cloud/aws/required-iam-policies.md | 1 - 2 files changed, 74 insertions(+), 23 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 8af98ddfdf..0c89c83c20 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
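Review bot: The rename from **PaletteControllersPolicy** to **PaletteControllerPolicy** (singular) is inconsistent with **PaletteControllersEKSPolicy** a few lines below, which keeps the plural. Users select these policies by exact name in IAM and in the Palette wizard ("Search and select the 4 policies"), so confirm which spelling the policy definitions in this file actually use before changing it, and make the other occurrence match.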
@@ -22,7 +22,9 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - kubelogin installed. This is a [kubectl plugin](https://github.com/int128/kubelogin) for Kubernetes OpenID Connect (OIDC) authentication, also known as `kubectl oidc-login`. -- If you do not provide your own Virtual Private Cloud (VPC), Palette creates one for you with compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources: +- To use secrets encryption during EKS cluster creation, you must have created an AWS Key Management Service (KMS) key. If you do not have one, review [Enable Secrets Encryption for EKS Cluster](#enable-secrets-encryption-for-eks-cluster) for guidance. + +- If you do not provide your own Virtual Private Cloud (VPC), Palette creates one for you with compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources. Note that Palette does not create these resources if you specify an existing VPC. - Virtual CPU (vCPU) - Virtual Private Cloud (VPC) - Elastic IP 
@@ -30,9 +32,7 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - Elastic Load Balancers - Network Address Translation (NAT) Gateway - Palette does not create these resources if you specify an existing VPC. - - + :::info To enable automated subnet discovery to create external load balancers, you need to add tags to the Virtual Private Cloud (VPC) public subnets. For more information about tagging VPC networks, refer to the AWS [EKS VPC Subnet Discovery](https://repost.aws/knowledge-center/eks-vpc-subnet-discovery) reference guide. Use the AWS Tag Editor and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. To learn more about the Tag Editor, refer to the [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) reference guide. @@ -95,7 +95,7 @@ Use the following steps to deploy an EKS cluster on AWS. |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Public Access CIDRs** |This setting controls which IP address CIDR ranges can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Private Access CIDRs** |This setting controls which private IP address CIDR ranges can access the cluster. Private CIDRs provide a way to specify private, self-hosted, and air-gapped networks or Private Cloud Gateway (PCG) that may be located in other VPCs connected to the VPC hosting the cluster endpoint.

To restrict network access, enter the IP address CIDR range that will provide access to the cluster. Although `0.0.0.0/0` is pre-populated in this field, only IPs that can reach the private endpoint are those within the VPC or any other connected VPCs. For example, while using `0.0.0.0/0` would allow traffic throughout the VPC and all peered VPCs, specifying the VPC CIDR `10.0.0.0/16` would limit traffic to an individual VPC. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Enable Encryption**| To enable secret encryption, toggle the **Enable Encryption** option and use the **drop-down Menu** to the select the AWS Key Managment Service (KMS) key **ARN**. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details.| + |**Enable Encryption**| Use this option for secrets encryption. You must have an existing AWS Key Managment Service (KMS) key you can use. Toggle the **Enable encryption** option and use the **drop-down Menu** in the **ARN** field to select the KMS key ARN.

If you do not have a KMS key and want to create one to use this option, review [Enable Secrets Encryption for EKS Cluster](#enable-secrets-encryption-for-eks-cluster). Once your KMS key is created, return to this Cluster Config step to enable secrets encryption and specify the KMS key ARN. | :::caution @@ -162,6 +162,8 @@ Use the following steps to deploy an EKS cluster on AWS. ::: +You can access your Kubernetes cluster by using the kubectl CLI. Refer to the [Kubectl](../../cluster-management/palette-webctl.md) guide for more information. + ### Validate You can validate your cluster is up and in **Running** state. @@ -174,31 +176,83 @@ You can validate your cluster is up and in **Running** state. 4. Ensure the **Cluster Status** field displays **Running**. +
-## EKS Cluster Secrets Encryption +## Enable Secrets Encryption for EKS Cluster Palette encourages using AWS Key Management Service (KMS) to provide envelope encryption of Kubernetes secrets stored in Amazon Elastic Kubernetes Service (EKS) clusters. This encryption is a defense-in-depth security strategy to protect sensitive data such as passwords, docker registry credentials, and Transport Layer Security (TLS) keys stored as [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/). +You can enable secrets encryption when you create an EKS cluster by toggling the **Enable encryption** button and providing the Amazon Resource Name (ARN) of the KMS key. The **Enable encryption** option is available on the cluster creation wizard's **Cluster Config** page for EKS. + ### Prerequisites -* KMS key created in the AWS account. -* KMS key is of the type symmetric. -* KMS key policy permits the following actions; encrypt and decrypt. +- An AWS account added to Palette. Review [Add AWS Account](add-aws-accounts.md) for guidance. + +- IAM user or role has attached policies listed in [Required IAM Policies](required-iam-policies.md). + +- A **PaletteControllersEKSPolicy** created in AWS and attached to the IAM user or role that Palette is using. To create this policy, refer to [Controllers EKS Policy](required-iam-policies.md#controllers-eks-policy). + + +### Configure KMS Key + +Use the following steps to configure a KMS key. + +1. In AWS, locate the Key Management Service. + +2. Select the region where your Palette EKS cluster is deployed. -### Configure KMS +:::caution -The IAM user or IAM role that Palette is using must have the following IAM permissions. +Ensure you create the KMS key in the same region as your Palette EKS cluster. Alternatively, you can create a multi-region KMS key that can be used across different regions. 
To learn how to create a multi-region key, review Amazon’s [Multi-Region Keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) reference guide. -```json hideClipboard -kms:CreateGrant, -kms:ListAliases, -kms:ListKeys, -kms:DescribeKeys -``` -Ensure the IAM role or IAM user can perform the required IAM permissions on the KMS key that will be used for EKS. +::: -You can enable secret encryption during the EKS cluster creation process by toggling the **Enable Encryption** button on and providing the Amazon Resource Name (ARN) of the encryption key. The encryption option is available on the cluster creation wizard's **Cluster Config** page. Review [EKS Cluster Encryption](#eks-cluster-secrets-encryption) for more details. +3. Create a key of type **Symmetric** and with usage **Encrypt and decrypt**. + +4. Ensure the IAM user or role that Palette is using has a policy attached with the following required IAM permissions. + + ```json hideClipboard + kms:CreateGrant, + kms:ListAliases, + kms:ListKeys, + kms:DescribeKeys + ``` + + Example: + + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Statement1", + "Effect": "Allow", + "Action": [ + "kms:ListKeys", + "kms:ListAliases", + "kms:DescribeKey", + "kms:CreateGrant" + ], + "Resource": "*" + } + ] + } + ``` + +If you need more guidance creating a KMS key, review the AWS [Creating KMS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) reference guide. + +### Validate + +You can verify the KMS key is integrated with Palette. When you deploy an EKS cluster on AWS and toggle the **Enable encryption** option at the Cluster Config step in the wizard, the KMS key ARN displays in the **drop-down Menu**. + + ## Resources 
@@ -213,6 +267,4 @@ You can enable secret encryption during the EKS cluster creation process by togg - [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). -- [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) - -- [EKS Cluster Encryption](#eks-cluster-secrets-encryption) \ No newline at end of file +- [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) \ No newline at end of file diff --git a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md index 7f78bc475a..0857294a90 100644 --- a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md +++ b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md @@ -9,7 +9,6 @@ sidebar_position: 40 Palette requires proper Amazon Web Services (AWS) permissions to operate and perform actions on your behalf. The following policies include all the permissions needed for cluster provisioning with Palette. -
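Review bot: in the eks.md hunk @@ -95,7 +95,7 @@ of this patch, the replacement **Enable Encryption** row splits its cell across lines with a blank line between "...select the KMS key ARN." and "If you do not have a KMS key...", which ends the Markdown table before the closing pipe; keep the cell on one line and use `<br/>` for the paragraph break. The same line carries over the "Key Managment" typo (should be "Management"), and the row names the field **Enable Encryption** while the cell tells the reader to toggle **Enable encryption**; use the one spelling the UI actually shows.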
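Review bot: in the eks.md hunk @@ -174,31 +176,83 @@ of this patch, the permission list in the `json hideClipboard` block says `kms:DescribeKeys` while the example policy directly below it grants `"kms:DescribeKey"`; the IAM action is `kms:DescribeKey` (singular), so correct the list, and note that the block is not JSON (a plain list or a `text` fence is more accurate). The example policy grants `kms:CreateGrant` and `kms:DescribeKey` on `"Resource": "*"`, which covers every key in the account; since step 3 creates one specific key, scope `Resource` to that key's ARN for those two actions and leave `*` only for `kms:ListKeys` and `kms:ListAliases`, which only accept `*`. Step 2 ("Select the region where your Palette EKS cluster is deployed") also conflicts with the new prerequisite, which requires the key before the cluster exists; say "the region where you intend to deploy the cluster", which is what the caution below already implies. Finally, the second `### Validate` heading duplicates the one under the deployment steps and will get a `-1` anchor suffix; rename it or promote the first one to a section heading.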
* **PaletteControllerPolicy** From 64369d0bbe36152aaed51859306089cb2ebefdb8 Mon Sep 17 00:00:00 2001 From: Rita Watson <117382432+ritawatson@users.noreply.github.com> Date: Mon, 6 Nov 2023 10:01:51 -0800 Subject: [PATCH 18/28] Apply suggestions from code review Co-authored-by: Karl Cardenas --- docs/docs-content/clusters/public-cloud/aws/eks.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 0c89c83c20..3e899a0570 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -180,7 +180,7 @@ You can validate your cluster is up and in **Running** state. ## Enable Secrets Encryption for EKS Cluster -Palette encourages using AWS Key Management Service (KMS) to provide envelope encryption of Kubernetes secrets stored in Amazon Elastic Kubernetes Service (EKS) clusters. This encryption is +We encourage using AWS Key Management Service (KMS) to provide envelope encryption of Kubernetes secrets stored in Amazon Elastic Kubernetes Service (EKS) clusters. This encryption is a defense-in-depth security strategy to protect sensitive data such as passwords, docker registry credentials, and Transport Layer Security (TLS) keys stored as [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/). You can enable secrets encryption when you create an EKS cluster by toggling the **Enable encryption** button and providing the Amazon Resource Name (ARN) of the KMS key. The **Enable encryption** option is available on the cluster creation wizard's **Cluster Config** page for EKS. 
@@ -198,19 +198,21 @@ You can enable secrets encryption when you create an EKS cluster by toggling the Use the following steps to configure a KMS key. -1. In AWS, locate the Key Management Service. +1. Log in to AWS console and navigateto the Key Management Service. -2. Select the region where your Palette EKS cluster is deployed. +2. Select the region where your KMS key policy is created. :::caution -Ensure you create the KMS key in the same region as your Palette EKS cluster. Alternatively, you can create a multi-region KMS key that can be used across different regions. To learn how to create a multi-region key, review Amazon’s [Multi-Region Keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) reference guide. +Ensure you create the KMS key in the same region as you intend to deploy EKS clusters through Palette. Alternatively, you can create a multi-region KMS key that can be used across different regions. To learn how to create a multi-region key, review Amazon’s [Multi-Region Keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) reference guide. + ::: 3. Create a key of type **Symmetric** and with usage **Encrypt and decrypt**. -4. Ensure the IAM user or role that Palette is using has a policy attached with the following required IAM permissions. +4. Ensure the IAM user or role that Palette is using has a policy attached with the following required IAM permissions. Replace the account ID and `REPLACE_ME` with the name of IAM User. If you are using an IAM role, change the ARN to end with `:role/REPLACE_ME`. + ```json hideClipboard kms:CreateGrant, From cd858a91c871095c33e109cad1f13ad273e1d763 Mon Sep 17 00:00:00 2001 
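Review bot: step 4's new sentence in this hunk ("Replace the account ID and `REPLACE_ME` with the name of IAM User. If you are using an IAM role, change the ARN to end with `:role/REPLACE_ME`.") refers to placeholders that do not exist in the example at this commit, where the policy still has `"Sid": "Statement1"` and no principal or ARN; the example is only replaced in PATCH 19/28, so squash the two commits or move the sentence there so the series is consistent at every step. Step 1 also introduces "navigateto" (needs a space), and step 2's new wording "Select the region where your KMS key policy is created" is circular, because a key policy is attached to a key and does not exist before it; the caution immediately below has the right criterion, the region where you intend to deploy EKS clusters.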
From: Rita Watson <117382432+ritawatson@users.noreply.github.com> Date: Mon, 6 Nov 2023 10:02:51 -0800 Subject: [PATCH 19/28] Apply suggestions from code review Co-authored-by: Karl Cardenas --- .../clusters/public-cloud/aws/eks.md | 38 +++++++++++-------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 3e899a0570..290e28eb9e 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -224,24 +224,30 @@ Ensure you create the KMS key in the same region as you intend to deploy EKS clu Example: ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Statement1", - "Effect": "Allow", - "Action": [ - "kms:ListKeys", - "kms:ListAliases", - "kms:DescribeKey", - "kms:CreateGrant" - ], - "Resource": "*" - } - ] - } + { + "Sid": "Allow Palette use of the KMS key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789:user/REPLACE_ME" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*" + }, ``` + + :::info + If you are using IAM to delegate access to the KMS key, you can continue to do so without modifying the KMS key + policy. Ensure the Palette IAM User or role have the proper custom IAM policy attached that grants it access to the + KMS key. Refer to the [Using IAM policies with AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html) to learn more about managing KMS key with IAM policies. + ::: + If you need more guidance creating a KMS key, review the AWS [Creating KMS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) reference guide. ### Validate From 61e5463d0e112c3f8db52b2fcd08533bd41f9e9d Mon Sep 17 00:00:00 2001 
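Review bot: the replacement example in this hunk is a KMS key-policy statement (it carries a `Principal`), but step 4 and the `hideClipboard` list above it describe an IAM identity policy with a different set of actions (`kms:CreateGrant`, `kms:ListAliases`, `kms:ListKeys`, `kms:DescribeKeys`); say which document the reader is editing and reconcile the two lists, since `kms:CreateGrant` is listed as required yet absent from the statement. The snippet is also a fragment, a single object with a trailing comma and no `"Version"`/`"Statement"` wrapper, so it cannot be pasted into the key policy editor as-is; and the principal ARN uses the account ID `123456789`, which has 9 digits where AWS account IDs have 12, so use a 12-digit placeholder such as `123456789012`. In the new `:::info` block, "Refer to the [Using IAM policies with AWS KMS](...) to learn" is missing the word "guide" after the link.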
From: Rita Watson Date: Mon, 6 Nov 2023 10:45:13 -0800 Subject: [PATCH 20/28] Incorporate review comments for KMS key --- .../clusters/public-cloud/aws/eks.md | 37 ++++++++++--------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 290e28eb9e..2b593c964f 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -164,7 +164,7 @@ Use the following steps to deploy an EKS cluster on AWS. You can access your Kubernetes cluster by using the kubectl CLI. Refer to the [Kubectl](../../cluster-management/palette-webctl.md) guide for more information. -### Validate +## Validate You can validate your cluster is up and in **Running** state. 
@@ -183,7 +183,7 @@ You can validate your cluster is up and in **Running** state. We encourage using AWS Key Management Service (KMS) to provide envelope encryption of Kubernetes secrets stored in Amazon Elastic Kubernetes Service (EKS) clusters. This encryption is a defense-in-depth security strategy to protect sensitive data such as passwords, docker registry credentials, and Transport Layer Security (TLS) keys stored as [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/). -You can enable secrets encryption when you create an EKS cluster by toggling the **Enable encryption** button and providing the Amazon Resource Name (ARN) of the KMS key. The **Enable encryption** option is available on the cluster creation wizard's **Cluster Config** page for EKS. +Palette provides an **Enable encryption** option, which is only available during the cluster creation process. You can enable secrets encryption when you create an EKS cluster by toggling the **Enable encryption** button and providing the Amazon Resource Name (ARN) of the KMS key. The **Enable encryption** option is available on the cluster creation wizard's **Cluster Config** page for EKS. ### Prerequisites 
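Review bot: the rewritten paragraph in this hunk says the same thing twice, first "Palette provides an **Enable encryption** option, which is only available during the cluster creation process" and then, at the end, "The **Enable encryption** option is available on the cluster creation wizard's **Cluster Config** page for EKS"; merge them into one sentence that gives the location and, because it matters operationally, states plainly that secrets encryption cannot be switched on from Palette after the cluster has been created.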
@@ -193,18 +193,30 @@ You can enable secrets encryption when you create an EKS cluster by toggling the - A **PaletteControllersEKSPolicy** created in AWS and attached to the IAM user or role that Palette is using. To create this policy, refer to [Controllers EKS Policy](required-iam-policies.md#controllers-eks-policy). +- An AWS KMS key created in the AWS region you intend to deploy cluster to with Palette. + +- Ensure the KMS key policy allows the IAM user or role Palette usage of the KMS key. The KMS key policy must allowed the IAM role or IAM user the following actions: + + - "kms:Encrypt", + - "kms:Decrypt", + - "kms:ReEncrypt*", + - "kms:GenerateDataKey*", + - "kms:DescribeKey" + + Check out the [Create a KMS Key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html) guide for more information on key policies. + ### Configure KMS Key Use the following steps to configure a KMS key. -1. Log in to AWS console and navigateto the Key Management Service. +1. Log in to AWS console and navigate to the Key Management Service. 2. Select the region where your KMS key policy is created. :::caution -Ensure you create the KMS key in the same region as you intend to deploy EKS clusters through Palette. Alternatively, you can create a multi-region KMS key that can be used across different regions. To learn how to create a multi-region key, review Amazon’s [Multi-Region Keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) reference guide. +Ensure you create the KMS key in the same region that you intend to deploy EKS clusters through Palette. Alternatively, you can create a multi-region KMS key that can be used across different regions. To learn how to create a multi-region key, review Amazon’s [Multi-Region Keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) reference guide. ::: 
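Review bot: the new prerequisite in this hunk, "An AWS KMS key created in the AWS region you intend to deploy cluster to with Palette", contradicts the **Configure KMS Key** steps that follow, which create the key (step 3, "Create a key of type **Symmetric** and with usage **Encrypt and decrypt**"); either drop the bullet here or turn the steps into a check of an existing key. The action list is written as bullets containing JSON string literals with trailing commas (`- "kms:Encrypt",`), which renders oddly; use a fenced block if it is meant to be pasted, otherwise plain bullets without quotes and commas. Wording: "must allowed" should be "must allow", "deploy cluster to" should be "deploy clusters to", and "allows the IAM user or role Palette usage of the KMS key" reads better as "allows the IAM user or role that Palette uses to use the KMS key".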
@@ -241,12 +253,11 @@ Ensure you create the KMS key in the same region as you intend to deploy EKS clu }, ``` - :::info +:::info - If you are using IAM to delegate access to the KMS key, you can continue to do so without modifying the KMS key - policy. Ensure the Palette IAM User or role have the proper custom IAM policy attached that grants it access to the - KMS key. Refer to the [Using IAM policies with AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html) to learn more about managing KMS key with IAM policies. - ::: +If you are using IAM to delegate access to the KMS key, you can continue to do so without modifying the KMS key policy. Ensure the Palette IAM User or role have the proper custom IAM policy attached that grants it access to the KMS key. Refer to the [Using IAM policies with AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html) to learn more about managing KMS keys with IAM policies. + +::: If you need more guidance creating a KMS key, review the AWS [Creating KMS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) reference guide. @@ -254,14 +265,6 @@ If you need more guidance creating a KMS key, review the AWS [Creating KMS Keys] You can verify the KMS key is integrated with Palette. When you deploy an EKS cluster on AWS and toggle the **Enable encryption** option at the Cluster Config step in the wizard, the KMS key ARN displays in the **drop-down Menu**. - - ## Resources From 6dbe303c0e5d887cf38232ab53ee09cd26a27190 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Mon, 6 Nov 2023 11:21:23 -0800 Subject: [PATCH 21/28] Fix typo --- docs/docs-content/clusters/public-cloud/aws/eks.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 2b593c964f..627b662939 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md 
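Review bot: in the dedented `:::info` block of hunk @@ -241,12 +253,11 @@, "Ensure the Palette IAM User or role have the proper custom IAM policy attached" should read "has", and "IAM User" should be lowercase "IAM user" as elsewhere on the page; the dedent itself is fine, since no numbered steps follow the admonition.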
+++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -195,13 +195,13 @@ Palette provides an **Enable encryption** option, which is only available during - An AWS KMS key created in the AWS region you intend to deploy cluster to with Palette. -- Ensure the KMS key policy allows the IAM user or role Palette usage of the KMS key. The KMS key policy must allowed the IAM role or IAM user the following actions: +- Ensure the KMS key policy allows the IAM user or role Palette usage of the KMS key. The KMS key policy must allow the IAM role or IAM user the following actions: - - "kms:Encrypt", - - "kms:Decrypt", - - "kms:ReEncrypt*", - - "kms:GenerateDataKey*", - - "kms:DescribeKey" + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" Check out the [Create a KMS Key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html) guide for more information on key policies. From 0c01a03ad94b5773db00554441471040820f4589 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Mon, 6 Nov 2023 16:44:58 -0800 Subject: [PATCH 22/28] Create new page for KMS key --- .../clusters/public-cloud/aws/eks.md | 22 +++-- .../aws/enable-secrets-encryption-kms-key.md | 95 +++++++++++++++++++ 2 files changed, 110 insertions(+), 7 deletions(-) create mode 100644 docs/docs-content/clusters/public-cloud/aws/enable-secrets-encryption-kms-key.md diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 627b662939..1fa9429708 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
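Review bot: replacing the bullets with bare indented lines in this hunk leaves `"kms:Encrypt",` through `"kms:DescribeKey"` as consecutive text lines, which Markdown joins into a single paragraph reading `"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", ...`; if these are meant to be copied into a policy, put them in a fenced `json` block as a proper `"Action"` array, otherwise keep the bullets and drop the quotes and commas.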
@@ -22,7 +22,7 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - kubelogin installed. This is a [kubectl plugin](https://github.com/int128/kubelogin) for Kubernetes OpenID Connect (OIDC) authentication, also known as `kubectl oidc-login`. -- To use secrets encryption during EKS cluster creation, you must have created an AWS Key Management Service (KMS) key. If you do not have one, review [Enable Secrets Encryption for EKS Cluster](#enable-secrets-encryption-for-eks-cluster) for guidance. +- To use secrets encryption during EKS cluster creation, you must have created an AWS Key Management Service (KMS) key. If you do not have one, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md) for guidance. - If you do not provide your own Virtual Private Cloud (VPC), Palette creates one for you with compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources. Note that Palette does not create these resources if you specify an existing VPC. - Virtual CPU (vCPU) 
@@ -75,7 +75,7 @@ Use the following steps to deploy an EKS cluster on AWS. 9. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. - You can configure OpenID Connect (OIDC) at the Kubernetes layer. To configure OIDC for managed EKS clusters, follow the steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. + You can configure custom OpenID Connect (OIDC) for EKS clusters at the Kubernetes layer. To do this, follow the steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. Alternatively, if you want to use AWS Identity and Access Management (IAM) for authentication, you will need to download the `aws-iam-authenticator` plugin. Review [Access EKS Cluster](#access-eks-cluster) for more information. :::caution @@ -83,6 +83,7 @@ Use the following steps to deploy an EKS cluster on AWS. ::: + 10. Click on **Next** to continue. 11. Provide the following cluster configuration information and click on **Next** to continue. 
@@ -95,7 +96,7 @@ Use the following steps to deploy an EKS cluster on AWS. |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Public Access CIDRs** |This setting controls which IP address CIDR ranges can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Private Access CIDRs** |This setting controls which private IP address CIDR ranges can access the cluster. Private CIDRs provide a way to specify private, self-hosted, and air-gapped networks or Private Cloud Gateway (PCG) that may be located in other VPCs connected to the VPC hosting the cluster endpoint.

To restrict network access, enter the IP address CIDR range that will provide access to the cluster. Although `0.0.0.0/0` is pre-populated in this field, only IPs that can reach the private endpoint are those within the VPC or any other connected VPCs. For example, while using `0.0.0.0/0` would allow traffic throughout the VPC and all peered VPCs, specifying the VPC CIDR `10.0.0.0/16` would limit traffic to an individual VPC. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Enable Encryption**| Use this option for secrets encryption. You must have an existing AWS Key Managment Service (KMS) key you can use. Toggle the **Enable encryption** option and use the **drop-down Menu** in the **ARN** field to select the KMS key ARN.

If you do not have a KMS key and want to create one to use this option, review [Enable Secrets Encryption for EKS Cluster](#enable-secrets-encryption-for-eks-cluster). Once your KMS key is created, return to this Cluster Config step to enable secrets encryption and specify the KMS key ARN. | + |**Enable Encryption**| Use this option for secrets encryption. You must have an existing AWS Key Managment Service (KMS) key you can use. Toggle the **Enable encryption** option and use the **drop-down Menu** in the **ARN** field to select the KMS key ARN.

If you do not have a KMS key and want to create one to use this option, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md). Once your KMS key is created, return to this Cluster Config step to enable secrets encryption and specify the KMS key ARN. | :::caution @@ -147,7 +148,7 @@ Use the following steps to deploy an EKS cluster on AWS. 16. Schedule any backups you want Palette to perform. Review [Backup and Restore](../../cluster-management/backup-restore/backup-restore.md) for more information. -17. RBAC configuration is required when you configure OIDC. You must map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. +17. RBAC configuration is required when you configure custom OIDC. You must map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. 18. Click on the **Validate** button and review the cluster configuration and settings summary. @@ -162,7 +163,8 @@ Use the following steps to deploy an EKS cluster on AWS. ::: -You can access your Kubernetes cluster by using the kubectl CLI. Refer to the [Kubectl](../../cluster-management/palette-webctl.md) guide for more information. +For information on how to access your cluster using the kubectl CLI, review [Access EKS Cluster](#access-eks-cluster). + ## Validate @@ -178,7 +180,13 @@ You can validate your cluster is up and in **Running** state.
-## Enable Secrets Encryption for EKS Cluster +## Access EKS Cluster + +You can access your Kubernetes cluster by using the kubectl CLI. To learn how to set up kubectl, refer to the [Kubectl](../../cluster-management/palette-webctl.md) guide for more information. + +You must also ... + + ## Resources diff --git a/docs/docs-content/clusters/public-cloud/aws/enable-secrets-encryption-kms-key.md b/docs/docs-content/clusters/public-cloud/aws/enable-secrets-encryption-kms-key.md new file mode 100644 index 0000000000..32abbd0bbc --- /dev/null +++ b/docs/docs-content/clusters/public-cloud/aws/enable-secrets-encryption-kms-key.md 
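Review bot: the new **Access EKS Cluster** section in hunk @@ -178,7 +180,13 @@ is committed with the unfinished line "You must also ...", and the earlier hunk in this patch (@@ -162,7 +163,8 @@) now sends readers here for kubectl access instead of linking the Kubectl guide directly, so at this commit the placeholder is the only guidance on the page; finish the sentence (PATCH 23/28 does) or squash the two commits so no intermediate commit publishes it.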
@@ -0,0 +1,95 @@ +--- +sidebar_label: "Enable Secrets Encryption for EKS Cluster" +title: "Enable Secrets Encryption for EKS Cluster" +description: "Learn how to create an AWS KMS key to encrypt Kubernetes secrets for EKS Clusters." +hide_table_of_contents: false +tags: ["public cloud", "aws", "eks"] +sidebar_position: 40 +--- + + + +We encourage using AWS Key Management Service (KMS) to provide envelope encryption of Kubernetes secrets stored in Amazon Elastic Kubernetes Service (EKS) clusters. This encryption is +a defense-in-depth security strategy to protect sensitive data such as passwords, docker registry credentials, and Transport Layer Security (TLS) keys stored as [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/). + +Palette provides an **Enable encryption** option, which is only available during the cluster creation process. You can enable secrets encryption when you create an EKS cluster by toggling the **Enable encryption** button and providing the Amazon Resource Name (ARN) of the KMS key. The **Enable encryption** option is available on the cluster creation wizard's **Cluster Config** page for EKS. + +## Prerequisites + +- An AWS account added to Palette. Review [Add AWS Account](add-aws-accounts.md) for guidance. + +- IAM user or role has attached policies listed in [Required IAM Policies](required-iam-policies.md). + +- A **PaletteControllersEKSPolicy** created in AWS and attached to the IAM user or role that Palette is using. To create this policy, refer to [Controllers EKS Policy](required-iam-policies.md#controllers-eks-policy). + +- An AWS KMS key created in the AWS region you intend to deploy cluster to with Palette. + +- Ensure the KMS key policy allows the IAM user or role Palette usage of the KMS key. 
The KMS key policy must allow the IAM role or IAM user the following actions: + + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + + Check out the [Create a KMS Key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html) guide for more information on key policies. + + +## Create KMS Key + +Use the following steps to configure a KMS key. + +1. Log in to AWS console and navigate to the Key Management Service. + +2. Select the region where your KMS key policy is created. + +:::caution + +Ensure you create the KMS key in the same region that you intend to deploy EKS clusters through Palette. Alternatively, you can create a multi-region KMS key that can be used across different regions. To learn how to create a multi-region key, review Amazon’s [Multi-Region Keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) reference guide. + + +::: + +3. Create a key of type **Symmetric** and with usage **Encrypt and decrypt**. + +4. Ensure the IAM user or role that Palette is using has a policy attached with the following required IAM permissions. Replace the account ID and `REPLACE_ME` with the name of IAM User. If you are using an IAM role, change the ARN to end with `:role/REPLACE_ME`. + + + ```json hideClipboard + kms:CreateGrant, + kms:ListAliases, + kms:ListKeys, + kms:DescribeKeys + ``` + + Example: + + ```json + { + "Sid": "Allow Palette use of the KMS key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789:user/REPLACE_ME" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*" + }, + ``` + +:::info + +If you are using IAM to delegate access to the KMS key, you can continue to do so without modifying the KMS key policy. Ensure the Palette IAM User or role have the proper custom IAM policy attached that grants it access to the KMS key. 
Refer to the [Using IAM policies with AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html) to learn more about managing KMS keys with IAM policies. + +::: + +If you need more guidance creating a KMS key, review the AWS [Creating KMS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) reference guide. + +### Validate + +You can verify the KMS key is integrated with Palette. When you deploy an EKS cluster on AWS and toggle the **Enable encryption** option at the Cluster Config step in the wizard, the KMS key ARN displays in the **drop-down Menu**. From bf6f844d61dcae9629ca338ca92a779ae2c8bd82 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Mon, 6 Nov 2023 17:41:22 -0800 Subject: [PATCH 23/28] Add Access EKS Cluster section --- docs/docs-content/clusters/public-cloud/aws/eks.md | 14 ++++++++++---- .../aws/enable-secrets-encryption-kms-key.md | 2 +- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 1fa9429708..8544b909c3 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
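Review bot: the new page's front matter sets `sidebar_position: 40`, which collides with `required-iam-policies.md` (its hunk header earlier in this series shows `sidebar_position: 40`); give the new page a distinct position so the sidebar order is deterministic. The content carried over from eks.md still has the inconsistencies flagged earlier: the prerequisite "An AWS KMS key created in the AWS region you intend to deploy cluster to with Palette" contradicts the **Create KMS Key** steps that create it (and the intro under that heading still says "configure a KMS key"); step 2, "Select the region where your KMS key policy is created", contradicts the caution right below it; the `hideClipboard` list says `kms:DescribeKeys` while the example uses `"kms:DescribeKey"`; and the example is a lone statement with a trailing comma and a 9-digit account ID. Since this is a new file, fix these here rather than carrying them forward.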
@@ -22,7 +22,7 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - kubelogin installed. This is a [kubectl plugin](https://github.com/int128/kubelogin) for Kubernetes OpenID Connect (OIDC) authentication, also known as `kubectl oidc-login`. -- To use secrets encryption during EKS cluster creation, you must have created an AWS Key Management Service (KMS) key. If you do not have one, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md) for guidance. +- To use secrets encryption, which is available only during EKS cluster creation, you must have created an AWS Key Management Service (KMS) key. If you do not have one, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md) for guidance. - If you do not provide your own Virtual Private Cloud (VPC), Palette creates one for you with compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources. Note that Palette does not create these resources if you specify an existing VPC. - Virtual CPU (vCPU) 
@@ -75,7 +75,7 @@ Use the following steps to deploy an EKS cluster on AWS. 9. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. - You can configure custom OpenID Connect (OIDC) for EKS clusters at the Kubernetes layer. To do this, follow the steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. Alternatively, if you want to use AWS Identity and Access Management (IAM) for authentication, you will need to download the `aws-iam-authenticator` plugin. Review [Access EKS Cluster](#access-eks-cluster) for more information. + You can configure custom OpenID Connect (OIDC) for EKS clusters at the Kubernetes layer. To do this, follow the steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. Alternatively, if you want to use AWS Identity and Access Management (IAM) for authentication, you will need to download the `aws-iam-authenticator` plugin. Review the [Access EKS Cluster](#access-eks-cluster) section for more information. :::caution 
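Review bot: the link target `../../../integrations/kubernetes.md/#configure-custom-oidc` in the rewritten step 9 keeps a `/` between `.md` and the `#` fragment, which is inconsistent with the `#access-eks-cluster` link on the same line; suggest `../../../integrations/kubernetes.md#configure-custom-oidc`. Otherwise the hunk only changes wording ("Review the ... section"), which reads fine.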
@@ -182,9 +182,15 @@ You can validate your cluster is up and in **Running** state. ## Access EKS Cluster -You can access your Kubernetes cluster by using the kubectl CLI. To learn how to set up kubectl, refer to the [Kubectl](../../cluster-management/palette-webctl.md) guide for more information. +You can access your Kubernetes cluster by using the kubectl CLI. Palette automatically generates a kubeconfig file for your cluster that you can download and use to connect with your host cluster. To learn how to set up kubectl, check out the [Kubectl](../../cluster-management/palette-webctl.md) guide. -You must also ... +If you will be using AWS Identity and Access Management (IAM) for authentication, you will need to do the following: + +- Install the `aws-iam-authenticator` plugin. Refer to the [Install aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html) reference guide. + +- Link your AWS credentials locally to the EKS cluster. Refer to the [Configuration and Credential File Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) reference guide. + +- Install and configure the AWS CLI. Refer to [Install or Update the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [Configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) reference guides. +- If you do not already have the AWS CLI installed and configured, you will need do this. Refer to [Install or Update the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [Configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) reference guides. ## Resources From c55dc72939d747d112d33588cde6c6b1b1e49593 Mon Sep 17 00:00:00 2001 
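Review bot: the last two bullets of the new IAM list both point at the same two AWS CLI guides ("Install and configure the AWS CLI. Refer to ..." and "If you do not already have the AWS CLI installed and configured, you will need do this. Refer to ..."), so one of them should be dropped. Keep a single AWS CLI bullet and move it ahead of "Link your AWS credentials locally to the EKS cluster", since the credentials file that bullet refers to is written during CLI configuration, and fix "you will need do this" to "you will need to do this".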
From: Rita Watson Date: Mon, 6 Nov 2023 18:06:22 -0800 Subject: [PATCH 25/28] Replace kubelogin prereq w. aws-iam-authenticator --- docs/docs-content/clusters/public-cloud/aws/eks.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 0bbb7c66dc..aa0e50ce8c 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -20,7 +20,9 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - An EC2 key pair for the target region that provides a secure connection to your EC2 instances. To learn how to create a key pair, refer to the [Amazon EC2 key pairs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) resource. -- kubelogin installed. This is a [kubectl plugin](https://github.com/int128/kubelogin) for Kubernetes OpenID Connect (OIDC) authentication, also known as `kubectl oidc-login`. +- aws-iam-authenticator installed if you want to use AWS Identity and Access Management (IAM) to authenticate with your EKS cluster. For more information review the [Access EKS Cluster](#access-eks-cluster) section. + + - To use secrets encryption, which is available only during EKS cluster creation, you must have created an AWS Key Management Service (KMS) key. If you do not have one, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md) for guidance. From f992abb86de4115602cf79e26461051757fd108a Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Tue, 7 Nov 2023 17:50:21 -0800 Subject: [PATCH 26/28] Revised Access EKS Cluster, step 9, prereqs --- .../clusters/public-cloud/aws/eks.md | 53 +++++++++++++------ .../integrations/kubernetes-generic.md | 14 +++-- 2 files changed, 45 insertions(+), 22 deletions(-) 
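Review bot: dropping the kubelogin prerequisite leaves the custom OIDC path without its plugin: step 9 (see the @@ -75 hunk in PATCH 23/28) still tells readers they can configure custom OIDC at the Kubernetes layer, and kubelogin is the plugin that path uses. Keep both plugins as alternatives, or make the prerequisite conditional on the chosen authentication method. The hunk also adds two empty `+` lines after the new bullet, leaving a double blank line, and "For more information review" needs a comma after "information".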
diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index aa0e50ce8c..19a3e60249 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -20,9 +20,11 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - An EC2 key pair for the target region that provides a secure connection to your EC2 instances. To learn how to create a key pair, refer to the [Amazon EC2 key pairs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) resource. -- aws-iam-authenticator installed if you want to use AWS Identity and Access Management (IAM) to authenticate with your EKS cluster. For more information review the [Access EKS Cluster](#access-eks-cluster) section. +- To access your EKS cluster using kubectl, you will need one of the following plugins. For guidance, review the [Access EKS Cluster](#access-eks-cluster) section. - + - [aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html) to use default AWS authentication. + + - [kubelogin](https://github.com/int128/kubelogin), also known as `kubectl oidc-login`, to configure custom OpenID Connect (OIDC) authentication in Palette. - To use secrets encryption, which is available only during EKS cluster creation, you must have created an AWS Key Management Service (KMS) key. If you do not have one, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md) for guidance. 
@@ -75,18 +77,7 @@ Use the following steps to deploy an EKS cluster on AWS. 8. Select the EKS cluster profile you created and click on **Next**. Palette displays the cluster profile layers. -9. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. - - You can configure custom OpenID Connect (OIDC) for EKS clusters at the Kubernetes layer. To do this, follow the steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes.md/#configure-custom-oidc) guide. - - :::caution - - Configuring OIDC requires you to map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. - - ::: - - Alternatively, to use AWS Identity and Access Management (IAM) for authentication, you will need to install the AWS IAM Authenticator. Review the [Access EKS Cluster](#access-eks-cluster) section for more information. - +9. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer. You can configure custom OpenID Connect (OIDC) for EKS clusters at the Kubernetes layer. Check out [Access EKS Cluster](#access-eks-cluster) if you need more guidance. 10. Click on **Next** to continue. 
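Review bot: collapsing step 9 removes the direct link to the Configure Custom OIDC guide and the caution that OIDC requires mapping users or groups to an RBAC role; the reader editing the Kubernetes layer YAML at this step now only gets "Check out [Access EKS Cluster] if you need more guidance". Keep at least the Configure Custom OIDC link inline at this step; the RBAC caution reappears in the Access EKS Cluster section in this same patch, so a pointer there is enough for that part. "Check out" is also chattier than the "Refer to" / "Review" phrasing used in the surrounding steps.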
@@ -186,16 +177,44 @@ You can validate your cluster is up and in **Running** state. ## Access EKS Cluster -You can access your Kubernetes cluster by using the kubectl CLI. Palette automatically generates a kubeconfig file for your cluster that you can download and use to connect with your host cluster. To learn how to set up kubectl, check out the [Kubectl](../../cluster-management/palette-webctl.md) guide. +You can access your Kubernetes cluster by using the kubectl CLI, which requires authentication. Depending on how you will authenticate to your EKS cluster, you need to install the appropriate plugin. The table lists the plugin required for two EKS deployment scenarios. + +| **Scenario** | **Plugin** | +| ----------------------------------------- | --------------------------------------- | +| Deploy EKS cluster with custom OIDC | kubelogin | +| Deploy EKS cluster access with default AWS authentication | aws-iam-authenticator | + +For guidance in setting up kubectl, review the [Kubectl](../../cluster-management/palette-webctl.md) guide. Select the appropriate tab for your deployment. -If you will be using AWS Identity and Access Management (IAM) for authentication, you will need to do the following: + -- Install the `aws-iam-authenticator` plugin. Refer to the [Install aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html) reference guide. + + +To use AWS Identity and Access Management (IAM), you need to do the following: + +- Install [aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html). - Link your AWS credentials locally to the EKS cluster. Refer to the [Configuration and Credential File Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) reference guide. - If you do not already have the AWS CLI installed and configured, you will need do this. 
Refer to [Install or Update the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [Configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) reference guides. + + + + +To use custom OIDC, you need to do the following: + +- Install [kubelogin](https://github.com/int128/kubelogin). We recommend kubelogin for its ease of authentication. For more information and to learn about other available helper applications, you can visit [OIDC Identity Provider authentication for Amazon EKS](https://aws.amazon.com/blogs/containers/introducing-oidc-identity-provider-authentication-amazon-eks/). + +- Configure OIDC in the Kubernetes pack YAML file. Refer to steps for Amazon EKS in the [Configure Custom OIDC](../../../integrations/kubernetes-generic.md/#configure-custom-oidc) guide. + +- Map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. + + + + + +
## Resources diff --git a/docs/docs-content/integrations/kubernetes-generic.md b/docs/docs-content/integrations/kubernetes-generic.md index a4afb3b603..ffe7f339d1 100644 --- a/docs/docs-content/integrations/kubernetes-generic.md +++ b/docs/docs-content/integrations/kubernetes-generic.md @@ -153,7 +153,7 @@ OIDC requires a *RoleBinding* for the users or groups you want to provide cluste The custom method to configure OIDC and apply RBAC for an OIDC provider can be used for all cloud services except Amazon Elastic Kubernetes Service (EKS) and [Azure-AKS](../clusters/public-cloud/azure/aks.md#configure-an-azure-active-directory). - + @@ -202,7 +202,6 @@ Follow these steps to configure a third-party OIDC IDP. You can apply these step Follow these steps to configure OIDC for managed EKS clusters. -
1. In the Kubernetes pack, uncomment the lines in the `oidcIdentityProvider` parameter section of the Kubernetes pack, and enter your third-party provider details. @@ -230,6 +229,8 @@ clientConfig: 3. Provide third-party OIDC IDP details. +Alternatively, to use AWS Identity and Access Management (IAM) for authentication, refer to [Access EKS Cluster](../clusters/public-cloud/aws/eks.md/#access-eks-cluster). +
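Review bot: the added "Alternatively, to use AWS Identity and Access Management (IAM) ..." paragraph is inserted unindented after step 3 and before the tab close, so it will either break the numbered list or render as a loose paragraph inside the OIDC steps; make it a numbered step or an indented :::info block under the list. Its link `../clusters/public-cloud/aws/eks.md/#access-eks-cluster` has a `/` before `#`; drop it. The same paragraph is pasted verbatim into the @@ -438 and @@ -650 hunks below; a single shared partial would keep the three tabs from drifting.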
@@ -362,7 +363,7 @@ OIDC requires a *RoleBinding* for the users or groups you want to provide cluste The custom method to configure OIDC and apply RBAC for an OIDC provider can be used for all cloud services except Amazon Elastic Kubernetes Service (EKS) and [Azure-AKS](../clusters/public-cloud/azure/aks.md#configure-an-azure-active-directory). - + @@ -438,6 +439,8 @@ clientConfig: 3. Provide third-party OIDC IDP details. +Alternatively, to use AWS Identity and Access Management (IAM) for authentication, refer to [Access EKS Cluster](../clusters/public-cloud/aws/eks.md/#access-eks-cluster). + @@ -569,7 +572,7 @@ OIDC requires a *RoleBinding* for the users or groups you want to provide cluste The custom method to configure OIDC and apply RBAC for an OIDC provider can be used for all cloud services except Amazon Elastic Kubernetes Service (EKS) and [Azure-AKS](../clusters/public-cloud/azure/aks.md#configure-an-azure-active-directory). - + @@ -618,7 +621,6 @@ Follow these steps to configure a third-party OIDC IDP. You can apply these step Follow these steps to configure OIDC for managed EKS clusters. -
1. In the Kubernetes pack, uncomment the lines in the `oidcIdentityProvider` parameter section of the Kubernetes pack, and enter your third-party provider details. @@ -650,6 +652,8 @@ Follow these steps to configure OIDC for managed EKS clusters. 3. Provide third-party OIDC IDP details. +Alternatively, to use AWS Identity and Access Management (IAM) for authentication, refer to [Access EKS Cluster](../clusters/public-cloud/aws/eks.md/#access-eks-cluster). +
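Review bot: in the eks.md hunk @@ -186,16 +177,44 @@, the second table row "Deploy EKS cluster access with default AWS authentication" has a stray "access"; make it parallel to the first row, "Deploy EKS cluster with default AWS authentication". The custom OIDC bullets link to `../../../integrations/kubernetes-generic.md/#configure-custom-oidc` for configuration but to `../../../integrations/kubernetes.md/#use-rbac-with-oidc` for the RBAC example; pick one target (kubernetes-generic.md is the file this patch edits) and drop the `/` before `#` in both. The IAM tab also carries over the typo "you will need do this".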
From 9148df857f6699bc89e3c0d30b6a555b9b84631f Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Wed, 8 Nov 2023 10:21:24 -0700 Subject: [PATCH 27/28] docs: updates and clarifications --- .../clusters/public-cloud/aws/eks.md | 52 ++++++++----- .../aws/enable-secrets-encryption-kms-key.md | 77 +++++++++++-------- .../public-cloud/aws/required-iam-policies.md | 2 +- .../integrations/kubernetes-generic.md | 14 +++- 4 files changed, 89 insertions(+), 56 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 19a3e60249..a8a2f51b53 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
@@ -20,11 +20,8 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - An EC2 key pair for the target region that provides a secure connection to your EC2 instances. To learn how to create a key pair, refer to the [Amazon EC2 key pairs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) resource. -- To access your EKS cluster using kubectl, you will need one of the following plugins. For guidance, review the [Access EKS Cluster](#access-eks-cluster) section. +- To access your EKS cluster using kubectl, you will need the [aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html) plugin installed. If you are using a custom OIDC provider, you will need the [kubelogin](https://github.com/int128/kubelogin) plugin installed. Refer to the [Access EKS Cluster](#access-eks-cluster) section for more information. - - [aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html) to use default AWS authentication. - - - [kubelogin](https://github.com/int128/kubelogin), also known as `kubectl oidc-login`, to configure custom OpenID Connect (OIDC) authentication in Palette. - To use secrets encryption, which is available only during EKS cluster creation, you must have created an AWS Key Management Service (KMS) key. If you do not have one, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md) for guidance. @@ -36,17 +33,18 @@ Palette supports creating and managing Amazon Web Services (AWS) Elastic Kuberne - Elastic Load Balancers - Network Address Translation (NAT) Gateway - -:::info +
-To enable automated subnet discovery to create external load balancers, you need to add tags to the Virtual Private Cloud (VPC) public subnets. For more information about tagging VPC networks, refer to the AWS [EKS VPC Subnet Discovery](https://repost.aws/knowledge-center/eks-vpc-subnet-discovery) reference guide. Use the AWS Tag Editor and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. To learn more about the Tag Editor, refer to the [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) reference guide. + :::info -- `kubernetes.io/role/elb = 1` -- `sigs.k8s.io/cluster-api-provider-aws/role = public` -- `kubernetes.io/cluster/[yourClusterName] = shared` -- `sigs.k8s.io/cluster-api-provider-aws/cluster/[yourClusterName] = owned` + To enable automated subnet discovery to create external load balancers, you need to add tags to the Virtual Private Cloud (VPC) public subnets. For more information about tagging VPC networks, refer to the AWS [EKS VPC Subnet Discovery](https://repost.aws/knowledge-center/eks-vpc-subnet-discovery) reference guide. Use the AWS Tag Editor and specify the region and resource type. Then, add the following tags. Replace the value `yourClusterName` with your cluster's name. To learn more about the Tag Editor, refer to the [AWS Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) reference guide. -::: + - `kubernetes.io/role/elb = 1` + - `sigs.k8s.io/cluster-api-provider-aws/role = public` + - `kubernetes.io/cluster/[yourClusterName] = shared` + - `sigs.k8s.io/cluster-api-provider-aws/cluster/[yourClusterName] = owned` + + ::: Use the following steps to deploy an EKS cluster on AWS. 
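Review bot: the tag list in the moved :::info block shows `kubernetes.io/cluster/[yourClusterName] = shared` and `sigs.k8s.io/cluster-api-provider-aws/cluster/[yourClusterName] = owned`, while the sentence above says to replace the value `yourClusterName`; with the brackets it is unclear whether the tag key should contain `[my-cluster]` or `my-cluster`, and a copied bracket makes subnet discovery silently fail to match. Use the same unbracketed placeholder in both the sentence and the list, or state that the brackets are not part of the key. Indenting the admonition so it nests under the resource list is fine, but verify the rendered page, since the note now sits inside the "Palette creates ... resources" bullet rather than standing on its own.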
@@ -177,26 +175,30 @@ You can validate your cluster is up and in **Running** state. ## Access EKS Cluster -You can access your Kubernetes cluster by using the kubectl CLI, which requires authentication. Depending on how you will authenticate to your EKS cluster, you need to install the appropriate plugin. The table lists the plugin required for two EKS deployment scenarios. +You can access your Kubernetes cluster by using the kubectl CLI, which requires authentication. Depending on how you will authenticate to your EKS cluster, you need to install the appropriate plugin. The table below lists the plugin required for two EKS deployment scenarios. | **Scenario** | **Plugin** | | ----------------------------------------- | --------------------------------------- | -| Deploy EKS cluster with custom OIDC | kubelogin | -| Deploy EKS cluster access with default AWS authentication | aws-iam-authenticator | +| Deploy EKS cluster with custom OIDC | [kubelogin](https://github.com/int128/kubelogin) | +| Deploy EKS cluster access with default AWS authentication | [aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html) | + + + Select the appropriate tab for your deployment. -For guidance in setting up kubectl, review the [Kubectl](../../cluster-management/palette-webctl.md) guide. Select the appropriate tab for your deployment. -To use AWS Identity and Access Management (IAM), you need to do the following: +To access an EKS cluster with default AWS authentication, you need to do the following: - Install [aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html). -- Link your AWS credentials locally to the EKS cluster. Refer to the [Configuration and Credential File Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) reference guide. +- Configure your AWS credentials. 
The aws-iam-authenticator plugin requires AWS credentials to access the cluster. Refer to the [Configuration and Credential File Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) reference guide. + + +- Download the kubeconfig file from the cluster details page. Refer to the [Kubectl](../../cluster-management/palette-webctl.md) guide for more information. -- If you do not already have the AWS CLI installed and configured, you will need do this. Refer to [Install or Update the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [Configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) reference guides. @@ -210,11 +212,21 @@ To use custom OIDC, you need to do the following: - Map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to [Create Role Bindings](../../cluster-management/cluster-rbac.md/#create-role-bindings). Refer to [Use RBAC with OIDC](../../../integrations/kubernetes.md/#use-rbac-with-oidc) for an example. + +- Download the kubeconfig file from the cluster details page. Refer to the [Kubectl](../../cluster-management/palette-webctl.md) guide for more information. + -
+ +Once you have the required plugin installed and kubeconfig file downloaded, you can use kubectl to access your cluster. + +:::tip + +For guidance in setting up kubectl, review the [Kubectl](../../cluster-management/palette-webctl.md) guide. + +::: ## Resources diff --git a/docs/docs-content/clusters/public-cloud/aws/enable-secrets-encryption-kms-key.md b/docs/docs-content/clusters/public-cloud/aws/enable-secrets-encryption-kms-key.md index 0751b1f8d9..d13f374ca6 100644 --- a/docs/docs-content/clusters/public-cloud/aws/enable-secrets-encryption-kms-key.md +++ b/docs/docs-content/clusters/public-cloud/aws/enable-secrets-encryption-kms-key.md @@ -2,7 +2,6 @@ sidebar_label: "Enable Secrets Encryption for EKS Cluster" title: "Enable Secrets Encryption for EKS Cluster" description: "Learn how to create an AWS KMS key to encrypt Kubernetes secrets for EKS Clusters." -hide_table_of_contents: false tags: ["public cloud", "aws", "eks", "kms"] sidebar_position: 40 --- @@ -24,13 +23,40 @@ Palette provides an **Enable encryption** option, which is only available during - An AWS KMS key created in the AWS region you intend to deploy cluster to with Palette. -- Ensure the KMS key policy allows the IAM user or role Palette usage of the KMS key. The KMS key policy must allow the IAM role or IAM user the following actions: +- Ensure the IAM user or role Palette uses has at a minimum, permissions to list, describe, all KMS keys in the account. The describe and create grant permissions are only required for the KMS key that Palette uses to encrypt Kubernetes secrets. - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey" + - `kms:ListKeys` + - `kms:ListAliases` + - `kms:DescribeKey` + - `kms:CreateGrant` + +
+ + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Statement1", + "Effect": "Allow", + "Action": [ + "kms:ListKeys", + "kms:ListAliases" + ], + "Resource": ["*"] + }, + { + "Sid": "Statement2", + "Effect": "Allow", + "Action": [ + "kms:DescribeKey", + "kms:CreateGrant" + ], + "Resource": ["*"] + } + ] + } + ``` Check out the [Create a KMS Key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html) guide for more information on key policies. 
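Review bot: the example policy grants `kms:DescribeKey` and `kms:CreateGrant` on `"Resource": ["*"]`, but the sentence above says these two permissions are only required for the one KMS key Palette uses to encrypt Kubernetes secrets; scope Statement2's `Resource` to that key's ARN (`kms:ListKeys` and `kms:ListAliases` legitimately need `*`), because `kms:CreateGrant` on every key in the account lets the Palette principal delegate use of any key. The lead sentence "permissions to list, describe, all KMS keys in the account" should read "permissions to list and describe all KMS keys in the account". This bullet now describes the IAM policy on the Palette principal where it previously described the key policy; since an identity-based policy only works if the key policy allows it (as the :::info at the end of this file says), keep one sentence saying the key policy must still permit the Palette user or role.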
@@ -43,28 +69,17 @@ Use the following steps to configure a KMS key. 2. Select the region where your KMS key policy is created. -:::caution + :::caution -Ensure you create the KMS key in the same region that you intend to deploy EKS clusters through Palette. Alternatively, you can create a multi-region KMS key that can be used across different regions. To learn how to create a multi-region key, review Amazon’s [Multi-Region Keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) reference guide. + Ensure you create the KMS key in the same region that you intend to deploy EKS clusters through Palette. Alternatively, you can create a multi-region KMS key that can be used across different regions. To learn how to create a multi-region key, review Amazon’s [Multi-Region Keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) reference guide. + ::: -::: +3. Create a KMS key of type **Symmetric** and with usage **Encrypt and decrypt**. Check out the AWS guide [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) for guidance. -3. Create a key of type **Symmetric** and with usage **Encrypt and decrypt**. - -4. Ensure the IAM user or role that Palette is using has a policy attached with the following required IAM permissions. Replace the account ID and `REPLACE_ME` with the name of IAM User. If you are using an IAM role, change the ARN to end with `:role/REPLACE_ME`. - - - ```json hideClipboard - kms:CreateGrant, - kms:ListAliases, - kms:ListKeys, - kms:DescribeKeys - ``` - - Example: +4. Ensure the IAM user or role that Palette is using has a policy attached with the following required IAM permissions. Replace the account ID and the placeholder `REPLACE_ME` with the name of IAM User. If you are using an IAM role, change the ARN to end with `:role/REPLACE_ME`. 
- ```json + ```json { "Sid": "Allow Palette use of the KMS key", "Effect": "Allow", @@ -80,16 +95,16 @@ Ensure you create the KMS key in the same region that you intend to deploy EKS c ], "Resource": "*" }, - ``` + ``` -:::info - -If you are using IAM to delegate access to the KMS key, you can continue to do so without modifying the KMS key policy. Ensure the Palette IAM User or role have the proper custom IAM policy attached that grants it access to the KMS key. Refer to the [Using IAM policies with AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html) to learn more about managing KMS keys with IAM policies. - -::: + :::info + + If you are using IAM to delegate access to the KMS key, you can continue to do so without modifying the KMS key policy. Ensure the Palette IAM User or role have the proper custom IAM policy attached that grants it access to the KMS key. Refer to the [Using IAM policies with AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html) to learn more about managing KMS keys with IAM policies. + + ::: If you need more guidance creating a KMS key, review the AWS [Creating KMS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) reference guide. -### Validate +## Validate You can verify the KMS key is integrated with Palette. When you deploy an EKS cluster on AWS and toggle the **Enable encryption** option at the Cluster Config step in the wizard, the KMS key ARN displays in the **drop-down Menu**. diff --git a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md index 0857294a90..293c8edf1a 100644 --- a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md +++ b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md 
@@ -4,7 +4,7 @@ title: "Required IAM Policies" description: "A list of required IAM policies that Palette requires." hide_table_of_contents: false tags: ["public cloud", "aws", "iam"] -sidebar_position: 40 +sidebar_position: 50 --- Palette requires proper Amazon Web Services (AWS) permissions to operate and perform actions on your behalf. diff --git a/docs/docs-content/integrations/kubernetes-generic.md b/docs/docs-content/integrations/kubernetes-generic.md index ffe7f339d1..66f7d45133 100644 --- a/docs/docs-content/integrations/kubernetes-generic.md +++ b/docs/docs-content/integrations/kubernetes-generic.md @@ -194,7 +194,6 @@ Follow these steps to configure a third-party OIDC IDP. You can apply these step oidc-extra-scope: profile,email,openid ``` - @@ -229,7 +228,10 @@ clientConfig: 3. Provide third-party OIDC IDP details. -Alternatively, to use AWS Identity and Access Management (IAM) for authentication, refer to [Access EKS Cluster](../clusters/public-cloud/aws/eks.md/#access-eks-cluster). + + +4. Refer to the [Access EKS Cluster](../clusters/public-cloud/aws/eks.md#access-eks-cluster) for guidance on how to access an EKS cluster. +
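Review bot: the new step 4, "Refer to the [Access EKS Cluster](...) for guidance on how to access an EKS cluster", is missing the noun after the link; write "Refer to the [Access EKS Cluster](...) section". The sentence it replaces was the only place these OIDC steps said that IAM authentication is an alternative; that is acceptable if the Access EKS Cluster section is meant to cover both, otherwise keep a short clause. The identical step is added at @@ -439 and @@ -652 below with the same missing noun.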
@@ -406,6 +408,7 @@ Follow these steps to configure a third-party OIDC IDP. You can apply these step ``` + @@ -439,7 +442,9 @@ clientConfig: 3. Provide third-party OIDC IDP details. -Alternatively, to use AWS Identity and Access Management (IAM) for authentication, refer to [Access EKS Cluster](../clusters/public-cloud/aws/eks.md/#access-eks-cluster). + +4. Refer to the [Access EKS Cluster](../clusters/public-cloud/aws/eks.md#access-eks-cluster) for guidance on how to access an EKS cluster. +
@@ -652,7 +657,8 @@ Follow these steps to configure OIDC for managed EKS clusters. 3. Provide third-party OIDC IDP details. -Alternatively, to use AWS Identity and Access Management (IAM) for authentication, refer to [Access EKS Cluster](../clusters/public-cloud/aws/eks.md/#access-eks-cluster). + +4. Refer to the [Access EKS Cluster](../clusters/public-cloud/aws/eks.md#access-eks-cluster) for guidance on how to access an EKS cluster.
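Review bot: in the eks.md hunk @@ -20,11 +20,8 @@, the rewritten prerequisite says aws-iam-authenticator is needed to access the cluster with kubectl and that kubelogin is needed in addition for a custom OIDC provider, but the Access EKS Cluster table added in the same patch (@@ -177,26 +175,30 @@) lists exactly one plugin per scenario: kubelogin for custom OIDC, aws-iam-authenticator for default AWS authentication. Either the prerequisite should say "one of the following, depending on how you authenticate", or the table should say both plugins are required for the OIDC case; as written the two contradict each other.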
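Review bot: in the eks.md hunk @@ -177,26 +175,30 @@, the table row "Deploy EKS cluster access with default AWS authentication" keeps the stray "access" from the previous patch; use "Deploy EKS cluster with default AWS authentication". Removing the AWS CLI bullet also removes the only pointer to installing the AWS CLI, while the new "Configure your AWS credentials" bullet sends readers to the CLI's Configuration and Credential File Settings guide; add "using the AWS CLI" or a one-clause install link so the dependency is explicit.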
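Review bot: in enable-secrets-encryption-kms-key.md hunk @@ -43,28 +69,17 @@, step 4 tells the reader to replace the account ID and use an ARN ending with `:role/REPLACE_ME`, which is how a key-policy `Principal` is written, yet the same step calls this "a policy attached" to the IAM user or role and the example statement ends with `"Resource": "*"`; an identity-based IAM policy has no Principal and its Resource should be the KMS key ARN. Decide which policy this step documents and make the instruction and the example match. In the @@ -80,16 +95,16 @@ hunk, "Ensure the Palette IAM User or role have" should be "has".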
From 995655b40580091bc949842e84a39740127cee26 Mon Sep 17 00:00:00 2001 From: Rita Watson Date: Wed, 8 Nov 2023 10:13:09 -0800 Subject: [PATCH 28/28] Fix typo --- docs/docs-content/clusters/public-cloud/aws/eks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index a8a2f51b53..55674de495 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -89,7 +89,7 @@ Use the following steps to deploy an EKS cluster on AWS. |**Cluster Endpoint Access**| This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Public Access CIDRs** |This setting controls which IP address CIDR ranges can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| |**Private Access CIDRs** |This setting controls which private IP address CIDR ranges can access the cluster. Private CIDRs provide a way to specify private, self-hosted, and air-gapped networks or Private Cloud Gateway (PCG) that may be located in other VPCs connected to the VPC hosting the cluster endpoint.

To restrict network access, enter the IP address CIDR range that will provide access to the cluster. Although `0.0.0.0/0` is pre-populated in this field, only IPs that can reach the private endpoint are those within the VPC or any other connected VPCs. For example, while using `0.0.0.0/0` would allow traffic throughout the VPC and all peered VPCs, specifying the VPC CIDR `10.0.0.0/16` would limit traffic to an individual VPC. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.| - |**Enable Encryption**| Use this option for secrets encryption. You must have an existing AWS Key Managment Service (KMS) key you can use. Toggle the **Enable encryption** option and use the **drop-down Menu** in the **ARN** field to select the KMS key ARN.

If you do not have a KMS key and want to create one to use this option, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md). Once your KMS key is created, return to this Cluster Config step to enable secrets encryption and specify the KMS key ARN. | + |**Enable Encryption**| Use this option for secrets encryption. You must have an existing AWS Key Management Service (KMS) key you can use. Toggle the **Enable encryption** option and use the **drop-down Menu** in the **ARN** field to select the KMS key ARN.

If you do not have a KMS key and want to create one to use this option, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md). Once your KMS key is created, return to this Cluster Config step to enable secrets encryption and specify the KMS key ARN. | :::caution
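Review bot: the "Managment" to "Management" fix is correct and is the only change in the hunk. Since this row is being touched, the neighbouring **Public Access CIDRs** cell in the context still presents `0.0.0.0/0` as the way "to fully allow unrestricted network access" without saying that this exposes the public Kubernetes API endpoint to every internet source; a short clause recommending that the field be restricted to known CIDR ranges would match the care already taken in the **Private Access CIDRs** cell.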