Adding roles and mapping IAM users to AWS EKS cluster
Amazon Elastic Kubernetes Service (Amazon EKS) gives you the flexibility to start, run, and scale Kubernetes applications in the AWS cloud or on-premises. Amazon EKS helps you provide highly-available and secure clusters and automates key tasks such as patching, node provisioning, and updates.
EKS runs upstream Kubernetes and is certified Kubernetes conformant for a predictable experience. You can easily migrate any standard Kubernetes application to EKS without needing to refactor your code.
Here we will see how to map IAM users into an EKS cluster and assign them Kubernetes roles.
Add an IAM user with read only access to EKS cluster
1. Install the kubectl tool on your local machine, following https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html, and create the file rbac.yaml with the following content:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read
rules:
- apiGroups: ["*"]
  resources: ["deployments", "configmaps", "pods", "secrets", "services"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read
subjects:
- kind: Group
  name: read
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: read
  apiGroup: rbac.authorization.k8s.io
2. Apply the rbac.yaml file. This creates the ClusterRole with the permissions listed under resources and verbs, and the ClusterRoleBinding that grants it to members of the read group:
$ kubectl apply -f rbac.yaml
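Before applying a ClusterRole like the one above, it is worth checking what it actually grants: apiGroups ["*"] matches every API group, and read access to secrets exposes their contents cluster-wide once bound with a ClusterRoleBinding. The following is an added example, not part of the original post: a stdlib-only Python check over the tutorial's ClusterRole (written here as the structure yaml.safe_load would return from rbac.yaml) that flags grants broader than a read-only developer usually needs.

```python
"""Lint Kubernetes RBAC rules for grants that are broader than intended.

Added example (not from the original post). The input is the ClusterRole
"read" from the rbac.yaml above, written as the Python structure that
yaml.safe_load() would return, so the check runs with no dependencies.
"""

# Resources whose read access is effectively credential access.
SENSITIVE_RESOURCES = {"secrets"}
READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# Constructed copy of the ClusterRole "read" from the tutorial.
READ_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "read"},
    "rules": [
        {
            "apiGroups": ["*"],
            "resources": ["deployments", "configmaps", "pods", "secrets", "services"],
            "verbs": ["get", "list", "watch"],
        }
    ],
}


def lint_role(role):
    """Return a list of (severity, message) findings for a Role or ClusterRole."""
    findings = []
    kind = role.get("kind", "")
    name = role.get("metadata", {}).get("name", "<unnamed>")
    if kind == "ClusterRole":
        findings.append(("info", f"{name}: a ClusterRole applies in every namespace "
                                 "once bound with a ClusterRoleBinding"))
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        where = f"{name} rule {i}"
        if "*" in groups:
            findings.append(("warn", f"{where}: apiGroups ['*'] matches every API group, "
                                     "including CRDs; list the groups you need "
                                     "(\"\" for core resources, \"apps\" for deployments)"))
        if "*" in resources:
            findings.append(("high", f"{where}: resources ['*'] grants every resource type"))
        if verbs & WRITE_VERBS:
            findings.append(("high", f"{where}: write verbs {sorted(verbs & WRITE_VERBS)} "
                                     f"on {sorted(resources)}"))
        sensitive = resources & SENSITIVE_RESOURCES
        if sensitive and verbs & READ_VERBS:
            findings.append(("high", f"{where}: read access to {sorted(sensitive)} exposes "
                                     "their contents; drop them or bind a namespaced Role"))
    return findings


def is_read_only(role):
    """True when every rule uses only get/list/watch."""
    return all(set(r.get("verbs", [])) <= READ_VERBS for r in role.get("rules", []))


if __name__ == "__main__":
    for severity, message in lint_role(READ_CLUSTER_ROLE):
        print(f"[{severity}] {message}")
    print("read-only:", is_read_only(READ_CLUSTER_ROLE))
```

Run against the tutorial's role, the check confirms the verbs are read-only but reports the wildcard apiGroups and the cluster-wide read on secrets; if developers only need secrets in their own namespace, a Role plus RoleBinding in that namespace keeps the same verbs with a much smaller blast radius.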
3. Create the AmazonEKSDeveloperPolicy IAM policy, which lets users view nodes and workloads for all clusters in the AWS Management Console:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:AccessKubernetesApi",
        "ssm:GetParameter",
        "eks:ListUpdates",
        "eks:ListFargateProfiles"
      ],
      "Resource": "*"
    }
  ]
}
4. Create the eks-developer IAM group and attach the AmazonEKSDeveloperPolicy policy to it.
5. Create the developer IAM user.
6. Configure the AWS CLI on your machine with the developer user's credentials, under a named profile:
$ aws configure --profile developer
7. Add the developer user's ARN to the aws-auth ConfigMap in the kube-system namespace, mapping it to the read Kubernetes group created in step 1:
$ kubectl edit -n kube-system configmap/aws-auth
...
  mapUsers: |
    - userarn: arn:aws:iam::1234567890:user/developer
      username: developer
      groups:
        - read
...
Note: You can also assign admin privileges (the system:masters group is bound to cluster-admin) by adding the user to that group instead:
      groups:
        - system:masters
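Editing aws-auth by hand is where mistakes tend to happen: a mistyped userarn is not rejected on apply, the user simply maps to nothing and gets "Unauthorized" from kubectl, and an entry that lands in system:masters is a full cluster-admin. The following is an added example, not part of the original post: a stdlib-only Python helper that validates the ARN (AWS account ids are 12 digits; the account id in the tutorial's ARN is a placeholder), adds the entry without duplicating an existing one, renders the mapUsers block in the layout aws-auth expects, and lists which mapped users end up with cluster-admin. The account id 111122223333, the ops-admin entry and the user names are constructed sample data.

```python
"""Build and check aws-auth mapUsers entries before editing the ConfigMap.

Added example (not from the original post). The account id 111122223333,
the existing ops-admin entry and the user names are constructed sample data.
"""
import re

# IAM user/role ARN: partition, 12-digit account id, user or role with path.
IAM_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):(user|role)/([\w+=,.@/-]+)$"
)
# Kubernetes groups that are bound to cluster-admin out of the box.
ADMIN_GROUPS = {"system:masters"}


def validate_user_arn(arn):
    """Return (account_id, user_name) for an IAM user ARN, or raise ValueError."""
    m = IAM_ARN.match(arn)
    if not m:
        raise ValueError(f"not a valid IAM user/role ARN: {arn!r}")
    account, kind, name = m.group(2), m.group(3), m.group(4)
    if kind != "user":
        raise ValueError(f"mapUsers takes IAM users; {kind} ARNs belong in mapRoles: {arn!r}")
    # Strip any IAM path (user/team/alice -> alice).
    return account, name.rsplit("/", 1)[-1]


def add_map_user(existing, arn, username, groups):
    """Return a new mapUsers list with the entry appended; existing is not modified."""
    validate_user_arn(arn)
    if any(e["userarn"] == arn for e in existing):
        raise ValueError(f"{arn} is already mapped")
    return existing + [{"userarn": arn, "username": username, "groups": list(groups)}]


def admin_entries(entries):
    """Usernames of mapped users that land in a cluster-admin group."""
    return [e["username"] for e in entries if ADMIN_GROUPS & set(e["groups"])]


def render_map_users(entries):
    """Serialise entries in the YAML layout aws-auth expects (no PyYAML needed)."""
    lines = []
    for e in entries:
        lines.append(f"- userarn: {e['userarn']}")
        lines.append(f"  username: {e['username']}")
        lines.append("  groups:")
        lines.extend(f"    - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"


# Constructed mapping as it might already exist in the ConfigMap.
EXISTING = [
    {"userarn": "arn:aws:iam::111122223333:user/ops-admin",
     "username": "ops-admin", "groups": ["system:masters"]},
]

if __name__ == "__main__":
    updated = add_map_user(EXISTING, "arn:aws:iam::111122223333:user/developer",
                           "developer", ["read"])
    print(render_map_users(updated))
    print("cluster-admin users:", admin_entries(updated))
```

The rendered text is what goes under the mapUsers key; reviewing the admin_entries output before saving the ConfigMap is a cheap way to catch a developer account that was accidentally put in system:masters.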
8. Configure the kubectl context for the developer user:
$ aws eks --region us-east-1 update-kubeconfig --name eks-clustername --profile developer
9. Check the permissions:
$ kubectl auth can-i get pods
$ kubectl auth can-i create pods
$ kubectl run nginx --image=nginx
The first command should answer yes; the second should answer no and the third should be forbidden, since the read role grants only get, list and watch.
Now the developer user can access the EKS cluster with the specified permissions.