How to manage only specific namespaces with IAM users in Amazon EKS

Namespaces let you create virtual clusters backed by the same physical cluster. A popular feature of namespaces is resource quotas, which limit the amount of resources assigned to each namespace.

You may want to allow specific IAM users to manage only a single Kubernetes namespace, preventing them from interacting with other namespaces.

Amazon EKS uses aws-iam-authenticator for authentication and Kubernetes Role-Based Access Control (RBAC) for authorization. In this example we set up an IAM role for authentication and assign an RBAC role to scope the API calls that are allowed.


Summary:

  • Create namespace: env-a.
  • Create IAM role: eks-role-env-a.
  • Add a policy to existing users so they can assume the role.
  • Create Kubernetes user: admin-env-a.
  • Configure Kubeconfig with the new role.

1. Create namespace:

2. Create IAM role:

In the IAM console, create a role named eks-role-env-a. There is no need to attach IAM permissions; you only need to add a trust relationship:


Add a trust relationship that defines who is allowed to assume the IAM role.

Note: this trust policy allows all users in the account ID to assume the role. You can customize the policy; read more in the IAM documentation.

3. Allow users/roles to assume the IAM role to interact with the namespace.

Check what IAM user/role the AWS CLI is using in the host from where you want to manage your cluster with “kubectl”.

If you do not know or remember your user/role, check the file $HOME/.aws/credentials to find the access key ID you are using, then use the search box in the IAM console to find the user.

If you manage your cluster from an instance that uses an EC2 instance role, get the IAM role name from the instance details in the EC2 console.

Go to the permissions tab and add this policy:

4. Edit the aws-auth configmap to map users to the cluster.

Add the lines marked in bold.

5. Create an RBAC role and map it to the RBAC user.

Apply the role:

6. Create role binding.

Role Bindings bind roles to user or groups.

7. Edit Kubeconfig.

Add the lines in bold so that iam-authenticator assumes the role.

8. Test your set up.

A pod launched in the default namespace fails:

In the env-a namespace it works:
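
To make the authorization chain above concrete, here is an added Python model (not code from the original post) of how an assumed IAM role is mapped by the aws-auth configmap to the Kubernetes user admin-env-a and then scoped by the Role and RoleBinding to env-a only; the account ID, ARNs and rule set are constructed placeholders, and the check is a simplification of the real Kubernetes RBAC authorizer.

```python
from typing import Optional

# Constructed aws-auth mapRoles entry (step 4): IAM role ARN -> Kubernetes user.
MAP_ROLES = [
    {"rolearn": "arn:aws:iam::111122223333:role/eks-role-env-a",
     "username": "admin-env-a", "groups": []},
]

# Constructed RBAC Role (step 5): rules only apply inside namespace env-a.
ROLE = {
    "metadata": {"name": "admin-env-a", "namespace": "env-a"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["*"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
    ],
}

# Constructed RoleBinding (step 6): binds the user to the Role, in env-a.
ROLE_BINDING = {
    "metadata": {"namespace": "env-a"},
    "subjects": [{"kind": "User", "name": "admin-env-a"}],
    "roleRef": {"kind": "Role", "name": "admin-env-a"},
}


def iam_to_k8s_user(role_arn: str) -> Optional[str]:
    """aws-iam-authenticator maps the assumed IAM role to a Kubernetes username."""
    for entry in MAP_ROLES:
        if entry["rolearn"] == role_arn:
            return entry["username"]
    return None  # unmapped identities are rejected as unauthenticated


def rule_allows(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    """A single Role rule matches when verb, API group and resource all match ('*' is wildcard)."""
    return (verb in rule["verbs"] or "*" in rule["verbs"]) and \
           (api_group in rule["apiGroups"] or "*" in rule["apiGroups"]) and \
           (resource in rule["resources"] or "*" in rule["resources"])


def can_i(role_arn: str, verb: str, resource: str, namespace: str, api_group: str = "") -> bool:
    """Namespaced RBAC check: the RoleBinding must live in the requested namespace,
    list the mapped user as a subject, and reference a Role in that same namespace."""
    user = iam_to_k8s_user(role_arn)
    if user is None or ROLE_BINDING["metadata"]["namespace"] != namespace:
        return False
    if not any(s["kind"] == "User" and s["name"] == user for s in ROLE_BINDING["subjects"]):
        return False
    if ROLE_BINDING["roleRef"]["name"] != ROLE["metadata"]["name"] \
            or ROLE["metadata"]["namespace"] != namespace:
        return False
    return any(rule_allows(r, verb, api_group, resource) for r in ROLE["rules"])
```

Running the same request against "default" and "env-a" reproduces the behaviour of step 8: the pod creation is denied in default and allowed in env-a.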

9. References / considerations.

  • This is a basic sample. It can definitely be improved with RBAC groups and more precise rules for the API calls your users actually require.
    Refer to the RBAC documentation to learn more.
  • In the above example, many users assume one role, and that role is mapped to a single Kubernetes user. Unfortunately IAM policies do not support groups as principals, which would make the mappings easier to manage.
  • This example is AWS cross-account compatible.
