Are you here because your AWS account has an EKS cluster and now you want to access the cluster to launch some pods or run any other resources? Or do you want to allow any user access to the EKS cluster? Let’s understand how we can do it.
If the user has the right EKS-related IAM permissions assigned, they can list the EKS clusters, list workloads and nodes, modify networking, or even delete the clusters.
# A few EKS-related IAM permissions
"eks:DescribeCluster",
"eks:ListClusters",
"eks:DescribeUpdate",
"eks:DescribeNodegroup",
"eks:DescribeClusterConfig",
"eks:ListUpdates",
"eks:ListNodegroups",
However, those IAM permissions alone do not let the user create an object, such as a pod, inside the cluster; put simply, we still cannot access the cluster using kubectl. We will see how to do that, but first let's recap some basics.
EKS Authentication & Authorisation
Authentication: EKS cluster authentication happens through AWS IAM. That means that to authenticate to an EKS cluster a user must be an AWS IAM principal (unless anonymous access is allowed in the Kubernetes configuration).
Authorization: EKS authorization happens through Kubernetes native RBAC.
When we create an Amazon EKS cluster, the IAM entity (user or role) that created the cluster is automatically granted administrator (system:masters) permissions in the cluster's role-based access control (RBAC).
Allowing an IAM user in the existing cluster’s RBAC
Now let us assume that we have an IAM user iam-pod-admin that we want to allow access to the cluster. We will achieve this in the three steps detailed below.
Step 1 — Create the IAM Identity Mapping
By default, EKS does not recognize an IAM entity (user or role). We need to create a mapping between the IAM user and an equivalent username that Kubernetes recognizes.
We do this by modifying the aws-auth ConfigMap within the EKS cluster to create the identity mapping.
When no IAM user or role other than the one who created the cluster is permitted, below is what the “ConfigMap” would look like.
Now, let's create a mapping of IAM users to usernames in configmap/aws-auth. Kubernetes uses the mapped usernames to authenticate and authorize. AWS recommends using eksctl to perform the modification.
eksctl create iamidentitymapping \
  --cluster mycluster \
  --region=us-west-2 \
  --arn arn:aws:iam::012345678912:user/iam-pod-admin \
  --username k8s-pod-admin
A successful modification would give the below result:
Here we have mapped the IAM user iam-pod-admin to k8s-pod-admin. While configuring Kubernetes resources, we would use the latter.
We can verify the configuration in two ways:
a. with eksctl
b. with kubectl
Both commands tell us that we have successfully mapped the IAM user iam-pod-admin to the K8s user k8s-pod-admin.
Note: To allow an IAM role, we can replace the user ARN with the role ARN, and the rest of the process would remain the same.
Step 2 — Create Cluster Role
[This step is optional if we already have a cluster role.]
Now we will create the Kubernetes cluster role in which we specify the actions a user can perform.
Let us create a YAML file for the Kubernetes role, pod-manage-role.yaml, and apply it to create the cluster role called "pod-manage-role".
#Kubernetes Cluster Role Object
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-manage-role
rules:
  - apiGroups:
      - ""   # pods live in the core API group, not in rbac.authorization.k8s.io
    resources:
      - "pods"
    verbs:   # "describe" is not an RBAC verb; kubectl describe needs "get"
      - "create"
      - "delete"
      - "get"
      - "list"
      - "patch"
      - "update"
kubectl apply -f pod-manage-role.yaml
Step 3 — Binding Role & User together
Now we have an IAM-mapped user called k8s-pod-admin and a Kubernetes cluster role called pod-manage-role; we need to bind them together through another Kubernetes object, a RoleBinding.
A RoleBinding binds a role to subjects within one namespace; a ClusterRoleBinding does the same cluster-wide. Subjects can be groups, users, or service accounts.
Let us create a ClusterRoleBinding YAML file — pod-manage-binding.yaml.
#Kubernetes Role Binding Object
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-manage-binding
subjects:
  - kind: User
    name: k8s-pod-admin   # the username mapped in aws-auth, not the IAM user name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole   # a ClusterRoleBinding must reference a ClusterRole
  name: pod-manage-role
  apiGroup: rbac.authorization.k8s.io
In the ClusterRoleBinding YAML file, we have included the subjects and roleRef components to map the subject (user) to the role. Now let us create the cluster role binding by applying the YAML file.
kubectl apply -f pod-manage-binding.yaml
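As an added example (not code from the original post), the Python script below models the three steps as data and checks them for the mismatches that most often leave the mapped user with no access: a ClusterRole whose apiGroup or verbs never match pods, a binding whose subject name differs from the username in aws-auth, a ClusterRoleBinding that references a Role, and a mapping that drops a user straight into system:masters. The mapUsers entry, the core-resource list and the helper names are constructed for the example, and the account id is a placeholder.

```python
"""Added example (not code from the original post): audit the objects from
Steps 1-3 for the mismatches that silently leave a mapped IAM user with no
access. Inputs are constructed dicts standing in for the parsed YAML of the
aws-auth ConfigMap and the RBAC objects; fetching the live objects with
kubectl is left out so the script runs offline."""

# Verbs the RBAC authorizer matches on. "describe" is a kubectl sub-command,
# not a verb: a rule listing it is accepted but never grants anything.
VALID_VERBS = {"get", "list", "watch", "create", "update", "patch",
               "delete", "deletecollection", "*"}

# Partial, constructed list of core-group resources (apiGroups: [""]).
CORE_RESOURCES = {"pods", "services", "configmaps", "secrets", "nodes",
                  "namespaces", "serviceaccounts", "events"}

# Constructed: the mapUsers entry that `eksctl create iamidentitymapping`
# writes into configmap/aws-auth; the account id is a placeholder.
AWS_AUTH_MAP_USERS = [
    {"userarn": "arn:aws:iam::012345678912:user/iam-pod-admin",
     "username": "k8s-pod-admin", "groups": []},
]


def make_cluster_role(api_group, verbs):
    """Build a ClusterRole dict for pods with the given apiGroup and verbs."""
    return {"kind": "ClusterRole", "metadata": {"name": "pod-manage-role"},
            "rules": [{"apiGroups": [api_group], "resources": ["pods"],
                       "verbs": list(verbs)}]}


def make_binding(subject_name, role_ref_kind):
    """Build a ClusterRoleBinding dict binding one User to pod-manage-role."""
    return {"kind": "ClusterRoleBinding",
            "metadata": {"name": "pod-manage-binding"},
            "subjects": [{"kind": "User", "name": subject_name}],
            "roleRef": {"kind": role_ref_kind, "name": "pod-manage-role",
                        "apiGroup": "rbac.authorization.k8s.io"}}


def mapped_usernames(map_users):
    """Kubernetes usernames that aws-auth hands to the RBAC authorizer."""
    return {entry["username"] for entry in map_users}


def check_identity_mapping(map_users):
    """Flag mappings that grant cluster admin outright through the groups field."""
    return [f"{e['userarn']} is mapped into system:masters (full cluster admin)"
            for e in map_users if "system:masters" in e.get("groups", [])]


def check_cluster_role(role):
    """Catch apiGroup and verb mistakes that make a rule match nothing."""
    problems = []
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        for resource in rule.get("resources", []):
            if resource in CORE_RESOURCES and not {"", "*"} & set(groups):
                problems.append(f"{resource} is a core-group resource; "
                                f"apiGroups {groups} will not match it")
        for verb in rule.get("verbs", []):
            if verb not in VALID_VERBS:
                problems.append(f"{verb!r} is not an RBAC verb")
    return problems


def check_binding(binding, map_users, cluster_roles):
    """Verify the binding really connects the mapped username to the role."""
    problems = []
    ref = binding["roleRef"]
    if binding["kind"] == "ClusterRoleBinding" and ref["kind"] != "ClusterRole":
        problems.append("a ClusterRoleBinding must reference a ClusterRole")
    if ref["name"] not in {r["metadata"]["name"] for r in cluster_roles}:
        problems.append(f"roleRef {ref['name']} does not exist")
    known = mapped_usernames(map_users)
    for subject in binding.get("subjects", []):
        if subject["kind"] == "User" and subject["name"] not in known:
            problems.append(f"subject {subject['name']} is not a username in "
                            "aws-auth, so the mapped IAM user never matches it")
    return problems


def audit(map_users, role, binding):
    """Run all three checks and return the combined list of findings."""
    return (check_identity_mapping(map_users) + check_cluster_role(role)
            + check_binding(binding, map_users, [role]))


# The post's original objects: wrong apiGroup, a non-verb, a subject name
# that differs from the mapped username, and a Role referenced from a
# ClusterRoleBinding.
BROKEN_ROLE = make_cluster_role("rbac.authorization.k8s.io/v1",
                                ["create", "delete", "describe", "get"])
BROKEN_BINDING = make_binding("iam-admin-k8s", "Role")

# The corrected objects.
FIXED_ROLE = make_cluster_role("", ["create", "delete", "get", "list",
                                    "patch", "update"])
FIXED_BINDING = make_binding("k8s-pod-admin", "ClusterRole")

if __name__ == "__main__":
    for label, role, binding in (("broken", BROKEN_ROLE, BROKEN_BINDING),
                                 ("fixed", FIXED_ROLE, FIXED_BINDING)):
        findings = audit(AWS_AUTH_MAP_USERS, role, binding)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The subject-name check is the one that bites most often: the IAM user name and the aws-auth username are different strings, and RBAC only ever sees the latter, so a binding written against the IAM name fails closed with "forbidden" even though every object applied without error.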
Now we have completed the EKS and RBAC configuration. Let us see how we can access the EKS (K8s) clusters using the IAM User.
Testing
1. Create the kubeconfig file:
aws eks update-kubeconfig --region us-west-2 --name my-cluster
2. Access K8s:
user@mycomp % kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 172.20.0.1 <none> 443/TCP 159d