Secure an Amazon EKS Cluster With IAM & RBAC

Secure your Kubernetes cluster on AWS by integrating IAM users and roles with RBAC to restrict actions that get carried out on resources

Lukonde Mwila
The Startup


You may have heard people refer to Kubernetes as API centric. That is, everything that happens in the cluster revolves around a core component in the control plane (or master node) known as the API Server. The API Server is the gatekeeper for your entire cluster: if you want to CRUD (Create, Read, Update, Delete) any Kubernetes object, the request has to go through this API. The API Server validates and configures API objects such as pods, services, replication controllers and deployments. All of the interaction between the different clients and the API Server is REST based, in order to fulfil the various CRUD operations. The clients interacting with the API Server range from engineers using the kubectl CLI to nodes running the kubelet (a node agent). Furthermore, the rest of the control plane, that is the scheduler and the controllers, is constantly talking to the API Server as well.

With such an important component that is central to the behaviour and state of the cluster, any incoming requests that are received need to be validated to prove the authenticity of the requester, as well as checked…
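As an added example of the restriction the subtitle describes (this is illustrative configuration, not from the original article or from AWS), the three objects below map an IAM role to a Kubernetes RBAC group and grant that group read-only access to pods in a single namespace. The account ID, role name, group name and namespace are placeholders; the `aws-auth` ConfigMap name and its `mapRoles` keys are the ones EKS actually uses.

```yaml
# Added example, not from the original article: an IAM role mapped through
# aws-auth to a Kubernetes group, and a Role/RoleBinding that limits that
# group to reading pods in one namespace. Account ID, role name, group name
# and namespace are placeholders for this illustration.
#
# 1. aws-auth ConfigMap (kube-system). EKS authenticates the caller's IAM
#    identity, then consults this map to decide which Kubernetes username
#    and groups that identity becomes. {{SessionName}} is filled in from the
#    assumed-role session, so audit logs show who used the role.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/eks-dev-readonly   # placeholder ARN
      username: dev-readonly:{{SessionName}}
      groups:
        - eks-dev-readers
---
# 2. Role: the authorization half. Only get/list/watch on pods and pod logs
#    in the "dev" namespace; nothing on other resources, nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# 3. RoleBinding: attach the Role to the group produced by the aws-auth mapping.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: dev
subjects:
  - kind: Group
    name: eks-dev-readers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Two practical points. First, `aws-auth` already exists on a working cluster and normally carries the mapping for the worker-node instance role; edit it (for example with `kubectl edit configmap aws-auth -n kube-system`) and append the new `mapRoles` entry rather than applying a fresh ConfigMap that would overwrite the node entry, or the nodes lose their ability to join. Second, you can check the effect before anyone assumes the role by impersonating the mapped identity from an admin context: `kubectl auth can-i list pods -n dev --as dev-readonly:test --as-group eks-dev-readers` should answer `yes`, while the same command with `delete deployments` or with `-n kube-system` should answer `no`.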
