When an AWS cloud engineer creates an Amazon EKS cluster, the IAM entity (user or role) that creates the cluster is automatically granted system:masters permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. To allow additional AWS users or roles to communicate with your cluster, you must edit the aws-auth ConfigMap within Kubernetes and create a Kubernetes RoleBinding or ClusterRoleBinding that refers to the user name or group name you specified in the aws-auth ConfigMap.
First, we will create an IAM user who will be added to the EKS cluster.
Step 1: Create an IAM user
- Go to the IAM console and click User->Add user.
- Enter a user name and select the programmatic access credential type.
- Click Next, add tags, review, and select Create user.
- Note the access key ID and secret access key.
Step 2: Create a Role and RoleBinding
- Next, we will authorize the user on the Kubernetes cluster using RBAC. Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization. RBAC authorization uses the rbac.authorization.k8s.io API group to drive authorization decisions, which lets you configure policies dynamically through the Kubernetes API.
- The RBAC has four kinds of objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding.
- A Role always sets permissions within a particular namespace, so when you create a Role you must specify the namespace it belongs in. ClusterRole, by contrast, is a non-namespaced resource. A role binding grants the permissions defined in a role to a user or set of users: a RoleBinding grants those permissions within a specific namespace, whereas a ClusterRoleBinding grants them cluster-wide.
- First, we will create a Role that grants access in the default namespace.
- Log in to your cluster as the admin user. Create a role.yaml file and copy the following code into it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: developer-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list", "create"]
- Apply this role using the following command.
kubectl apply -f role.yaml
- This role grants read access to pods, and read and create access to deployments, in the default namespace.
- Next, we will bind this role to the user using a RoleBinding. Create a rolebinding.yaml file and copy the following code into it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eks-developer-rb
  namespace: default   # must match the namespace of the Role it references
subjects:
- kind: User
  name: eks-developer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer-role
  apiGroup: rbac.authorization.k8s.io
- Apply this file using the following command.
kubectl apply -f rolebinding.yaml
Step 3: Add the user to the aws-auth ConfigMap
- The aws-auth ConfigMap maps IAM users and roles to Kubernetes user names and groups, which the RBAC bindings then refer to.
- Use the following command to edit the ConfigMap.
kubectl edit configmap aws-auth -n kube-system
- Add the IAM user's ARN under the mapUsers field. The username value must match the subject name used in the RoleBinding.
mapUsers: |
  - userarn: arn:aws:iam::1234567689:user/eks-developer
    username: eks-developer
- Save and close the file.
- Verify the configuration by running a kubectl command as the new Kubernetes user.
kubectl get pods --as eks-developer
- Note that --as impersonates the Kubernetes user with your admin credentials, so it exercises the RoleBinding but not the aws-auth mapping. To test the mapping itself, configure a kubeconfig under the new IAM user's access key (for example with aws eks update-kubeconfig using that user's AWS profile) and run kubectl get pods directly.
- If the user tries to access any Kubernetes object for which they do not have permission, they will get a Forbidden error.
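As an added example that is not part of the original post, the following Python script cross-checks the two halves of this procedure: the aws-auth mapUsers entries from Step 3 and the RBAC bindings from Step 2. It flags mapped IAM users that have no binding (they can authenticate but do nothing), binding subjects that no aws-auth entry maps to (stale or never-resolving access), entries placed in system:masters, and userarn values that are not IAM user ARNs. It assumes you have already fetched the ConfigMap with kubectl get configmap aws-auth -n kube-system -o json and parsed its mapUsers string with a YAML library, and fetched the bindings with kubectl get rolebindings,clusterrolebindings -A -o json; the MAP_USERS and BINDINGS structures below are constructed samples in that shape, and the account ID 111122223333 is a placeholder.

```python
"""Cross-check aws-auth mapUsers entries against Kubernetes RBAC bindings.

Added example, not from the original post. Inputs are constructed samples
shaped like the parsed output of `kubectl get ... -o json`.
"""
import re

# AWS account IDs are 12 digits, and mapUsers must hold IAM *user* ARNs
# (IAM role ARNs belong in mapRoles instead).
USER_ARN = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$")

# Constructed sample of a parsed mapUsers list. The first entry mirrors the
# post's eks-developer mapping; the rest exist to exercise the checks.
MAP_USERS = [
    {"userarn": "arn:aws:iam::111122223333:user/eks-developer",
     "username": "eks-developer"},
    {"userarn": "arn:aws:iam::111122223333:user/break-glass",
     "username": "break-glass",
     "groups": ["system:masters"]},
    {"userarn": "arn:aws:iam::111122223333:user/orphan",
     "username": "orphan"},
    {"userarn": "arn:aws:iam::111122223333:role/ci-runner",  # role ARN, wrong field
     "username": "ci-runner"},
]

# Constructed sample of binding objects (only the fields the audit uses).
BINDINGS = [
    {"kind": "RoleBinding",
     "metadata": {"name": "eks-developer-rb", "namespace": "default"},
     "subjects": [{"kind": "User", "name": "eks-developer"}],
     "roleRef": {"kind": "Role", "name": "developer-role"}},
    {"kind": "RoleBinding",
     "metadata": {"name": "stale-rb", "namespace": "default"},
     "subjects": [{"kind": "User", "name": "former-employee"}],
     "roleRef": {"kind": "Role", "name": "developer-role"}},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "ci-runner-crb"},
     "subjects": [{"kind": "User", "name": "ci-runner"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
]


def _describe(binding):
    """Short label such as 'default/eks-developer-rb -> Role/developer-role'."""
    meta = binding["metadata"]
    scope = meta.get("namespace", "<cluster>")
    ref = binding["roleRef"]
    return f"{scope}/{meta['name']} -> {ref['kind']}/{ref['name']}"


def bindings_for(bindings, username, groups):
    """Return labels of bindings whose subjects name this user or its groups."""
    hits = []
    for b in bindings:
        for s in b.get("subjects", []):
            if ((s["kind"] == "User" and s["name"] == username)
                    or (s["kind"] == "Group" and s["name"] in groups)):
                hits.append(_describe(b))
                break
    return hits


def audit(map_users, bindings):
    """Return the findings an EKS admin wants before trusting the mapping."""
    findings = {"admins": [], "bad_arns": [], "unbound_users": [],
                "unmapped_subjects": [], "bound": {}}
    mapped_users = {u["username"] for u in map_users}
    mapped_groups = {g for u in map_users for g in u.get("groups", [])}

    for u in map_users:
        name, groups = u["username"], u.get("groups", [])
        if not USER_ARN.match(u["userarn"]):
            findings["bad_arns"].append(u["userarn"])
        if "system:masters" in groups:
            # Cluster admin through group membership; no binding is involved.
            findings["admins"].append(u["userarn"])
            continue
        hits = bindings_for(bindings, name, groups)
        if hits:
            findings["bound"][name] = hits
        else:
            findings["unbound_users"].append(name)  # authenticates, can do nothing

    for b in bindings:
        for s in b.get("subjects", []):
            # Subjects that no aws-auth entry maps to are stale or never resolve.
            if s["kind"] == "User" and s["name"] not in mapped_users:
                findings["unmapped_subjects"].append(
                    f"User/{s['name']} in {_describe(b)}")
            elif (s["kind"] == "Group" and s["name"] not in mapped_groups
                  and not s["name"].startswith("system:")):
                findings["unmapped_subjects"].append(
                    f"Group/{s['name']} in {_describe(b)}")
    return findings


if __name__ == "__main__":
    for key, value in audit(MAP_USERS, BINDINGS).items():
        print(f"{key}: {value}")
```

On the sample data the audit reports break-glass as a system:masters admin, orphan as mapped but unbound, former-employee as a binding subject with no aws-auth entry, and the ci-runner role ARN as misplaced in mapUsers. Running it against real cluster output after each aws-auth edit catches the common mismatch where the username in mapUsers and the subject name in the RoleBinding drift apart.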
Author details:
This blog is written by the Checkmate Global Technologies engineering team. Please feel free to reach out to our technical consultants if you have any questions about cloud infrastructure management.