{"id":3410,"date":"2022-10-20T12:08:10","date_gmt":"2022-10-20T12:08:10","guid":{"rendered":"https:\/\/www.checkmateq.com\/blog\/?p=3410"},"modified":"2023-08-04T13:41:57","modified_gmt":"2023-08-04T13:41:57","slug":"rbac-eks","status":"publish","type":"post","link":"https:\/\/www.checkmateq.com\/blog\/rbac-eks","title":{"rendered":"How to enable RBAC access for an IAM user in EKS cluster"},"content":{"rendered":"<p>When an <a href=\"https:\/\/www.checkmateq.com\/aws-cloud\">AWS cloud engineer<\/a> creates an <strong>AWS EKS<\/strong> cluster, the AWS Identity and Access Management (IAM) entity (user or role) that creates the cluster is automatically granted <strong>system:masters<\/strong> permissions in the cluster&#8217;s role-based access control (RBAC) configuration in the Amazon EKS control plane. That creator mapping is not visible in any configuration you can edit. To allow additional IAM users or roles to interact with your cluster, you must add them to the <strong>aws-auth ConfigMap<\/strong> within Kubernetes and create a Kubernetes <strong>RoleBinding<\/strong> or <strong>ClusterRoleBinding<\/strong> for the username or group that you specify in that ConfigMap. Grant the new identity only what it needs: a namespaced Role, not system:masters.<\/p>\n<p>First, we will create an IAM user who will be added to the EKS cluster.<\/p>\n<h3>Step1: Create an IAM user<\/h3>\n<ul>\n<li>Go to the IAM console and click <strong>Users-&gt;Add user<\/strong>.<\/li>\n<li>Enter the user name and select the programmatic access credential type (an access key; this user will reach the cluster from the command line, not the console).<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-3414\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-android-development-1-300x114.png\" alt=\"RBAC\" width=\"771\" height=\"293\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-android-development-1-300x114.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-android-development-1-1024x388.png 1024w, 
https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-android-development-1-768x291.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-android-development-1-1536x582.png 1536w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-android-development-1-1200x455.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-android-development-1.png 1642w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Click <strong>Next<\/strong>, add tags, review, and select <strong>Create user<\/strong>.<\/li>\n<li>Note the access key ID and secret access key. The secret is shown only once, so store it in a secrets manager or the user&#8217;s local AWS credentials file, never in a repository.<\/li>\n<\/ul>\n<h3>Step2: Create Role and Rolebinding<\/h3>\n<ul>\n<li>Next, we will authorize the user inside the Kubernetes cluster using RBAC. Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization. RBAC authorization uses the rbac.authorization.k8s.io API group to drive authorization decisions, which lets you configure policies dynamically through the Kubernetes API.<\/li>\n<li>The RBAC API declares four kinds of objects: <strong>Role, ClusterRole, RoleBinding, and ClusterRoleBinding.<\/strong><\/li>\n<li>A Role always sets permissions within a particular namespace, so when you create a Role you must specify the namespace it belongs in. A ClusterRole, by contrast, is a non-namespaced resource. A role binding grants the permissions defined in a role to a user or set of users. A RoleBinding grants permissions within a specific namespace, whereas a ClusterRoleBinding grants that access cluster-wide.<\/li>\n<li>First we will create a Role that grants access in the default namespace.<\/li>\n<li><strong>Log in to your cluster using the admin user<\/strong> (the IAM identity that created the cluster, or another identity already mapped with cluster-admin rights). 
Create a role.yaml file and copy the following code there.<\/li>\n<\/ul>\n<pre>apiVersion: rbac.authorization.k8s.io\/v1\r\nkind: Role\r\nmetadata:\r\n  namespace: default   # a Role is always namespaced\r\n  name: developer-role\r\nrules:\r\n# read-only on pods (core API group)\r\n- apiGroups: [\"\"]\r\n  resources: [\"pods\"]\r\n  verbs: [\"get\", \"watch\", \"list\"]\r\n# read plus create on deployments (apps API group)\r\n- apiGroups: [\"apps\"]\r\n  resources: [\"deployments\"]\r\n  verbs: [\"get\", \"watch\", \"list\", \"create\"]\r\n<\/pre>\n<ul>\n<li>Apply this role using the following command.<\/li>\n<\/ul>\n<p><code>kubectl apply -f role.yaml<\/code><\/p>\n<ul>\n<li>This role grants read access to pods and read and create access to deployments in the default namespace. Note that <code>create<\/code> on deployments is more than a viewer permission: whoever holds it can launch pods that run under any service account in the namespace and mount that namespace&#8217;s secrets. That is acceptable for a developer namespace, but it is a reason to keep the grant in a namespaced Role rather than a ClusterRole.<\/li>\n<li>Next, we will bind this role to the user using a RoleBinding. Create a rolebinding.yaml file and copy the following code there. The subject name must match the <code>username<\/code> you will assign in the aws-auth ConfigMap in Step 3; Kubernetes never checks that such a user exists, so a typo here produces a binding nobody can use.<\/li>\n<\/ul>\n<pre>apiVersion: rbac.authorization.k8s.io\/v1\r\nkind: RoleBinding\r\nmetadata:\r\n  name: eks-developer-rb\r\n  namespace: default   # must match the namespace of the Role\r\nsubjects:\r\n- kind: User\r\n  name: eks-developer   # the username mapped in aws-auth\r\n  apiGroup: rbac.authorization.k8s.io\r\nroleRef:\r\n  kind: Role\r\n  name: developer-role\r\n  apiGroup: rbac.authorization.k8s.io\r\n<\/pre>\n<ul>\n<li>Apply this file using the following command.<\/li>\n<\/ul>\n<p><code>kubectl apply -f rolebinding.yaml<\/code><\/p>\n<h3>Step3: Add user to aws-auth configmap<\/h3>\n<ul>\n<li>The aws-auth ConfigMap in the kube-system namespace is where EKS maps IAM users and roles to Kubernetes usernames and groups; those names are the subjects your RoleBindings refer to.<\/li>\n<li>Take a backup before touching it (<code>kubectl get configmap aws-auth -n kube-system -o yaml &gt; aws-auth.bak.yaml<\/code>), then use the following command to edit the ConfigMap.<\/li>\n<\/ul>\n<pre class=\" language-shell\"><code class=\" language-shell\"> kubectl edit configmap aws-auth -n kube-system<\/code><\/pre>\n<ul>\n<li>Add the IAM user&#8217;s ARN under the mapUsers field. The account ID below is a 12-digit placeholder; the <code>username<\/code> must match the RoleBinding subject.<\/li>\n<\/ul>\n<pre>mapUsers: |\r\n  - userarn: arn:aws:iam::123456789012:user\/eks-developer\r\n    username: eks-developer\r\n<\/pre>\n<ul>\n<li>Save and close the file. Be careful with the YAML: a malformed aws-auth ConfigMap breaks authentication for every IAM identity mapped through it, and only the cluster creator (with its implicit system:masters access) will still be able to get in and repair it.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-3426\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-AWS-cloud-service-300x107.png\" 
alt=\"RBAC\" width=\"768\" height=\"274\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-AWS-cloud-service-300x107.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-AWS-cloud-service-1024x366.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-AWS-cloud-service-768x274.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-AWS-cloud-service-1200x429.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-AWS-cloud-service.png 1473w\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<ul>\n<li>Verify the RoleBinding from your admin session by impersonating the Kubernetes username that the ConfigMap assigns:<\/li>\n<\/ul>\n<p><code>kubectl get pods --as eks-developer<\/code><\/p>\n<ul>\n<li>Impersonation exercises only the RBAC binding, not the IAM mapping. To test the full path, configure a kubeconfig with the new user&#8217;s credentials (<code>aws eks update-kubeconfig --name &lt;cluster-name&gt; --profile &lt;eks-developer-profile&gt;<\/code>) and run <code>kubectl auth can-i list pods<\/code> and <code>kubectl auth can-i create deployments<\/code> from it; both should answer yes.<\/li>\n<li>If the user tries to access any Kubernetes object for which they have no permission, the API server returns a Forbidden error. For example, <code>kubectl get secrets --as eks-developer<\/code> fails, because the Role grants nothing on secrets.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" class=\"alignnone wp-image-3420\" src=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-data-analytics-services-2-300x18.png\" alt=\"Forbidden error from kubectl\" width=\"750\" height=\"45\" srcset=\"https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-data-analytics-services-2-300x18.png 300w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-data-analytics-services-2-1024x63.png 1024w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-data-analytics-services-2-768x47.png 768w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-data-analytics-services-2-1536x94.png 1536w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-data-analytics-services-2-1200x74.png 1200w, https:\/\/www.checkmateq.com\/blog\/wp-content\/uploads\/2022\/10\/Checkmate-data-analytics-services-2.png 1920w\" sizes=\"(max-width: 
709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/p>\n<p>Author Details:<\/p>\n<p>This blog was written by the Checkmate Global Technologies engineering team. Please feel free to <a href=\"https:\/\/www.checkmateq.com\/cloud\">reach out<\/a> to our technical consultants if you have any questions about cloud infrastructure management.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When an AWS cloud engineer creates an AWS EKS cluster, the AWS Identity and Access Management (IAM) entity (user or role) that creates the cluster is automatically granted system:masters permissions in the cluster&#8217;s role-based access control (RBAC) configuration in the Amazon EKS control plane. You must change the aws-auth ConfigMap within Kubernetes and construct a &hellip; <a href=\"https:\/\/www.checkmateq.com\/blog\/rbac-eks\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to enable RBAC access for an IAM user in EKS 
cluster&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":3423,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[3,70,69,68,7,59,11],"_links":{"self":[{"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/posts\/3410"}],"collection":[{"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/comments?post=3410"}],"version-history":[{"count":10,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/posts\/3410\/revisions"}],"predecessor-version":[{"id":4223,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/posts\/3410\/revisions\/4223"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/media\/3423"}],"wp:attachment":[{"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/media?parent=3410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/categories?post=3410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.checkmateq.com\/blog\/wp-json\/wp\/v2\/tags?post=3410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
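The three steps of the post (the Role and RoleBinding in Step 2, the aws-auth mapUsers entry in Step 3, and the verification) as an added example, not code from the original post or from Checkmate. It is a standard-library Python helper that validates the IAM ARN (a 12-digit account ID, and no path in a role ARN), adds the mapUsers entry idempotently without overwriting a conflicting one, renders it as the YAML string aws-auth stores and as a JSON merge patch for kubectl, checks that every User subject in the RoleBinding is actually produced by the mapping, and lints the Role rules for grants worth a second look. The manifests and the eks-developer name are the post's own; the account ID 123456789012 is a placeholder; the refusal to map a user straight into system:masters is this example's policy, not an EKS rule; and the existing mapUsers list is assumed to arrive already parsed (in practice from kubectl get cm aws-auth -n kube-system -o json plus a YAML parser).

```python
import json
import re
import sys

# IAM user/role ARN: 12-digit account ID, then user/ or role/ and a name (paths allowed).
_IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/([\w+=,.@/-]+)$")
SYSTEM_MASTERS = "system:masters"


def validate_iam_arn(arn: str) -> str:
    """Return 'user' or 'role' for a well-formed IAM ARN, else raise ValueError."""
    m = _IAM_ARN.match(arn)
    if not m:
        raise ValueError(f"not a valid IAM user/role ARN (12-digit account ID required): {arn}")
    if m.group(2) == "role" and "/" in m.group(3):
        raise ValueError("aws-auth rolearn must not contain an IAM path; strip it")
    return m.group(2)


def merge_map_users(existing: list, userarn: str, username: str, groups=()) -> list:
    """Return a new mapUsers list with the entry added.  Idempotent: an identical entry
    is not duplicated; the same ARN with different settings raises, since overwriting
    it silently would change that identity's effective rights.  Mapping a plain user
    into system:masters is refused (this example's policy, not an EKS rule)."""
    if validate_iam_arn(userarn) != "user":
        raise ValueError("mapUsers takes user ARNs; roles belong under mapRoles")
    if SYSTEM_MASTERS in groups:
        raise ValueError(f"refusing to map {userarn} into {SYSTEM_MASTERS}")
    new = {"userarn": userarn, "username": username}
    if groups:
        new["groups"] = list(groups)
    for entry in existing:
        if entry.get("userarn") == userarn:
            if entry == new:
                return list(existing)
            raise ValueError(f"{userarn} already mapped with different settings: {entry}")
    return list(existing) + [new]


def render_map_users(entries: list) -> str:
    """Serialise entries as the YAML block aws-auth stores under data.mapUsers."""
    lines = []
    for e in entries:
        lines += [f"- userarn: {e['userarn']}", f"  username: {e['username']}"]
        if e.get("groups"):
            lines += ["  groups:"] + [f"  - {g}" for g in e["groups"]]
    return "\n".join(lines) + "\n"


def aws_auth_merge_patch(entries: list) -> str:
    """JSON merge patch replacing only data.mapUsers (mapRoles is left untouched), for:
    kubectl patch configmap aws-auth -n kube-system --type merge -p "$PATCH" """
    return json.dumps({"data": {"mapUsers": render_map_users(entries)}})


# The post's manifests as dicts (kubectl apply accepts JSON as well as YAML).
DEVELOPER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"namespace": "default", "name": "developer-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "watch", "list", "create"]},
    ],
}
DEVELOPER_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
    "metadata": {"namespace": "default", "name": "eks-developer-rb"},
    "subjects": [{"kind": "User", "name": "eks-developer", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "developer-role", "apiGroup": "rbac.authorization.k8s.io"},
}


def unmapped_subjects(binding: dict, map_users: list) -> list:
    """User subjects in the binding that no aws-auth entry produces: a binding for a
    name nobody can authenticate as is the usual cause of an unexpected Forbidden."""
    known = {e["username"] for e in map_users}
    return [s["name"] for s in binding["subjects"] if s["kind"] == "User" and s["name"] not in known]


_WORKLOADS = {"pods", "deployments", "replicasets", "daemonsets", "statefulsets", "jobs", "cronjobs"}
_WRITES = {"create", "update", "patch", "*"}


def lint_rules(rules: list) -> list:
    """Flag grants that deserve a second look: wildcards, workload writes (the holder
    can run pods under any service account in the namespace) and secret reads."""
    warnings = []
    for r in rules:
        res, verbs = set(r.get("resources", [])), set(r.get("verbs", []))
        if "*" in res or "*" in verbs:
            warnings.append(f"wildcard grant: {r}")
        if res & _WORKLOADS and verbs & _WRITES:
            warnings.append(f"workload write on {sorted(res & _WORKLOADS)}: "
                            "can run pods as any service account in the namespace")
        if "secrets" in res and verbs & {"get", "list", "watch"}:
            warnings.append("secret read access")
    return warnings


if __name__ == "__main__":
    mapping = merge_map_users([], "arn:aws:iam::123456789012:user/eks-developer", "eks-developer")
    for w in lint_rules(DEVELOPER_ROLE["rules"]) + [f"unmapped subject {s}" for s in unmapped_subjects(DEVELOPER_BINDING, mapping)]:
        print("warning:", w, file=sys.stderr)
    print(aws_auth_merge_patch(mapping))  # stdout carries only the patch, for kubectl patch -p "$(...)"
```

Run as a script it prints the merge patch on stdout and any warnings on stderr; for the post's Role it warns once, about create on deployments, which is the caveat to weigh before applying. Using kubectl patch with a merge patch instead of kubectl edit avoids hand-editing the YAML that every mapped identity depends on, and the conflict check means a second run for the same ARN is a no-op rather than a silent overwrite.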