Introduction#

The GitHub example shows the essential components of access control for an Amazon EKS cluster:

  • Kubernetes Role and RoleBinding
  • Configmap aws-auth
  • Kube config file

How It Works#

  • A Role defines permissions: which actions (verbs) are allowed on which resources
  • A RoleBinding defines who gets those permissions: it maps a user or group to a Role
  • ClusterRole and ClusterRoleBinding are the cluster-wide equivalents and apply across all namespaces
  • Flow: user runs kubectl => Kubernetes API server => IAM identity => aws-auth ConfigMap maps it to a Kubernetes user/groups => RoleBinding grants the Role's permissions
[Figure: EKS cluster authentication]
[Figure: EKS ConfigMap aws-auth]

Setup K8S Access for an IAM Role#

A Kubernetes Role sets up the permissions, i.e. which actions are allowed:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  namespace: default
  name: dev-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "patch", "update", "watch"]

A Kubernetes RoleBinding binds an identity (a group or a user) to the Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dev-role-binding
  namespace: default
subjects:
- kind: User
  name: developer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io

Update the aws-auth ConfigMap:

kubectl edit -n kube-system configmap/aws-auth

An example aws-auth ConfigMap, mapping IAM roles to Kubernetes users and groups (xxx stands for the IAM role ARN):

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: xxx
      username: developer
    - rolearn: <ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes

Using eksctl, as recommended by the AWS docs, to manage identity mappings (this example deletes one):

eksctl delete iamidentitymapping \
  --region=$Region \
  --cluster=$ClusterName \
  --arn=$Role

Update the kube config:

aws eks update-kubeconfig --name $ClusterName --role-arn $ROLE
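To check the chain from "How It Works" end to end, here is an added Python example (not part of the original page) that resolves what an IAM role ARN can do by walking aws-auth mapRoles, then the RoleBinding subjects, then the Role rules. The ARNs, the mapRoles block and the RBAC objects are constructed samples mirroring the manifests above, and the parser only handles the YAML subset aws-auth actually uses.

```python
# Constructed aws-auth mapRoles block (the YAML subset aws-auth uses).
MAP_ROLES = """\
- rolearn: arn:aws:iam::111122223333:role/dev-role
  username: developer
- rolearn: arn:aws:iam::111122223333:role/eks-node
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
"""
# Constructed RBAC objects, trimmed to the fields the resolver needs.
ROLES = {"dev-role": [{"apiGroups": [""], "resources": ["pods", "services"],
                       "verbs": ["get", "list", "patch", "update", "watch"]}]}
ROLE_BINDINGS = [{"subjects": [{"kind": "User", "name": "developer"}],
                  "roleRef": {"kind": "Role", "name": "dev-role"}}]

def parse_map_roles(text):
    """Parse mapRoles into dicts: keys are scalars, `groups` is a list."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- ") and not raw.startswith(" "):  # new mapping
            entries.append(current := {"groups": []})
            line = line[2:]
        elif line.startswith("- "):                              # group item
            current["groups"].append(line[2:])
            continue
        if ": " in line:                                         # key: value
            current.update([line.split(": ", 1)])
    return entries

def identity_for(role_arn, entries):
    """aws-auth step: IAM role ARN -> (username, groups), None if unmapped."""
    e = next((e for e in entries if e.get("rolearn") == role_arn), None)
    return (e["username"], e["groups"]) if e else None

def rules_for(username, groups, bindings, roles):
    """RBAC step: rules of every Role bound to this user or one of its groups."""
    subjects = {("User", username)} | {("Group", g) for g in groups}
    return [r for b in bindings if b["roleRef"]["kind"] == "Role"
            and any((s["kind"], s["name"]) in subjects for s in b["subjects"])
            for r in roles.get(b["roleRef"]["name"], [])]

def allowed(role_arn, verb, resource):
    """Permitted? Simplified: ignores apiGroups and ClusterRoleBindings."""
    ident = identity_for(role_arn, parse_map_roles(MAP_ROLES))
    if ident is None:
        return False  # unmapped ARN never reaches RBAC; the API server rejects it
    return any(resource in r["resources"] and verb in r["verbs"]
               for r in rules_for(*ident, ROLE_BINDINGS, ROLES))
```

Running the same resolver over the real objects (kubectl get configmap aws-auth -n kube-system -o json, kubectl get role,rolebinding -o json) is a quick way to confirm a mapping grants only what the Role intends before widening it.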
