Amazon Elastic Kubernetes Service (EKS) is a popular solution for deploying and managing Kubernetes clusters in the cloud. One of the essential aspects of managing any system is controlling access to resources, and Kubernetes clusters are no exception. Amazon EKS authenticates AWS Identity and Access Management (IAM) users and roles to the Kubernetes API, and Kubernetes RBAC then decides what each of them may do. In this post, we’ll explore how to combine the two to create a read-only user in Amazon EKS.
Overview
- Create an IAM Policy
- Create an IAM User
- Create ClusterRole and ClusterRoleBinding
- Map user in aws-auth configmap
- Verify Permissions
Steps:
Step 1: Create an IAM Policy
The first step in creating a read-only user in EKS is to create an IAM policy that grants read-only access to the EKS service API (describing and listing clusters, node groups and so on). Note that this policy only controls what the user can do against the AWS EKS API; what the user can do inside the cluster is decided by Kubernetes RBAC, which we set up in steps 3 and 4. The one action this step must include is eks:DescribeCluster, because aws eks update-kubeconfig in step 5 needs it.
- Sign in to the AWS Management Console and navigate to the IAM dashboard.
- In the left-hand menu, select “Policies”.
- Click the “Create policy” button.
- Choose “JSON” tab for editing policies.
- Here’s an example IAM policy that allows read-only access to an EKS cluster:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "eks:ListFargateProfiles",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "eks:DescribeFargateProfile",
        "eks:ListTagsForResource",
        "eks:ListUpdates",
        "eks:DescribeUpdate",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:AccessKubernetesApi",
        "eks:GetParameter"
      ],
      "Resource": "*"
    }
  ]
}
Give your policy a name and a description and click “Create policy” to save your new IAM policy. The sample uses "Resource": "*", which covers every cluster in the account; if the user only needs one cluster, restrict the Resource to that cluster’s ARN (arn:aws:eks:<region>:<account-number>:cluster/<eks-cluster-name>) for the cluster-scoped actions, keeping "*" only for eks:ListClusters, which is not resource-scoped.
Step 2: Create an IAM User
Next, you’ll need to create an IAM user that is associated with the IAM policy created in step 1. Here’s how to create an IAM user:
- Log in to the AWS Management Console and go to the IAM dashboard.
- Click “Users” in the left-hand menu and then click “Add user.”
- Enter a name for the user and select “Programmatic access” as the access type. This gives the user an access key ID and secret access key, which you will need in step 5; store them safely, since they are the user’s only credentials.
- On the “Permissions” page, select “Attach existing policies directly” and select the IAM policy created in step 1.
- Review the user details and click “Create user.”
Step 3: Create ClusterRole and ClusterRoleBinding
Using an identity that already has admin access to the cluster (for example the one that created it), create a ClusterRole and a ClusterRoleBinding.
You can use the sample manifest below.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k8s-read
rules:
  - apiGroups:
      - '*'
    resources:
      - deployments
      - pods
      - pods/log
      - configmaps
      - secrets
      - services
      - virtualservices
      - horizontalpodautoscalers
      - gateways
      - namespaces
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8s-read
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: k8s-read
The ClusterRole grants get, list and watch only, so the user cannot create, update or delete anything. Because it lists secrets and binds cluster-wide, “read-only” here still means the user can read the contents of every Secret in every namespace, which is often more than a read-only user should have; drop secrets (and configmaps, if they hold sensitive values) from the resources list unless the user genuinely needs them. The binding refers to a Group named k8s-read, which is the group name we map the IAM user to in step 4. Apply the manifest above using kubectl:
kubectl apply -f your-file-name.yaml
Step 4: Map user in aws-auth configmap
Now, you need to add this user to the aws-auth ConfigMap so that EKS maps the IAM user to the k8s-read Kubernetes group that the ClusterRoleBinding refers to. Edit the ConfigMap carefully: the existing mapRoles entry for the node instance role must stay intact, otherwise worker nodes lose access to the API server. (Newer clusters can also do this mapping with EKS access entries instead of editing aws-auth, but the ConfigMap approach shown here still works.)
kubectl edit -n kube-system configmap/aws-auth
Add the user under the mapUsers section. Here is a sample entry:
- groups:
    - k8s-read
  userarn: arn:aws:iam::<account-number>:user/<user-name>
  username: k8s-read
Below is the complete sample file.
apiVersion: v1
data:
  mapRoles: |
    - groups:
        - system:bootstrappers
        - system:nodes
      rolearn: arn:aws:iam::xxxxxxxxxxxx:role/EKSNodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - groups:
        - k8s-read
      userarn: arn:aws:iam::xxxxxxxxxxxx:user/k8s-read
      username: k8s-read
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
Step 5: Verify Permissions
Now, configure the new user’s access key and secret key in ~/.aws/credentials (or in a named profile selected with AWS_PROFILE) so that the following commands run as the read-only user rather than as your admin identity,
and generate a kubeconfig for the cluster with the command below. This call needs the eks:DescribeCluster permission granted in step 1; the kubeconfig it writes uses aws eks get-token to obtain a short-lived token for each request.
aws eks update-kubeconfig --region <your-region> --name <eks-cluster-name>
To check whether the user can delete a namespace, run the command below.
kubectl auth can-i delete namespace
output:
no
To check whether the user can list pods, run the command below.
kubectl auth can-i list pods
output:
yes
You can read more about kubectl auth can-i in the kubectl reference documentation. It is worth repeating the check for the riskier verbs too, for example kubectl auth can-i get secrets --all-namespaces, so you see exactly what the new user can read.
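The five steps above chain three things together: aws-auth turns an IAM ARN into a Kubernetes username and groups, a ClusterRoleBinding attaches a ClusterRole to one of those groups, and the ClusterRole’s rules decide which verbs are allowed on which resources. The script below is an added example, not code from this post, that models that chain offline so you can answer kubectl auth can-i style questions against your manifests before touching a live cluster and list every mapped identity that can read Secrets. The data in it is a constructed, already-parsed copy of the manifests in this post; the account number, the extra “admin” user with its system:masters mapping, and the built-in cluster-admin binding are assumptions added for contrast. Node authorization for system:nodes goes through the Node authorizer rather than RBAC and is not modelled.

```python
"""Offline model of the EKS authorization chain set up in this post.

IAM ARN --(aws-auth mapUsers/mapRoles)--> Kubernetes username + groups
        --(ClusterRoleBindings)--> ClusterRoles --(rules)--> verbs on resources

Added example, not the post's own code. Sample data is a constructed copy of
the post's manifests; the "admin" user and its system:masters mapping are
hypothetical, added to show a privileged mapping next to the read-only one.
"""

ACCOUNT = "111122223333"  # constructed account id

# Parsed data.mapRoles / data.mapUsers of the aws-auth ConfigMap.
AWS_AUTH = {
    "mapRoles": [
        {"rolearn": f"arn:aws:iam::{ACCOUNT}:role/EKSNodeInstanceRole",
         "username": "system:node:{{EC2PrivateDNSName}}",
         "groups": ["system:bootstrappers", "system:nodes"]},
    ],
    "mapUsers": [
        {"userarn": f"arn:aws:iam::{ACCOUNT}:user/k8s-read",
         "username": "k8s-read", "groups": ["k8s-read"]},
        {"userarn": f"arn:aws:iam::{ACCOUNT}:user/admin",  # hypothetical extra
         "username": "admin", "groups": ["system:masters"]},
    ],
}

# ClusterRole name -> rules: the post's k8s-read role plus the built-in
# cluster-admin role, which Kubernetes binds to the system:masters group.
CLUSTER_ROLES = {
    "k8s-read": [
        {"apiGroups": ["*"],
         "resources": ["deployments", "pods", "pods/log", "configmaps", "secrets",
                       "services", "virtualservices", "horizontalpodautoscalers",
                       "gateways", "namespaces"],
         "verbs": ["get", "list", "watch"]},
    ],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# ClusterRoleBindings: roleRef name and subjects as (kind, name) pairs.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "k8s-read", "subjects": [("Group", "k8s-read")]},
    {"roleRef": "cluster-admin", "subjects": [("Group", "system:masters")]},
]


def resolve_identity(arn, aws_auth=AWS_AUTH):
    """Map an IAM ARN to (username, groups) the way aws-auth does.

    Kubernetes adds every authenticated identity to system:authenticated.
    An ARN that is not mapped at all is rejected as Unauthorized.
    """
    for key, entries in (("userarn", aws_auth.get("mapUsers", [])),
                         ("rolearn", aws_auth.get("mapRoles", []))):
        for entry in entries:
            if entry[key] == arn:
                return entry["username"], list(entry.get("groups", [])) + ["system:authenticated"]
    return None


def bound_roles(username, groups, bindings=CLUSTER_ROLE_BINDINGS):
    """Names of ClusterRoles whose bindings name this user or one of its groups."""
    roles = []
    for binding in bindings:
        for kind, name in binding["subjects"]:
            if (kind == "User" and name == username) or (kind == "Group" and name in groups):
                roles.append(binding["roleRef"])
                break
    return roles


def _match(pattern, value):
    return pattern == "*" or pattern == value


def _resource_match(pattern, resource):
    # "*" matches everything; "pods/*" matches every subresource of pods.
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def rule_allows(rule, verb, resource, api_group):
    """A rule allows a request only if group, resource and verb all match."""
    return (any(_match(g, api_group) for g in rule["apiGroups"])
            and any(_resource_match(r, resource) for r in rule["resources"])
            and any(_match(v, verb) for v in rule["verbs"]))


def can_i(arn, verb, resource, api_group=""):
    """RBAC is purely additive: allowed if any bound rule matches, else denied."""
    identity = resolve_identity(arn)
    if identity is None:
        return False
    username, groups = identity
    return any(rule_allows(rule, verb, resource, api_group)
               for role in bound_roles(username, groups)
               for rule in CLUSTER_ROLES.get(role, []))


def secret_readers():
    """ARNs mapped in aws-auth that can get or list Secrets cluster-wide."""
    arns = [e["userarn"] for e in AWS_AUTH["mapUsers"]] + [e["rolearn"] for e in AWS_AUTH["mapRoles"]]
    return sorted(a for a in arns if can_i(a, "get", "secrets") or can_i(a, "list", "secrets"))


if __name__ == "__main__":
    user = f"arn:aws:iam::{ACCOUNT}:user/k8s-read"
    for verb, res in (("list", "pods"), ("delete", "namespaces"), ("get", "secrets")):
        print(f"{user} can {verb} {res}: {'yes' if can_i(user, verb, res) else 'no'}")
    print("identities that can read Secrets:", secret_readers())
```

Running it prints the same yes/no answers as the kubectl auth can-i checks above for the k8s-read user, and the secret_readers() line is the audit most teams want before calling a role “read-only”: with the post’s manifest unchanged, the k8s-read user appears in that list alongside the admin mapping.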
Thanks for reading! If you have any issues or suggestions, let me know in the comment box.