How to Create a Read-Only User in an EKS Cluster
February 26, 2023

Amazon Elastic Kubernetes Service (EKS) is a popular solution for deploying and managing Kubernetes clusters in the cloud. One of the essential aspects of managing any system is controlling access to resources, including Kubernetes clusters. Amazon EKS supports AWS Identity and Access Management (IAM) roles, which enables you to manage access to your Kubernetes clusters. In this post, we'll explore how to create a read-only user in Amazon EKS.
Overview
- Create an IAM Policy
- Create an IAM User
- Create ClusterRole and ClusterRoleBinding
- Map user in aws-auth configmap
- Verify Permissions
Steps:
Create an IAM Policy
The first step in creating a read-only user in EKS is to create an IAM policy that grants read-only access to the EKS cluster.
- Sign in to the AWS Management Console and navigate to the IAM dashboard.
- In the left-hand menu, select "Policies".
- Click the "Create policy" button.
- Choose the "JSON" tab to edit the policy document directly.
- Here is an example IAM policy that allows read-only access to the EKS API (it only contains Describe/List/Get actions plus eks:AccessKubernetesApi):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "eks:ListFargateProfiles",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "eks:DescribeFargateProfile",
        "eks:ListTagsForResource",
        "eks:ListUpdates",
        "eks:DescribeUpdate",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:AccessKubernetesApi",
        "eks:GetParameter"
      ],
      "Resource": "*"
    }
  ]
}
Give your policy a name and a description, then click "Create policy" to save it. Note that this IAM policy only governs the AWS EKS API (for example, describing the cluster to build a kubeconfig); what the user may do inside the cluster is decided by Kubernetes RBAC and the aws-auth mapping in the later steps.
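The following is an added example, not code from the original post: a small linter that loads the policy above (embedded as a constructed sample string) and reports any Allow action that is not an eks:Describe*, eks:List* or eks:Get* call, so you can confirm a policy really is read-only before attaching it. The prefix allow-list and the special case for eks:AccessKubernetesApi (kept because the post's policy relies on it) are this example's assumptions.

```python
"""Check that an IAM policy document only grants read-only EKS actions."""
import json

# The policy from the post, embedded here as a constructed sample.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "eks:ListFargateProfiles",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "eks:DescribeFargateProfile",
        "eks:ListTagsForResource",
        "eks:ListUpdates",
        "eks:DescribeUpdate",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:AccessKubernetesApi",
        "eks:GetParameter"
      ],
      "Resource": "*"
    }
  ]
}
"""

# Assumption of this example: Describe/List/Get actions do not change state.
READ_ONLY_PREFIXES = ("eks:Describe", "eks:List", "eks:Get")
# Kept on the allow-list only because the post's policy includes it.
READ_ONLY_EXTRA = {"eks:AccessKubernetesApi"}


def find_write_actions(policy_json):
    """Return (Sid, action) pairs for every Allow action that is not read-only.

    Wildcards such as "*" or "eks:*" are reported because they grant writes.
    Deny statements are skipped: they can only narrow access, never widen it.
    """
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM allows a single action string
            actions = [actions]
        for action in actions:
            if action in READ_ONLY_EXTRA or action.startswith(READ_ONLY_PREFIXES):
                continue
            findings.append((stmt.get("Sid", ""), action))
    return findings


def is_read_only(policy_json):
    """True when no Allow statement grants a non-read action."""
    return not find_write_actions(policy_json)


if __name__ == "__main__":
    for sid, action in find_write_actions(SAMPLE_POLICY):
        print(f"non-read-only action in statement {sid or '<no Sid>'}: {action}")
    print("policy is read-only" if is_read_only(SAMPLE_POLICY) else "policy is NOT read-only")
```

Run it against the JSON you pasted into the console; anything it prints is an action to remove. The check is deliberately strict about wildcards, since "eks:*" would silently turn the read-only user into a cluster administrator at the AWS API level.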
Create an IAM User
Next, you'll need to create an IAM user that is associated with the IAM policy created in step 1. Here's how to create an IAM user:
- Log in to the AWS Management Console and go to the IAM dashboard.
- Click "Users" in the left-hand menu and then click "Add user."
- Enter a name for the user and select "Programmatic access" as the access type.
- On the "Permissions" page, select "Attach existing policies directly" and select the IAM policy created in step 1.
- Review the user details and click "Create user."
Create ClusterRole and ClusterRoleBinding
Connect to your EKS cluster with an identity that has cluster-admin rights and create a ClusterRole and a ClusterRoleBinding. You can use the sample manifest below. Be aware that it grants get/list/watch on secrets, which lets this "read-only" user read every Secret in every namespace; drop that resource from the list unless the user genuinely needs it.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k8s-read
rules:
  - apiGroups:
      - '*'
    resources:
      - deployments
      - pods
      - pods/log
      - configmaps
      - secrets
      - services
      - virtualservices
      - horizontalpodautoscalers
      - gateways
      - namespaces
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8s-read
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: k8s-read
Apply the manifest with kubectl:
kubectl apply -f your-file-name.yaml
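As an added example (not part of the original post), the script below audits a ClusterRole for anything that exceeds read-only intent: verbs other than get/list/watch, wildcard verbs or resources, and read access to resources whose contents are themselves credentials. The role is written as a Python dict (the structure kubectl loads from the YAML above) so the check runs offline without a YAML library; the set of "sensitive" resources is this example's assumption.

```python
"""Audit a ClusterRole for verbs and resources that exceed read-only intent."""
import copy

READ_VERBS = {"get", "list", "watch"}
# Assumption of this example: reading a Secret is equivalent to holding the
# credential it contains, so even get/list/watch on it deserves a finding.
SENSITIVE_RESOURCES = {"secrets"}

# Constructed dict form of the k8s-read ClusterRole from the post.
K8S_READ_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "k8s-read"},
    "rules": [
        {
            "apiGroups": ["*"],
            "resources": [
                "deployments", "pods", "pods/log", "configmaps", "secrets",
                "services", "virtualservices", "horizontalpodautoscalers",
                "gateways", "namespaces",
            ],
            "verbs": ["get", "list", "watch"],
        }
    ],
}


def audit_role(role):
    """Return human-readable findings; an empty list means the role is clean."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs:
            findings.append(f"rule {idx}: wildcard verb grants write access")
        for verb in sorted(verbs - READ_VERBS - {"*"}):
            findings.append(f"rule {idx}: non-read verb '{verb}'")
        if "*" in resources:
            findings.append(f"rule {idx}: wildcard resource")
        for res in sorted(resources & SENSITIVE_RESOURCES):
            findings.append(f"rule {idx}: read access to sensitive resource '{res}'")
    return findings


def strip_sensitive(role):
    """Return a copy of the role with SENSITIVE_RESOURCES removed from every rule."""
    hardened = copy.deepcopy(role)
    for rule in hardened.get("rules", []):
        rule["resources"] = [
            r for r in rule.get("resources", []) if r not in SENSITIVE_RESOURCES
        ]
    return hardened


if __name__ == "__main__":
    for finding in audit_role(K8S_READ_ROLE):
        print("finding:", finding)
    print("after hardening:", audit_role(strip_sensitive(K8S_READ_ROLE)) or "clean")
```

Run against the post's role, the only finding is the secrets entry; strip_sensitive produces the variant you would apply if the user does not need to read Secrets. Extend SENSITIVE_RESOURCES to match your own cluster (for example, resources that carry tokens or kubeconfigs in ConfigMaps).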
Map user in aws-auth configmap
Now add the IAM user to the aws-auth ConfigMap so that the cluster maps it to the k8s-read group, which is the Group the ClusterRoleBinding above grants read access to.
kubectl edit -n kube-system configmap/aws-auth
Add the user under the mapUsers section. Here is a sample entry; the groups value must match the Group name in the ClusterRoleBinding, and a malformed aws-auth edit can lock everyone out of the cluster, so check the indentation before saving:
    - groups:
        - k8s-read
      userarn: arn:aws:iam::<account-number>:user/<user-name>
      username: k8s-read
Below is the complete sample file.
apiVersion: v1
data:
  mapRoles: |
    - groups:
        - system:bootstrappers
        - system:nodes
      rolearn: arn:aws:iam::xxxxxxxxxxxx:role/EKSNodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - groups:
        - k8s-read
      userarn: arn:aws:iam::xxxxxxxxxxxx:user/k8s-read
      username: k8s-read
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
Verify Permissions
Now configure the new user's access key and secret key in ~/.aws/credentials, then run the command below to generate a kubeconfig for the cluster (this call needs the eks:DescribeCluster permission from the IAM policy):
aws eks update-kubeconfig --region <your-region> --name <eks-cluster-name>
To check whether the user can delete a namespace, run:
kubectl auth can-i delete namespace
output:
no
To check whether the user can list pods, run:
kubectl auth can-i list pods
output:
yes
You can read more about kubectl auth can-i in the kubectl documentation.
Thanks for reading! If you have any issues or suggestions, let me know in the comment box.
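The two commands above spot-check one allowed and one denied operation. As an added example (not from the original post), the script below drives `kubectl auth can-i` across a whole matrix of verb/resource pairs and reports every answer that differs from what a read-only user should get. The kubectl call is wrapped in a runner function so the comparison logic can be exercised offline with a stub; the expectation matrix is constructed for this example.

```python
"""Verify a read-only identity against a verb/resource matrix with kubectl auth can-i."""
import subprocess

# Constructed expectations for the k8s-read identity: reads allowed, writes denied.
EXPECTATIONS = [
    ("list", "pods", "yes"),
    ("get", "configmaps", "yes"),
    ("watch", "deployments", "yes"),
    ("delete", "namespaces", "no"),
    ("create", "pods", "no"),
    ("update", "deployments", "no"),
]


def kubectl_can_i(verb, resource):
    """Real runner: returns the 'yes'/'no' that kubectl auth can-i prints."""
    result = subprocess.run(
        ["kubectl", "auth", "can-i", verb, resource],
        capture_output=True,
        text=True,
    )
    # kubectl prints "yes" (exit 0) or "no" (exit 1) on stdout.
    return result.stdout.strip()


def verify_matrix(expectations, runner=kubectl_can_i):
    """Return (verb, resource, expected, actual) for every mismatching check."""
    mismatches = []
    for verb, resource, expected in expectations:
        actual = runner(verb, resource)
        if actual != expected:
            mismatches.append((verb, resource, expected, actual))
    return mismatches


def read_only_stub(verb, resource):
    """Stub runner modelling a correctly configured read-only user (no kubectl needed)."""
    return "yes" if verb in ("get", "list", "watch") else "no"


if __name__ == "__main__":
    # Uses the real kubectl against whatever kubeconfig is active.
    problems = verify_matrix(EXPECTATIONS)
    for verb, resource, expected, actual in problems:
        print(f"MISMATCH: can-i {verb} {resource}: expected {expected}, got {actual}")
    print("read-only verification passed" if not problems else "verification FAILED")
```

Run it with the kubeconfig generated by update-kubeconfig for the new user; an empty mismatch list means the RBAC and aws-auth mapping behave as intended. Adding a write verb for each resource in the ClusterRole to EXPECTATIONS catches the common mistake of a second, wider binding for the same group.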