Read-Only Access to specific resources in AWS EKS Cluster via EKS Authentication & Authorization
Rajit Paul
Posted on January 15, 2022
Hi, Folks.
Our objective for today is stated in the post title, so let's get started.
Authorization in the EKS Cluster using RBAC (Role-Based Access Control)
1. Create a manifest for a ClusterRole or Role, as your use case requires. (A ClusterRole applies cluster-wide, across all namespaces; a Role is scoped to a single namespace. We use a ClusterRole here because we need to read resources in several namespaces.)
Sample ClusterRole.yaml (read-only access to pods and the pods/log subresource)
2. Create a manifest for a ClusterRoleBinding or RoleBinding as required.
Sample ClusterRoleBinding.yaml
3. Apply the ClusterRole first, then the ClusterRoleBinding:
(kubectl apply -f ClusterRole.yaml)
(kubectl apply -f ClusterRoleBinding.yaml)
4. Note the group name in the subjects of the ClusterRoleBinding; we will need it when mapping the IAM user during authentication.
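The two manifests the steps above describe, written out as an added example (this is not the post's own ClusterRole.yaml or ClusterRoleBinding.yaml). The names pod-log-reader, pod-log-reader-binding and the group pod-log-readers are assumptions; the group name is the one you will later put into aws-auth. Without arguments the script only prints the manifests for review; with the argument apply it pushes them with whatever admin kubeconfig is active.

```shell
#!/usr/bin/env sh
# Added example, not the original post's manifests.
# Assumed names (override via environment): ClusterRole "pod-log-reader",
# ClusterRoleBinding "pod-log-reader-binding", group "pod-log-readers".
CLUSTER_ROLE_NAME="${CLUSTER_ROLE_NAME:-pod-log-reader}"
BINDING_NAME="${BINDING_NAME:-pod-log-reader-binding}"
GROUP_NAME="${GROUP_NAME:-pod-log-readers}"

# Read-only verbs on pods, plus "get" on the pods/log subresource.
# "list" and "watch" are what "kubectl get pods" / "kubectl get pods -w" use;
# the log endpoint only supports "get", so nothing more is granted on it.
cluster_role_yaml() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${CLUSTER_ROLE_NAME}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
EOF
}

# Bind the role to a group, not a user, so further IAM identities can be
# mapped to the same group in aws-auth without touching RBAC again.
cluster_role_binding_yaml() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${BINDING_NAME}
subjects:
  - kind: Group
    name: ${GROUP_NAME}
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${CLUSTER_ROLE_NAME}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Role first, then binding: a binding to a not-yet-existing role is accepted
# by the API server but grants nothing, which is confusing to debug.
apply_rbac() {
  cluster_role_yaml | kubectl apply -f -
  cluster_role_binding_yaml | kubectl apply -f -
}

case "${1:-print}" in
  apply) apply_rbac ;;
  print) cluster_role_yaml; echo '---'; cluster_role_binding_yaml ;;
esac
```

Review the printed output (`sh rbac.sh`) before running `sh rbac.sh apply`; the only verbs that should appear are get, list and watch.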
EKS Authentication using AWS IAM.
1. Create an AWS IAM user with programmatic access.
2. Create an IAM policy with EKS read-only permissions (at minimum eks:DescribeCluster, which aws eks update-kubeconfig calls) and attach it to the IAM user. Note that this IAM policy only lets the user find the cluster; what the user may do inside the cluster is decided by the aws-auth mapping and the RBAC binding, not by IAM.
3. Download the IAM user's credentials and copy the IAM username and the IAM user ARN.
4. Open the aws-auth ConfigMap in the kube-system namespace:
(kubectl edit cm aws-auth -n kube-system)
5. Add the user ARN, a Kubernetes username and the group name from the ClusterRoleBinding to the mapUsers section of the aws-auth ConfigMap.
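The mapUsers entry step 5 asks for, as an added example (not taken from the post). The account id 111122223333, the IAM user name eks-readonly and the group pod-log-readers are assumptions; the group must match the subject of your ClusterRoleBinding. Because a malformed aws-auth can lock every IAM identity out of the API server, the script also backs the ConfigMap up before you edit it and lets you confirm the entry afterwards.

```shell
#!/usr/bin/env sh
# Added example, not the original post's ConfigMap.
# Assumed values (override via environment).
USER_ARN="${USER_ARN:-arn:aws:iam::111122223333:user/eks-readonly}"
K8S_USERNAME="${K8S_USERNAME:-eks-readonly}"
GROUP_NAME="${GROUP_NAME:-pod-log-readers}"

# Fragment to paste under "data:" in aws-auth. mapUsers is a block scalar
# (string) holding YAML, hence the "|" and the extra indentation.
# "username" is only the name the API server uses in RBAC and audit logs;
# the IAM policy attached to the user plays no part in in-cluster authorization.
# Leave the existing mapRoles entry (node instance role) exactly as it is.
map_users_fragment() {
  cat <<EOF
mapUsers: |
  - userarn: ${USER_ARN}
    username: ${K8S_USERNAME}
    groups:
      - ${GROUP_NAME}
EOF
}

# Keep a copy before "kubectl edit"; restoring it is the way back in if the
# edit breaks authentication for everyone.
backup_aws_auth() {
  kubectl get configmap aws-auth -n kube-system -o yaml > "$1"
}

# After editing, check the mapping actually landed in data.mapUsers.
show_map_users() {
  kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapUsers}'
}

case "${1:-print}" in
  backup) backup_aws_auth "${2:-aws-auth.backup.yaml}" ;;
  show)   show_map_users ;;
  print)  map_users_fragment ;;
esac
```

Typical order: `sh aws-auth.sh backup`, then `kubectl edit cm aws-auth -n kube-system` and paste the printed fragment, then `sh aws-auth.sh show` to verify.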
Set up local access to the EKS cluster and test the permissions.
1. Install the latest AWS CLI locally (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
2. Install the latest kubectl (https://kubernetes.io/docs/tasks/tools/).
3. Configure the AWS CLI with the IAM user credentials created earlier (aws configure).
4. Generate a kubeconfig for the cluster: aws eks update-kubeconfig --name Eksclustername
5. Next, run the following commands to test the permissions:
kubectl auth can-i create pods (answer should be no)
kubectl auth can-i delete pods (answer should be no)
kubectl auth can-i list pods (answer should be yes)
kubectl auth can-i get pods --subresource=log (answer should be yes; pods/log is a subresource that only supports get, so it is checked with --subresource rather than as a plain resource name)
You can check other resources and verbs the same way; the answer should be yes only for read-only verbs on pods and the pods/log subresource, and no for everything else.
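The can-i checks above as a script that compares every answer with what the ClusterRole is supposed to allow and fails on any deviation, so the test can run in CI rather than being eyeballed. This is an added example, not the post's own commands; it assumes the kubeconfig produced by aws eks update-kubeconfig for the mapped IAM user is active. The expectations table extends the post's four checks with a few resources that should be denied (secrets, deployments), and the optional AS_FLAGS variable lets a cluster admin run the same matrix through kubectl impersonation (--as / --as-group) before the IAM user's credentials are ever handed out.

```shell
#!/usr/bin/env sh
# Added example, not from the original post.
# Expected answers: "verb resource expected", one per line. Anything beyond
# read-only on pods and pods/log must be "no"; secrets are included because
# read access to them is the most common accidental over-grant.
expectations() {
  cat <<'EOF'
get pods yes
list pods yes
watch pods yes
create pods no
delete pods no
get pods/log yes
list secrets no
get deployments.apps no
EOF
}

# Default runner: real kubectl. "pods/log" is a subresource, so it has to go
# through --subresource; "kubectl auth can-i get pods/log" would instead ask
# about a pod *named* "log". AS_FLAGS (assumed, optional) may hold e.g.
# "--as=eks-readonly --as-group=pod-log-readers" so an admin can test the
# RBAC side via impersonation; it is left unquoted on purpose so it splits.
kubectl_can_i() {
  verb="$1"; resource="$2"
  case "$resource" in
    */*) kubectl auth can-i "$verb" "${resource%/*}" --subresource="${resource#*/}" ${AS_FLAGS:-} ;;
    *)   kubectl auth can-i "$verb" "$resource" ${AS_FLAGS:-} ;;
  esac
}

# Run every expectation through the runner given as $1 and report mismatches.
# Returns the number of mismatches, so 0 means the role is exactly as intended.
# The runner is a parameter so a fake can be substituted when testing this script.
run_checks() {
  runner="${1:-kubectl_can_i}"
  failures=0
  while read -r verb resource expected; do
    [ -n "$verb" ] || continue
    # can-i exits 1 on "no"; the output is what we compare, so ignore the status.
    actual=$("$runner" "$verb" "$resource" 2>/dev/null || true)
    if [ "$actual" = "$expected" ]; then
      echo "ok    $verb $resource -> $actual"
    else
      echo "FAIL  $verb $resource -> got '${actual:-<empty>}', expected '$expected'"
      failures=$((failures + 1))
    fi
  done <<EOF
$(expectations)
EOF
  return "$failures"
}

if [ "${1:-}" = "run" ]; then
  run_checks kubectl_can_i
fi
```

Run it as `sh check-readonly.sh run` with the IAM user's kubeconfig; a non-zero exit means the user can do something the ClusterRole was not meant to allow (or is missing something it should). To check the binding before the credentials leave your hands, run the same command as an admin with `AS_FLAGS="--as=eks-readonly --as-group=pod-log-readers"`.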
If you face any issues or have any queries, you can connect with me on LinkedIn (https://www.linkedin.com/in/rajitpaul/).
Cheers!