Hi, Folks.
Our objective for today is stated in the blog post title; let's get started.
Authorization in an EKS Cluster using RBAC (Role-Based Access Control)
1. Create a manifest for a ClusterRole or a Role, as your use case requires. A Role grants permissions inside a single namespace; a ClusterRole applies across all namespaces (and to cluster-scoped resources). We use a ClusterRole here because the user needs to read pods in several namespaces. (A ClusterRole can also be bound with a RoleBinding to limit it to one namespace.)
Sample ClusterRole.yaml (read-only access to pods and pods/log)
2. Create a manifest for a ClusterRoleBinding or a RoleBinding, as required. The subject is a Kubernetes group; that group name is what aws-auth will later map the IAM user into.
Sample ClusterRoleBinding.yaml
3. Apply the ClusterRole first, then the ClusterRoleBinding, so the binding's roleRef resolves as soon as it is created.
(kubectl apply -f ClusterRole.yaml)
(kubectl apply -f ClusterRoleBinding.yaml)
4. Note the group name from the ClusterRoleBinding's subjects; we need it when mapping the IAM user during authentication.
EKS Authentication using AWS IAM
1. Create an AWS IAM user with programmatic access (an access key).
2. Create an IAM policy allowing eks:DescribeCluster (and eks:ListClusters) and attach it to the IAM user. These IAM permissions only let the user find the cluster and build a kubeconfig; what the user may do inside the cluster is decided by aws-auth and RBAC, not by IAM.
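As an added example (not the author's manifests, which are not reproduced on this page), the following script renders the read-only ClusterRole and its ClusterRoleBinding, refuses to apply a role that grants write or wildcard verbs, and applies the two files in the order described above. The names pod-log-reader and pod-readers are assumptions; override them with ROLE_NAME and GROUP_NAME.

```shell
#!/bin/sh
# Added example: read-only ClusterRole for pods and pods/log, bound to a group.
# ROLE_NAME and GROUP_NAME are assumed names, not taken from the original post.
set -eu

ROLE_NAME=${ROLE_NAME:-pod-log-reader}
GROUP_NAME=${GROUP_NAME:-pod-readers}

# ClusterRole: only read verbs, only pods and the pods/log subresource.
# Deliberately no "*" verbs and no pods/exec or pods/portforward.
render_clusterrole() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: $1
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
EOF
}

# ClusterRoleBinding: the subject is a Group. Its name is the value that
# must later appear in the aws-auth mapUsers "groups" list.
render_clusterrolebinding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $1-binding
subjects:
  - kind: Group
    name: $2
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: $1
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Guard against copy-paste mistakes: fail if the manifest grants any
# write verb or a wildcard. Returns 0 when the manifest is read-only.
reject_write_verbs() {
  if printf '%s\n' "$1" | grep -Eq '"(\*|create|update|patch|delete|deletecollection)"'; then
    return 1
  fi
  return 0
}

main() {
  render_clusterrole "$ROLE_NAME" > ClusterRole.yaml
  render_clusterrolebinding "$ROLE_NAME" "$GROUP_NAME" > ClusterRoleBinding.yaml
  reject_write_verbs "$(cat ClusterRole.yaml)" || {
    echo "ClusterRole.yaml grants write or wildcard verbs, aborting" >&2
    exit 1
  }
  # Role first, then the binding that references it.
  kubectl apply -f ClusterRole.yaml
  kubectl apply -f ClusterRoleBinding.yaml
  echo "Bound ClusterRole $ROLE_NAME to group $GROUP_NAME"
}

# Only apply when invoked as "./rbac.sh apply"; sourcing just defines functions.
if [ "${1:-}" = "apply" ]; then main; fi
```

The verb check is the part worth keeping in a pipeline: RBAC has no deny rules, so the only way a "read-only" role stays read-only is that nobody ever adds a write verb to it.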
3. Download the IAM user credentials and copy the IAM username and the IAM user ARN.
4. Open the aws-auth ConfigMap in the kube-system namespace:
(kubectl edit cm aws-auth -n kube-system)
5. Add the user ARN, username and group name as an entry in the mapUsers section of aws-auth. The groups value must match the ClusterRoleBinding subject exactly; do not put system:masters there, which grants cluster-admin regardless of the role you just created. Back up the ConfigMap before editing: a malformed aws-auth locks out every IAM identity except the one that created the cluster.
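The mapUsers entry itself is not shown on this page, so here is an added example (my script, not the author's) that builds it and patches aws-auth without discarding the mappings already present. The ARN, username and group below are assumptions; pass your own as the three arguments.

```shell
#!/bin/sh
# Added example: append one IAM user to aws-auth mapUsers safely.
# Example ARN/username/group values are assumptions, not from the original post.
set -eu

# One mapUsers entry. "username" is the name Kubernetes sees in audit logs;
# "groups" must match the subject of the ClusterRoleBinding.
mapusers_entry() {
  cat <<EOF
- userarn: $1
  username: $2
  groups:
    - $3
EOF
}

# data.mapUsers is one YAML string, so any patch replaces the whole value.
# Re-emit the existing entries first, then append the new one.
append_mapusers() {
  existing=$1
  if [ -n "$existing" ]; then
    printf '%s\n' "$existing"
  fi
  mapusers_entry "$2" "$3" "$4"
}

# Refuse to write a mapping that lands anyone in system:masters,
# which bypasses the read-only ClusterRole entirely.
refuse_masters() {
  if printf '%s\n' "$1" | grep -q 'system:masters'; then
    return 1
  fi
  return 0
}

# Strategic-merge patch for the ConfigMap, with mapUsers as a block scalar.
render_patch() {
  printf 'data:\n  mapUsers: |\n'
  printf '%s\n' "$1" | sed 's/^/    /'
}

main() {
  user_arn=$1; user_name=$2; group=$3
  # Backup first: a broken aws-auth locks out everyone except the cluster creator.
  kubectl get cm aws-auth -n kube-system -o yaml > aws-auth.backup.yaml
  current=$(kubectl get cm aws-auth -n kube-system -o jsonpath='{.data.mapUsers}')
  merged=$(append_mapusers "$current" "$user_arn" "$user_name" "$group")
  refuse_masters "$merged" || { echo "refusing to map a user into system:masters" >&2; exit 1; }
  render_patch "$merged" > aws-auth.patch.yaml
  kubectl patch cm aws-auth -n kube-system --patch-file aws-auth.patch.yaml
}

# Usage: ./map-user.sh arn:aws:iam::123456789012:user/eks-reader eks-reader pod-readers
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Keep the backup file until you have confirmed that an unrelated, previously mapped identity can still reach the cluster; that is the quickest way to catch an accidental overwrite of mapUsers.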
Set up local access to our EKS cluster and test the permissions
1. Install the latest AWS CLI locally (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
2. Install the latest kubectl (https://kubernetes.io/docs/tasks/tools/).
3. Configure the AWS CLI with the IAM user credentials created earlier (aws configure).
4. After configuring the CLI, build the kubeconfig: aws eks update-kubeconfig --name Eksclustername --region <region>
5. Next, run the following commands to test the permissions:
kubectl auth can-i create pods (Answer should be no)
kubectl auth can-i delete pods (Answer should be no)
kubectl auth can-i list pods (Answer should be yes)
kubectl auth can-i get pods/log (Answer should be yes; the log subresource only supports get, so this is the check that corresponds to kubectl logs)
You can check other resources and verbs the same way; we should only receive yes for the read-only verbs on the pods and pods/log resources. Any yes for secrets, pods/exec, or a write verb means the binding or the aws-auth mapping is wrong.
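Rather than typing the checks one by one, the following added example (mine, not the author's) encodes the expected answers for the read-only role as a matrix and runs kubectl auth can-i over it, reporting every deviation. It goes beyond the four commands above by also probing secrets, pods/exec, nodes and namespaces, which a read-only pod viewer must not touch. The cluster name and region are passed as arguments; KUBECTL can be pointed at a different binary for testing.

```shell
#!/bin/sh
# Added example: verify the mapped IAM user has exactly the intended permissions.
# The expected matrix below reflects the read-only ClusterRole; nothing here is
# taken from the original post beyond the four can-i checks it lists.
set -eu

KUBECTL=${KUBECTL:-kubectl}

# verb resource expected, one per line. pods/log supports only "get",
# so that is the check matching "kubectl logs".
EXPECTED='
get pods yes
list pods yes
watch pods yes
get pods/log yes
create pods no
delete pods no
patch pods no
get secrets no
list secrets no
create pods/exec no
get nodes no
list namespaces no
'

# Ask the API server one question. can-i exits 1 on "no", so the exit
# status is ignored and only the printed yes/no is used.
can_i() {
  "$KUBECTL" auth can-i "$1" "$2" 2>/dev/null || true
}

# Runs the whole matrix, prints each mismatch, returns the mismatch count.
verify_matrix() {
  mismatches=0
  while read -r verb resource expected; do
    [ -n "$verb" ] || continue
    got=$(can_i "$verb" "$resource")
    if [ "$got" != "$expected" ]; then
      printf 'MISMATCH %s %s: expected %s, got %s\n' "$verb" "$resource" "$expected" "$got"
      mismatches=$((mismatches + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  return "$mismatches"
}

main() {
  cluster=$1; region=$2
  # Confirm which IAM principal the CLI is using before trusting any result.
  aws sts get-caller-identity
  aws eks update-kubeconfig --name "$cluster" --region "$region"
  if verify_matrix; then
    echo "all checks match the read-only policy"
  else
    echo "$? permission checks deviate from the read-only policy" >&2
    exit 1
  fi
}

# Usage: ./verify-readonly.sh Eksclustername us-east-1
if [ "$#" -eq 2 ]; then main "$@"; fi
```

A non-zero exit means either the ClusterRole grants more than intended or the IAM user was mapped into the wrong group; check the aws-auth entry first, since a typo in the group name silently yields "no" for everything, and system:masters silently yields "yes" for everything.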
If you face any issues or have any queries you can connect with me on Linkedin(https://www.linkedin.com/in/rajitpaul/).