Rajit Paul
Read-Only Access to specific resources in AWS EKS Cluster via EKS Authentication & Authorization

Hi, Folks.
Our objective for today is stated in the blog post header: give an IAM identity read-only access to a specific set of resources in an EKS cluster, with authentication handled by AWS IAM and authorization handled by Kubernetes RBAC. Let's get started.

Authorization in the EKS cluster using RBAC (Role-Based Access Control)

1. Create a manifest for a ClusterRole or a Role, as your use case requires. A ClusterRole is cluster-scoped and applies in every namespace; a Role is scoped to a single namespace. We use a ClusterRole here because we need to read pods across several namespaces. Grant only the read verbs (get, list, watch) and avoid wildcards, otherwise the "read-only" role is not read-only.


Sample ClusterRole.yaml (read-only on pods and pods/log)

2. Create a manifest for a ClusterRoleBinding or RoleBinding as required. Bind the role to a Group subject rather than to an individual user: aws-auth maps IAM identities onto Kubernetes groups, so the group name is what ties the two halves together.


Sample ClusterRoleBinding.yaml


3. Apply the ClusterRole, then the ClusterRoleBinding.

(kubectl apply -f ClusterRole.yaml)

(kubectl apply -f ClusterRoleBinding.yaml)


4. Note the group name from the ClusterRoleBinding subjects; we will need it when mapping the IAM user during authentication.

EKS Authentication using AWS IAM.

1. Create an AWS IAM user with programmatic access (an access key). Long-lived access keys are the weakest part of this setup; where you can, attach the permissions to an IAM role that the user assumes and map that role under mapRoles instead of mapping the user directly.
2. Create an IAM policy with EKS read-only permissions and attach it to the IAM user. The only EKS API call this flow actually needs is eks:DescribeCluster, which aws eks update-kubeconfig uses to fetch the cluster endpoint and CA certificate. IAM grants nothing inside the cluster; every Kubernetes permission comes from the RBAC binding above.
3. Download the IAM user credentials and copy the IAM username and the IAM user ARN.
4. Open the aws-auth ConfigMap in the kube-system namespace.


(kubectl edit cm aws-auth -n kube-system)


5. Add the user ARN, a Kubernetes username and the group name to the mapUsers section of the aws-auth ConfigMap. The groups value must match the Group subject in the ClusterRoleBinding exactly; the username is what the Kubernetes audit log shows for this identity, so keep it unique and do not use the reserved system: prefix. Back up the ConfigMap first (kubectl get cm aws-auth -n kube-system -o yaml > aws-auth.bak): a malformed aws-auth can lock every mapped identity out of the cluster, leaving only the IAM identity that created it.


Sample mapUsers syntax
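The three files the two procedures above call for, written out as an added example rather than the author's own samples: the ClusterRole and ClusterRoleBinding from the RBAC section, plus the mapUsers entry for aws-auth. The role name eks-pod-reader, the group eks-readonly-viewers, the Kubernetes username and the account id in the ARN are placeholders to replace with your own values. The readonly_verbs_only function is a small guardrail that refuses a role manifest granting any mutating or wildcard verb; it is a pattern match on the file, not a full RBAC parser, so it is a pre-apply sanity check and not a substitute for the can-i tests later in the post.

```shell
#!/usr/bin/env bash
# Added example: writes the manifests this walkthrough needs and checks that
# the ClusterRole really is read-only before anything is applied.
# All names below are placeholders; substitute your own.

OUT_DIR="${OUT_DIR:-./eks-readonly}"
GROUP_NAME="eks-readonly-viewers"                           # must match in ClusterRoleBinding and mapUsers
IAM_USER_ARN="arn:aws:iam::123456789012:user/eks-readonly"  # placeholder ARN
K8S_USERNAME="eks-readonly"                                 # username shown in the Kubernetes audit log

write_manifests() {
  local dir="$1"
  mkdir -p "$dir"

  # ClusterRole: read-only on pods and pod logs in every namespace.
  cat > "$dir/ClusterRole.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eks-pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
EOF

  # ClusterRoleBinding: grant the ClusterRole to a group, not a user,
  # so aws-auth can map IAM identities onto that group.
  cat > "$dir/ClusterRoleBinding.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-pod-reader-binding
subjects:
  - kind: Group
    name: ${GROUP_NAME}
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: eks-pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF

  # mapUsers entry to paste under data.mapUsers in:
  #   kubectl edit cm aws-auth -n kube-system
  cat > "$dir/aws-auth-mapUsers.yaml" <<EOF
- userarn: ${IAM_USER_ARN}
  username: ${K8S_USERNAME}
  groups:
    - ${GROUP_NAME}
EOF
}

# Refuse a (Cluster)Role manifest that grants a mutating verb or a wildcard.
# Returns 0 when the file only contains read verbs, 1 otherwise.
readonly_verbs_only() {
  local file="$1"
  if grep -Ewq '(create|update|patch|delete|deletecollection|impersonate|escalate|bind)' "$file"; then
    echo "mutating verb found in $file" >&2
    return 1
  fi
  if grep -q -e '"\*"' -e "'\\*'" "$file"; then
    echo "wildcard verb or resource found in $file" >&2
    return 1
  fi
  return 0
}

write_manifests "$OUT_DIR"
readonly_verbs_only "$OUT_DIR/ClusterRole.yaml" && echo "manifests written to $OUT_DIR"
```

Apply the two RBAC files with kubectl apply -f as in the steps above; the mapUsers file is not applied directly but pasted into the aws-auth ConfigMap under data.mapUsers.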

Set up local access to our EKS cluster and test the permissions.


1. Install the latest AWS CLI locally (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
2. Install the latest kubectl (https://kubernetes.io/docs/tasks/tools/).
3. Configure the AWS CLI with the IAM user credentials created earlier (aws configure).
4. After configuring the AWS CLI, generate a kubeconfig for the cluster: aws eks update-kubeconfig --name Eksclustername
5. Next, run the following commands to test the permissions:


kubectl auth can-i create pods (Answer should be no)


kubectl auth can-i delete pods (Answer should be no)


kubectl auth can-i list pods (Answer should be yes)


kubectl auth can-i list pods/log (Answer should be yes)


Check other resources and verbs the same way: the answer should be yes only for the read verbs (get, list, watch) on pods and pods/log, and no for everything else, including subresources such as pods/exec and unrelated resources such as secrets. Note that kubectl logs needs the get verb on pods/log, so also confirm that kubectl auth can-i get pods/log returns yes. kubectl auth can-i --list prints everything the current identity is allowed to do, which is the quickest way to spot an over-broad binding.
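The same can-i checks as a matrix, added here as an example and not part of the original post: each row states the expected answer, and both the expected "yes" and the expected "no" rows are checked, so an over-broad role is caught as readily as a missing permission. It assumes kubectl is on the path and the current kubeconfig is the one generated for the mapped IAM user. The positive rows follow the ClusterRole described above (get/list/watch on pods and pods/log); the negative rows (pods/exec, secrets, deployments.apps) are my additions.

```shell
#!/usr/bin/env bash
# Added example: run the kubectl auth can-i checks as a matrix and report every
# mismatch, rather than eyeballing one command at a time.

# Ask the API server one question. Prints "yes" or "no", or "error" when kubectl
# failed for a reason other than a denial (no kubeconfig, wrong context, ...).
# kubectl auth can-i exits 1 on "no", so the exit code alone is not enough.
can_i() {
  local verb="$1" resource="$2" out
  out="$(kubectl auth can-i "$verb" "$resource" 2>/dev/null)" || true
  case "$out" in
    yes|no) printf '%s\n' "$out" ;;
    *)      printf 'error\n' ;;
  esac
}

# Compare one expectation with the live answer; returns 0 on match, 1 on mismatch.
expect_can_i() {
  local verb="$1" resource="$2" expected="$3" actual
  actual="$(can_i "$verb" "$resource")"
  if [ "$actual" = "$expected" ]; then
    printf 'ok    %-18s %-8s -> %s\n' "$resource" "$verb" "$actual"
    return 0
  fi
  printf 'FAIL  %-18s %-8s -> %s (expected %s)\n' "$resource" "$verb" "$actual" "$expected"
  return 1
}

# Expected matrix for a role limited to get/list/watch on pods and pods/log.
# The "no" rows matter as much as the "yes" rows: pods/exec would give a shell
# in any pod, and secrets must stay out of reach of a log reader.
# Returns the number of mismatches (0 means the role behaves as intended).
run_checks() {
  local failures=0 verb resource expected
  while read -r verb resource expected; do
    [ -z "$verb" ] && continue
    expect_can_i "$verb" "$resource" "$expected" || failures=$((failures + 1))
  done <<EOF
get      pods              yes
list     pods              yes
watch    pods              yes
get      pods/log          yes
create   pods              no
delete   pods              no
create   pods/exec         no
get      secrets           no
list     deployments.apps  no
EOF
  return "$failures"
}

# Only talk to a cluster when kubectl is actually installed.
if command -v kubectl >/dev/null 2>&1; then
  run_checks
fi
```

Run it with the read-only user's kubeconfig active; a non-zero exit code is the number of rows that did not match, which makes it easy to wire into a post-deployment check.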


If you face any issues or have any queries you can connect with me on Linkedin(https://www.linkedin.com/in/rajitpaul/).
Cheers!
