DEV Community

Rajit Paul
Rajit Paul

Posted on

Read-Only Access to specific resources in AWS EKS Cluster via EKS Authentication & Authorization

#aws #kubernetes #security

Hi, Folks.
Our objective for today is stated on the blog post header, let's get started.

Authorization in EKS Cluster using RBAC(Role Based Access Control)

  1. Create a manifest for ClusterRole or Role as required in your use case. (ClusterRole is implied across all namespaces, Role is for specific namespace, we shall be using ClusterRole in this use-case as we need to access resources across different namespaces).


Sample ClusterRole.yaml (Read only pods & pod/logs)

  1. Create a manifest for ClusterRoleBinding or RoleBinding as required.


Sample ClusterRoleBinding.yaml


3. Apply the ClusterRole and then the ClusterRole Binding.

(kubectl apply -f ClusterRole.yaml)

(kubectl apply -f ClusterRoleBinding.yaml)


4. Please Note the groupname from ClusterRoleBinding we shall be requiring it while mapping the user during authentication.

EKS Authentication using AWS IAM.

  1. Create an AWS IAM User with Programmatic Access.
  2. Create an IAM policy with EKS Read-Only Permission and assign it to the IAM user.
  3. Download the IAM User creds, copy the IAM username and IAM user ARN.
  4. Go to aws-auth configmap in kube-system namespace.


(kubectl edit cm aws-auth -n kube-system)


5. Enter the userARN, username and groupname in mapUsers section in aws-auth configmap.


Sample mapUsers syntax

Setup local access to our EKS Cluster and test the permissions.


1. Install AWS CLI Latest Version locally (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

  1. Install Kubectl latest version (https://kubernetes.io/docs/tasks/tools/).
  2. Configure AWS-CLI with the previously created IAM user creds (aws configure)
  3. Run after configuring aws-cli: aws eks update-kubeconfig --name Eksclustername
  4. Next, run following commands to test permission:


kubectl auth can-i create pods (Answer should be no)


kubectl auth can-i delete pods (Answer should be no)


kubectl auth can-i list pods (Answer should be yes)


kubectl auth can-i list pods/log (Answer should be yes)


Accordingly you can check with differnt resources and verbs, we should only be receiving yes for readonly verbs for pods and pods/log resources.


If you face any issues or have any queries you can connect with me on Linkedin(https://www.linkedin.com/in/rajitpaul/).
Cheers!

Top comments (0)

Read next

nr18 profile image

Compliant infrastructure using infrastructure as code

Joris Conijn -

gwettlaufer profile image

Back on the grind

George Wettlaufer -

karadza profile image

How Telemetry Saved my Open-Source Platform

Juraj -

ehienabs profile image

Deploying Amazon Managed Service for Apache Kafka (Amazon MSK) with CloudFormation

Ehi Enabs -