I want to manage user permissions for my AWS Identity and Access Management (IAM) users across namespaces in my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.
Short description
To manage user permissions across namespaces in an Amazon EKS cluster, complete the following steps:
- Create an IAM role for the members of your organization to assume.
- Create a Kubernetes role-based access control (RBAC) role (Role) and role binding (RoleBinding) for your cluster. For more information, see Using RBAC authorization on the Kubernetes website.
- Use the aws-auth ConfigMap to map the IAM roles to the RBAC roles and groups.
Note: When an IAM user or role creates a cluster, only this IAM identity's ARN is added to the aws-auth ConfigMap and has system:masters permissions. This means that only the cluster creator can add more users or roles to the aws-auth ConfigMap.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Create an IAM role that members of your organization can assume
Create an IAM role to give members of your organization access to a namespace:
- Create a role to delegate permissions to an IAM user.
- To verify that a user has permission to assume the IAM role, configure the AWS CLI. Then, run the following command from that user's workstation:
$ aws sts assume-role --role-arn arn:aws:iam::yourAccountID:role/yourIAMRoleName --role-session-name abcde
{
    "Credentials": {
        "AccessKeyId": "yourAccessKeyId",
        "SecretAccessKey": "yourSecretAccessKey",
        "SessionToken": "yourSessionToken",
        "Expiration": "2020-01-30T01:57:17Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "yourAssumedRoleId",
        "Arn": "arn:aws:iam::yourAccountID:role/yourIAMRoleName"
    }
}
Note: Replace yourAccessKeyId, yourSecretAccessKey, yourSessionToken, yourAssumedRoleId, yourAccountID, and yourIAMRoleName with your values.
- Update the kubeconfig file to configure the IAM user's kubectl to always use the role when it accesses the Kubernetes API:
$ aws eks update-kubeconfig --name yourClusterName --role-arn arn:aws:iam::yourAccountID:role/yourIAMRoleName
Note: Replace yourClusterName, yourAccountID, and yourIAMRoleName with your values.
Create a Kubernetes RBAC role and role binding for your cluster
Important: You must complete the following steps from a workstation that's configured to access Kubernetes. You must be a cluster creator or an IAM identity that already has access through the aws-auth ConfigMap. The IAM role doesn't have access to the cluster yet.
You can bind a cluster role (ClusterRole) to a role binding (RoleBinding). An RBAC role and role binding are namespaced Kubernetes resources, so the permissions that they grant apply only within that namespace. However, you can't bind a role (Role) to a cluster role binding (ClusterRoleBinding).
- Run the following command to list all built-in cluster roles. A built-in cluster role such as admin can be bound to a role binding for the namespace:
$ kubectl get clusterrole
- Run the following command to see the permissions that are associated with the cluster role admin:
$ kubectl describe clusterrole admin
- Create a namespace that's named test to grant access to the IAM users as part of the IAM group:
Note: If you choose a different name, then replace the values for the namespace parameter in the following steps. To use an existing namespace, proceed to step 4.
$ kubectl create namespace test
- To create a Kubernetes RBAC role, copy the following code into a new YAML file (for example, role.yaml):
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: k8s-test-role
  namespace: test          # a Role is namespaced: it grants nothing outside this namespace
rules:
  - apiGroups:
      - ""                 # core API group (pods, secrets, configmaps, services, events)
      - "apps"
      - "batch"
      - "extensions"
    resources:
      - "configmaps"
      - "cronjobs"
      - "deployments"
      - "events"
      - "ingresses"
      - "jobs"
      - "pods"
      - "pods/attach"
      - "pods/exec"
      - "pods/log"
      - "pods/portforward"
      - "secrets"
      - "services"
    verbs:
      - "create"
      - "delete"
      - "describe"         # not a Kubernetes API verb; kubectl describe only needs get and list
      - "get"
      - "list"
      - "patch"
      - "update"
Note: The Kubernetes RBAC role allows users to perform all the actions in the verbs section.
- Run the following command to create the RBAC role:
$ kubectl apply -f role.yaml
- Create a Kubernetes role binding. Copy the following code into a new YAML file (for example, rolebinding.yaml):
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: k8s-test-rolebinding
  namespace: test          # must match the namespace of the Role in roleRef
subjects:
  - kind: User
    name: k8s-test-user    # the username that aws-auth maps the IAM role to
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: k8s-test-role
  apiGroup: rbac.authorization.k8s.io
Note: The role binding is a namespaced resource that binds the RBAC role in the roleRef section to the user in the subjects section. You don't need to create the k8s-test-user user because Kubernetes doesn't have a user resource type.
- Run the following command to create the RBAC role binding:
$ kubectl apply -f rolebinding.yaml
Use the aws-auth ConfigMap to map the IAM role to the RBAC role and group
Run the following command to associate the yourIAMRoleName IAM role with the k8s-test-user Kubernetes user:
$ eksctl create iamidentitymapping --cluster yourClusterName --arn arn:aws:iam::yourAccountID:role/yourIAMRoleName --username k8s-test-user
Note: Replace yourClusterName, yourAccountID, and yourIAMRoleName with your values.
Test the access to the namespace
- Run the following command to test access to the test namespace:
$ kubectl create job hello -n test --image=busybox -- echo "Hello World"
Note: The preceding command is authorized by the k8s-test-role RBAC role that you created, which grants the create verb on jobs in the test namespace.
- Run the following commands to check the pod and job in the test namespace:
$ kubectl get job -n test
NAME    COMPLETIONS   DURATION   AGE
hello   1/1           4s         15s
$ kubectl get pods -n test
NAME          READY   STATUS      RESTARTS   AGE
hello-tpjmf   0/1     Completed   0          2m34s
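The job above proves that the mapped IAM role can act inside the test namespace, but it doesn't prove that the role is confined there. The following script is an added example and is not part of the AWS article: run from a workstation that already has cluster-admin access (the cluster creator or an identity in the aws-auth ConfigMap, whose system:masters group includes the impersonate permission), it uses kubectl auth can-i --as=k8s-test-user to evaluate a table of actions that the Role, RoleBinding and aws-auth mapping from the preceding sections should allow in test and deny everywhere else. The names k8s-test-user and test come from the steps above; the KUBECTL, USER_NAME and NS variables, the can_i and check_scope function names and the expectation table itself are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the AWS article): confirm that the namespace-scoped
# grant for k8s-test-user is really confined to the "test" namespace.
# The script never assumes the IAM role; it impersonates the mapped Kubernetes
# user from a cluster-admin session (kubectl auth can-i --as=<user>).
KUBECTL="${KUBECTL:-kubectl}"             # assumed: can be pointed at a stub for offline runs
USER_NAME="${USER_NAME:-k8s-test-user}"   # username assigned by the aws-auth mapping
NS="${NS:-test}"                          # namespace that holds the Role and RoleBinding

# can_i VERB RESOURCE [NAMESPACE]: prints "yes" or "no". Without a namespace
# the question is asked for a cluster-scoped resource. kubectl exits 1 when
# the answer is "no", so that status is swallowed to keep set -e callers alive.
can_i() {
  if [ -n "${3:-}" ]; then
    "$KUBECTL" auth can-i "$1" "$2" --as="$USER_NAME" -n "$3" 2>/dev/null || true
  else
    "$KUBECTL" auth can-i "$1" "$2" --as="$USER_NAME" 2>/dev/null || true
  fi
}

# check_scope: evaluates the expectation table below (assumed for this example),
# prints one PASS/FAIL line per row and returns the number of mismatches, so a
# return of 0 means the user can act only inside $NS and nowhere else.
# Row format: expected verb resource namespace   ("-" = cluster scope)
check_scope() {
  failures=0
  while read -r expected verb resource ns; do
    if [ "$ns" = "-" ]; then
      actual=$(can_i "$verb" "$resource"); where="cluster-scope"
    else
      actual=$(can_i "$verb" "$resource" "$ns"); where="ns=$ns"
    fi
    if [ "$actual" = "$expected" ]; then
      printf 'PASS %-6s %-20s %-16s -> %s\n' "$verb" "$resource" "$where" "$actual"
    else
      printf 'FAIL %-6s %-20s %-16s -> %s (expected %s)\n' \
        "$verb" "$resource" "$where" "${actual:-<no answer>}" "$expected"
      failures=$((failures + 1))
    fi
  done <<EOF
yes create jobs $NS
yes get pods $NS
yes create pods/exec $NS
yes list secrets $NS
no create jobs default
no get pods kube-system
no list secrets kube-system
no list nodes -
no list namespaces -
no create clusterrolebindings -
EOF
  return "$failures"
}

# Usage against a real cluster: source this file, then run
#   check_scope || echo "grant is not confined to the namespace"
```

A FAIL line on one of the "no" rows means the user holds permissions the steps above never intended, typically because the same IAM role is also mapped to a group in aws-auth or a second binding exists for the user; kubectl auth can-i --list -n test --as=k8s-test-user prints the complete set of permissions the user holds in the namespace so you can trace the extra grant.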