CODEWITHSUNDEEP
kubernetesrbacamazon-eks
Josh Woodcock
Josh Woodcock

Reputation: 2803

How to set an IAM user to have specific rights in Kubernetes Cluster on AWS.

I want to allow a user to do things in the Kubernetes cluster for EKS for example: apply deployment, create secrets, create volumes etc. I'm not sure which role to use for that. I don't want to allow users: to create clusters, delete clusters, list cluster only perform the Kubernetes operations within the cluster.

As far as I know the permissions to the cluster are performed with Heptio authenticator. I believe I am missing something here but can't figure out what.

Upvotes: 0

Views: 1061

Answers (2)

nicor88
nicor88

Reputation: 1553

This link is the right one to add an AWS IAM user or AWS Role to a given K8S Role.

Let's say that you wanted to create a new K8S Role to only have read permission, called pod-reader

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

After creating the role, you need to give the permission to your IAM user to assume that role. This is easily doable doing:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    - userarn: arn:aws:iam::270870090353:user/franziska_adler
      username: iam_user_name
      groups:
        - pod-reader

More information about K8S RBAC Authorization here

Upvotes: 2

Josh Woodcock
Josh Woodcock

Reputation: 2803

Looks like you have to manually add the users in the config map under the 'mapUsers' item and then run kubectl apply config-map.yml according the aws documentation in section 3. "Add your IAM users, roles, or AWS accounts to the configMap."

https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

Upvotes: 0

Related Questions