You can take advantage of IAM's authentication mechanism when adding a new user to your EKS cluster.
Because, signing in to an EKS cluster via a client certificate is not possible (source).
Imagine you need two different user groups; developers , admins
Users in the group developers can see only pods and their logs
Users in the group admins can do everything in the cluster
Let’s create a role:
Go to the IAM Roles Page and click Create Role:
Select AWS Account:
Select “This account” (select “Another AWS account”, if you need to connect to another account)
Then click next. You will see the “Add Permissions” page. Do not select any permissions and click Next.
Role name: developers
Click “Create role”.
The role developers has been created. Permissions and Trust relationships should look like this:
Follow the same steps for the role admins
Why didn't we add any permissions to the role?
EKS uses IAM for authentication purpose. Kubernetes already has a built-in authorization mechanism called RBAC. Therefore, we do not need to add any permissions to the role.
(What is the difference between authentication and authorization?)
Create the roles in the cluster
00-cluster-role.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: developers-role
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["list", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: admins-role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]We will replicate the roles created on IAM in the cluster. The roles we will create in the cluster will have the necessary permissions.
Apply:
➜ ~ kubectl apply -f 00-cluster-role.yaml
clusterrole.rbac.authorization.k8s.io/developers-role created
clusterrole.rbac.authorization.k8s.io/admins-role created01-cluster-role-binding.yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: developers-role-binding
subjects:
- kind: User
name: developers
roleRef:
kind: ClusterRole
name: developers-role
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: admins-role-binding
subjects:
- kind: User
name: admins
roleRef:
kind: ClusterRole
name: admins-role
apiGroup: rbac.authorization.k8s.ioApply:
➜ ~ kubectl apply -f 01-cluster-role-binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/developers-role-binding created
clusterrolebinding.rbac.authorization.k8s.io/admins-role-binding createdThe resources should be like this:
Since the users will not use a username/password pair when logging into EKS Cluster, we will create dummy users in the 01-cluster-role-binding.yaml file; admins and developers
Next, we will link the IAM Roles to these dummy users.
Link IAM Role developers to dummy user developers:
eksctl create iamidentitymapping --cluster YOUR_CLUSTER_NAME --arn arn:aws:iam::ACCOUNT_ID:role/developers --username developersLink IAM Role admins to user admins:
eksctl create iamidentitymapping --cluster YOUR_CLUSTER_NAME --arn arn:aws:iam::ACCOUNT_ID:role/admins --username adminsOr you can change the config map manually:
kubectl edit configmaps aws-auth -n kube-systemYou can manually change the config as follows:
The configmap/aws-auth should be like this:
- We created IAM Roles
- We created ClusterRoles to have the correct permissions
- We created ClusterRoleBinds to link ClusterRoles to dummy users. Thus, dummy users can have the necessary permissions.
- We linked IAM Roles to the dummy users.
We can now create user accounts via IAM. We will create one account for the developers and one account for the admins: developer-mike, admin-oliver
Go to the IAM Users Page and click Create user:
Add user developer-mike:
Then click Next. Select “Attach policies directly”:
After that, click “Create policy”:
Another page will automatically open. The new window is the Policy creation page. Keep the “Set permissions” page open. On the “Specify permissions” page, click JSON:
Add this JSON (don’t forget to replace YOUR_ACCOUNT_ID keyword):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeOrganizationAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/developers"
}
]
}
Click next. Add the policy name on the next screen:
Click “Create policy”. The developers-policy created:
Close this page and return to the “Set permissions” page in the Create user section. First, refresh the Permissions policies, click on Customer managed policies, and select the developers-policy. Click Next.
On the next page, click Create User. The user developer-mike is created.
The user overview page should look like this:
Follow the same steps for admin-oliver.
In the JSON, the resource must be role/admins .
Create an access token for the user
On the user overview page, click Security credentials:
On the security credentials page, click “Create access key”
On the next page, select the “Command Line Interface (CLI)” button. Then Click next. On the next page, click the Create access key.
Save the generated access key and Secret access key.
Follow the same steps for admin-oliver.
After this step, don’t use your computer. Use a virtual machine, another computer, etc, to simulate the developer machine.
Go back to your computer and run this command:
kubectl config view --flatten --minifyThis command will print your Kube config. Copy the config to the new machine’s kube config path (e.g.: ~/.kube/config)
In the new machine, make sure that you have kubectl , aws andaws-iam-authenticator commands.
Create an AWS Profile with the credentials you have just created:
If you need to have more than one AWS profile, you may need to add the correct AWS profile into the Kube config:
To refresh the variables, exit from the terminal and reconnect to the virtual machine.
Let’s try to list the pods:
I see that I have the developers role, and I can list the pods.
Let’s try to create a new deployment:
We did not enable the “create deployment” permission for developers in the
00-cluster-role.yaml file.
You can follow the same steps for the admin-olivier user
Notes:
- Most of the steps can also be performed via AWS Cli
- You may want to create an IAM Group and set the Policy in the Group. You can then create a new user and add the user to the relevant Group. This way, you don’t need to deal with policies when creating a new user.
