AWS eks add IAM user role

Posted by phpbeginer on Fri, 03 Dec 2021 16:44:47 +0100

Author: SRE operation and maintenance blog

Blog address: https://www.cnsre.cn/

Article address: https://www.cnsre.cn/posts/211203931498/

Related topics: https://www.cnsre.cn/tags/aws/

When you create an Amazon EKS cluster, the IAM user or role that creates it is automatically granted system:masters permissions in the cluster's RBAC configuration. That creating identity can also be a federated user. If you open the Amazon EKS console with an IAM user or role that is not in the aws-auth ConfigMap, you cannot see the Kubernetes workloads, and the cluster overview details are hidden as well. To let other AWS users or roles interact with the cluster, you must therefore edit the aws-auth ConfigMap in Kubernetes.

Different departments have different roles and want permissions assigned per role. The following is a record of adding an IAM user with read-only permission to EKS.

{{< notice info "note:" >}}
If you encounter an error while running AWS Command Line Interface (AWS CLI) commands, make sure you are using the latest version of the AWS CLI.

{{< /notice >}}

Configure permissions for IAM users or roles

  • To find the cluster creator or administrator role with primary cluster configuration permissions, search AWS CloudTrail for the CreateCluster API call and check the userIdentity section of that event.
  • Identify IAM users or roles that require permissions.
  • Verify that the identified IAM user or role has permission to view all cluster nodes and workloads in the AWS management console.

Map IAM users or roles to RBAC roles and groups using the aws-auth ConfigMap

{{< notice info "important note:" >}}
Before connecting to the Amazon EKS API server, install and configure the latest version of the AWS CLI.
{{< /notice >}}

Get the identity of the AWS CLI user or role:

aws sts get-caller-identity

The output returns the Amazon resource name (ARN) of the IAM user or role. For example:

{
    "UserId": "XXXXXXXXXXXXXXXXXXXXX",
    "Account": "XXXXXXXXXXXX",
    "Arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
}

Verify that the ARN matches the cluster creator or administrator who has access to the primary cluster configuration. If the ARN does not match, contact the cluster creator or administrator to update the aws-auth ConfigMap.

Add IAM users with read-only access to EKS clusters

{{< notice info "note:" >}}
To allow superuser access to perform any action on any resource, add system:masters instead of system:bootstrappers and system:nodes. For more information, see Default roles and role bindings on the Kubernetes website.
{{< /notice >}}

Create rbac.yaml

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: reader
rules:
- apiGroups: ["*"]
  resources: ["deployments", "configmaps", "pods", "secrets", "services"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: reader
subjects:
- kind: Group
  name: reader
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: reader
  apiGroup: rbac.authorization.k8s.io

To add an IAM user or role, add it to the matching section of the aws-auth ConfigMap (mapUsers for IAM users, mapRoles for IAM roles).

For an IAM user, add an entry to mapUsers:

...
  mapUsers: |
    - userarn: arn:aws:iam::424432388155:user/developer
      username: developer
      groups: 
      - reader
...
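The mapUsers entry above is written by hand. As an added example (not from the original post), the POSIX shell functions below render such an entry from an ARN and a list of Kubernetes groups, and refuse two ARN shapes that aws-auth does not match: role ARNs that contain a path (aws-auth expects arn:aws:iam::ACCOUNT:role/NAME) and STS assumed-role ARNs. The account id is the one used in the post; the path `team/` in the rejected sample is a constructed value.

```shell
#!/bin/sh
# Added example, not from the original post: build an aws-auth entry and
# reject ARN shapes that aws-auth does not match.

# arn_kind ARN -> prints "user" or "role" for a plain IAM user/role ARN and
# returns 1 for anything else. Role ARNs with a path
# (arn:aws:iam::ACCOUNT:role/some/path/name) and STS assumed-role ARNs are
# rejected because mapRoles only matches arn:aws:iam::ACCOUNT:role/NAME.
arn_kind() {
  case "$1" in
    arn:aws:iam::[0-9]*:user/*)   printf 'user\n' ;;
    arn:aws:iam::[0-9]*:role/*/*) return 1 ;;
    arn:aws:iam::[0-9]*:role/*)   printf 'role\n' ;;
    *)                            return 1 ;;
  esac
}

# render_map_entry ARN USERNAME GROUP... -> prints one YAML list item for the
# mapUsers (user ARN) or mapRoles (role ARN) section of aws-auth.
render_map_entry() {
  arn=$1; username=$2; shift 2
  kind=$(arn_kind "$arn") || { echo "refusing ARN that aws-auth cannot match: $arn" >&2; return 1; }
  [ $# -gt 0 ] || { echo "at least one group is required" >&2; return 1; }
  if [ "$kind" = user ]; then key=userarn; else key=rolearn; fi
  printf '%s %s: %s\n' '-' "$key" "$arn"
  printf '  username: %s\n' "$username"
  printf '  groups:\n'
  for g in "$@"; do printf '  - %s\n' "$g"; done
}

# Demo with the account id used in the post.
render_map_entry arn:aws:iam::424432388155:user/developer developer reader
render_map_entry arn:aws:iam::424432388155:role/eks-admin eks-admin system:masters
# Constructed path-qualified role ARN: rejected on purpose.
if ! render_map_entry arn:aws:iam::424432388155:role/team/eks-admin eks-admin system:masters 2>/dev/null; then
  echo 'path-qualified role ARN rejected as expected' >&2
fi
```

Paste the rendered item under mapUsers or mapRoles in `kubectl edit -n kube-system configmap/aws-auth`. One caveat on the `reader` group this entry points at: the ClusterRole in rbac.yaml grants get, list and watch on secrets in every namespace, so a "read-only" developer can still read every Secret's contents; drop `secrets` from the resources list unless that is intended.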

Create RBAC

kubectl apply -f rbac.yaml

Create an AmazonEKSDeveloperPolicy IAM policy that allows the user to view the nodes and workloads of all clusters in the AWS Management Console:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:AccessKubernetesApi",
                "ssm:GetParameter",
                "eks:ListUpdates",
                "eks:ListFargateProfiles"
            ],
            "Resource": "*"
        }
    ]
}
  • Create the eks-developer IAM group and attach the AmazonEKSDeveloperPolicy policy
  • Create the developer user
  • Add a developer profile: aws configure --profile developer
  • Add the developer user ARN to the aws-auth ConfigMap:
kubectl edit -n kube-system configmap/aws-auth
...
  mapUsers: |
    - userarn: arn:aws:iam::424432388155:user/developer
      username: developer
      groups: 
      - reader
...
  • Configure the kubectl context for the developer user:
aws eks --region us-east-1 update-kubeconfig --name eks --profile developer
  • Check the kubeconfig:
kubectl config view --minify
  • Check permissions:
kubectl auth can-i get pods
kubectl auth can-i create pods
kubectl run nginx --image=nginx

Create an IAM role with administrator access and let IAM users assume this role.

  • Create an AmazonEKSAdminPolicy policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "eks.amazonaws.com"
                }
            }
        }
    ]
}
  • Create the eks-admin role and attach the AmazonEKSAdminPolicy policy
  • Describe the eks-admin role:
aws iam get-role --profile terraform --role-name eks-admin
  • Create an AmazonEKSAssumePolicy policy that allows assuming the role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::424432388155:role/eks-admin"
        }
    ]
}
  • Create a manager user that will use the eks-admin role
  • Add a manager profile: aws configure --profile manager
  • Check whether the manager user can assume the eks-admin role:
aws sts assume-role --role-arn arn:aws:iam::424432388155:role/eks-admin --role-session-name manager-session --profile manager
  • Update the kubeconfig as the user who created the EKS cluster:
aws eks --region us-east-1 update-kubeconfig --name eks --profile terraform
  • Add the eks-admin role ARN to the aws-auth ConfigMap:
kubectl edit -n kube-system configmap/aws-auth
...
- rolearn: arn:aws:iam::424432388155:role/eks-admin
  username: eks-admin
  groups:
  - system:masters
...
  • Create an eks-admin profile that assumes the role (vim ~/.aws/config):
[profile eks-admin]
role_arn = arn:aws:iam::424432388155:role/eks-admin
source_profile = manager
  • Configure the kubectl context for the manager user so that it automatically assumes the eks-admin role:
aws eks --region us-east-1 update-kubeconfig --name eks --profile eks-admin
  • Check the kubeconfig:
kubectl config view --minify
  • Check that the manager has administrator access to the EKS cluster:
kubectl auth can-i "*" "*"
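Two verification steps in this post are done by eye: comparing the `aws sts get-caller-identity` ARN with the cluster creator, and checking that the manager, after assuming eks-admin, lands in system:masters. This added example (not part of the original post) scripts both. It reads an aws-auth ConfigMap, here a constructed sample that stands in for `kubectl get -n kube-system configmap/aws-auth -o yaml`, converts an STS assumed-role ARN (what get-caller-identity reports for an assumed role) into the IAM role ARN that mapRoles lists, and prints the Kubernetes groups that identity receives. It assumes entries are YAML list items as shown on the page and that group names never contain "colon space"; the node-group role name is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: which aws-auth entry does an
# identity match, and which Kubernetes groups does it get?

# Constructed stand-in for: kubectl get -n kube-system configmap/aws-auth -o yaml
SAMPLE_AWS_AUTH=$(cat <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::424432388155:role/eks-node-group
      username: system:node:{{EC2PrivateDNSName}}
      groups:
      - system:bootstrappers
      - system:nodes
    - rolearn: arn:aws:iam::424432388155:role/eks-admin
      username: eks-admin
      groups:
      - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::424432388155:user/developer
      username: developer
      groups:
      - reader
EOF
)

# get-caller-identity reports an assumed role as
# arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION, while aws-auth lists
# arn:aws:iam::ACCOUNT:role/ROLE. Rewrite the former to the latter; any other
# ARN passes through unchanged.
normalize_arn() {
  printf '%s\n' "$1" | sed -E 's#^arn:aws:sts::([0-9]+):assumed-role/([^/]+)/.*$#arn:aws:iam::\1:role/\2#'
}

# aws_auth_groups ARN < aws-auth.yaml -> prints the groups mapped to ARN, one
# per line (nothing if the ARN is not mapped). Handles entries whose first key
# is rolearn/userarn (as on this page) or groups (as eksctl writes them).
aws_auth_groups() {
  target=$(normalize_arn "$1")
  awk -v target="$target" '
    function flush(  i) {
      if (arn == target) for (i = 1; i <= n; i++) print groups[i]
      n = 0; arn = ""
    }
    # A list item whose first token is "key:" starts a new entry; strip the
    # dash so the line is then handled like any other key line.
    /^ *- [A-Za-z]+:( |$)/   { flush(); sub(/^ *- /, "") }
    /^ *(rolearn|userarn): / { arn = $NF; next }
    /^ *- /                  { groups[++n] = $2 }
    END                      { flush() }
  '
}

# has_group ARN GROUP < aws-auth.yaml -> exit 0 if ARN is mapped to GROUP.
has_group() {
  aws_auth_groups "$1" | grep -qx "$2"
}

# Demo: the manager's assumed-role session resolves to the eks-admin entry.
printf '%s\n' "$SAMPLE_AWS_AUTH" | aws_auth_groups arn:aws:sts::424432388155:assumed-role/eks-admin/manager-session
printf '%s\n' "$SAMPLE_AWS_AUTH" | aws_auth_groups arn:aws:iam::424432388155:user/developer
```

In use, replace the printf with `kubectl get -n kube-system configmap/aws-auth -o yaml` and pass the Arn field from `aws sts get-caller-identity --profile <profile>`; an empty result means the identity is not mapped at all, which is exactly the case the post warns about for the console. Because membership in system:masters is equivalent to cluster-admin, running `has_group` over every rolearn and userarn in the ConfigMap is a cheap periodic check for unexpected administrators.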


Topics: AWS Kubernetes