How do I manage permissions across namespaces for IAM users in an Amazon EKS cluster?

Last updated: 2021-06-25

I want to manage user permissions for my AWS Identity and Access Management (IAM) users across namespaces in my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.

Short description

To manage user permissions across namespaces in an Amazon EKS cluster, you must:

  1. Create an IAM role that can be assumed by members of your organization.
  2. Create a Kubernetes role-based access control (RBAC) role (Role) and role binding (RoleBinding) (from the Kubernetes website) for your cluster.
  3. Map the IAM roles to the RBAC roles and groups using aws-auth ConfigMap.

Note: When a cluster is created, only the Amazon Resource Name (ARN) of the IAM user or role that created the cluster is added to the aws-auth ConfigMap. Also, it is only this ARN that has system:masters permissions. This means that only the cluster creator can add more users or roles to the aws-auth ConfigMap.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Create an IAM role that can be assumed by members of your organization

To give members of your organization access to a namespace, you must create an IAM role that can be assumed by those members.

1.    Create a role to delegate permissions to an IAM user.

2.    To verify that a user has permission to assume the IAM role from step 1, configure the AWS CLI. Then, run the following command from that user's workstation:

$ aws sts assume-role --role-arn arn:aws:iam::yourAccountID:role/yourIAMRoleName --role-session-name abcde
{
    "Credentials": {
        "AccessKeyId": "yourAccessKeyId",
        "SecretAccessKey": "yourSecretAccessKey",
        "SessionToken": "yourSessionToken",
        "Expiration": "2020-01-30T01:57:17Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "yourAssumedRoleId",
        "Arn": "arn:aws:iam::yourAccountID:role/yourIAMRoleName"
    }
}

Note: Replace yourAccessKeyId, yourSecretAccessKey, yourSessionToken, yourAssumedRoleId, yourAccountID, and yourIAMRoleName with your values.

3.    To configure the IAM user's kubectl to always use the role when accessing the Kubernetes API, run the following command to update the kubeconfig file:

$ aws eks update-kubeconfig --name yourClusterName --role-arn arn:aws:iam::yourAccountID:role/yourIAMRoleName

Note: Replace yourClusterName, yourAccountID, and yourIAMRoleName with your values.

Create a Kubernetes RBAC role and role binding for your cluster

Important: The following steps must be completed from a workstation that's configured to access Kubernetes. The user must be a cluster creator or an IAM entity that already has access through the aws-auth ConfigMap. The IAM role created in previous steps hasn't been given access to the cluster yet.

You can bind a cluster role (ClusterRole) to a role binding. This is possible because an RBAC role and role binding are Kubernetes namespaced resources. However, you can't bind a role to a cluster role binding (ClusterRoleBinding).

1.    To list all built-in cluster roles and bind the cluster role admin to a role binding for that namespace, run the following command:

$ kubectl get clusterrole

2.    To see the permissions associated with the cluster role admin, run the following command:

$ kubectl describe clusterrole admin

Important: To use an existing namespace, you can skip the following step 3. If you choose a different name for the namespace test, replace the values for the namespace parameter in the following steps 4 and 6.

3.    To create the namespace test that grants access to the IAM users as part of the IAM group, run the following command:

$ kubectl create namespace test

4.    To create a Kubernetes RBAC role, copy the following code into a new YAML file (for example, role.yaml):

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: k8s-test-role
  namespace: test
rules:
  - apiGroups:
      - ""
      - "apps"
      - "batch"
      - "extensions"
    resources:
      - "configmaps"
      - "cronjobs"
      - "deployments"
      - "events"
      - "ingresses"
      - "jobs"
      - "pods"
      - "pods/attach"
      - "pods/exec"
      - "pods/log"
      - "pods/portforward"
      - "secrets"
      - "services"
    verbs:
      - "create"
      - "delete"
      - "describe"
      - "get"
      - "list"
      - "patch"
      - "update"

Note: The preceding role allows users to perform all the actions in the verbs section.

5.    To create the RBAC role, run the following command:

$ kubectl apply -f role.yaml

6.    To create a Kubernetes role binding, copy the following code into a new YAML file (for example, rolebinding.yaml):

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: k8s-test-rolebinding
  namespace: test
subjects:
- kind: User
  name: k8s-test-user
roleRef:
  kind: Role
  name: k8s-test-role
  apiGroup: rbac.authorization.k8s.io

Note: The role binding is a namespaced resource that binds the RBAC role in the roleRef section to the user in the subjects section. You don't need to create the user k8s-test-user, because Kubernetes doesn't have a resource type user.

7.    To create the RBAC role binding, run the following command:

$ kubectl apply -f rolebinding.yaml

Map the IAM role to the RBAC role and group using the aws-auth ConfigMAP 

1.    To associate the IAM role yourIAMRoleName with the Kubernetes user k8s-test-user, run the following command:

$ eksctl create iamidentitymapping --cluster yourClusterName --arn arn:aws:iam::yourAccountID:role/yourIAMRoleName --username k8s-test-user

Note: Replace yourClusterName, yourAccountID, and yourIAMRoleName with your values.

Test the access to the namespace

1.    To test access to the namespace test, assume the IAM role yourIAMRoleName for a user that you created, and then run the following command:

$ kubectl create job hello -n test --image=busybox -- echo "Hello World"

Note: The preceding command creates a job by using the RBAC role k8s-test-role that you created earlier.

2.    To check the pod and job in the namespace test, run the following commands:

$ kubectl get job -n test
NAME    COMPLETIONS   DURATION   AGE
hello   1/1           4s         15s

$ kubectl get pods -n test
NAME          READY   STATUS      RESTARTS   AGE
hello-tpjmf   0/1     Completed   0          2m34s

The IAM users that are part of the IAM group can now use this namespace and deploy their applications.


Did this article help?


Do you need billing or technical support?