How do I manage permissions across namespaces for my IAM users in an Amazon EKS cluster?

Last updated: 2020-08-20

I want to manage user permissions for my AWS Identity and Access Management (IAM) users across namespaces in my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.

Short description

To manage user permissions across namespaces in an Amazon EKS cluster, you must:

  1. Create an IAM role that can be assumed by members of your organization
  2. Create a Kubernetes role-based access control (RBAC) role (Role) and role binding (RoleBinding) for your cluster
  3. Map the IAM roles to the RBAC roles and groups using aws-auth ConfigMap

Note: When a cluster is created, only the Amazon Resource Name (ARN) of the IAM user or role that created the cluster is added to the aws-auth ConfigMap and has system:masters permissions. This means that only the cluster creator can add more users or roles to the aws-auth ConfigMap.

Resolution

Create an IAM role that can be assumed by members of your organization

To give members of your organization access to a namespace, you must create an IAM role that can be assumed by those members.

1.    Create a role to delegate permissions to an IAM user.

2.    To verify that a user has permission to assume the IAM role from step 1, configure the AWS Command Line Interface (AWS CLI), and then run the following command from that user's workstation:

$ aws sts assume-role --role-arn arn:aws:iam::yourAccountID:role/yourIAMRoleName --role-session-name abcde
{
    "Credentials": {
        "AccessKeyId": "yourAccessKeyId",
        "SecretAccessKey": "yourSecretAccessKey",
        "SessionToken": "yourSessionToken",
        "Expiration": "2020-01-30T01:57:17Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "yourAssumedRoleId",
        "Arn": "arn:aws:iam::yourAccountID:role/yourIAMRoleName"
    }
}

Note: Replace yourAccessKeyId, yourSecretAccessKey, yourSessionToken, yourAssumedRoleId, yourAccountID, and yourIAMRoleName with your values.

3.    To configure the IAM user's kubectl to always use the role when accessing the Kubernetes API, run the following command to update the kubeconfig file:

$ aws eks update-kubeconfig --name yourClusterName --role-arn arn:aws:iam::yourAccountID:role/yourIAMRoleName

Note: Replace yourClusterName, yourAccountID, and yourIAMRoleName with your values.

Create a Kubernetes RBAC role and role binding for your cluster

Important: The following steps must be completed from a workstation that's configured to access Kubernetes. The user must be a cluster creator or an IAM entity that's already been granted access through the aws-auth ConfigMap. The IAM role created in previous steps hasn't been given access to the cluster yet.

You can bind a cluster role (ClusterRole) to a role binding. This is possible because an RBAC role and role binding are Kubernetes namespaced resources. However, you can't bind a role to a cluster role binding (ClusterRoleBinding).

1.    To list all the built-in cluster roles, bind the cluster role admin to a role binding for that namespace, and then run the following command:

$ kubectl get clusterrole

2.    To see the permissions associated with the cluster role admin, run the following command:

$ kubectl describe clusterrole admin

Important: To use an existing namespace, you can skip the following step 3. If you choose a different name for the namespace test, replace the values for the namespace parameter in the following steps 4 and 6.

3.    To create the namespace test that grants access to the IAM users as part of the IAM group, run the following command:

$ kubectl create namespace test

4.    To create a Kubernetes RBAC role, copy the following code into a new YAML file (for example, role.yaml):

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: k8s-test-role
  namespace: test
rules:
  - apiGroups:
      - ""
      - "apps"
      - "batch"
      - "extensions"
    resources:
      - "configmaps"
      - "cronjobs"
      - "deployments"
      - "events"
      - "ingresses"
      - "jobs"
      - "pods"
      - "pods/attach"
      - "pods/exec"
      - "pods/log"
      - "pods/portforward"
      - "secrets"
      - "services"
    verbs:
      - "create"
      - "delete"
      - "describe"
      - "get"
      - "list"
      - "patch"
      - "update"

Note: The preceding role allows users to perform all the actions in the verbs section.

5.    To create the RBAC role, run the following command:

$ kubectl apply -f role.yaml

6.    To create a Kubernetes role binding, copy the following code into a new YAML file:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: k8s-test-rolebinding
  namespace: test
subjects:
- kind: User
  name: k8s-test-user
roleRef:
  kind: Role
  name: k8s-test-role
  apiGroup: rbac.authorization.k8s.io

Note: The role binding is a namespaced resource that binds the RBAC role in the roleRef section to the user in the subjects section. You don't need to create the user k8s-test-user, because Kubernetes doesn't have a resource type user.

7.    To create the RBAC role binding, run the following command:

$ kubectl apply -f rolebinding.yaml

8.    To associate the IAM role yourIAMRoleName with the Kubernetes user k8s-test-user, run the following command:

$ eksctl create iamidentitymapping --cluster yourClusterName --arn arn:aws:iam::yourAccountID:role/yourIAMRoleName --username k8s-test-user

Note: Replace yourClusterName, yourAccountID, and yourIAMRoleName with your values.

Test the access to the namespace

To test access to the namespace test, assume the IAM role yourIAMRoleName for a user that you created, and then run the following command:

$ kubectl get role -n test

The preceding command lists the RBAC role k8s-test-role that you created earlier.

The IAM users that are part of the IAM group can now use this namespace and deploy their applications.


Did this article help?


Do you need billing or technical support?