Amazon EKS Operations: Difference between revisions
External: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
Revision as of 18:37, 28 September 2020
External
Internal
Overview
Create a Cluster
Cluster Information
Cluster Status
aws eks [--region us-east-1] describe-cluster --name example-cluster --query "cluster.status"
"ACTIVE"
If the right region is configured in the profile, --region does not need to be specified.
Cluster Endpoint
aws eks [--region us-east-1] describe-cluster --name example-cluster --query "cluster.endpoint" --output text
https://FDXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.gr0.us-east-1.eks.amazonaws.com
If the right region is configured in the profile, --region does not need to be specified.
Cluster Certificate Authority
aws eks [--region us-east-1] describe-cluster --name example-cluster --query "cluster.certificateAuthority.data" --output text
LS0t...LQo=
If the right region is configured in the profile, --region does not need to be specified.
Connect to an EKS Cluster with kubectl
Update .kube/config with the EKS cluster definition as follows:
aws eks [--region us-east-1] update-kubeconfig --name example-eks-cluster [--alias <context-alias>] [--role-arn arn:aws:iam::999999999999:role/some-role]
This command constructs a Kubernetes context with pre-populated server and certificate authority data values for the cluster specified by name. If the right region is configured in the profile, --region does not need to be specified. If no alias is used, the default name of the context is the cluster ARN. The result is a new context added to .kube/config:
Added new context arn:aws:eks:us-east-1:999999999999:cluster/example-eks-cluster to /Users/testuser/.kube/config
If no --role-arn option is specified for the aws eks command, the kubectl context is configured to access the EKS cluster with the default AWS CLI IAM user identity in effect at the time of the aws eks execution. This identity can be obtained with aws sts get-caller-identity. The IAM identity associated with the context can be changed with the --role-arn option. If the --role-arn option is specified, the Kubernetes context is configured such that it is not necessary to explicitly assume the role; kubectl operations in the correct context will simply work. Note that the IAM role used for --role-arn is NOT the cluster service role, but a completely different role altogether.
For more details on how the IAM user or role identity is linked to a specific set of RBAC permissions, see:
Building upon this capability, it is possible to create two different Kubernetes contexts that map to different sets of RBAC permissions on the Kubernetes cluster:
aws eks update-kubeconfig --name example-eks-cluster --alias access-with-cluster-admin-permissions --role-arn arn:aws:iam::999999999999:role/eks-clusterrole-cluster-admin
aws eks update-kubeconfig --name example-eks-cluster --alias access-with-limited-permissions --role-arn arn:aws:iam::999999999999:role/eks-clusterrole-limited-permissions
Switching between Kubernetes contexts is done with kubectl config use-context:
kubectl config use-context access-with-cluster-admin-permissions
kubectl config current-context
access-with-cluster-admin-permissions
kubectl config use-context access-with-limited-permissions
kubectl config current-context
access-with-limited-permissions
Allowing Additional Users to Access the Cluster
Allow Role Access
Individual AWS users (authenticating as particular IAM Users) can be allowed access if an IAM role is allowed access and then the role is configured to allow users to assume it. This is the preferred solution, because different roles can be associated with different cluster permissions, and the same user can access the cluster with different permissions, by just using a different role.
1. Create an IAM role dedicated to cluster access, as described here: Create a Role to Delegate Permission to an IAM User.
2. Update aws-auth ConfigMap to allow role access and associate it with a specific set of RBAC permissions:
kubectl -n kube-system edit cm aws-auth
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::...
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::999999999999:role/playground-eks-cluster-admin
      groups:
        - system:masters
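As an added example (not from this page or from AWS), a small standard-library Python audit of a mapRoles block like the one above: it flags mappings into system:masters, malformed role ARNs, and node roles that lack the system:node:{{EC2PrivateDNSName}} username template. The node role ARN in the sample is a constructed placeholder standing in for the elided one.

```python
"""Audit the mapRoles block of an EKS aws-auth ConfigMap for risky mappings.
Uses a purpose-built parser for the flat rolearn/username/groups list shape,
so it runs offline on a saved copy of the ConfigMap (no PyYAML needed)."""
import re

# Constructed sample mirroring the ConfigMap above; the node role ARN is a
# hypothetical placeholder, not a value from the page.
SAMPLE_MAP_ROLES = """\
- rolearn: arn:aws:iam::999999999999:role/eks-node-role
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::999999999999:role/playground-eks-cluster-admin
  groups:
    - system:masters
"""

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
NODE_USERNAME = "system:node:{{EC2PrivateDNSName}}"


def parse_map_roles(text):
    """Parse the mapRoles list into dicts with rolearn, username and groups."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- rolearn:"):
            entries.append({"rolearn": line.split(":", 1)[1].strip(),
                            "username": None, "groups": []})
        elif line.startswith("username:"):
            entries[-1]["username"] = line.split(":", 1)[1].strip()
        elif line.startswith("- "):  # a group item under "groups:"
            entries[-1]["groups"].append(line[2:].strip())
    return entries


def audit_map_roles(text):
    """Return (rolearn, finding) pairs a reviewer of aws-auth should look at."""
    findings = []
    for e in parse_map_roles(text):
        if not ROLE_ARN.match(e["rolearn"]):
            findings.append((e["rolearn"], "malformed role ARN"))
        if "system:masters" in e["groups"]:
            findings.append((e["rolearn"], "grants cluster-admin via system:masters"))
        if "system:nodes" in e["groups"] and e["username"] != NODE_USERNAME:
            findings.append((e["rolearn"], "system:nodes without the " + NODE_USERNAME + " username"))
    return findings


if __name__ == "__main__":
    for arn, finding in audit_map_roles(SAMPLE_MAP_ROLES):
        print(arn, "->", finding)
```

Run it against the output of kubectl -n kube-system get cm aws-auth -o jsonpath='{.data.mapRoles}' to review every role mapped into the cluster before trusting it.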
Allow Individual User Access
Configuring individual user access directly in aws-auth ConfigMap is less preferable than using an IAM role for access, for reasons explained in that section.
TODO https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html