Wajid.Pro
Wajid.Pro
AboutContact
Employees access to EKS

Employees access to EKS

1. Determine Access Needs
  • Decide what level of access the employee needs:
    • Cluster-level: Admin or read-only access.
    • Namespace-level: Access restricted to specific namespaces.
    • Resource-level: Access to specific Kubernetes resources (e.g., Pods, Services).
2. Create IAM User
  • Create IAM User: If the employee doesn’t already have an AWS IAM user, create one.
      • aws iam create-user --user-name <employee-name>
  • Attach Policies: Assign necessary permissions for EKS (e.g., AmazonEKSClusterPolicy).
      • aws iam attach-user-policy --user-name <employee-name> --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
  • If using federated access (e.g., via AWS SSO), map their federated role to EKS access.
3. Map IAM User to Kubernetes Role
  1. Edit AWS Auth ConfigMap:
      • Update the aws-auth ConfigMap in the kube-system namespace to map the IAM user/role to a Kubernetes group.
      kubectl edit configmap aws-auth -n kube-system
      Add an entry like:
      mapUsers:
- userarn: arn:aws:iam::<account-id>:user/<employee-name>
  username: <employee-name>
  groups:
  - system:masters
4. Create Kubernetes Role and RoleBinding
If the user needs restricted access:
  • Create Role:
      • apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: developer-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
  • Bind the Role to the User:
      • apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: my-namespace
subjects:
- kind: User
  name: <employee-name>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer-role
  apiGroup: rbac.authorization.k8s.io
5. Provide kubectl Configuration
  • Generate a kubeconfig file for the employee with their specific credentials:
      • aws eks update-kubeconfig --region <region> --name <cluster-name> --role-arn arn:aws:iam::<account-id>:role/<employee-role>
  • Share the generated kubeconfig securely.
6. Verify Access
  • Have the employee test access using kubectl:
      • kubectl get pods -n my-namespace
  • Adjust permissions if required.
7. Audit and Rotate Access
  • Regularly audit the employee's access using Kubernetes and AWS logs.
  • Implement IAM credential rotation policies and ensure that AWS access keys or tokens expire appropriately.