1
votes

I have created an EKS cluster. At the moment only I can access it via kubectl. I want to give all my colleagues access to it. We all have users in the same AWS account.

If I understood the documentation at https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html correctly, I have to add every user separately.

Is there an easier way?

2

2 Answers

1
votes

By adding the account to the mapAccounts section in the aws-auth config map you only get authentication.

This means Kubernetes will assign your IAM user's ARN (something like arn:aws:iam::111111111111:user/myIAMUser) to the Kubernetes username, but you don't get any rights to do anything, not even listing pods.

Additionally you would have to create (Cluster)RoleBindings to give the rights to the user.

For example, to give the previous user read-only access to all namespaces we create a ClusterRoleBinding containing the following:

# This role binding allows the user to read in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: myIAMUser-readOnly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: arn:aws:iam::111111111111:user/myIAMUser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view

More information about the user facing roles defined in kubernetes can be found in the documentation.

Another possible solution would be to edit the mapUsers section in the aws-auth config map. I don't like this approach because you have to modify the aws-auth config map each time you want to add a user and you could, by mistake, modify other parts of the file or corrupt the contents. Also adding or deleting role bindings is easier to automatize than editing an existing file.

More information about the format of the aws-auth config map can be found here.

---UPDATE---

Instead of creating cluster role bindings for every user you can just make use of the system:authenticated group like this:

# This role binding allows every authenticated user to read in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: authenticatedUsers-readOnly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view

By the way, that cluster role binding can be created like this: kubectl create clusterrolebinding authenticatedUsers-readOnly --clusterrole=view --group=system:authenticated.

You could even leave the aws-auth config map untouched (no need to modify mapAccounts) and create a cluster role binding with read-only permissions for authenticated and unauthenticated users by issuing: kubectl create clusterrolebinding authenticatedUsers-readOnly --clusterrole=view --group=system:authenticated --group=system:unauthenticated
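As an added example (it is not code from the answer above or from any project), here is a small Python helper that generates the ClusterRoleBinding manifests for both patterns the answer describes: one binding per IAM user ARN, and the single system:authenticated binding from the update. The ARN pattern check and the refusal to bind system:unauthenticated are choices made for this example: with mapAccounts the Kubernetes username is the caller's IAM ARN, so a User subject that is not an ARN is almost certainly a typo, and a binding to system:unauthenticated hands the role to anyone who can reach the API endpoint without credentials, so the helper rejects it instead of generating it. The manifests are emitted as JSON, which kubectl apply -f accepts.

```python
import json
import re

RBAC_API = "rbac.authorization.k8s.io"

# With mapAccounts the Kubernetes username is the caller's IAM ARN, so User
# subjects are expected to look like arn:aws:iam::<account>:user/<name>.
# Assumption for this example: only IAM users and roles are bound by ARN.
IAM_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/.+$")

# Groups this helper refuses to bind: system:unauthenticated gives the role
# to anyone who can reach the API endpoint, credentials or not.
FORBIDDEN_GROUPS = {"system:unauthenticated"}


def cluster_role_binding(name, subjects, cluster_role="view"):
    """Return a ClusterRoleBinding manifest as a dict.

    subjects is a list of (kind, name) tuples where kind is "User" or "Group".
    Serialised with json.dumps the dict is a manifest kubectl apply -f accepts.
    """
    if not subjects:
        raise ValueError("a binding needs at least one subject")
    rendered = []
    for kind, subject in subjects:
        if kind == "User":
            if not IAM_ARN_RE.match(subject):
                raise ValueError(f"unexpected user name {subject!r}; expected an IAM ARN")
        elif kind == "Group":
            if subject in FORBIDDEN_GROUPS:
                raise ValueError(f"refusing to bind {subject}")
        else:
            raise ValueError(f"unsupported subject kind {kind!r}")
        rendered.append({"apiGroup": RBAC_API, "kind": kind, "name": subject})
    return {
        "apiVersion": f"{RBAC_API}/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "subjects": rendered,
        "roleRef": {"apiGroup": RBAC_API, "kind": "ClusterRole", "name": cluster_role},
    }


def per_user_bindings(user_arns, cluster_role="view"):
    """One binding per IAM user ARN, named after the IAM user name (first pattern in the answer)."""
    bindings = []
    for arn in user_arns:
        user_name = arn.rsplit("/", 1)[-1]
        bindings.append(cluster_role_binding(f"{user_name}-readOnly", [("User", arn)], cluster_role))
    return bindings


def authenticated_binding(cluster_role="view"):
    """The single binding from the answer's update: everyone who authenticates gets the role."""
    return cluster_role_binding(
        "authenticatedUsers-readOnly", [("Group", "system:authenticated")], cluster_role
    )


if __name__ == "__main__":
    # Constructed sample input: the example ARN used in the answer above.
    for manifest in per_user_bindings(["arn:aws:iam::111111111111:user/myIAMUser"]):
        print(json.dumps(manifest, indent=2))
    print(json.dumps(authenticated_binding(), indent=2))
```

Pipe the output into kubectl apply -f - to create the bindings; because each binding is a separate object, adding or removing one colleague is a single apply or delete rather than an edit of a shared file, which is the point the answer makes about role bindings being easier to automate than the config map.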

0
votes

The easiest way to accomplish this is to use mapAccounts in the aws-auth config map.

See documentation here on the aws-iam-authenticator.

https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/README.md

By using mapAccounts, you map all IAM users into the EKS cluster; and if the users have the correct IAM permissions to connect then they should be able to authenticate.
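The first answer's concern about hand-editing aws-auth (modifying the wrong part of the file or corrupting it) can be met by making the change programmatic. The following Python is added here as an example and is not code from either answer or from aws-iam-authenticator. It adds one account ID to mapAccounts, copies mapRoles and mapUsers through byte-for-byte so the node role mapping EKS relies on cannot be lost, handles only the simple one-account-per-line list form and rejects anything else rather than rewriting it, and refuses a value that is not a 12-digit account ID. The ConfigMap sample is constructed and the node role ARN in it is a placeholder; a live object would come from kubectl get configmap aws-auth -n kube-system -o json, and the JSON result can go back through kubectl apply -f -.

```python
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def parse_account_list(block):
    """Parse the simple YAML block sequence aws-auth uses for mapAccounts.

    Only the one-account-per-line form ('- "111111111111"') is handled; anything
    else is rejected so the file is never silently rewritten.
    """
    accounts = []
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if not line.startswith("- "):
            raise ValueError(f"unsupported mapAccounts line: {raw!r}")
        accounts.append(line[2:].strip().strip("\"'"))
    return accounts


def render_account_list(accounts):
    """Render the list back as a quoted block sequence (account IDs are strings, not numbers)."""
    return "".join(f'- "{account}"\n' for account in accounts)


def add_account(configmap, account_id):
    """Return a copy of the aws-auth ConfigMap with account_id present in mapAccounts.

    mapRoles and mapUsers are copied through untouched; only mapAccounts is rewritten.
    Adding an account that is already listed is a no-op.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    data = dict(configmap.get("data", {}))
    existing = parse_account_list(data.get("mapAccounts", ""))
    for account in existing:
        if not ACCOUNT_ID_RE.match(account):
            raise ValueError(f"existing mapAccounts entry is malformed: {account!r}")
    if account_id not in existing:
        existing.append(account_id)
    data["mapAccounts"] = render_account_list(existing)
    updated = dict(configmap)
    updated["data"] = data
    return updated


# Constructed sample: an aws-auth ConfigMap holding only the node instance role
# mapping. The role ARN is a placeholder, not a real one.
SAMPLE_AWS_AUTH = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system"},
    "data": {
        "mapRoles": (
            "- rolearn: arn:aws:iam::111111111111:role/EXAMPLE-NodeInstanceRole\n"
            "  username: system:node:{{EC2PrivateDNSName}}\n"
            "  groups:\n"
            "    - system:bootstrappers\n"
            "    - system:nodes\n"
        ),
    },
}

if __name__ == "__main__":
    # Feed the result to: kubectl apply -f -
    print(json.dumps(add_account(SAMPLE_AWS_AUTH, "111111111111"), indent=2))
```

Remember that, as the first answer explains, a mapAccounts entry only authenticates the account's IAM users; each of them still needs a RoleBinding or ClusterRoleBinding before they can list so much as a pod.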