Grant developers access to the EKS Kubernetes cluster
In the previous article, we covered the steps to install an EKS cluster on the Amazon Cloud platform. Amazon Elastic Kubernetes Service (Amazon EKS) is a fully managed Kubernetes service that removes the burden of control plane management, including etcd, from the SysAdmin. The cluster can be upgraded with the click of a button. In this short guide, I will walk you through granting developers access to Kubernetes namespaces using IAM policies and Kubernetes native RBAC.
To get the most out of this guide, make sure the following prerequisites are in place:
- A working EKS cluster: see the EKS cluster installation guide
- A working AWS CLI configuration: install and use AWS CLI on Linux
- An IAM user with the required administrative rights
- Access to the AWS web console for management. The same operations can be performed from the CLI; we will use both.
Before you start
Confirm that you can list the clusters from your local machine, or from a bastion server that can reach the EKS control plane.
$ eksctl get cluster
NAME REGION
prod-eks-cluster eu-west-1
Or use the aws command.
$ aws eks list-clusters
If the command returns no output, check that you are using the correct credentials and region.
By default, only the IAM entity that created the Amazon EKS cluster has system:masters permissions, which allows every Kubernetes cluster operation to be performed through kubectl. To let other users access the cluster, the aws-auth ConfigMap must be modified.
We need to create an IAM role and an AWS Security Token Service (STS) permission that lets users request temporary, limited-privilege credentials for that role.
Step 1: Create an IAM role
Navigate to IAM > Roles > Create Role.
Choose “Another AWS account” as the type of trusted entity:
Do not attach any permissions.
Add appropriate tags.
Give the role a name and create it with the “Create Role” button at the bottom. Mine is called k8s-devs-role, which is the role name referenced by the policy created in the next step.
Step 2: Use STS to create an IAM policy to assume role permissions
Log in to your AWS web console, navigate to IAM > Policies > Create Policy > JSON and paste the JSON below, replacing <account-id> with your AWS account ID:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<account-id>:role/k8s-devs-role"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
Example with account ID 293759796572:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::293759796572:role/k8s-devs-role"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
Give the policy a name and click the “Create policy” button.
Step 3: Create an IAM user group
Create an IAM group named k8s-devs.
Attach the policy created in step 2.
Review the policy and complete the creation process.
Step 4: Add IAM users to the group
The last step on the IAM side is to add the IAM users who need access to the Kubernetes cluster to the group we just created.
Go to IAM > Groups > k8s-devs > Add Users to Group and add the users.
Add all other users you want to grant access to.
Step 5: Create Kubernetes RBAC for developers
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an organization. The Kubernetes RBAC API declares four kinds of objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding.
First, I will create three namespaces for developers to access: prod, uat and dev.
$ kubectl create namespace prod
namespace/prod created
$ kubectl create namespace uat
namespace/uat created
$ kubectl create namespace dev
namespace/dev created
List all namespaces to confirm creation.
$ kubectl get ns
NAME STATUS AGE
default Active 25d
dev Active 9s
istio-operator Active 14d
istio-system Active 14d
kube-node-lease Active 25d
kube-public Active 25d
kube-system Active 25d
monitoring Active 17d
prod Active 40s
uat Active 26s
Create a cluster role
I will create a ClusterRole called dev-full-access using the following manifest:
kubectl apply -f - <
Expected output:
clusterrole.rbac.authorization.k8s.io/dev-full-access created
Confirm settings:
$ kubectl get clusterroles dev-full-access -o yaml
Create role binding
The next step is to create a RoleBinding for our developers' group, which is called k8s-devs. A RoleBinding that references a ClusterRole only grants that ClusterRole's permissions inside the binding's own namespace, so one binding is created per namespace.
# Access to Prod namespace
NAMESPACE="prod"
CLUSTERROLE="dev-full-access"
kubectl apply -f - <
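Because the manifest bodies above are not reproduced, here is an added, self-contained script (not the article's own manifests) that renders the ClusterRole and one RoleBinding per namespace exactly as Step 5 describes. The rule set inside dev-full-access is my own assumption of a namespace-confined "full access" role; the names dev-full-access, k8s-devs and prod/uat/dev follow the article.

```shell
#!/bin/sh
# Added example, not from the article. Renders the Step 5 RBAC objects:
# one ClusterRole (rules below are an assumed least-privilege set) and a
# RoleBinding per namespace for the k8s-devs group. Prints by default.
set -eu
CLUSTERROLE="dev-full-access"
GROUP="k8s-devs"
NAMESPACES="prod uat dev"
# Only namespaced resources: nothing here reaches nodes, namespaces or RBAC
# objects, so even a broad verb list stays confined to the bound namespace.
render_clusterrole() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${CLUSTERROLE}
rules:
- apiGroups: ["", "apps", "batch", "networking.k8s.io"]
  resources: ["pods", "pods/log", "deployments", "replicasets", "statefulsets", "jobs", "cronjobs", "services", "configmaps", "ingresses"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
}
# A RoleBinding that references a ClusterRole grants those rules only inside
# the binding's own namespace; that is what scopes k8s-devs per namespace.
render_rolebinding() {
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${GROUP}-${CLUSTERROLE}
  namespace: $1
subjects:
- kind: Group
  name: ${GROUP}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${CLUSTERROLE}
  apiGroup: rbac.authorization.k8s.io
EOF
}
render_all() {
  render_clusterrole
  for ns in ${NAMESPACES}; do render_rolebinding "${ns}"; done
}
# APPLY=1 ./rbac.sh pushes the manifests to the cluster; otherwise only print.
if [ "${APPLY:-0}" = "1" ]; then render_all | kubectl apply -f -; else render_all; fi
```

After applying, the mapping can be checked without switching credentials: kubectl auth can-i list nodes --as developer --as-group k8s-devs should answer "no", while kubectl auth can-i create deployments -n dev --as developer --as-group k8s-devs should answer "yes".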
Step 6: Edit the Kubernetes aws-auth ConfigMap
To grant other AWS users or roles the ability to interact with the cluster, you must edit the aws-auth ConfigMap in Kubernetes.
Check whether the aws-auth ConfigMap has already been applied:
$ kubectl describe configmap -n kube-system aws-auth
Add IAM users or roles to Amazon EKS cluster
We will add the IAM role created in step 1 to the EKS cluster by editing the aws-auth ConfigMap.
$ kubectl edit -n kube-system configmap/aws-auth
Update the data.mapRoles section so that the IAM role is mapped to the Kubernetes RBAC group that authorizes access:
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - k8s-devs
      rolearn: arn:aws:iam::<account-id>:role/k8s-devs-role
      username: developer
Replace <account-id> with the ID of your AWS account.
If you want to grant a specific IAM user full cluster administrator access (system:masters), add the following under mapUsers:
  mapUsers: |
    - groups:
      - system:masters
      userarn: arn:aws:iam::<account-id>:user/<username>
      username: arn:aws:iam::<account-id>:user/<username>
Or grant the user only the namespaces set in the role bindings earlier, by placing the user in the k8s-devs group instead:
  mapUsers: |
    - groups:
      - k8s-devs
      userarn: arn:aws:iam::<account-id>:user/<username>
      username: arn:aws:iam::<account-id>:user/<username>
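Every entry in aws-auth that lands in system:masters bypasses the namespace RoleBindings entirely, so it is worth auditing the ConfigMap after each edit. The following added script (not part of the article) parses the raw mapRoles or mapUsers value and flags such entries; the sample mapping embedded in it is constructed, with a made-up account ID and user name.

```shell
#!/bin/sh
# Added example, not from the article. Reads a raw aws-auth mapping value, e.g.
#   kubectl get cm aws-auth -n kube-system -o jsonpath='{.data.mapRoles}' | audit_aws_auth
# and prints one line per entry: ARN, groups, and ADMIN when system:masters is present.
set -eu
audit_aws_auth() {
  awk '
    function flush() {
      if (arn != "")
        printf "%s\t%s\t%s\n", arn, groups, (index(groups, "system:masters") ? "ADMIN" : "ok")
    }
    /^- / { flush(); arn = ""; groups = "" }                       # a new list entry starts
    $1 == "-" && $2 !~ /:$/ { groups = (groups == "" ? $2 : groups "," $2) }  # "- <group>" item
    { for (i = 1; i < NF; i++) if ($i ~ /^(rolearn|userarn):$/) arn = $(i + 1) }
    END { flush() }'
}
# Number of mappings that grant full cluster admin; should normally be 0 or 1.
count_admin_mappings() {
  audit_aws_auth | awk -F'\t' '$3 == "ADMIN" { n++ } END { print n + 0 }'
}
# Constructed sample: a node role, the article-style developer role mapping, and
# a user placed straight into system:masters. Account ID and user are made up.
MAP_SAMPLE='- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::111122223333:role/eks-node-role
  username: system:node:{{EC2PrivateDNSName}}
- groups:
  - k8s-devs
  rolearn: arn:aws:iam::111122223333:role/k8s-devs-role
  username: developer
- groups:
  - system:masters
  userarn: arn:aws:iam::111122223333:user/alice
  username: alice'
printf '%s\n' "$MAP_SAMPLE" | audit_aws_auth
```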
Step 7: Create kubeconfig for Amazon EKS (as a developer)
Developers first need to install the AWS CLI and configure their own credentials:
$ aws configure
After setting the credentials, confirm the identity they resolve to:
$ aws sts get-caller-identity
Expected output:
{
  "UserId": "<user-id>",
  "Account": "<account-id>",
  "Arn": "arn:aws:iam::<account-id>:user/<username>"
}
Developers then use the AWS CLI update-kubeconfig command to create or update the kubeconfig for the cluster, assuming the k8s-devs-role:
aws eks --region <region> update-kubeconfig --name <cluster-name> --role-arn arn:aws:iam::<account-id>:role/k8s-devs-role
The following example is for the prod-eks-cluster cluster created in the eu-west-1 region under account ID 293759796572:
$ aws eks --region eu-west-1 update-kubeconfig --name prod-eks-cluster --role-arn arn:aws:iam::293759796572:role/k8s-devs-role
Command output:
Added new context arn:aws:eks:eu-west-1:293759796572:cluster/prod-eks-cluster to /var/root/.kube/config
When you attempt to list cluster-scoped resources, you will receive a "forbidden" error, which is the expected result of the namespace-only RoleBindings:
$ kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "developer" cannot list resource "nodes" in API group "" at the cluster scope
But you should be able to list namespace-scoped resources in each of the bound namespaces:
$ kubectl get all -n prod
No resources found in prod namespace.
$ kubectl get all -n uat
No resources found in uat namespace.
$ kubectl get all -n dev
No resources found in dev namespace.
Deploy a test application to confirm write access, then clean it up:
$ kubectl run nginx-example --image=nginx --replicas=2 -n dev
deployment.apps/nginx-example created
$ kubectl get pods -n dev
NAME READY STATUS RESTARTS AGE
nginx-example-79c476f965-jqm6f 1/1 Running 0 29s
nginx-example-79c476f965-lkzll 1/1 Running 0 29s
$ kubectl delete deploy nginx-example -n dev
deployment.apps "nginx-example" deleted
Enjoy your development on Kubernetes backed by Amazon EKS.