Grant developers access to the EKS Kubernetes cluster

To
You can download this article in PDF format via the link below to support us.

Download the guide in PDF format

turn off
To

To
To

In the previous article, we introduced the steps to install an EKS cluster on the Amazon Cloud platform. Amazon Elastic Kubernetes Service (Amazon EKS) is a fully managed Kubernetes service that eliminates the hassle of control plane management including SysAdmin’s etcd. You can easily upgrade the cluster with the click of a button. In this short guide, I will guide you through the process of granting developers access to the Kubernetes namespace using IAM policies and Kubernetes native RBAC.

In order for this guide to be beneficial to you, the following prerequisites should be checked:

A working EKS cluster: check the installation of the EKS cluster
Effective AWS CLI configuration: install and use AWS CLI on Linux
IAM user with required administrative rights
Visit the AWS Web Console for management. The same operation can be done exactly in the CLI, but we will use both operations at the same time.

before the start

Confirm that you can list local computers or clusters on bastion servers that can access the EKS control plane.

$ eksctl get cluster
NAME			REGION
prod-eks-cluster	eu-west-1

Or use the aws command.

$ aws eks list-clusters

If your command does not return any output, please check that you are using the correct credentials and region.

From the web console:

By default, only the creator of the Amazon EKS cluster owns system: masters permissions This will unlock all Kubernetes cluster operations to be performed from kubectl. To extend the functionality so that other users can access the cluster, Verification code The ConfigMap will be modified.

We need to create an IAM role, AWS Security Token Service (STS) Permission, which allows the user to request temporary restricted privileged credentials.

Step 1: Create an IAM role

Next is at IAM>Roles>Create Role.

Choose “Another AWS account” As a type of trusted entity:

Do not attach any permissions

Add appropriate tags.

Give the role a name and create it using the “Create Role” button at the bottom. Mine will be called k8s-devs-role, Which is the same as the name set in the creation policy.

Step 2: Use STS to create an IAM policy to assume role permissions

Log in to your AWS web console and navigate to IAM>Strategy>Create Policy > JSON And paste the json content below to replace Use your AWS account ID and k8s-devs-role with the name of the role you created.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam:::role/k8s-devs-role"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}

Account ID example 293759796572

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::293759796572:role/k8s-devs-role"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}

Give the strategy a name and click the “Create” button.

Step 3: Create an IAM user group

Create an IAM group named k8s-devs

Attach the policy created in step 2.

Review the policy and complete the creation process.

Step 4: Add IAM users to the group

Our last step is to add the IAM users who need to access the Kubernetes Cluster to the group we just created.

go with I’m > group > k8s-devs > Add user to group Add users to the group.

Add all other users you want to grant access to.

Step 5: Create Kubernetes RBAC for developers

Role-based access control (RBAC) is a method that regulates access to computer or network resources based on the roles of individual users in an organization. The RBAC API declares four kinds of Kubernetes objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding.

First, I will create three namespaces for developers to access: Prickles, oats with Developer

$ kubectl create namespace prod
namespace/prod created

$ kubectl create namespace uat
namespace/uat created

$ kubectl create namespace dev
namespace/dev created

List all namespaces to confirm creation.

$ kubectl get ns
NAME              STATUS   AGE
default           Active   25d
dev               Active   9s
istio-operator    Active   14d
istio-system      Active   14d
kube-node-lease   Active   25d
kube-public       Active   25d
kube-system       Active   25d
monitoring        Active   17d
prod              Active   40s
uat               Active   26s

Create a cluster role

I will create a file called Full developer access The manifest file is as follows:

kubectl apply  -f - <

Expected output:

clusterrole.rbac.authorization.k8s.io/dev-full-access created

Confirm settings:

$ kubectl get clusterroles dev-full-access -o yaml

Create role binding

The next step is to create a group role binding for our developers. This group is called k8s-devs

# Access to Prod namespace
NAMESPACE="prod"
CLUSTERROLE="dev-full-access"

kubectl apply  -f - <

`Step 6: Edit the Kubernetes aws-auth ConfigMap`

To grant other AWS users or roles the ability to interact with the cluster, you must edit aws-auth ConfigMap in Kubernetes

Check whether the aws-auth ConfigMap has been applied.

$ kubectl describe configmap -n kube-system aws-auth

Add IAM users or roles to Amazon EKS cluster

We will add the IAM role created in the following location step 1 piece By editing the aws-auth ConfigMap to the EKS cluster.

$ kubectl edit -n kube-system configmap/aws-auth

Update data.mapRoles Part of it is to use IAM roles and Kubernetes RBAC groups to authorize access.

apiVersion: v1
data:
  mapRoles: |
    - groups:
      - k8s-devs
      rolearn: arn:aws:iam:::role/k8s-devs-role
      username: developer

replace:

Use the account ID of your AWS account.

This is a screenshot of my configuration:

If you want to grant access to a specific user "Primary Administrator", please add the following.

mapUsers: |
    - groups:
      - system:masters
      userarn: arn:aws:iam:::user/
      username: arn:aws:iam:::user/

Or just access the specific namespace set in the role binding earlier:

mapUsers: |
    - groups:
      - k8s-devs
      userarn: arn:aws:iam:::user/
      username: arn:aws:iam:::user/

`Step 7: Create kubeconfig for Amazon EKS (as a developer)`

Developers will need to first install the AWS CLI and configure their credentials.

$ aws configure

After setting the credentials, use the following command to confirm:

$ aws sts get-caller-identity

Expected output:

{
    "UserId": "",
    "Account": "",
    "Arn": "arn:aws:iam:::user/"
}

Developers will use the AWS CLI update-kubeconfig command to create or update kubeconfig for the cluster:

aws eks --region  update-kubeconfig --name  --role-arn arn:aws:iam:::role/k8s-devs-role

The following example applies to Product cluster Built in eu-west-1 Area on account ID 293759796572

$ aws eks --region eu-west-1 update-kubeconfig --name prod-eks-cluster --role-arn arn:aws:iam::293759796572:role/k8s-devs-role

Command output:

Added new context arn:aws:eks:eu-west-1:293759796572:cluster/prod-eks-cluster to /var/root/.kube/config

Attempting to list cluster-scoped resources, you will receive a "forbidden" error message:

$ kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "developer" cannot list resource "nodes" in API group "" at the cluster scope

But you should be able to list namespace scoped resources:

$ kubectl get all -n prod
No resources found in prod namespace.

$ kubectl get all -n uat
No resources found in prod namespace.

$ kubectl get all -n dev
No resources found in prod namespace.

Deploy the test application:

$ kubectl run nginx-example --image=nginx --replicas=2  -n dev
deployment.apps/nginx-example created

$ kubectl get pods -n dev
NAME                             READY   STATUS    RESTARTS   AGE
nginx-example-79c476f965-jqm6f   1/1     Running   0          29s
nginx-example-79c476f965-lkzll   1/1     Running   0          29s

$ kubectl delete deploy nginx-example -n dev
deployment.apps "nginx-example" deleted

Enjoy your development on Kubernetes supported by Amazon EKS. Here are some video courses you can try on Kubernetes and microservices.