AWS EKS has documentation on how to connect IAM and EKS, but that documentation is generic. What should I do if I want to grant a user read-only access across the whole cluster? What should I do if I want to grant a user full permissions in one specific namespace? There is no documentation for that, so in this article I'm going to explain how to achieve it.


When an EKS cluster is created, the IAM user (or role) that created it becomes the cluster administrator by default: it is automatically granted system:masters permissions in the cluster's RBAC configuration. The problem is that system:masters is far too powerful, and you will not want to grant it to everyone. Instead, we can grant specific permissions to specific IAM users by creating Kubernetes RBAC resources and editing the aws-auth ConfigMap.

grant read-only access to someone across the cluster

  1. To grant permissions at cluster level, a ClusterRole and a ClusterRoleBinding are needed. The ClusterRole defines the permissions in the EKS cluster, and the ClusterRoleBinding binds this ClusterRole to a specific group named vipmind:cluster-read-only:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  # a ClusterRole is cluster-scoped, so it carries no namespace field
  name: cluster-read-only
rules:
# core API group: pods, services, configmaps, secrets, ...
# note that "*" here includes secrets, so read-only still exposes secret contents
- apiGroups:
  - ""
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
# legacy group; in newer Kubernetes versions most of its resources live under apps or networking.k8s.io
- apiGroups:
  - extensions
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
# deployments, statefulsets, daemonsets, replicasets
- apiGroups:
  - apps
  resources: ["*"]
  verbs:
  - get
  - list
  - watch

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-read-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-only
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: vipmind:cluster-read-only
  2. Next we edit the aws-auth ConfigMap to map that permission to an IAM user, as below. In the mapUsers section, userarn is the IAM user's ARN and groups lists the Kubernetes groups the user is mapped to, here vipmind:cluster-read-only. User ivanli then has read-only access across the cluster, and exactly what ivanli may do is defined by the ClusterRole cluster-read-only:
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # keep the existing mapRoles entry: the worker nodes authenticate through it
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxx:role/xxxx-eks-worker-nodes-stackxx
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  # the group name must match the subject in the ClusterRoleBinding exactly
  mapUsers: |
    - userarn: arn:aws:iam::xxxx:user/ivanli
      username: ivanli
      groups:
        - vipmind:cluster-read-only

grant full permissions on a specific namespace to some user

  1. To grant permissions at namespace level, a Role and a RoleBinding are needed. The Role defines the permissions inside the namespace flow, and the RoleBinding binds this Role to a specific group named vipmind:flow-admin:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: flow-admin
  # a Role is namespaced: these rules only apply inside namespace flow
  namespace: flow
rules:
# every verb on every resource in every API group, limited to this namespace
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "*"

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flow-admin
  namespace: flow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flow-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: vipmind:flow-admin

  2. Next we edit the aws-auth ConfigMap again, as below. In the mapUsers section, userarn is the IAM user's ARN and the groups value adds vipmind:flow-admin, so user ivanli has full access in namespace flow; what ivanli may do there is defined by the Role flow-admin:
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxx:role/xxxx-eks-worker-nodes-stackxx
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    - userarn: arn:aws:iam::xxxx:user/ivanli
      username: ivanli
      groups:
        - vipmind:cluster-read-only
        - vipmind:flow-admin

Now the IAM user ivanli has read-only access across the whole EKS cluster and full permissions in namespace flow. The Kubernetes group name (vipmind:…) is the only link between the aws-auth entry and the binding, so it must be spelled identically on both sides. With this type of configuration, the EKS administrator can manage EKS permissions in an efficient way.
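The following is an added example, not code from the original article: an offline simulation of the permission chain that the two procedures above set up, IAM ARN -> aws-auth mapUsers -> Kubernetes group -> (Cluster)RoleBinding -> (Cluster)Role -> rule. The manifests are restated as Python dicts (assumed: no cluster and no PyYAML available), the account id 111122223333 is a placeholder, and the RBAC evaluation is a simplified model of what the API server does. It shows both what ivanli gains and what the read-only ClusterRole does not cover, such as the rbac.authorization.k8s.io group outside namespace flow.

```python
# Added example (not from the original article): simulate IAM ARN -> aws-auth
# mapUsers -> Kubernetes group -> binding -> role -> rule, fully offline.
# Manifests are re-stated as Python dicts; 111122223333 is a placeholder account id.

READ_VERBS = ["get", "list", "watch"]

# aws-auth ConfigMap, mapUsers section (constructed from the article's final version)
AWS_AUTH_MAP_USERS = [
    {
        "userarn": "arn:aws:iam::111122223333:user/ivanli",
        "username": "ivanli",
        "groups": ["vipmind:cluster-read-only", "vipmind:flow-admin"],
    },
]

# (kind, namespace, name) -> rules; a ClusterRole has no namespace
ROLES = {
    ("ClusterRole", None, "cluster-read-only"): [
        {"apiGroups": [""], "resources": ["*"], "verbs": READ_VERBS},
        {"apiGroups": ["extensions"], "resources": ["*"], "verbs": READ_VERBS},
        {"apiGroups": ["apps"], "resources": ["*"], "verbs": READ_VERBS},
    ],
    ("Role", "flow", "flow-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

BINDINGS = [
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": ("ClusterRole", "cluster-read-only"),
     "groups": ["vipmind:cluster-read-only"]},
    {"kind": "RoleBinding", "namespace": "flow",
     "roleRef": ("Role", "flow-admin"),
     "groups": ["vipmind:flow-admin"]},
]


def groups_for_arn(arn, map_users=AWS_AUTH_MAP_USERS):
    """What aws-auth does: resolve an IAM ARN to Kubernetes groups.

    Returns None for an ARN with no mapUsers entry: such a caller is not
    authenticated at all, so no RBAC lookup happens for it."""
    for entry in map_users:
        if entry["userarn"] == arn:
            return list(entry["groups"])
    return None


def _rule_allows(rule, verb, api_group, resource):
    """A rule matches when every field either lists the value or is '*'."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["verbs"], verb)
            and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))


def can_i(arn, verb, resource, namespace=None, api_group="",
          roles=ROLES, bindings=BINDINGS, map_users=AWS_AUTH_MAP_USERS):
    """Simplified RBAC decision: allowed if any binding for one of the caller's
    groups references a role with a matching rule. Use namespace=None for
    cluster-scoped resources such as nodes."""
    groups = groups_for_arn(arn, map_users)
    if groups is None:
        return False
    for binding in bindings:
        if not set(binding["groups"]) & set(groups):
            continue
        # A RoleBinding only applies inside its own namespace; a
        # ClusterRoleBinding applies everywhere, including cluster scope.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        kind, name = binding["roleRef"]
        role_ns = binding["namespace"] if kind == "Role" else None
        rules = roles.get((kind, role_ns, name), [])
        if any(_rule_allows(r, verb, api_group, resource) for r in rules):
            return True
    return False


if __name__ == "__main__":
    ivan = "arn:aws:iam::111122223333:user/ivanli"
    checks = [("get", "pods", "default", ""),
              ("delete", "pods", "default", ""),
              ("delete", "pods", "flow", ""),
              ("get", "rolebindings", "default", "rbac.authorization.k8s.io"),
              ("get", "nodes", None, "")]
    for verb, res, ns, grp in checks:
        print(f"{verb} {res} in {ns or '<cluster>'}: {can_i(ivan, verb, res, ns, grp)}")
```

On a real cluster the same questions are answered by the API server with `kubectl auth can-i <verb> <resource> -n <namespace> --as=ivanli --as-group=vipmind:cluster-read-only --as-group=vipmind:flow-admin`, which is the check worth running after every aws-auth edit, since a mistyped group name on either side fails silently by granting nothing.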