Simplifying Access Entries in EKS: A Guide


EKS has introduced a new set of controls (apologies, I am late to explain this :p) for authentication and authorization that tie IAM principals directly to Kubernetes RBAC, a seamless and robust integration.

A cluster's authentication mode can be one of three values:

ConfigMap only (CONFIG_MAP): the aws-auth ConfigMap (legacy).
EKS API and ConfigMap (API_AND_CONFIG_MAP): access entries managed through the EKS API, AWS Command Line Interface, AWS SDKs, AWS CloudFormation and AWS Management Console, plus the aws-auth ConfigMap.
EKS API only (API): access entries managed through the EKS API, AWS Command Line Interface, AWS SDKs, AWS CloudFormation and AWS Management Console.

Let us first understand how it worked before, using the aws-auth ConfigMap.

The aws-auth ConfigMap (deprecated)

This process involves mapping AWS IAM identities, including users, groups, and roles, to Kubernetes role-based access control (RBAC) for authorization.

Challenges and Pain Points

This configuration is managed inside the cluster itself. After provisioning the cluster, you still need to set up the configuration that establishes the relationship between IAM and the Kubernetes system.

Although eksctl can do this setup for you, not all clusters are created with eksctl, so alternative methods need to be available for those who do not use this tool.

Why I love EKS Access Entries? Simplicity!

You do not need to learn anything new; simply map your existing IAM principals to Kubernetes permissions.

IAM principals can be mapped to any of the four EKS access policies. Below is the mapping between EKS access policies and Kubernetes' default RBAC:

Excited?

How to enable the access entries API?

eksctl (in the cluster config file):

accessConfig:
  authenticationMode: API_AND_CONFIG_MAP   # one of CONFIG_MAP | API_AND_CONFIG_MAP | API

Terraform:

authentication_mode = "API_AND_CONFIG_MAP"

Cluster administrators now have the capability to grant AWS IAM principals access to Amazon EKS clusters and Kubernetes objects across all supported versions (version 1.23 and later).

Is the ConfigMap going to be disabled soon?

Access Entries:

Image ref: aws.amazon.com/blogs/containers/a-deep-dive..

If you are already using the aws-auth ConfigMap, here is the migration guide for an easier access-management life.

Here is an example of Terraform configuration for associating your IAM users and roles with the respective EKS access:

Step 1 - create the access entry

resource "aws_eks_access_entry" "readonly" {
  cluster_name      = "eks-demo-cluster"
  principal_arn     = aws_iam_role.example.arn # ARN of the IAM role (or user) being granted access
  kubernetes_groups = []                       # no extra Kubernetes groups; permissions come from the access policy
  type              = "STANDARD"
}

Step 2 - associate a policy with it

resource "aws_eks_access_policy_association" "readonly" {
  cluster_name  = "eks-demo-cluster"
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
  # must be the same principal as the access entry; referencing the entry also
  # makes Terraform create it before the association
  principal_arn = aws_eks_access_entry.readonly.principal_arn

  access_scope {
    type       = "namespace"          # use "cluster" for cluster-wide read-only access
    namespaces = ["example-namespace"]
  }
}
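To check what the access entries in a cluster actually grant, and to catch the opposite of the namespace-scoped view-only example above (an admin policy with cluster-wide scope), here is an added audit script; it is not part of the original post. The account id, principal ARNs and cluster name are constructed; only fetch_associations talks to AWS, via boto3's list_access_entries and list_associated_access_policies.

```python
"""Audit EKS access entries for cluster-wide admin grants.
SAMPLE is constructed; its shape mirrors the EKS ListAssociatedAccessPolicies
response (policyArn + accessScope) keyed by the access entry's principal ARN."""

POLICY_PREFIX = "arn:aws:eks::aws:cluster-access-policy/"
ADMIN_POLICIES = {"AmazonEKSClusterAdminPolicy", "AmazonEKSAdminPolicy"}

SAMPLE = {  # constructed sample data, not from a real account
    "arn:aws:iam::111122223333:role/platform-admin": [
        {"policyArn": POLICY_PREFIX + "AmazonEKSClusterAdminPolicy",
         "accessScope": {"type": "cluster", "namespaces": []}}],
    "arn:aws:iam::111122223333:user/dev-alice": [
        {"policyArn": POLICY_PREFIX + "AmazonEKSViewPolicy",
         "accessScope": {"type": "namespace", "namespaces": ["example-namespace"]}}],
    "arn:aws:iam::111122223333:role/ci-deployer": [
        {"policyArn": POLICY_PREFIX + "AmazonEKSAdminPolicy",
         "accessScope": {"type": "namespace", "namespaces": ["apps"]}}],
}


def fetch_associations(cluster_name: str, region: str) -> dict[str, list[dict]]:
    """Build the same mapping from a live cluster (needs boto3 and eks:List* permissions)."""
    import boto3  # imported lazily so the offline audit below needs no AWS SDK
    eks = boto3.client("eks", region_name=region)
    result: dict[str, list[dict]] = {}
    kwargs = {"clusterName": cluster_name}
    while True:
        page = eks.list_access_entries(**kwargs)
        for arn in page["accessEntries"]:
            assoc = eks.list_associated_access_policies(clusterName=cluster_name, principalArn=arn)
            result[arn] = assoc["associatedAccessPolicies"]
        if not page.get("nextToken"):
            return result
        kwargs["nextToken"] = page["nextToken"]


def find_cluster_wide_admins(associations: dict[str, list[dict]]) -> list[tuple[str, str]]:
    """Return (principal, policy name) for admin-level policies scoped to the whole cluster."""
    findings = []
    for principal, policies in associations.items():
        for policy in policies:
            name = policy["policyArn"].removeprefix(POLICY_PREFIX)
            if name in ADMIN_POLICIES and policy.get("accessScope", {}).get("type") == "cluster":
                findings.append((principal, name))
    return findings


if __name__ == "__main__":
    for principal, name in find_cluster_wide_admins(SAMPLE):
        print(f"cluster-wide {name}: {principal}")
```

Replace SAMPLE with fetch_associations("eks-demo-cluster", "<region>") to audit a real cluster; each finding is a principal worth re-scoping to a namespace or to a less privileged policy.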

Thank you!

If you have any questions, feel free to reach out to me on LinkedIn, and let's discuss further.

Detailed References:

https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html

https://aws.github.io/aws-eks-best-practices/security/docs/iam/#the-aws-auth-configmap-deprecated
