EKS has introduced a new set of controls (apologies, I am late to explain this :p) for authentication and authorization, effectively integrating IAM principals with Kubernetes RBAC: a seamless and robust integration.
Accessing the cluster can be configured in one of three authentication modes:
Authentication mode | Where access is configured
ConfigMap only (CONFIG_MAP) | aws-auth ConfigMap (legacy)
EKS API and ConfigMap (API_AND_CONFIG_MAP) | access entries in the EKS API, AWS Command Line Interface, AWS SDKs, AWS CloudFormation, and AWS Management Console, plus the aws-auth ConfigMap
EKS API only (API) | access entries in the EKS API, AWS Command Line Interface, AWS SDKs, AWS CloudFormation, and AWS Management Console
Let us first understand how it worked before, with the aws-auth ConfigMap.
The aws-auth ConfigMap (deprecated)
This process involves mapping AWS IAM identities (users, groups, and roles) to Kubernetes role-based access control (RBAC) for authorization.
Challenges and Pain Points
Ideally, this configuration should be managed internally within the cluster. After provisioning the cluster, it is necessary to establish a configuration that facilitates the relationship between IAM and the Kubernetes system.
Although eksctl can be used for this setup, it's important to note that not all clusters are created with eksctl. Thus, alternative methods need to be available for those who do not use this tool.
Why do I love EKS Access Entries? Simplicity!
You do not need to learn anything new; you simply bind existing IAM principals to Kubernetes permissions.
IAM principals can be mapped to any of the four EKS access policies. Below is the mapping between EKS access policies and Kubernetes' default RBAC:
AmazonEKSClusterAdminPolicy: cluster-admin in Kubernetes
AmazonEKSAdminPolicy: admin
AmazonEKSAdminViewPolicy: get, list, watch across all APIs and resources
AmazonEKSEditPolicy: edit
AmazonEKSViewPolicy: view
Excited?
How to enable the access entries API?
eksctl (cluster config file):
accessConfig:
  authenticationMode: <>   # one of CONFIG_MAP, API_AND_CONFIG_MAP, API
Terraform (inside the access_config block of aws_eks_cluster):
access_config {
  authentication_mode = "API_AND_CONFIG_MAP"
}
Cluster administrators now have the capability to grant AWS IAM principals access to Amazon EKS clusters and Kubernetes objects across all supported versions (version 1.23 and later).
Is the aws-auth ConfigMap going to be disabled soon?
Access Entries:
Image ref: aws.amazon.com/blogs/containers/a-deep-dive..
If you are already using the aws-auth ConfigMap, here is a migration guide for an easier access-management life.
Here is an example Terraform configuration for associating your IAM users and roles with the respective EKS access policies:
Step 1 - create the access entry:
resource "aws_eks_access_entry" "readonly" {
  cluster_name      = "eks-demo-cluster"
  principal_arn     = aws_iam_role.example.arn # IAM principal (user or role) being granted access
  kubernetes_groups = []                       # no extra RBAC groups; permissions come from the access policy
  type              = "STANDARD"
}
Step 2 - associate a policy to it:
resource "aws_eks_access_policy_association" "readonly" {
  cluster_name  = aws_eks_access_entry.readonly.cluster_name
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
  principal_arn = aws_eks_access_entry.readonly.principal_arn # must match the access entry's principal
  access_scope {
    type       = "namespace"
    namespaces = ["example-namespace"]
  }
}
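Once the associations exist, it is worth checking what they add up to. The script below is an added example (not from the original post or from AWS): it applies the policy-to-RBAC mapping from above to a constructed sample shaped like the output of `aws eks list-associated-access-policies` (the field names are an assumption) and flags cluster-wide grants of write-capable policies. The account ID is a placeholder.

```python
# Added example, not from the original post. Input is a constructed sample
# shaped like `aws eks list-associated-access-policies` output (assumed shape).
POLICY_PREFIX = "arn:aws:eks::aws:cluster-access-policy/"
POLICY_TO_RBAC = {
    "AmazonEKSClusterAdminPolicy": "cluster-admin",
    "AmazonEKSAdminPolicy": "admin",
    "AmazonEKSAdminViewPolicy": "get/list/watch on all resources",
    "AmazonEKSEditPolicy": "edit",
    "AmazonEKSViewPolicy": "view",
}
# Write-capable policies: a cluster-wide scope deserves a second look.
PRIVILEGED = {"AmazonEKSClusterAdminPolicy", "AmazonEKSAdminPolicy", "AmazonEKSEditPolicy"}

# Constructed sample: principal ARN -> associatedAccessPolicies list (placeholder account).
SAMPLE = {
    "arn:aws:iam::111122223333:role/platform-admin": [
        {"policyArn": POLICY_PREFIX + "AmazonEKSClusterAdminPolicy",
         "accessScope": {"type": "cluster", "namespaces": []}},
    ],
    "arn:aws:iam::111122223333:user/dev-readonly": [
        {"policyArn": POLICY_PREFIX + "AmazonEKSViewPolicy",
         "accessScope": {"type": "namespace", "namespaces": ["example-namespace"]}},
    ],
}

def audit_principal(principal_arn, associations):
    """Return findings for one principal as (severity, policy name, detail) tuples."""
    findings = []
    for assoc in associations:
        arn = assoc["policyArn"]
        name = arn[len(POLICY_PREFIX):] if arn.startswith(POLICY_PREFIX) else arn
        scope = assoc.get("accessScope", {})
        rbac = POLICY_TO_RBAC.get(name)
        if rbac is None:
            findings.append(("info", name, "policy not in the known mapping; review manually"))
        elif scope.get("type") == "cluster" and name in PRIVILEGED:
            findings.append(("high", name, f"cluster-wide {rbac}; confirm {principal_arn} needs it"))
        elif scope.get("type") == "namespace" and not scope.get("namespaces"):
            findings.append(("medium", name, "namespace scope with no namespaces listed"))
    return findings

def audit_all(associations_by_principal):
    """Flatten findings across all principals as (principal, severity, policy, detail)."""
    return [(p, *f) for p, assocs in associations_by_principal.items()
            for f in audit_principal(p, assocs)]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```

Feeding it real output means one call per access entry, since the CLI lists associations per principal.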
Thank you!
If you have any questions, feel free to reach out to me on LinkedIn, and let's discuss further.
Detailed References:
https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html
https://aws.github.io/aws-eks-best-practices/security/docs/iam/#the-aws-auth-configmap-deprecated