Simplified Amazon EKS Cluster Access Management using EKS APIs and AWS Console

The Amazon EKS team has added a feature for granting IAM principals access to an EKS cluster and its Kubernetes objects directly through the Amazon EKS API, with no edits to the aws-auth configmap. This post walks through it with the aws-cli and then explores the same flow in the AWS Console.

Published Jan 6, 2024
Pre-Requisites:
  • An EKS cluster (v1.27) provisioned with the latest platform version, since access entries are only available on platform versions that support them.
  • kubectl (v1.29.0) and aws-cli (2.15.7) installed
  • IAM permissions to call the EKS access-entry APIs from the aws-cli (eks:ListAccessPolicies, eks:CreateAccessEntry, eks:AssociateAccessPolicy, eks:UpdateClusterConfig, eks:DeleteAccessEntry, and eks:DescribeCluster to read the current mode)
Basic Terminology (quoted from the AWS documentation):
  • Access Entry - "An access entry is a cluster identity—directly linked to an AWS IAM principal user or role—that is used to authenticate to an Amazon EKS cluster."
  • Access Policies - "An Amazon EKS access policy authorizes an access entry to perform specific cluster actions."
Listing all the Access Policies:
aws eks list-access-policies
{
    "accessPolicies": [
        {
            "name": "AmazonEKSAdminPolicy",
            "arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
        },
        {
            "name": "AmazonEKSClusterAdminPolicy",
            "arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
        },
        {
            "name": "AmazonEKSEditPolicy",
            "arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy"
        },
        {
            "name": "AmazonEKSViewPolicy",
            "arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
        }
    ]
}
These four AWS managed policies mirror the default Kubernetes ClusterRoles: AmazonEKSClusterAdminPolicy corresponds to cluster-admin, AmazonEKSAdminPolicy to admin, AmazonEKSEditPolicy to edit and AmazonEKSViewPolicy to view. When a policy is associated with an access entry its scope is either the whole cluster (type=cluster) or a list of namespaces (type=namespace), so the admin, edit and view policies can be confined to the namespaces a team actually owns.
Modes of Authentication:
  • CONFIG_MAP - authenticates IAM principals only through the aws-auth configmap (the behaviour every cluster had before this feature).
  • API_AND_CONFIG_MAP - uses both the aws-auth configmap and EKS access entries; if the same IAM principal appears in both, the access entry takes precedence.
  • API - uses EKS access entries only; the aws-auth configmap is ignored.
Verifying/Changing the access config of the EKS cluster:
A new cluster created from the AWS Console on a supported platform version defaults to API_AND_CONFIG_MAP, while clusters created through the EKS API, SDKs or CloudFormation (and clusters that existed before the feature) default to CONFIG_MAP. The current mode is reported by describe-cluster under cluster.accessConfig.authenticationMode, and it can be changed by calling the EKS API -
aws eks update-cluster-config --name eks-demo-cluster --access-config authenticationMode=API_AND_CONFIG_MAP
Two caveats: the change is one-way (a cluster can move from CONFIG_MAP to API_AND_CONFIG_MAP and then to API, but never back), and update-cluster-config is asynchronous, returning an update id whose status can be polled with describe-update until it is Successful.
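The mode check and one-way transition described above, as an added example that is not part of the original post or of any AWS tooling: a Python helper that shells out to the aws CLI (assumed to be v2, on PATH, with credentials allowed to call eks:DescribeCluster, eks:UpdateClusterConfig and eks:DescribeUpdate), refuses a backwards change before touching the API, and waits for each asynchronous update to finish. The cluster name eks-demo-cluster in the usage comment is the post's own; the function names and the MODES ordering are this example's.

```python
"""Check and change an EKS cluster's authenticationMode one documented step at a time.

Added example, not AWS tooling. It wraps the aws CLI (assumed to be v2, on PATH, with
credentials allowed to call eks:DescribeCluster, eks:UpdateClusterConfig, eks:DescribeUpdate).
"""
import json
import subprocess
import sys
import time

# The documented one-way order: a cluster may only move rightwards through this list.
MODES = ["CONFIG_MAP", "API_AND_CONFIG_MAP", "API"]


def mode_path(current, target):
    """Return the modes to pass through to reach `target` from `current` ([] if already there).

    Raises ValueError for an unknown mode or a reversal such as API -> CONFIG_MAP, which EKS
    rejects; failing here is better than failing half-way through a multi-step change.
    """
    if current not in MODES or target not in MODES:
        raise ValueError(f"unknown authenticationMode: {current!r} -> {target!r}")
    ci, ti = MODES.index(current), MODES.index(target)
    if ti < ci:
        raise ValueError(f"cannot move from {current} back to {target}: the change is one-way")
    return MODES[ci + 1 : ti + 1]


def _eks(*args):
    """Run `aws eks ...` and return its parsed JSON output."""
    proc = subprocess.run(["aws", "eks", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def current_mode(cluster):
    """Read cluster.accessConfig.authenticationMode from describe-cluster."""
    cfg = _eks("describe-cluster", "--name", cluster)["cluster"].get("accessConfig")
    if not cfg:  # absent when the platform version predates access entries
        raise RuntimeError(f"{cluster}: no accessConfig; platform version does not support access entries")
    return cfg["authenticationMode"]


def wait_for_update(cluster, update_id, poll_seconds=10):
    """update-cluster-config is asynchronous: poll describe-update until it leaves InProgress."""
    while True:
        status = _eks("describe-update", "--name", cluster, "--update-id", update_id)["update"]["status"]
        if status != "InProgress":
            return status  # Successful, Failed or Cancelled
        time.sleep(poll_seconds)


def switch_mode(cluster, target):
    """Move `cluster` to `target`, passing through API_AND_CONFIG_MAP first when coming from CONFIG_MAP."""
    steps = mode_path(current_mode(cluster), target)
    for step in steps:
        update = _eks("update-cluster-config", "--name", cluster,
                      "--access-config", f"authenticationMode={step}")["update"]
        status = wait_for_update(cluster, update["id"])
        if status != "Successful":
            raise RuntimeError(f"{cluster}: switch to {step} ended with status {status}")
        print(f"{cluster}: authenticationMode is now {step}")
    return steps


if __name__ == "__main__":
    # usage: python switch_mode.py eks-demo-cluster API
    switch_mode(sys.argv[1], sys.argv[2])
```

Because mode_path is pure, the transition rules can be unit-tested without a cluster; the only calls that reach AWS are in current_mode, wait_for_update and switch_mode.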
Migrating aws-auth configmap user to EKS Access Entry:
I have an admin user in the aws-auth configmap that I shall be replicating across to an EKS Access Entry and attach an EKS managed policy to the same.
aws-auth configmap -
[Screenshot: aws-auth configmap]
Creating an Access Entry -
aws eks create-access-entry --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-admin"
Associating Access Policy to the Access Entry -
aws eks associate-access-policy --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-admin" --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy --access-scope type=cluster
Once this is done we can change the cluster access config to API only. Before doing so, confirm that every principal still needed (the users and roles in mapUsers and mapRoles, including node IAM roles for self-managed nodes) has an access entry, for example by comparing the output of aws eks list-access-entries and aws eks list-associated-access-policies against the configmap: in API mode anything that exists only in aws-auth loses access, and the switch cannot be reverted.
aws eks update-cluster-config --name eks-demo-cluster --access-config authenticationMode=API
Verifying access to the cluster:
We can update the kubeconfig with the credentials of the k8s-admin user
AWS_PROFILE=k8s-admin-demo aws eks update-kubeconfig --name eks-demo-cluster --region ap-south-1
We can review the access this user has on the cluster using
kubectl auth can-i --list
[Screenshot: Cluster Access Verification]
The user has the same access across the cluster after replicating it via Access Entry and Access Policy.
Granting access to cluster based on custom permissions using Kubernetes Groups:
Creating a ClusterRole for developers with list, get and watch access to pods and the pods/log subresource
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-viewer
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["list", "get", "watch"]
Creating a ClusterRoleBinding and mapping it to a Kubernetes Group
kubectl create clusterrolebinding pod-viewer --clusterrole=pod-viewer --group=developer
Creating an Access Entry to associate this Kubernetes Group with an IAM Principal. The option is --kubernetes-groups and accepts one or more names; EKS does not check that a group is referenced by any binding on the cluster, so a misspelt group name silently grants nothing.
aws eks create-access-entry --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-dev" --kubernetes-groups developer
Verifying Access
[Screenshot: Verifying Developer Access to cluster]
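One way to script both migrations shown in this post (the admin user replicated with a managed policy, and the developer mapped through a Kubernetes group), as an added example that is neither the post's nor AWS's code: it parses the mapUsers/mapRoles text that aws-auth stores, emits the matching create-access-entry and associate-access-policy calls, and runs them only when asked. The SAMPLE_MAP_USERS value is constructed for the two users above (on a real cluster, feed it the output of kubectl -n kube-system get cm aws-auth -o jsonpath='{.data.mapUsers}'), the account id 111122223333 is a placeholder, and the mapping rules are this script's assumptions: system:masters becomes AmazonEKSClusterAdminPolicy at cluster scope, system:nodes becomes an EC2_LINUX entry (Windows node roles would need EC2_WINDOWS), any other system: group is refused rather than guessed, and username is passed through unchanged.

```python
"""Translate aws-auth ConfigMap mappings into EKS access-entry CLI calls (dry run by default).

Added example, not AWS tooling. Assumes the aws CLI v2 on PATH with permission to call
eks:CreateAccessEntry and eks:AssociateAccessPolicy when run with dry_run=False.
"""
import shlex
import subprocess

CLUSTER_ADMIN = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"

# Constructed sample of a mapUsers value for the two users in this post; not a real dump.
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::111122223333:user/k8s-admin
  username: k8s-admin
  groups:
    - system:masters
- userarn: arn:aws:iam::111122223333:user/k8s-dev
  username: k8s-dev
  groups:
    - developer
"""


def _set(mapping, line):
    """Store one `key: value` line; return True when a block-style groups list follows."""
    key, _, value = line.partition(":")
    key, value = key.strip(), value.strip().strip("'\"")
    if key == "groups":
        inline = value.strip("[]") if value else ""      # handles `groups: [a, b]` too
        mapping["groups"] = [g.strip().strip("'\"") for g in inline.split(",") if g.strip()]
        return not value
    mapping[key] = value
    return False


def parse_mappings(text):
    """Parse the list-of-mappings layout aws-auth uses in mapUsers/mapRoles.

    Only that layout is handled (`- key: value` lines plus a groups list), which avoids a
    PyYAML dependency; it is not a general YAML parser. Uniform leading indentation, as
    seen when the value is copied out of `kubectl get cm -o yaml`, is tolerated.
    """
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    base = min((len(l) - len(l.lstrip()) for l in lines), default=0)
    mappings, current, in_groups = [], None, False
    for raw in lines:
        indent = len(raw) - len(raw.lstrip()) - base
        line = raw.strip()
        if line.startswith("- ") and indent == 0:      # a new mapping starts
            current = {}
            mappings.append(current)
            in_groups = _set(current, line[2:])
        elif line.startswith("- "):                    # an item of the current groups list
            if current is None or not in_groups:
                raise ValueError(f"unexpected list item: {raw!r}")
            current["groups"].append(line[2:].strip().strip("'\""))
        else:                                          # another key of the current mapping
            if current is None:
                raise ValueError(f"line outside any mapping: {raw!r}")
            in_groups = _set(current, line)
    return mappings


def plan_access_entries(cluster, mappings):
    """Return the `aws eks ...` argv lists that recreate each mapping as an access entry."""
    cmds = []
    for m in mappings:
        arn = m.get("userarn") or m.get("rolearn")
        if not arn:
            raise ValueError(f"mapping without userarn/rolearn: {m}")
        groups = m.get("groups", [])
        create = ["aws", "eks", "create-access-entry", "--cluster-name", cluster, "--principal-arn", arn]
        if "system:nodes" in groups:
            # Assumption: a Linux node role. EC2 entry types take no username or groups.
            cmds.append(create + ["--type", "EC2_LINUX"])
            continue
        blocked = [g for g in groups if g.startswith("system:") and g != "system:masters"]
        if blocked:
            raise ValueError(f"{arn}: groups {blocked} have no access-entry equivalent here; map them by hand")
        if m.get("username"):
            create += ["--username", m["username"]]
        plain = [g for g in groups if not g.startswith("system:")]
        if plain:
            create += ["--kubernetes-groups", *plain]
        cmds.append(create)
        if "system:masters" in groups:
            # Assumption: system:masters is expressed as the managed cluster-admin policy.
            cmds.append(["aws", "eks", "associate-access-policy", "--cluster-name", cluster,
                         "--principal-arn", arn, "--policy-arn", CLUSTER_ADMIN,
                         "--access-scope", "type=cluster"])
    return cmds


def apply(cmds, dry_run=True):
    """Print each command; run it only when dry_run is False. A ResourceInUseException from
    create-access-entry means the entry already exists (re-run): delete it or use update-access-entry."""
    for cmd in cmds:
        print(shlex.join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    apply(plan_access_entries("eks-demo-cluster", parse_mappings(SAMPLE_MAP_USERS)))
```

Run it as-is to see the commands it would issue for the sample; diff that output against the cluster's current configmap before calling apply(cmds, dry_run=False), and only switch the cluster to API mode once every principal in the plan has been created.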
Accessing Cluster Access Configuration and Creating an Access Entry from the AWS Console
Modifying the Cluster Access Config Mode from the Access section
[Screenshot: Cluster Access Config Modes]
We can view all the access entries on the Access tab of the Amazon EKS cluster in the AWS Console, and create access entries there as well
[Screenshot: Access Entries on the AWS Console]
[Screenshot: Creating an Access Entry from the AWS Console]
[Screenshot: Listing the newly added access entry]
Deleting an Access Entry using the EKS API and from the AWS Console
EKS API
aws eks delete-access-entry --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-dev"
AWS Console
[Screenshot: Deleting Access Entry]
[Screenshot: Deleting Access Entry from AWS Console]
Conclusion:
Amazon EKS Cluster Access Management provides a clean and flexible way of managing access for AWS IAM principals directly through the Amazon EKS APIs, without having to edit the aws-auth configmap through the Kubernetes API. Because access entries are EKS resources, who may grant cluster access can be controlled with IAM policies on the eks:CreateAccessEntry and eks:AssociateAccessPolicy actions, and every grant or revocation is recorded in CloudTrail, whereas an aws-auth edit only ever appeared in the Kubernetes audit log. AWS has stated that the aws-auth configmap authentication source will be removed in a future Kubernetes version of Amazon EKS, after which authentication will be sourced only from access entries and access policies.