Simplified Amazon EKS Cluster Access Management using EKS APIs and AWS Console
Amazon EKS Team have added a new feature of assigning IAM principals access to the EKS cluster and Kubernetes Objects directly using the Amazon EKS API, we shall additionally explore the same via AWS Console.
Published Jan 6, 2024
Pre-Requisites:
- An EKS Cluster (v1.27) provisioned with the latest platform version.
- kubectl (v1.29.0), aws-cli (2.15.7) installed
- Required IAM permissions to call EKS API using aws-cli
Basic Terminologies:
[Source: AWS EKS Access Management Docs]
- Access Entry - "An access entry is a cluster identity—directly linked to an AWS IAM principal user or role—that is used to authenticate to an Amazon EKS cluster."
- Access Policies - "An Amazon EKS access policy authorizes an access entry to perform specific cluster actions."
Listing all the Access Policies:
aws eks list-access-policiesModes of Authentication:
- CONFIG_MAP - Uses aws-auth configmap authentication exclusively.
- API_AND_CONFIG_MAP - Uses both aws-auth configmap and Amazon EKS Access Entry API's to source authentication with precedence to the latter.
- API - Only considers Amazon EKS Access Entry API's to source authentication.
Verifying/Changing the access config of the EKS cluster:
By default the access config for the EKS cluster on the latest platform version would be API_AND_CONFIG_MAP, we can also change the same if not so via calling the EKS API -
aws eks update-cluster-config --name eks-demo-cluster --access-config authenticationMode=API_AND_CONFIG_MAPMigrating aws-auth configmap user to EKS Access Entry:
I have an admin user in the aws-auth configmap that I shall be replicating accross the EKS Access Entry and attach an EKS Managed policy to the same.
aws-auth configmap -
Creating an Access Entry -
aws eks create-access-entry --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-admin"Associating Access Policy to the Access Entry -
aws eks associate-access-policy --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-admin" --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy --access-scope type=clusterOnce this is done we can change the cluster access config to API only.
aws eks update-cluster-config --name eks-demo-cluster --access-config authenticationMode=APIVerifying access to the cluster:
We can update the kubeconfig with the credentials of the k8s-admin user
AWS_PROFILE=k8s-admin-demo aws eks update-kubeconfig --name eks-demo-cluster --region ap-south-1We can review the access for this user on the cluster using
kubectl auth can-i
The user has the same access across the cluster after replicating it via Access Entry and Access Policy.
Granting access to cluster based on custom permissions using Kubernetes Groups:
Creating a ClusterRole for developer with list, get, watch access to pods, pods/logs
Creating a ClusterRoleBinding and mapping it to a Kubernetes Group
kubectl create clusterrolebinding pod-viewer --clusterrole=pod-viewer --group=developerCreating an Access Entry to associate this Kubernetes Group to an IAM Principal
aws eks create-access-entry --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-dev" --kubernetes-group developerVerifying Access
Accessing Cluster Access Configuration and Creating an Access Entry from AWS Console
We can view all the access entries on the access tab of Amazon EKS on the AWS Console, additionally we can create access entry as well
Deleting an Access Entry using EKS API and from the AWS Console
EKS API
aws eks delete-access-entry --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-dev"AWS Console
References:
Conclusion:
Amazon EKS Cluster Access Management provides a clean and flexible way of managing access of AWS IAM Principals directly using the Amazon EKS APIs without the need to use Kubernetes APIs. In future releases of Kubernetes Version of Amazon EKS, the aws-auth configmap authentication source would be removed and authentication would be sourced only from Access entries and Access policies.