Shows how to integrate AWS IAM users/roles with Kubernetes RBAC
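#!/usr/bin/env bash
# Walkthrough: map an AWS IAM user/role to a Kubernetes user + group on EKS
# and restrict that group with RBAC (read-only "view" in one namespace).
#
# This is an interactive, two-session walkthrough, not a run-once script:
# "session 1" is the IAM identity that created the cluster, "session 2" is a
# second IAM identity that must be granted access explicitly. Captured
# command output is kept below as comments so the file stays valid shell.
#
# Tool versions used when this was recorded:
#   eksctl version
#   0.20.0
#   kubectl version
#   Client: v1.18.3 (darwin/amd64)
#   Server: v1.16.8-eks-e16311 (linux/amd64)

CLUSTER_NAME=lukaszbudniktest1
AWS_REGION=us-east-2

# ---------------------------------------------------------------- session 1
# eksctl provisions the cluster with the *current* IAM identity. That identity
# is granted system:masters on the cluster and is NOT listed in the aws-auth
# ConfigMap, so it cannot be revoked from inside Kubernetes later. Use a
# dedicated, tightly controlled role for cluster creation and confirm which
# identity you are before running eksctl.
aws sts get-caller-identity
eksctl create cluster --version 1.16 --name "$CLUSTER_NAME" --region "$AWS_REGION"

# The cluster creator has full permissions; deploy a sample workload.
kubectl config current-context
kubectl apply -f https://k8s.io/examples/application/deployment.yaml
kubectl get pods

# ---------------------------------------------------------------- session 2
# Open another terminal authenticated as a different IAM user/role. The AWS
# CLI can write a kubeconfig entry for it (the entry only configures how to
# obtain a token; it grants nothing by itself).
aws sts get-caller-identity
aws eks update-kubeconfig --name "$CLUSTER_NAME" --region "$AWS_REGION"
kubectl config current-context

# Test it: the API server authenticates the token but the identity is not in
# aws-auth, so it is rejected at authentication (not authorization) time.
kubectl get pods
# error: You must be logged in to the server (Unauthorized)

# ---------------------------------------------------------------- session 1
# Map the second identity in the aws-auth ConfigMap (kube-system namespace),
# under either mapUsers (IAM user) or mapRoles (IAM role). Prefer mapRoles:
# roles avoid long-lived user credentials and the mapping survives user churn.
# See https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
#
# Below, IAM user lbudnik-test2 becomes Kubernetes user "lukasz" in group
# "readonly". The ARN comes from `aws sts get-caller-identity` in session 2.
# Notes:
#   - "username" is what shows up in Kubernetes audit logs; pick something
#     that identifies the principal. Never map to a "system:" user or group
#     (e.g. system:masters) unless you intend to grant cluster-admin.
#   - The group name only has meaning through RBAC bindings created below;
#     until a binding exists the mapped user can authenticate but do nothing.
#   - `kubectl edit` is interactive; a YAML mistake here can lock every mapped
#     identity out of the cluster (only the hidden creator identity survives).
#     Back the ConfigMap up first and/or use the non-interactive eksctl
#     command instead.
#
#   mapUsers: |
#     - groups:
#       - readonly
#       userarn: arn:aws:iam::XXXX:user/lbudnik-test2
#       username: lukasz
kubectl -n kube-system get configmap aws-auth -o yaml > aws-auth.backup.yaml
kubectl edit -n kube-system configmap/aws-auth
# Non-interactive alternative (same result, no hand-editing of YAML):
#   eksctl create iamidentitymapping --cluster "$CLUSTER_NAME" --region "$AWS_REGION" \
#     --arn arn:aws:iam::XXXX:user/lbudnik-test2 --username lukasz --group readonly

# Bind the "readonly" group to the built-in "view" ClusterRole. This is a
# namespaced RoleBinding, so the grant is limited to the "default" namespace;
# use a ClusterRoleBinding only if cluster-wide read access is really wanted.
# Note that "view" allows reading ConfigMaps (but not Secrets) — do not store
# sensitive values in ConfigMaps in namespaces exposed this way.
# The heredoc delimiter is quoted: nothing in the manifest needs expansion.
cat <<'EOF' > role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: view
subjects:
- kind: Group
  name: readonly
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f role-binding.yaml

# ---------------------------------------------------------------- session 2
# Reads in the "default" namespace now work; writes are denied (Forbidden is
# an authorization failure, unlike the earlier Unauthorized).
kubectl get deployments
kubectl get pods
kubectl delete -f https://k8s.io/examples/application/deployment.yaml
# Error from server (Forbidden): error when deleting "https://k8s.io/examples/application/deployment.yaml": deployments.apps "nginx-deployment" is forbidden: User "lukasz" cannot delete resource "deployments" in API group "apps" in the namespace "default"

# ---------------------------------------------------------------- session 1
# Clean up: remove the sample deployment, then the cluster.
kubectl delete -f https://k8s.io/examples/application/deployment.yaml
eksctl delete cluster --name "$CLUSTER_NAME" --region "$AWS_REGION"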