Giving EKS access to IAM users: The simple way

Elastic Kubernetes Service (EKS) is a managed Kubernetes service provided by AWS. With EKS, you can operate Kubernetes clusters without the hassle of installing, operating, and maintaining your own Kubernetes control plane or nodes. This service simplifies the deployment, management, and scaling of containerized applications using Kubernetes.

Accessing the Kubernetes Cluster

Access to the Kubernetes cluster is a two-part process:

  1. Authentication: This verifies the identity of the user attempting to access the cluster.
  2. Authorization: This determines whether the authenticated user has the necessary permissions to perform a specific action.

Authentication

Kubernetes supports a variety of authentication mechanisms. In the case of EKS, the service uses [aws-iam-authenticator](https://github.com/kubernetes-sigs/aws-iam-authenticator) by default to authenticate users. This add-on, installed when EKS is provisioned, enables user authentication through IAM programmatic credentials.

Authorization

For authorization, Kubernetes employs Role-Based Access Control (RBAC). This involves the creation of roles, role bindings, cluster roles, and cluster role bindings.

EKS Access for IAM Users

AWS provides comprehensive documentation that guides you through the process of granting IAM users access to the EKS cluster. By default, the IAM principal used to create the cluster is granted admin permissions (system:masters).

Challenges and Solutions

While the process is straightforward, challenges arise when a single cluster hosts multiple projects involving various teams. The goal is to restrict each team’s access to only their relevant project namespace. Even within the same namespace, different levels of permissions may be required for different developers.

To address this issue, the following approach is suggested:

  1. Create roles and role bindings (or cluster roles and cluster role bindings) with the necessary permissions, and bind them to a Kubernetes group rather than to individual users.
  2. Map an IAM role to that group in the aws-auth configuration, so that every user who is allowed to assume the IAM role receives those permissions.
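The two steps above, and the trust policy that the Advantages section below relies on, as an added example (not configuration from the original post). The namespace `project-a`, the group name `project-a-developers`, the account ID `111122223333`, the role names and the user `alice` are all assumed placeholders. The first two documents are Kubernetes manifests for `kubectl apply`; the aws-auth ConfigMap is the full object as it must exist after editing, including the node mapping that a cluster already has; the last document is the IAM role's trust policy, written in JSON (which is valid YAML) and passed to `aws iam create-role --assume-role-policy-document`, not to kubectl.

```yaml
# --- 1. Namespace-scoped RBAC: least-privilege role for one project's developers ---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: project-a-developer
  namespace: project-a            # assumed namespace name
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch"]
---
# Bind the Role to a Kubernetes *group*, never to individual IAM users: the
# aws-auth mapping puts every principal that assumes the IAM role into this group.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: project-a-developers
  namespace: project-a
subjects:
  - kind: Group
    name: project-a-developers    # assumed group name; it only has to match aws-auth
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: project-a-developer
  apiGroup: rbac.authorization.k8s.io
---
# --- 2. aws-auth ConfigMap: map the IAM role to that group ---
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Keep the existing node mapping; removing it stops worker nodes from joining.
    - rolearn: arn:aws:iam::111122223333:role/eks-node-group-role     # placeholder
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # New entry: the assumable developer role. SessionName is the caller's
    # STS session name, so Kubernetes audit logs show which person acted.
    - rolearn: arn:aws:iam::111122223333:role/eks-project-a-developer  # placeholder
      username: project-a-dev:{{SessionName}}
      groups:
        - project-a-developers
---
# --- 3. Trust policy of the IAM role (JSON, not a Kubernetes object) ---
# Who may assume the role is decided here, so onboarding or offboarding a
# developer is an IAM change only; aws-auth and RBAC stay untouched.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": ["arn:aws:iam::111122223333:user/alice"] },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Two checks are worth running before handing the role to a team. First, confirm the binding grants exactly what you expect without needing the IAM side at all: `kubectl auth can-i get pods -n project-a --as=project-a-dev:alice --as-group=project-a-developers` should return `yes`, and the same command with `-n kube-system` or `--as-group=` omitted should return `no`. Second, have the developer configure kubectl with `aws eks update-kubeconfig --name <cluster> --role-arn arn:aws:iam::111122223333:role/eks-project-a-developer` and repeat a read in their namespace. Two caveats: the `rolearn` in aws-auth must be written without any IAM path (`role/name`, not `role/team/name`), and since a malformed aws-auth edit can lock everyone out, keep the cluster-creating principal or another mapped admin identity available as a break-glass account.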

Advantages

  • Assigning permissions to a role allows multiple users to assume that role, eliminating the need for frequent updates to the aws-auth configuration.
  • Adding or removing users becomes easier, as you only need to edit the IAM role's trust policy rather than the aws-auth configuration.

By implementing this approach, you can efficiently manage access and permissions, making your EKS environment more secure and easier to maintain.