Amazon EKS user management

You have setup the EKS cluster and are able to use it.

Now you want your teammates to access to the cluster too, so that they can build and run the applications. User management for EKS is done via the aws-auth configmap in kube-system namespace. You can learn how to add users manually by modifying the aws-auth configmap using the official documentation which shows how to add users to EKS by editing the aws-auth configmap.

Today we will learn how to add users using a tool called eksuser to make it easier to avoid any manual editing mistakes.

This is where eksuser utility comes in. Let’s see how it works. We will do the following steps to add users.

Install eksuser Create a Role and RoleBinding the will provide the appropriate rights to the users in the group. Add the IAM user to the cluster under the created group Configure machine of user who was added to the cluster by creating a kube-config file

1. Install eksuser

Download the appropriate binary for your platform from https://github.com/prabhatsharma/eksuser/releases and place it in the PATH.

2. Create Role and RoleBinding

Le’ts create a Role and RoleBinding for a group “super-developer” .

Save the below text as super-developer.yaml .

kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: super-developer namespace: app1 rules: - apiGroups: [ "*" ] resources: [ "*" ] verbs: [ "*" ] -- - kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: super-developer namespace: app1 subjects: - kind: Group name: super-developer apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: super-developer apiGroup: rbac.authorization.k8s.io

To add the above to your EKS cluster you can run:

$ kubectl apply -f super-developer.yaml

This will provide access to all resources in namespace “app1” to users of “super-developer” group.

3. Add the IAM user to the cluster under the created group

Before we proceed let’s take a look at the existing aws-auth configmap.

$ kubectl -n kube-system get configmap aws-auth -o yaml --export

apiVersion: v1 data: mapRoles: | - rolearn: arn:aws:iam::111122223333:role/doc-test-worker-nodes-NodeInstanceRole-WDO5P42N3ETB username: system:node:{{EC2PrivateDNSName}} groups: - system:bootstrappers - system:nodes kind: ConfigMap metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"v1","data":{"mapRoles":"- rolearn: arn:aws:iam::111122223333:role/doc-test-worker-nodes-NodeInstanceRole-WDO5P42N3ETB

username: system:node:{{EC2PrivateDNSName}}

groups:

- system:bootstrappers

- system:nodes

"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"aws-auth","namespace":"kube-system"}} creationTimestamp: 2018-04-04T18:49:10Z name: aws-auth namespace: kube-system resourceVersion: "780" selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth uid: dcc31de5 -3838-11e8 -af26-02e00430057c

To add an existing IAM user to EKS run:

$ eksuser add --user = prabhat --group = super-developer

Let’s examine the aws-configmap again

apiVersion: v1 data: mapRoles: | - rolearn: arn:aws:iam::111122223333:role/doc-test-worker-nodes-NodeInstanceRole-WDO5P42N3ETB username: system:node:{{EC2PrivateDNSName}} groups: - system:bootstrappers - system:nodes mapUsers: | - userarn: arn:aws:iam::111122223333:user/prabhat username: prabhat groups: - super-developer kind: ConfigMap metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"v1","data":{"mapRoles":"- rolearn: arn:aws:iam::111122223333:role/doc-test-worker-nodes-NodeInstanceRole-WDO5P42N3ETB

username: system:node:{{EC2PrivateDNSName}}

groups:

- system:bootstrappers

- system:nodes

"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"aws-auth","namespace":"kube-system"}} creationTimestamp: 2018-04-04T18:49:10Z name: aws-auth namespace: kube-system resourceVersion: "780" selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth uid: dcc31de5 -3838-11e8 -af26-02e00430057c

To add an user to multiple groups:

$ eksuser add --user = prabhat --group = super-admin,super-developer

To update an existing IAM user:

$ eksuser update --user = prabhat --group = super-developer

To delete an existing user:

$ eksuser delete --user = prabhat

This will remove the user from aws-auth configmap but won’t delete the IAM user itself from AWS IAM.

To provide the user with admin privileges:

$ eksuser add --user = prabhat --group = system:masters

From https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - Allows super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the rolebinding’s namespace, including the namespace itself.

4. Configure machine of user who was added to the cluster by creating a kube-config file

You will need to configure the machine of the user who will be accessing the cluster.

Following are the prerequisites:

aws-cli is installed and configured Follow the docs if you don’t already have it. kubectl is installed and is in PATH Follow steps in the documentation to install kubectl aws-iam-authenticator is installed and is in PATH Download and place the aws-iam-authenticator file in your PATH from github(https://github.com/kubernetes-sigs/aws-iam-authenticator/releases)

Then run the following command:

$ aws eks update-kubeconfig --name cluster_name

This will create the ~/.kube/config file.

Now the user is all set to use kubectl with the cluster.