EKS RBAC
Kubernetes Group
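# Cluster-scoped, read-only role for the "guest" group: get/list on nodes and
# namespaces only. RBAC is purely additive, so anything not listed is denied.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: guest
rules:
  # "" is the core API group, which is where nodes and namespaces live.
  - apiGroups:
      - ""
    resources:
      - nodes
      - namespaces
    # Read verbs only; "watch" and every write verb are deliberately absent.
    verbs:
      - get
      - list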
---
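# Grants the cluster-scoped "guest" ClusterRole to every identity that the
# cluster authenticates as a member of the Kubernetes group "guest".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: guest
subjects:
  # The group name is a plain string; it must match exactly the group that the
  # authenticator assigns to the caller.
  # NOTE(review): on EKS this is presumably the group listed in the aws-auth
  # mapUsers/mapRoles entry - confirm the spelling matches.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: guest
# roleRef is immutable once the binding exists; to point at a different role,
# delete and recreate the binding.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: guest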
---
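# Namespaced, read-only role for the "guest" group, limited to the "default"
# namespace: get/list on pods and on the common apps/v1 workload kinds.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: guest
  namespace: default
rules:
  # Core API group. Only the "pods" resource itself is listed: subresources
  # such as pods/log and pods/exec need their own entry and are not granted,
  # and neither are secrets or configmaps.
  # Reading a pod returns its full spec, including literal env values, so
  # sensitive values should be referenced from Secrets rather than inlined.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
  # Workload controllers in the "apps" group; their pod templates are readable
  # through these resources as well.
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - statefulsets
      - replicasets
    verbs:
      - get
      - list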
---
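# Grants the namespaced "guest" Role to the Kubernetes group "guest". The
# binding lives in "default", so the access applies to that namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: guest
  namespace: default
subjects:
  # Must match the group name the authenticator assigns to the caller.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: guest
# roleRef is immutable once the binding exists; a Role referenced here is
# resolved in the binding's own namespace.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: guest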
mapUsers
Policy
# Shared label: used as the Pulumi resource name, as the IAM name prefix and
# as the value of the "Name" tag.
name = "read-eks-policy"

# Customer-managed IAM policy that allows describing and listing EKS clusters.
# It grants AWS API access only; what the caller may do inside the cluster is
# decided separately by Kubernetes RBAC.
read_eks_policy = aws.iam.Policy(
    name,
    # name_prefix lets the provider append a unique suffix to the IAM name.
    name_prefix=name,
    policy=json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    # Console-generated Sid; it carries no meaning of its own.
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": ["eks:DescribeCluster", "eks:ListClusters"],
                    # NOTE(review): eks:ListClusters cannot be scoped to a
                    # resource and needs "*"; eks:DescribeCluster can be
                    # limited to specific cluster ARNs. Consider splitting the
                    # statement if least privilege per cluster is required.
                    "Resource": "*",
                }
            ],
        }
    ),
    # `variable` is defined outside this snippet; presumably it holds the
    # stack-level settings - confirm against the rest of the program.
    tags={"Name": name, "Stack": variable.stack_name},
)