Skip to main content

EKS RBAC


Kubernetes Group

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: guest
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - namespaces
    verbs:
      - get
      - list

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: guest
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: guest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: guest

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: guest
  namespace: default
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - statefulsets
      - replicasets
    verbs:
      - get
      - list

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: guest
  namespace: default
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: guest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: guest

mapUsers

Policy

name = "read-eks-policy"
read_eks_policy = aws.iam.Policy(
    name,
    name_prefix=name,
    policy=json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [
                        "eks:DescribeCluster",
                        "eks:ListClusters",
                    ],
                    "Resource": "*",
                }
            ],
        }
    ),
    tags={
        "Name": name,
        "Stack": variable.stack_name,
    },
)

aws-auth

kind: ConfigMap
apiVersion: v1
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    ...

  mapUsers: |
    - userarn: arn:aws:iam::<account-id>:user/<username>
      username: <username>
      groups:
        - guest
info

userarn과 username의 <username>이 동일할 필요는 없습니다.

kubectl

aws sts get-caller-identity
aws eks list-clusters
aws eks update-kubeconfig \
    --name <cluster-name> \
    --kubeconfig ~/.kube/<cluster-name>
export KUBECONFIG=<config-path>[:<config-path>]
kubectl get pods

mapRoles

Policy

aws-auth

kind: ConfigMap
apiVersion: v1
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::<account-id>:role/<rolename>
      username: <rolename>
      groups:
        - guest

  mapUsers: |
    ...
info

rolearn과 username의 <rolename>이 동일할 필요는 없습니다.

kubectl

Reference