Provide Access to AWS Accounts to view EKS Resources

As many of you know, when we set up an EKS cluster and create objects through the CLI, those objects are not viewable to the user in the AWS Management Console. In this post we will go through the steps required to view the resources of an EKS cluster in the AWS Management Console.
Use the link below to download the required file, or run the command to fetch the file on your EC2 machine.
Documentation Link: https://docs.aws.amazon.com/eks/latest/userguide/view-kubernetes-resources.html#view-kubernetes-resources-permissions
Step 1: Create a ClusterRole and ClusterRoleBinding:
Run the command below to download the file:
wget https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-full-access.yaml
Below are the contents of the file:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eks-console-dashboard-full-access-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  - configmaps
  - endpoints
  - events
  - limitranges
  - persistentvolumeclaims
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - secrets
  - serviceaccounts
  - services
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - get
  - list
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - networkpolicies
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - get
  - list
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-console-dashboard-full-access-binding
subjects:
- kind: Group
  name: eks-console-dashboard-full-access-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: eks-console-dashboard-full-access-clusterrole
  apiGroup: rbac.authorization.k8s.io
You can customize these resources based on your needs to grant the least permissions required. For the sake of this example, we will keep the defaults.
Once everything is ready on your end, apply the file to the cluster with the command below:
kubectl apply -f eks-console-full-access.yaml
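The binding from Step 1 can be checked before any IAM identity is mapped, by impersonating the group with kubectl auth can-i. This is an added example, not part of the original post or of the AWS file; the probe user name is hypothetical, and the caller needs impersonation rights (a cluster admin has them).

```sh
#!/bin/sh
# Added example: check what the console group may do, via RBAC impersonation.
GROUP="eks-console-dashboard-full-access-group"  # subject of the ClusterRoleBinding
PROBE_USER="console-rbac-probe"                  # hypothetical; --as-group requires --as

# can_i VERB RESOURCE: prints "yes" or "no" for the impersonated group.
can_i() {
  kubectl auth can-i "$1" "$2" --all-namespaces \
    --as="$PROBE_USER" --as-group="$GROUP" 2>/dev/null || true
}

# Prints one line per finding; the return status is the number of findings.
audit_console_group() {
  findings=0
  # Read access the console relies on (a sample of the ClusterRole rules).
  for res in pods nodes deployments.apps; do
    [ "$(can_i list "$res")" = "yes" ] || {
      echo "MISSING list $res"; findings=$((findings + 1)); }
  done
  # The role grants only get/list, so every mutating verb must be denied.
  for verb in create update patch delete; do
    for res in pods deployments.apps secrets configmaps; do
      [ "$(can_i "$verb" "$res")" = "no" ] || {
        echo "UNEXPECTED $verb $res"; findings=$((findings + 1)); }
    done
  done
  # Informational: get/list on secrets returns Secret data, not only names.
  [ "$(can_i get secrets)" = "no" ] || echo "NOTE group can read Secret contents"
  return "$findings"
}

# Usage, after `kubectl apply -f eks-console-full-access.yaml`:
#   audit_console_group; echo "findings: $?"
```

If the NOTE line appears and console users do not need to see Secrets, removing secrets from the ClusterRole before applying it is the customization the paragraph above refers to.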
Step 2: Create required User or Role and Provide the required policy:

As you can see in the above image, I have already created a test user in the IAM dashboard and attached the required policy to the user identity. The policy is as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:ListFargateProfiles",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:ListUpdates",
                "eks:AccessKubernetesApi",
                "eks:ListAddons",
                "eks:DescribeCluster",
                "eks:DescribeAddonVersions",
                "eks:ListClusters",
                "eks:ListIdentityProviderConfigs",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:*:111122223333:parameter/*"
        }
    ]
}
Once the user is created and the policy is attached, the last thing we need to do is configure the aws-auth ConfigMap, which resides in the kube-system namespace of the Kubernetes cluster.
Step 3: Configure the aws-auth ConfigMap in the kube-system namespace
To view the aws-auth ConfigMap in kube-system, run the command below:
kubectl get configmaps -n kube-system
In the image below, you can see the aws-auth ConfigMap in the kube-system namespace:

Now it's time to add our configuration to the aws-auth ConfigMap. To add the custom access configuration, edit the ConfigMap with the command below:
kubectl edit -n kube-system configmap/aws-auth
Below is the configuration to add to the ConfigMap:
mapUsers: |
  - "groups":
    - "eks-console-dashboard-full-access-group"
    "userarn": "arn:aws:iam::112233421171:user/rahil-iam-user"
    "username": "rahil-iam-user"
Add the above entry under the mapUsers section, with the username and the ARN of your AWS user.
You can add the same mapping for an IAM role as well. The config below maps a common role:
mapRoles: |
  - "groups":
    - "eks-console-dashboard-full-access-group"
    "rolearn": "arn:aws:iam::112233421171:role/adminstrator"
    "username": "rahil-iam-user"
Add the above entry under the mapRoles section, with the username and the ARN of your AWS role.
Wait for some time for the updated ConfigMap to be picked up. Once it is, it is time to move to the AWS Console.
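A mistyped group name or ARN in aws-auth fails silently: the identity authenticates but sees nothing in the console. The following lint for the mapUsers/mapRoles text is an added example, not part of the original post; the sample entry is constructed (placeholder account ID and role name), and the system:masters check is an extra safeguard that the post itself does not discuss.

```sh
#!/bin/sh
# Added example: lint aws-auth mapUsers/mapRoles text before relying on it.
GROUP="eks-console-dashboard-full-access-group"  # must equal the binding subject

# Constructed sample with three mistakes (account ID and role name are placeholders).
SAMPLE='mapRoles: |
  - "groups":
    - "system:masters"
    - "eks-console-dashboard-full-access-groups"
    "rolearn": "arn:aws:iam::111122223333:role/team/example-role"
    "username": "example-role"'

# Reads the mapping text on stdin, prints findings, returns their count.
lint_aws_auth() {
  awk -v want="$GROUP" '
    { gsub(/"/, ""); sub(/^[ \t-]+/, ""); sub(/[ \t]+$/, "") }  # strip quotes, indent, dashes
    /^(userarn|rolearn): / {
      # aws-auth does not match role ARNs that contain a path.
      if ($1 == "rolearn:" && $2 ~ /:role\/.+\//) { print "PATH_IN_ROLE_ARN " $2; n++ }
      next
    }
    /^[A-Za-z]+: / || /^[A-Za-z]+:$/ { next }   # other keys: groups:, username: ...
    $0 == "system:masters" { print "CLUSTER_ADMIN_GROUP"; n++ }  # far more than view access
    $0 == want { seen = 1 }
    END {
      if (!seen) { print "GROUP_NOT_MAPPED " want; n++ }
      exit n + 0
    }
  '
}

# Usage against a live cluster:
#   kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapUsers}' | lint_aws_auth
#   printf '%s\n' "$SAMPLE" | lint_aws_auth   # reports the three mistakes in SAMPLE
```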
Step 4: Check the resources access in the EKS Cluster
Once all the above steps are completed, you will be able to see the resources in the EKS cluster.



Congratulations, you have now successfully configured your AWS user and role to access the EKS cluster in the AWS Management Console.
Please show your support for the blog, as I have published this for the first time on HashNode. Consider liking the article and following me on HashNode, where I will cover some advanced topics of some widely used services in the Cloud domain.
Also, follow me on LinkedIn for other posts related to DevOps. Thank you.