0

Following this tutorial: https://archive.eksworkshop.com/beginner/091_iam-groups/test-cluster-access/ - Which I believe is missing the point it is trying to make, by assuming the role directly at the Test EKS page

I've created a role called k8sAdmin with the following policy/trust relations

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

I've create a user group called k8sAdministrators with the following permission policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAssumeOrganizationAccountRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT:role/k8sAdmin"
        }
    ]
}

I've modified the kube-system aws-auth ConfigMap to assign permission to the k8sAdmin role.

apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::ACCOUNT:role/eksctl-production-nodegrou-NodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - system:masters
      rolearn: arn:aws:iam::ACCOUNT:role/k8sAdmin
      username: admin
  mapUsers: |
    []

When I assume the role directly, I can access the cluster. But the goal is, to allow any user in the k8sAdministrators group to have access to the cluster, since the group has permission to assume role.

Does not work with the current config, group members are not authorized to access the cluster.

0

You must log in to answer this question.

Browse other questions tagged .