Difference between revisions of "Enabling IAM principal access to your cluster"
Jump to navigation
Jump to search
| (9 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
[[kubectl describe -n kube-system configmap/aws-auth]] | [[kubectl describe -n kube-system configmap/aws-auth]] | ||
| + | |||
| + | |||
| + | apiVersion: v1 | ||
| + | data: | ||
| + | [[mapRoles:]] | | ||
| + | - groups: | ||
| + | - system:bootstrappers | ||
| + | - system:nodes | ||
| + | rolearn: arn:aws:iam::111122223333:role/my-role | ||
| + | username: system:node:{{EC2PrivateDNSName}} | ||
| + | - groups: | ||
| + | - eks-console-dashboard-full-access-group | ||
| + | rolearn: arn:aws:iam::111122223333:role/my-console-viewer-role | ||
| + | username: my-console-viewer-role | ||
| + | [[mapUsers:]] | | ||
| + | - groups: | ||
| + | - [[system:masters]] | ||
| + | userarn: arn:aws:iam::111122223333:user/admin | ||
| + | username: admin | ||
| + | - groups: | ||
| + | - eks-console-dashboard-restricted-access-group | ||
| + | userarn: arn:aws:iam::444455556666:user/my-user | ||
| + | username: my-user | ||
== Activities == | == Activities == | ||
* [[Granting access to an IAM principal to view Kubernetes resources on a cluster]] | * [[Granting access to an IAM principal to view Kubernetes resources on a cluster]] | ||
| − | + | * [[How do I provide access to other IAM users and roles after cluster creation in Amazon EKS?]] | |
== Related == | == Related == | ||
| − | * [[aws-iam-authenticator add]] | + | * <code>[[aws-iam-authenticator add]]</code> |
* [[K8s Cluster roles]]: <code>[[cluster-admin]], [[admin]], [[edit]], [[Kubernetes view role|view]]</code> | * [[K8s Cluster roles]]: <code>[[cluster-admin]], [[admin]], [[edit]], [[Kubernetes view role|view]]</code> | ||
* [[AWS IAM Authenticator for Kubernetes]] configured in [[aws-auth ConfigMap]] | * [[AWS IAM Authenticator for Kubernetes]] configured in [[aws-auth ConfigMap]] | ||
* <code>[[kubectl get roles -A]]</code> | * <code>[[kubectl get roles -A]]</code> | ||
| − | * [[kubectl get clusterroles]] | + | * <code>[[kubectl get clusterroles]]</code> |
| − | * [[kubectl get rolebindings -A]] | + | * <code>[[kubectl get rolebindings -A]]</code> |
| − | * [[kubectl describe role]] your-role-name -n kube-system | + | * <code>[[kubectl describe role]] your-role-name -n kube-system</code> |
* [[AWS IAM principal]] | * [[AWS IAM principal]] | ||
* <code>[[kubectl get clusterroles]]</code> | * <code>[[kubectl get clusterroles]]</code> | ||
* [[ServiceNow Kubernetes discovery]] | * [[ServiceNow Kubernetes discovery]] | ||
| + | * <code>[[curl $APISERVER/api --header]] "[[Authorization: Bearer]] $TOKEN" [[--insecure]]</code> | ||
| + | * <code>[[aws sts get-session-token]]</code> | ||
== See also == | == See also == | ||
| − | |||
* {{aws-iam-authenticator}} | * {{aws-iam-authenticator}} | ||
* {{aws-auth}} | * {{aws-auth}} | ||
Latest revision as of 11:35, 4 March 2024
system:masters
kubectl describe -n kube-system configmap/aws-auth
apiVersion: v1 data: mapRoles: | - groups: - system:bootstrappers - system:nodes rolearn: arn:aws:iam::111122223333:role/my-role username: system:node:Template:EC2PrivateDNSName - groups: - eks-console-dashboard-full-access-group rolearn: arn:aws:iam::111122223333:role/my-console-viewer-role username: my-console-viewer-role mapUsers: | - groups: - system:masters userarn: arn:aws:iam::111122223333:user/admin username: admin - groups: - eks-console-dashboard-restricted-access-group userarn: arn:aws:iam::444455556666:user/my-user username: my-user
Activities[edit]
- Granting access to an IAM principal to view Kubernetes resources on a cluster
- How do I provide access to other IAM users and roles after cluster creation in Amazon EKS?
Related[edit]
aws-iam-authenticator add- K8s Cluster roles:
cluster-admin, admin, edit, view - AWS IAM Authenticator for Kubernetes configured in aws-auth ConfigMap
kubectl get roles -Akubectl get clusterroleskubectl get rolebindings -Akubectl describe role your-role-name -n kube-system- AWS IAM principal
kubectl get clusterroles- ServiceNow Kubernetes discovery
curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecureaws sts get-session-token
See also[edit]
- AWS IAM Authenticator for Kubernetes:
aws-iam-authenticator: [token | verify | add | init | server | version | --help],configmap/aws-auth,AmazonEKSAdminPolicy,AmazonEKSClusterAdminPolicy - AWS IAM Authenticator for Kubernetes:
aws-auth, kubectl edit -n kube-system configmap/aws-auth, eksctl create iamidentitymapping,mapUsers:, mapRoles:, mapAccounts: - Kubernetes RBAC
kubectl auth, kubectl auth can-i, kubectl auth reconcilekubectl create [ role | clusterrole | clusterrolebinding|rolebinding | serviceaccount ], groups:, Kubernetes RBAC good practices,kube2iam, K8s Cluster roles,rbac.authorization.k8s.io,system:
Advertising:
