Enabling IAM principal access to your cluster
Jump to navigation
Jump to search
system:masters
kubectl describe -n kube-system configmap/aws-auth
apiVersion: v1 data: mapRoles: | - groups: - system:bootstrappers - system:nodes rolearn: arn:aws:iam::111122223333:role/my-role username: system:node:Template:EC2PrivateDNSName - groups: - eks-console-dashboard-full-access-group rolearn: arn:aws:iam::111122223333:role/my-console-viewer-role username: my-console-viewer-role mapUsers: | - groups: - system:masters userarn: arn:aws:iam::111122223333:user/admin username: admin - groups: - eks-console-dashboard-restricted-access-group userarn: arn:aws:iam::444455556666:user/my-user username: my-user
Activities[edit]
Related[edit]
aws-iam-authenticator add
- K8s Cluster roles:
cluster-admin, admin, edit, view
- AWS IAM Authenticator for Kubernetes configured in aws-auth ConfigMap
kubectl get roles -A
kubectl get clusterroles
kubectl get rolebindings -A
kubectl describe role your-role-name -n kube-system
- AWS IAM principal
kubectl get clusterroles
- ServiceNow Kubernetes discovery
curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
aws sts get-session-token
See also[edit]
- AWS IAM Authenticator for Kubernetes:
aws-iam-authenticator
: [token | verify | add | init | server | version | --help
],configmap/aws-auth
,AmazonEKSAdminPolicy
,AmazonEKSClusterAdminPolicy
- AWS IAM Authenticator for Kubernetes:
aws-auth, kubectl edit -n kube-system configmap/aws-auth, eksctl create iamidentitymapping
,mapUsers:, mapRoles:, mapAccounts:
- Kubernetes RBAC
kubectl auth, kubectl auth can-i, kubectl auth reconcile
kubectl create [ role | clusterrole | clusterrolebinding
|rolebinding | serviceaccount ], groups:
, Kubernetes RBAC good practices,kube2iam
, K8s Cluster roles,rbac.authorization.k8s.io
,system:
Advertising: