AWS eks add cluster user or Iam role

Amazon EKS Use IAM by Kubernetes The cluster provides authentication （ adopt AWS CLI Of 1.16.156 Available in version or later aws eks get-token Order or Apply to Kubernetes Of AWS IAM Authenticators ）, But it still depends on Kubernetes Role-based access control (RBAC) To authorize .

One 、 take aws-auth ConfigMap Apply to clusters

1. Check if you have applied aws-auth ConfigMap.

   kubectl describe configmap -n kube-system aws-auth
   

   If you receive an error indication “Error from server (NotFound): configmaps "aws-auth" not found”, Then continue with the following steps to apply inventory ConfigMap.

2. download 、 Edit and apply AWS Authenticator configuration mapping .

   1. Download configuration mapping .

      curl -o aws-auth-cm.yaml https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/aws-auth-cm.yaml
      

   2. Open the file with your usual text editor . take <ARN of instance role (not instance profile)> Replace with the... Associated with the node IAM Character's Amazon Resource Name (ARN), Then save the corresponding file . Do not modify any other lines in this file .

      important

      role ARN Cannot contain path . role ARN The format of must be arn:aws:iam::<123456789012>:role/<role-name>. For more information , see also aws-auth ConfigMap Do not grant access to the cluster .

      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: aws-auth
        namespace: kube-system
      data:
        mapRoles: |
          - rolearn: <ARN of instance role (not instance profile)>
            username: system:node:{
             {EC2PrivateDNSName}}
            groups:
              - system:bootstrappers
              - system:nodes
      

      You can check the status of the worker node group AWS CloudFormation Stack output , And find the following values ：

      • InstanceRoleARN（ For used eksctl Create a new node group ）
      • NodeInstanceRole（ For already in AWS Management Console Use in Amazon EKS Provided AWS CloudFormation Node group created by template ）

   3. Application configuration . This command may take several minutes to complete .

      kubectl apply -f aws-auth-cm.yaml
      

      Be careful

      If you receive any authorization or resource type error , See... In the troubleshooting section Unauthorized or access denied (kubectl).

3. Look at the status of the nodes and wait for them to reach Ready state .

   kubectl get nodes --watch
   

Two 、 take IAM Add users or roles to Amazon EKS colony

1. Make sure AWS To be used kubectl The certificate has been authorized for the cluster . By default , Create the name of the cluster IAM Users have these permissions .

2. open aws-auth ConfigMap.

   kubectl edit -n kube-system configmap/aws-auth
   

   Be careful

   If you receive an error indication “Error from server (NotFound): configmaps "aws-auth" not found”, Then use the above process to apply inventory ConfigMap.

   Example ConfigMap：

   apiVersion: v1
   data:
     mapRoles: |
       - groups:
         - system:bootstrappers
         - system:nodes
         rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF
         username: system:node:{
        {EC2PrivateDNSName}}
   kind: ConfigMap
   metadata:
     creationTimestamp: "2020-09-30T21:09:18Z"
     name: aws-auth
     namespace: kube-system
     resourceVersion: "1021"
     selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
     uid: dcc31de5-3838-11e8-af26-02e00430057c
   

3. take IAM user 、 Role or AWS Add account to configMap. You can't put IAM Groups adding to configMap in .

   • ** add to IAM role （ for example , about Federated users ）：** Add role details to data Next ConfigMap Of mapRoles part . If this part does not exist in the file , Please add it . Each entry supports the following parameters ：
     • rolearn： To add IAM Character's ARN.
     • username：Kubernetes To map to IAM User name of the role .
     • groups：Kubernetes List of groups to which the role in the is mapped . For more information , see also Kubernetes In document Default role and role binding .
   • ** add to IAM user ：** Add user details to data Next ConfigMap Of mapUsers part . If this part does not exist in the file , Please add it . Each entry supports the following parameters ：
     • userarn： To add IAM User ARN.
     • username：Kubernetes To map to IAM User name .
     • groups：Kubernetes A list of groups to which users in the group are mapped . For more information , see also Kubernetes In document Default role and role binding .

   for example , The following block contains ：

   • mapRoles part , This section adds node instance roles , So that nodes can register themselves with the cluster .
   • mapUsers part , It contains information from the default AWS account AWS user admin And from other AWS account ops-user. Both users are added to system:masters Group .

   Will all <example-values>（ contain <>） Replace with your own value .

   # Please edit the object below. Lines beginning with a '#' will be ignored,
   # and an empty file will abort the edit. If an error occurs while saving this file will be
   # reopened with the relevant failures.
   #
   apiVersion: v1
   data:
     mapRoles: |
       - rolearn: <arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF>
         username: <system:node:{
        {EC2PrivateDNSName}}>
         groups:
           - <system:bootstrappers>
           - <system:nodes>
     mapUsers: |
       - userarn: <arn:aws:iam::111122223333:user/admin>
         username: <admin>
         groups:
           - <system:masters>
       - userarn: <arn:aws:iam::111122223333:user/ops-user>
         username: <ops-user>
         groups:
           - <system:masters>
   

4. Save the file and exit your text editor .

5. Ensure that Kubernetes User or group （ Mapped IAM Users or roles ） Bind to with RoleBinding or ClusterRoleBinding Of Kubernetes role . For more information , see also Kubernetes In document Use RBAC to grant authorization . You can download the following sample listing , These lists create clusterrole and clusterrolebinding or role and rolebinding：

   • View all namespaces Kubernetes resources – The group name in the file is eks-console-dashboard-full-access-group, Your IAM Users or roles need to be in aws-auth configmap Map to this group in . if necessary , You can change the name of the group before applying it to the cluster , And then in configmap Take your IAM Users or roles are mapped to this group . Download the file from ：

     https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-full-access.yaml
     

   • View... In a specific namespace Kubernetes resources – The namespace in this file is default, therefore , If you want to specify a different namespace , Please edit this file , Then apply it to the cluster . The group name in the file is eks-console-dashboard-restricted-access-group, Your IAM Users or roles need to be in aws-auth configmap Map to this group in . if necessary , You can change the name of the group before applying it to the cluster , And then in configmap Take your IAM Users or roles are mapped to this group . Download the file from ：

     https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-restricted-access.yaml
     

6. （ Optional ） If you wish to have added to configmap Users in can be in AWS Management Console in Look at the node or View workload , Then the user or role must have the following two types of permissions ：

   • stay Kubernetes View resources in Kubernetes jurisdiction
   • stay AWS Management Console View resources in IAM jurisdiction . For more information , see also stay AWS Management Console View the nodes and workloads of all clusters in .