Ecosyste.ms: Awesome
https://github.com/alexei-led/eks-ro-access
EKS read-only access guide
- Host: GitHub
- URL: https://github.com/alexei-led/eks-ro-access
- Owner: alexei-led
- License: apache-2.0
- Created: 2020-03-18T12:45:31.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2022-06-24T11:52:20.000Z (over 2 years ago)
- Last Synced: 2024-10-15T20:09:23.267Z (3 months ago)
- Topics: aws, eks, iam, kubernetes
- Homepage:
- Size: 15.6 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Grant access to customer EKS Cluster
Sometimes you need to access a customer-managed EKS cluster that has a public endpoint. Follow this guide to obtain read-only access to a customer-managed EKS cluster in the customer's AWS account.
## Create IAM Role (cross-account) or temporary IAM User
[AWS Cross AWS Account Access](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html)
To access an EKS cluster you need AWS IAM credentials. The most secure way is to define a cross-account IAM role in the customer account and assume that role.
### Cross-account IAM Role
[![Launch Stack](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=eks-ro-acccess&templateURL=https://min.gitcdn.link/cdn/alexei-led/eks-ro-access/master/template.yaml)
CloudFormation [template](./template.yaml) for read-only access to an EKS cluster.
### Using temporary IAM User
Another, less secure, option is to create a temporary IAM user in the customer AWS account.
Then attach an IAM policy to the cross-account IAM role or to the in-account IAM user.
The required IAM policy (replace the `<>` values):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["eks:DescribeCluster", "eks:ListClusters"],
      "Resource": "arn:aws:eks:<region>:<account-id>:cluster/<cluster-name>"
    }
  ]
}
```
## Create ClusterRoleBinding to `view` ClusterRole
[Kubernetes RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
EKS has a built-in `view` ClusterRole with `get,list,watch` access to all APIs and all resources.
Create a `support:viewer` ClusterRoleBinding to the `view` ClusterRole.
```sh
cat < --cluster <cluster-name> --region <region>
```
## Generate/update kubeconfig
[AWS guide](https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html)
Generate/update `kubeconfig` for the EKS cluster, assuming the IAM role (from above) or using the AWS credentials of the temporary IAM user.
```sh
aws eks --region <region> update-kubeconfig --name <cluster-name>
```
## Additional References
- [How do I manage permissions across namespaces for my IAM users in an Amazon EKS cluster?](https://aws.amazon.com/premiumsupport/knowledge-center/eks-iam-permissions-namespaces/)
- [Read-Only Access to Kubernetes Cluster](https://medium.com/@rschoening/read-only-access-to-kubernetes-cluster-fcf84670b698)
- [eksctl: Manage IAM users and roles](https://eksctl.io/usage/iam-identity-mappings/)
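The ClusterRoleBinding step and the IAM-to-Kubernetes identity mapping it depends on, assembled as an added example (this is not the guide's own script). It assumes the customer maps the cross-account IAM role to the Kubernetes username `support:viewer` through eksctl's aws-auth identity mapping, and that `kubectl` and `eksctl` are installed when `EKS_RO_APPLY=1` is set; the role ARN, cluster name and region are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the guide): render, apply and verify the read-only
# RBAC pieces described above. Assumption: the customer maps the cross-account
# IAM role to the Kubernetes username "support:viewer" (eksctl aws-auth mapping).
set -eu

# Validate an IAM role ARN: arn:aws:iam::<12-digit-account>:role/<name>
is_role_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# ClusterRoleBinding "support:viewer": grants the built-in "view" ClusterRole
# to the mapped Kubernetes user passed as $1 (not to the IAM ARN itself).
render_crb() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: support:viewer
subjects:
- kind: User
  name: $1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply only when explicitly requested:
#   EKS_RO_APPLY=1 ./eks-ro.sh <role-arn> <cluster-name> <region>
if [ "${EKS_RO_APPLY:-0}" = "1" ]; then
  is_role_arn "$1" || { echo "not an IAM role ARN: $1" >&2; exit 1; }
  # Map the role to the username with no groups, so it receives nothing
  # beyond the ClusterRoleBinding applied below.
  eksctl create iamidentitymapping --cluster "$2" --region "$3" \
    --arn "$1" --username support:viewer
  render_crb support:viewer | kubectl apply -f -
  # Verify before handing the role over: reads allowed, mutations denied.
  kubectl auth can-i --as support:viewer get pods --all-namespaces >/dev/null
  if kubectl auth can-i --as support:viewer delete pods --all-namespaces >/dev/null; then
    echo "support:viewer can delete pods; binding is not read-only" >&2; exit 1
  fi
fi
```

Without `EKS_RO_APPLY=1` the script only defines the functions, so the manifest can be reviewed with `render_crb support:viewer` before anything touches the cluster.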