Authorise IAM user for all EKS clusters in an AWS account

Question

We need to monitor nodes and pods in all clusters. To get this information, IAM user should be authorised using ClusterRoleBinding.
As per our understanding, ClusterRoleBinding needs to be applied for every cluster in EKS separately to get access to a cluster for a specific IAM user. It also requires us to keep a watch on new cluster creation as authorisation needs to be done for new cluster as soon as it's added. This is very cumbersome. 
Is there any way by which an IAM user can be authorised for all EKS clusters in an AWS account in one step? Also, this user should get access to newly created clusters.

Accepted Answer

Hi,

The only way would be to automate the modification of the particular config file that modifies the aws-auth ConfigMap adding the particular user/role. For example if you are using CDK you can use the class [AwsAuth](https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-eks.AwsAuth.html) to add roles/users at the cluster creation time. Here is an [alternative with terraform](https://registry.terraform.io/modules/aidanmelen/eks-auth/aws/latest).

If all the clusters are created with the same user/role, you could also create a recurrent tasks that lists all the EKS clusters and checks & modifies all the cluster to be compliant with the current IAM access allow.

Hope this helps!

Authorise IAM user for all EKS clusters in an AWS account

관련 콘텐츠