EKS Permissions Models - are RBAC & Kubernetes service accounts all the same thing? Which should I use for relatively simplistic permissions to access AWS resources?

There are a few permission models/concepts for EKS:

1 Answer
RBAC (Role-Based Access Control) and Kubernetes service accounts are related but distinct concepts in EKS permissions management. They serve different purposes and can be used together for comprehensive access control.

RBAC is a Kubernetes-native authorization mechanism that allows you to define fine-grained permissions within the cluster. It controls access to Kubernetes resources and API operations.

IAM roles for service accounts (IRSA) is an AWS-specific feature that allows you to associate IAM roles with Kubernetes service accounts. This enables pods to access AWS resources securely without storing AWS credentials in the cluster.

For relatively simplistic permissions to access AWS resources from your EKS pods, IAM roles for service accounts (IRSA) is generally the recommended approach. It provides a more straightforward and AWS-native way to manage permissions for accessing AWS services from your EKS workloads.

You don't necessarily need to use RBAC if you're only concerned with accessing AWS resources. However, RBAC is still valuable for managing access within the Kubernetes cluster itself.

Regarding permissions for a default EKS cluster, the cluster creator typically gets full administrative access. However, it's important to note that Amazon EKS has introduced new access management controls that simplify granting access to EKS clusters. These controls allow administrators to define access entries and policies directly through Amazon EKS APIs, providing more granular control over cluster access.

For most use cases involving AWS resource access from EKS pods, using IAM roles for service accounts (IRSA) provides a good balance of simplicity and security. It allows you to leverage existing IAM roles and policies while maintaining the principle of least privilege for your Kubernetes workloads.
Sources
Grant Kubernetes workloads access to AWS using Kubernetes Service Accounts - Amazon EKS
A deep dive into simplified Amazon EKS access management controls | Containers
IAM roles for service accounts - Amazon EKS

answered 10 months ago
EXPERT
reviewed 10 months ago
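As an added example (not part of the answer above and not AWS's own tooling), here is the IRSA binding the answer describes, in Python: the IAM trust policy scoped to a single Kubernetes service account, the matching ServiceAccount manifest carrying the role annotation, and an audit that flags trust policies which would let any pod in the cluster assume the role. The account ID and OIDC provider ID are constructed placeholders.

```python
# Constructed placeholder values; replace with your own account and cluster OIDC provider.
ACCOUNT_ID = "111122223333"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def trust_policy(account_id, oidc_provider, namespace, sa_name):
    """IAM role trust policy that only the named service account in the named namespace can assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                f"{oidc_provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def service_account_manifest(namespace, sa_name, role_arn):
    """Kubernetes ServiceAccount whose annotation binds pods using it to the IAM role."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": sa_name, "namespace": namespace,
                     "annotations": {"eks.amazonaws.com/role-arn": role_arn}},
    }


def audit_trust_policy(policy, oidc_provider):
    """Return findings for statements that let more than one service account assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        sub = None
        for op in ("StringEquals", "StringLike"):  # StringLike allows wildcards in :sub
            sub = cond.get(op, {}).get(f"{oidc_provider}:sub", sub)
        if sub is None:
            findings.append("no :sub condition: any service account in the cluster can assume the role")
        elif "*" in sub:
            findings.append(f"wildcard :sub '{sub}': more than one service account matches")
        if cond.get("StringEquals", {}).get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            findings.append("no :aud condition pinned to sts.amazonaws.com")
    return findings
```

The permissions policy attached to the role is separate and should grant only the AWS API actions the workload needs; the trust policy decides who may assume it.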
