Hi,
Amazon EKS uses IAM to provide authentication to your Kubernetes cluster (through the aws eks get-token command, available in version 1.16.156 or later of the AWS CLI, or the AWS IAM Authenticator for Kubernetes), but it still relies on native Kubernetes Role Based Access Control (RBAC) for authorization. This means that IAM is only used for authentication of valid IAM entities. All permissions for interacting with your Amazon EKS cluster's Kubernetes API are managed through the native Kubernetes RBAC system.
https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
Refer to the integration guide: https://aws.amazon.com/blogs/opensource/integrating-ldap-ad-users-kubernetes-rbac-aws-iam-authenticator-project/
Please mark Helpful or Correct Answer next to each message. Appreciate it.
IMHO this topic deserves a specific documentation page. AWS SSO uses some weirdly formatted role ARNs, and I've never been able to set this stuff up so that SSO users can access EKS using kubectl.
Pretty crazy that such an essential thing as kubectl access using SSO roles isn't properly documented
Edited by: trondhindenes-nomono-e2 on Sep 2, 2021 7:45 AM
It looks like they documented it in a blog post: A quick path to Amazon EKS single sign-on using AWS SSO
The magical part is the rolearn specification in this fragment of the aws-auth ConfigMap:

```yaml
- groups:
    - system:masters
  rolearn: arn:aws:iam::111222333444:role/AWSReservedSSO_EKSClusterAdminAccess_6a316cc66d154241
  username: cluster-admin
```

The role specified is the assumed role (derived from the EKSClusterAdminAccess PermissionSet on the SSO account), without any suffixed username!
(NB I haven't actually finished this yet, but the above article is the only one I found that pointed out this detail.)
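The two posts above describe the whole chain: IAM (here an SSO permission-set role) only authenticates, and the aws-auth ConfigMap is what ties that role to a Kubernetes username and RBAC groups. The following is an added example, not code from the thread or from AWS: a small Python helper that takes the ARN an SSO session sees from `aws sts get-caller-identity` (an STS assumed-role ARN ending in the session name) and derives the rolearn that belongs in mapRoles, i.e. the IAM role ARN with the session suffix dropped. It also strips an IAM path, because permission-set roles live under the path /aws-reserved/sso.amazonaws.com/ in IAM and the EKS user guide states that a mapped role ARN cannot include a path. The `entry_matches` check is a simplified model of the authenticator's comparison, written to explain why a given ConfigMap line does not match a caller; it is not the authenticator's own code. All account IDs, role names and session names are constructed.

```python
"""Derive and sanity-check aws-auth mapRoles entries for AWS SSO roles.

Added example (not from the re:Post thread or from AWS). ARNs are constructed.
Assumptions: the caller ARN comes from `aws sts get-caller-identity` for an SSO
session, and the ConfigMap matching is modelled as "canonicalise the caller's
STS ARN to an IAM role ARN without path, then compare case-insensitively".
"""
import re
from typing import List, Optional, Tuple

# STS ARN of an assumed role: arn:<partition>:sts::<acct>:assumed-role/<role>/<session>
_ASSUMED_ROLE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<name>[^/]+)/(?P<session>[^/]+)$"
)
# IAM role ARN, optionally with a path: arn:<partition>:iam::<acct>:role/<path/><role>
_IAM_ROLE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):iam::(?P<account>\d{12}):role/(?P<path_and_name>.+)$"
)

# Constructed sample values mirroring the thread's shape (account and names are made up).
SAMPLE_CALLER_ARN = (
    "arn:aws:sts::111222333444:assumed-role/"
    "AWSReservedSSO_EKSClusterAdminAccess_6a316cc66d154241/trond@example.com"
)
SAMPLE_IAM_ARN_WITH_PATH = (
    "arn:aws:iam::111222333444:role/aws-reserved/sso.amazonaws.com/"
    "AWSReservedSSO_EKSClusterAdminAccess_6a316cc66d154241"
)


def canonical_role_arn(arn: str) -> Optional[str]:
    """Reduce an STS assumed-role ARN or an IAM role ARN to the form aws-auth
    expects: arn:<partition>:iam::<account>:role/<role-name>, with neither the
    session name (the "suffixed username" the thread warns about) nor an IAM
    path. Returns None when the ARN is not a role ARN (e.g. an IAM user)."""
    m = _ASSUMED_ROLE.match(arn)
    if m:
        return f"arn:{m['partition']}:iam::{m['account']}:role/{m['name']}"
    m = _IAM_ROLE.match(arn)
    if m:
        name = m["path_and_name"].rsplit("/", 1)[-1]  # keep only the role name
        return f"arn:{m['partition']}:iam::{m['account']}:role/{name}"
    return None


def map_roles_entry(caller_arn: str, username: str, groups: List[str]) -> str:
    """Render one mapRoles item (YAML) for the role behind caller_arn."""
    rolearn = canonical_role_arn(caller_arn)
    if rolearn is None:
        raise ValueError(f"not a role ARN: {caller_arn}")
    lines = ["- groups:"]
    lines += [f"    - {g}" for g in groups]
    lines += [f"  rolearn: {rolearn}", f"  username: {username}"]
    return "\n".join(lines)


def entry_matches(mapped_rolearn: str, caller_arn: str) -> Tuple[bool, str]:
    """Simplified model: the caller's ARN is canonicalised and compared with the
    rolearn exactly as written in aws-auth. Returns (matched, reason) so a
    mismatch explains what is wrong with the ConfigMap line."""
    caller = canonical_role_arn(caller_arn)
    if caller is None:
        return False, "caller ARN is not a role"
    if mapped_rolearn.lower() == caller.lower():
        return True, "ok"
    if _ASSUMED_ROLE.match(mapped_rolearn):
        return False, "rolearn carries a session name; use the IAM role ARN instead"
    if canonical_role_arn(mapped_rolearn) == caller:
        return False, "rolearn carries an IAM path; drop the path"
    return False, "rolearn refers to a different role"


if __name__ == "__main__":
    print(map_roles_entry(SAMPLE_CALLER_ARN, "cluster-admin", ["system:masters"]))
    print(entry_matches(SAMPLE_IAM_ARN_WITH_PATH, SAMPLE_CALLER_ARN))
```

Run it with the real output of `aws sts get-caller-identity --query Arn --output text` for an SSO session to get the exact mapRoles line; the `system:masters` group from the thread grants cluster-admin, so in practice map less privileged permission sets to a narrower RBAC group.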