Does eks:AccessKubernetesApi allows to update any resources or it allows only readonly access?

Question

Hello,

Please advise does "eks:AccessKubernetesApi" allows only to view the workloads or it allows to update any kubernetes resources.

If you could point me to security implications of adding "eks:AccessKubernetesApi" to a role in production, that would be really helpful.

Thanks

Answer

The IAM policy action `eks:AccessKubernetesApi` is used to allow users to view Kubernetes resources on the AWS Console. Without this the user cannot see the Overview and Workloads tabs content. You can see in the IAM action type definitions that this action is classified as read-only. You can view full list of actions and their access levels [here](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions).

On top of this you also need to create IAM role mapping inside the EKS cluster to give the AWS Console access to make requests on users behalf. More details available at [here](https://docs.aws.amazon.com/eks/latest/userguide/view-kubernetes-resources.html).

Does eks:AccessKubernetesApi allows to update any resources or it allows only readonly access?

相關內容