restricting EKS user access

9/12/2018

I am trying to add a new user to an EKS cluster and give them access. So far I have been able to add the user just by editing configmap/aws-auth (kubectl edit -n kube-system configmap/aws-auth) and adding the new user to

mapUsers: |
 - userarn: arn:aws:iam::123456789:user/user01
   username: user01
   groups:
     - system:masters

How can I add a user to the EKS cluster and give full access to a specific namespace, but nothing outside of it?

I tried to create a Role & RoleBinding as

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: namespace1
  name: namespace1-user
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

# This role binding grants "user01" the "namespace1-user" role (all verbs on all resources) in the "namespace1" namespace.
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace1-user-role-binding
  namespace: namespace1
subjects:
- kind: User
  name: user01
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: namespace1-user
  apiGroup: rbac.authorization.k8s.io

user01 can see all the pods from other users with kubectl get pods --all-namespaces. Is there any way to restrict this?

-- roy
kubectl
kubernetes
rbac

1 Answer

9/13/2018

Essentially what you want is to define a cluster role and use a role binding to apply it to a specific namespace. Using a cluster role (rather than a role) allows you to re-use it across namespaces. Using a role binding allows you to target a specific namespace rather than giving cluster-wide permissions.

-- Michael Hausenblas
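The ClusterRole plus namespaced RoleBinding described in the answer, as an added example that is not part of the original post. It reuses the question's user01 and namespace1 names and assumes user01's aws-auth mapUsers entry no longer lists system:masters, since a system:masters member is cluster-admin regardless of any namespace binding; the `apply` mode needs kubectl configured against the cluster.

```shell
#!/bin/sh
# Added example: reusable ClusterRole, scoped to one namespace by a RoleBinding.
# Assumption: user01 is mapped in aws-auth without the system:masters group.
set -eu

NS="${NS:-namespace1}"
USER_NAME="${USER_NAME:-user01}"

# Print the manifests so they can be reviewed (or stored in git) before applying.
render_manifests() {
  cat <<EOF
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-admin          # no namespace field: ClusterRoles are cluster-scoped
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${USER_NAME}-namespace-admin
  namespace: ${NS}               # the binding, not the role, limits the scope
subjects:
- kind: User
  name: ${USER_NAME}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole              # a RoleBinding may reference a ClusterRole
  name: namespace-admin
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Confirm the effective permissions by impersonating the user:
# allowed inside NS, denied when asking across all namespaces.
verify_scope() {
  kubectl auth can-i get pods --namespace "$NS" --as "$USER_NAME"        # expect: yes
  ! kubectl auth can-i get pods --all-namespaces --as "$USER_NAME"      # expect: no
}

if [ "${1:-}" = "apply" ]; then
  render_manifests | kubectl apply -f -
  verify_scope
fi
```

Run with `sh rbac.sh` to only print the manifests, or `sh rbac.sh apply` to apply them and check the resulting scope.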
Source: StackOverflow