K
Q

Read-only user gets full access

2/18/2020

Aim is to create a read-only user for production namespace for my EKS cluster. However, I see the user has full access. As I am new to EKS and Kubernetes, please let me know the error that I have injected.

I have created an IAM user without any permission added. ARN is: arn:aws:iam::460764xxxxxx:user/eks-prod-readonly-user. Also, I have noted down the access key id and secret access key -

aws_access_key_id= AKIAWWxxxxxxxxxxxxx
aws_secret_access_key= lAbtyv3zlbAMPxym8Jktal+xxxxxxxxxxxxxxxxxxxx

Then, I have created the production namespace, role, and role binding as follows –

ubuntu@ip-172-16-0-252:~$ sudo kubectl create namespace production

ubuntu@ip-172-16-0-252:~$ cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: production
  name: prod-viewer-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]  
  verbs: ["get", "list", "watch"]

ubuntu@ip-172-16-0-252:~$ sudo kubectl apply -f role.yaml

ubuntu@ip-172-16-0-252:~$ cat rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: prod-viewer-binding
  namespace: production
subjects:
- kind: User
  name: eks-prod-readonly-user
  apiGroup: ""
roleRef:
  kind: Role
  name: prod-viewer-role
  apiGroup: ""

ubuntu@ip-172-16-0-252:~$ sudo kubectl apply -f rolebinding.yaml

Then, we have added the newly created user to aws-auth configuration map and have applied the changes -

ubuntu@ip-172-16-0-252:~$ sudo kubectl -n kube-system get configmap aws-auth -o yaml > aws-auth-configmap.yaml
ubuntu@ip-172-16-0-252:~$ vi aws-auth-configmap.yaml

The following section is added under ‘mapUsers’ –

- userarn: arn:aws:iam::460764xxxxxx:user/eks-prod-readonly-user
      username: eks-prod-readonly-user
      groups:
        - prod-viewer-role

ubuntu@ip-172-16-0-252:~$ sudo kubectl apply -f aws-auth-configmap.yaml

Now, I include this user details as a new section inside AWS credential file ( ~/.aws/credentials ) so that this user can be authenticated to API server of Kubernetes -

[eksprodreadonlyuser]
aws_access_key_id= AKIAWWxxxxxxxxxxxxx
aws_secret_access_key= lAbtyv3zlbAMPxym8Jktal+xxxxxxxxxxxxxxxxxxxx
region=eu-west-2
output=json

I activate this AWS profile -

ubuntu@ip-172-16-0-252:~$ export AWS_PROFILE="eksprodreadonlyuser"
ubuntu@ip-172-16-0-252:~$ aws sts get-caller-identity

We see the correct user ARN in the output of get-caller-identity command.

While trying to see pods of default namespace, it works. Ideally it shall not as the user is given access on the production namespace only -

ubuntu@ip-172-16-0-252:~$ sudo kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
test-autoscaler-697b95d8b-5wl5d   1/1     Running   0          7d20h
ubuntu@ip-172-16-0-252:~$

Let know pointers to resolve. Thanks in advance!

-- Martin
amazon-eks
aws-eks
eks
kubectl
kubernetes

Similar Questions

minikube stop doesn't stop the pods after sudo minikube start --vm-driver none. kube-apiserver still running
Kubernetes pods graceful shutdown with TCP connections (Spring boot)
Kubernetes Container application process recovery in case of Node failure
ResponseEntity in Spring MVC for https

0 Answers