Inherited EKS Cluster, don't have access to run kubectl commands

4/29/2020

I have inherited an eks cluster but I do not know what IAM user is set up as the "master user" (the user that created the cluster always has system:master access). I have used the worker role to try to read/modify the aws-auth configmap, but the worker nodes don't seem to have access to that either.

sh-4.2$ kubectl get configmap -n kube-system
Error from server (Forbidden): configmaps is forbidden: User "system:node:ip-10-10-10-10.ec2.internal" cannot list resource "configmaps" in API group "" in the namespace "kube-system": No Object name found

What steps can I do externally without knowing the contents of aws-auth to gain access to this cluster again?

-- Carles Figuerola
eks
kubectl
kubernetes
permissions
rbac

1 Answer

5/3/2020

When you first create an Amazon EKS cluster on AWS, the IAM entity (user or role) that creates the cluster is the only identity authorized to authenticate to it and manage the aws-auth ConfigMap; it is automatically granted system:masters permissions in the cluster's RBAC configuration for the cluster creator, as you have mentioned [1].

To identify who the cluster creator is, you can use the CloudTrail console: on "Event History" you can filter by "Event name" and select "CreateCluster". It will list the event used to create the cluster, where you will be able to see the identity (user or role) that was used to create the cluster.

In order to be able to authenticate, first you need to install the aws-iam-authenticator [2], then assume the cluster creator identity in your AWS CLI; by default the AWS IAM Authenticator for Kubernetes will use the same credentials that are returned by the following command:

aws sts get-caller-identity

Lastly, you need to create a kubeconfig file with the command below to be able to run "kubectl get nodes" [3]:

aws eks --region region-code update-kubeconfig --name cluster_name

You can find more information about the authentication process on AWS EKS in the "Managing cluster authentication" documentation [4].

If you need to grant access to new users other than the cluster creator, you must add the role/user via ConfigMap logged in with an identity already authorized on the aws-auth ConfigMap [5].

[1] https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
[2] https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html
[3] https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
[4] https://docs.aws.amazon.com/eks/latest/userguide/managing-auth.html
[5] https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

-- Rodrigo Tavares
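The two steps the answer describes, finding the cluster creator in the CloudTrail CreateCluster event and then adding a second identity to aws-auth, as an added example that is not code from the question or the answer. It works over constructed CloudTrail records shaped like the `userIdentity` block that `aws cloudtrail lookup-events` returns (the ARNs, account id and cluster names are made up); the `username` value it emits for a role is an assumption, the answer does not prescribe one.

```python
# Added example: locate the EKS cluster creator in CloudTrail CreateCluster
# events and build the aws-auth ConfigMap entry for an additional identity.

# Constructed CloudTrail records (layout follows CloudTrail's userIdentity schema).
SAMPLE_EVENTS = [
    {"eventName": "CreateCluster", "eventSource": "eks.amazonaws.com",
     "requestParameters": {"name": "prod-cluster"},
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ClusterAdmin/alice",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/ClusterAdmin"}}}},
    {"eventName": "CreateCluster", "eventSource": "eks.amazonaws.com",
     "requestParameters": {"name": "dev-cluster"},
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/bob"}},
]

def cluster_creator(events, cluster_name):
    """Return the IAM principal ARN that created `cluster_name`, or None.
    For an AssumedRole session the creator EKS recorded is the role itself
    (sessionIssuer), not the temporary STS session ARN in userIdentity.arn."""
    for ev in events:
        if ev.get("eventName") != "CreateCluster" or ev.get("eventSource") != "eks.amazonaws.com":
            continue
        if ev.get("requestParameters", {}).get("name") != cluster_name:
            continue
        ident = ev["userIdentity"]
        if ident["type"] == "AssumedRole":
            return ident["sessionContext"]["sessionIssuer"]["arn"]
        return ident["arn"]
    return None

def aws_auth_entry(principal_arn, groups=("system:masters",)):
    """Build the (key, item) to append under mapRoles or mapUsers in aws-auth.
    Role ARNs in aws-auth must not carry an IAM path, so any path is stripped."""
    account = principal_arn.split(":")[4]
    resource = principal_arn.rsplit(":", 1)[1]          # e.g. "role/ops/Admin"
    if resource == "root":
        raise ValueError("the account root cannot be mapped; use an IAM user or role")
    kind, name = resource.split("/", 1)
    if kind == "role":
        name = name.rsplit("/", 1)[-1]                  # drop path segments
        return "mapRoles", {"rolearn": f"arn:aws:iam::{account}:role/{name}",
                            "username": name, "groups": list(groups)}  # username is an assumption
    if kind == "user":
        return "mapUsers", {"userarn": principal_arn, "username": name, "groups": list(groups)}
    raise ValueError(f"unsupported principal type: {kind}")
```

Once you are authenticated as the creator that `cluster_creator` names, the returned item is what you add to the aws-auth ConfigMap data for the new identity, as [5] describes.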
Source: StackOverflow