Authenticate to K8s as specific user

1/25/2021

I recently built an EKS cluster w/ Terraform. In doing that, I Created 3 different roles on the cluster, all mapped to the same AWS IAM Role (the one used to create the cluster)

Now, when I try to manage the cluster, RBAC seems to use the least privileged of these (which I made a view role) that only has read-only access.

Is there anyway to tell config to use the admin role instead of view?

I'm afraid I've hosed this cluster and may need to rebuild it.

-- mbspark
amazon-eks
kubernetes

1 Answer

1/27/2021

Some into

You don't need to create a mapping in K8s for an IAM entity that created an EKS cluster, because by default it will be mapped to "system:masters" K8s group automatically. So, if you want to give additional permissions in a K8s cluster, just map other IAM roles/users.

In EKS, IAM entities are used authentication and K8s RBAC are for authorization purposes. The mapping between them is set in aws-auth configMap in kube-system namespace,

Back to the question

I'm not sure, why K8s may have mapped that IAM user to the least privileged K8s user - it may be the default behaviour (bug?) or due to the mapping record (for view perms) being later in the CM, so it just re-wrote the previous mapping.

Any way, there is no possibility to specify a K8s user to use with such mapping.

Also, if you used eksctl to spin up the cluster, you may try creating a new mapping as per docs, but not sure if that will work.

Some reading reference: #1, #2

-- Alexey S.
Source: StackOverflow