Add Cluster Admins
When creating a cluster within AWS EKS, the IAM user or role that creates the cluster is automatically granted `system:masters` permissions in the cluster's RBAC (role-based access control). To grant additional users or roles access to manage the cluster you will need to edit the `aws-auth` ConfigMap within Kubernetes.
More Information
A full description of how to add roles/users to your EKS cluster can be found in the AWS documentation EKS add-user-role.
To get you started, the following instructions show how to add additional users with `system:masters` permissions. Note that it is advised that role-based permissions are used in production contexts.
The user/role that created the cluster will need to make the changes to the `aws-auth` ConfigMap within Kubernetes.
To see the current ConfigMap you can use the following command:

```shell
kubectl describe configmap -n kube-system aws-auth
```

To edit the ConfigMap:

```shell
kubectl edit -n kube-system configmap/aws-auth
```
This will open an editor that is similar to the following:

```yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555
```
To add users you can add the following section under `mapRoles`. Note you will need the ARNs and usernames for each user you wish to add (the key for a user entry is `userarn`; a misspelled key such as `usearn` is not recognised and the entry will not map anyone):

```yaml
  mapUsers: |
    - userarn: arn:aws:iam::11122223333444:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
    - userarn: arn:aws:iam::111222233334448:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
```
Once added, your `aws-auth` ConfigMap will look similar to the following:

```yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::11122223333444:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
    - userarn: arn:aws:iam::111222233334448:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555
```
Saving and closing the editor will then make the change to your cluster to allow access for the additional users.
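Because a silent mistake in `aws-auth` (a misspelled key, a missing ARN, or an IAM user granted `system:masters` directly where the text advises a role) only shows up when someone cannot authenticate, or when an audit asks who the cluster admins are, it is worth checking the ConfigMap after saving it. The script below is an added example, not code from the original page or from AWS: it takes the output of `kubectl get configmap aws-auth -n kube-system -o json`, parses the `mapUsers` and `mapRoles` strings with a small purpose-built parser (it understands only the flat "list of mappings with a `groups` list" shape `aws-auth` uses, not general YAML, so it needs no third-party library), lists every principal mapped to `system:masters`, and flags unrecognised keys, entries with no ARN, and users mapped directly to the admin group. The sample ConfigMap, account ids and names embedded in it are constructed for the example.

```python
"""Audit who is mapped to system:masters in an EKS aws-auth ConfigMap.

Added example (not the page's or AWS's code). Input is the JSON printed by
`kubectl get configmap aws-auth -n kube-system -o json`, here replaced by a
constructed sample so the script runs offline.
"""
import json
import re

KNOWN_KEYS = {"userarn", "rolearn", "username", "groups"}
ADMIN_GROUP = "system:masters"

# Matches "key: value", "key:" and the list-item forms "- key: value" / "- key:".
# A group name such as "system:masters" has no whitespace after the first colon
# and therefore does not match, which is how list items of `groups` are told apart.
ITEM_RE = re.compile(r"^(-\s+)?([A-Za-z_]\w*):(?:\s+(.*))?$")


def parse_mappings(text):
    """Parse a mapUsers/mapRoles string into a list of dicts (aws-auth shape only)."""
    entries, current, in_groups = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ITEM_RE.match(line)
        if m:
            dash, key, value = m.groups()
            if dash or current is None:          # "- key:" starts a new mapping
                current = {}
                entries.append(current)
            in_groups = key == "groups" and value is None
            current[key] = [] if in_groups else (value or "").strip()
        elif line.startswith("- ") and in_groups and current is not None:
            current["groups"].append(line[2:].strip())   # item of the groups list
        else:
            raise ValueError(f"unexpected line in aws-auth mapping: {raw!r}")
    return entries


def audit(entries, admin_group=ADMIN_GROUP):
    """Return (principals mapped to admin_group, list of findings) for one block."""
    admins, findings = [], []
    for i, e in enumerate(entries):
        unknown = sorted(set(e) - KNOWN_KEYS)
        if unknown:
            findings.append(f"entry {i}: unrecognised key(s) {unknown}")
        arn = e.get("userarn") or e.get("rolearn")
        if not arn:
            findings.append(f"entry {i} ({e.get('username', '?')}): no userarn/rolearn, "
                            "cannot match any IAM principal")
        if admin_group in e.get("groups", []):
            admins.append(arn or e.get("username", "?"))
            if "userarn" in e:
                findings.append(f"entry {i}: IAM user {arn} mapped directly to "
                                f"{admin_group}; prefer a role")
    return admins, findings


def report(kubectl_json):
    """Audit both mapUsers and mapRoles from `kubectl get cm aws-auth -o json` output."""
    data = json.loads(kubectl_json)["data"]
    admins, findings = [], []
    for block in ("mapUsers", "mapRoles"):
        a, f = audit(parse_mappings(data.get(block, "")))
        admins += a
        findings += [f"{block}: {x}" for x in f]
    return admins, findings


# Constructed sample (made-up account id, role and user names). The second user
# entry carries the easy-to-make `usearn` typo so the check has something to catch.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system"},
    "data": {
        "mapRoles": ("- groups:\n  - system:bootstrappers\n  - system:nodes\n"
                     "  rolearn: arn:aws:iam::111122223333:role/eksctl-demo-nodegroup-NodeInstanceRole-ABC123\n"
                     "  username: system:node:{{EC2PrivateDNSName}}\n"
                     "- groups:\n  - system:masters\n"
                     "  rolearn: arn:aws:iam::111122223333:role/cluster-admins\n"
                     "  username: cluster-admin\n"),
        "mapUsers": ("- userarn: arn:aws:iam::111122223333:user/alice\n  username: alice\n"
                     "  groups:\n  - system:masters\n"
                     "- usearn: arn:aws:iam::111122223333:user/bob\n  username: bob\n"
                     "  groups:\n  - system:masters\n"),
    },
})

if __name__ == "__main__":
    admins, findings = report(SAMPLE_JSON)
    print("cluster admins:", *admins, sep="\n  ")
    print("findings:", *findings, sep="\n  ")
```

Against a live cluster, replace `SAMPLE_JSON` with the captured `kubectl ... -o json` output; the parser raises on any line it does not understand rather than guessing, so an unexpected shape fails loudly instead of producing an incomplete admin list.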
For additional information please take a look at the AWS documentation here - EKS add-user-role.