Tags: amazon-web-services, kubernetes, amazon-iam, amazon-eks

Read only access to all kubernetes objects in an EKS cluster


My requirement is to provide read-only access to all objects of Kubernetes in the EKS cluster to certain IAM users. These objects can be nodes, pods, services, replica sets, daemonset, etc.

I referred to the docs but haven't found the best way. What I did is create an IAM role with the name read-only-access-eks which has the policy ReadOnlyAccess attached to it. This is a managed policy.

I attached this policy to one of the IAM users on my team, but when he logged in to the EKS cluster, he got the below error:

Error loading GenericResourceCollection/namespaces

namespaces is forbidden: User "xxxxx" cannot list resource "namespaces" in API group "" at the cluster scope

How to fix this?

UPDATE 1

Here is the output of

kubectl edit -n kube-system configmap/aws-auth

output

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::02334:role/AmazonEKSVPCCNIRole
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::02334:user/user1
      username: user1
      groups:
        - view
    - userarn: arn:aws:iam::02334:user/user2
      username: user2
      groups:
        - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2023-04-13T14:27:20Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "357187"
  uid: 58a534550-bcc-44f-2d6-15435435

I see that user1 is part of the view group, but he is still getting an access denied error. Please help.


Solution

  • You need to modify the aws-auth configmap (in the kube-system namespace) and add the mapUsers section to add the IAM user you need to provide with read-only access to see/view (most) objects in the Cluster.

    The configuration you need to add shall look something like this:

    data:
      mapUsers: |
        - userarn: arn:aws:iam::123456789:user/read-only-access-eks
          username: read-only-access-eks
          groups:
            - view
    

    where view is the default ClusterRole which allows read-only access to see most objects in a namespace. Read more about it here

    Here is another link that should guide you to map an IAM user arn to a pre-defined ClusterRole.

    Some documentation around aws-auth ConfigMap in an eks cluster.

    Hope it helps!
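Putting a user in a group called view in aws-auth only places that IAM identity in a Kubernetes group of that name; a stock cluster ships the view ClusterRole but no ClusterRoleBinding for a group named view, so the subject still holds no permissions, which matches the error in the question. The manifest below is an added example (not the answerer's configuration or an AWS-provided one) that binds the group to view cluster-wide and adds a minimal ClusterRole for nodes, which view does not cover; the group name view is taken from the question, while the object names eks-view-group-read-only, node-reader and eks-view-group-node-reader are assumptions.

```yaml
# Added example: RBAC objects that make the "view" group mapped in aws-auth
# actually grant read-only access. Apply with: kubectl apply -f read-only.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-view-group-read-only      # assumed name
subjects:
  - kind: Group
    name: view                        # the group named in the aws-auth mapUsers entry
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view                          # built-in role: get/list/watch on most namespaced objects,
  apiGroup: rbac.authorization.k8s.io # deliberately excluding secrets
---
# The built-in "view" role does not include cluster-scoped resources such as
# nodes, so reading them needs a separate, deliberately narrow ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader                   # assumed name
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]   # read-only verbs only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-view-group-node-reader    # assumed name
subjects:
  - kind: Group
    name: view
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying, a cluster admin can verify the result without the user's credentials: `kubectl auth can-i list namespaces --as user1 --as-group view` and `kubectl auth can-i list nodes --as user1 --as-group view` should both print yes, while `kubectl auth can-i delete pods --as user1 --as-group view -n default` should print no.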