Tags: google-kubernetes-engine, amazon-iam, amazon-eks, identity-management, kubernetes-rbac

GKE has an IAM role, roles/container.clusterViewer. How can I duplicate that on EKS? Read-only kubectl access on EKS by default for all authenticated users?


Context:

GKE has this great feature where:

EKS's defaults are annoying and result in a bad UX (User Experience):

Question:

I'd like to reproduce the functionality of GKE's viewer-only IAM role, or as close to it as possible, on EKS. How can I do that?


Solution

  • Note: The following is a reasonable solution for single tenancy clusters.
    Don't do this with multi-tenancy clusters.

    2 Steps:

    Step 1: kubectl edit cm aws-auth -n=kube-system

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: aws-auth
      namespace: kube-system
    data:
      mapAccounts: '["111122223333"]' #<-- Your AWS Account; every IAM identity in it now authenticates (with no groups) and so lands in system:authenticated
    ...

    Step 2: kubectl apply -f all-authenticated-users-viewer.yaml
    all-authenticated-users-viewer.yaml

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding # <-- apply rights to all namespaces
    metadata:
      name: all-authenticated-users-viewer
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:authenticated # <-- authenticated = all kube identities & all that show in aws-auth configmap in kube-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: view #<-- acts as an aggregation role
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: enhanced-viewer
      labels:
        rbac.authorization.k8s.io/aggregate-to-view: "true" #<-- this will get merged into the "view" clusterrole
    rules:
    - apiGroups: [""]
      verbs: ["get", "list", "watch"]
      resources:
      - podtemplates
      - nodes
      - persistentvolumes
    - apiGroups: ["scheduling.k8s.io"]
      verbs: ["get", "list", "watch"]
      resources:
      - priorityclasses
    - apiGroups: ["apiregistration.k8s.io"]
      verbs: ["get", "list", "watch"]
      resources:
      - apiservices
    - apiGroups: ["coordination.k8s.io"]
      verbs: ["get", "list", "watch"]
      resources:
      - leases
    - apiGroups: ["node.k8s.io"]
      verbs: ["get", "list", "watch"]
      resources:
      - runtimeclasses
    - apiGroups: ["flowcontrol.apiserver.k8s.io"]
      verbs: ["get", "list", "watch"]
      resources:
      - flowschemas
      - prioritylevelconfigurations
    - apiGroups: ["networking.k8s.io"]
      verbs: ["get", "list", "watch"]
      resources:
      - ingressclasses
    - apiGroups: ["storage.k8s.io"]
      verbs: ["get", "list", "watch"]
      resources:
      - storageclasses
      - volumeattachments
      - csidrivers
      - csinodes
      - csistoragecapacities
    - apiGroups: ["rbac.authorization.k8s.io"]
      verbs: ["get", "list", "watch"]
      resources:
      - clusterroles
      - clusterrolebindings
      - roles
      - rolebindings
    - apiGroups: ["apiextensions.k8s.io"]
      verbs: ["get", "list", "watch"]
      resources:
      - customresourcedefinitions
    - apiGroups: ["admissionregistration.k8s.io"]
      verbs: ["get", "list", "watch"]
      resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
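An added example, not part of the answer above: a small Python model of what the two manifests do. It reproduces how the API server folds ClusterRoles labelled aggregate-to-view into `view`, answers `kubectl auth can-i`-style questions for the system:authenticated group through the ClusterRoleBinding, and audits any role carrying that label for non-read verbs or secrets access (the check you want before someone adds a second aggregated role later). The roles and binding are constructed inline and trimmed; the built-in base rules of `view` are not modelled.

```python
READ_VERBS = {"get", "list", "watch"}
AGGREGATE_TO_VIEW = "rbac.authorization.k8s.io/aggregate-to-view"

# Constructed: the enhanced-viewer ClusterRole from the answer, trimmed to two rules.
ENHANCED_VIEWER = {
    "name": "enhanced-viewer",
    "labels": {AGGREGATE_TO_VIEW: "true"},
    "rules": [
        {"apiGroups": [""], "verbs": ["get", "list", "watch"],
         "resources": ["podtemplates", "nodes", "persistentvolumes"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "verbs": ["get", "list", "watch"],
         "resources": ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]},
    ],
}
# Constructed: a role someone might later label the same way; the audit must reject it.
LEAKY_VIEWER = {
    "name": "leaky-viewer",
    "labels": {AGGREGATE_TO_VIEW: "true"},
    "rules": [{"apiGroups": [""], "verbs": ["get", "list"], "resources": ["secrets"]}],
}
# Constructed: the ClusterRoleBinding from the answer, reduced to the fields used here.
BINDING = {"subjects": [{"kind": "Group", "name": "system:authenticated"}], "roleRef": "view"}


def aggregate_view(cluster_roles):
    """Rules that `view` picks up from every ClusterRole carrying the aggregate-to-view label."""
    return [rule for cr in cluster_roles
            if cr["labels"].get(AGGREGATE_TO_VIEW) == "true" for rule in cr["rules"]]


def audit_viewer_role(cluster_role):
    """Findings for a role that feeds `view`: any non-read verb, or secrets/wildcard resources."""
    findings = []
    for rule in cluster_role["rules"]:
        extra = set(rule["verbs"]) - READ_VERBS
        if extra:
            findings.append(f"{cluster_role['name']}: non-read verbs {sorted(extra)}")
        if "secrets" in rule["resources"] or "*" in rule["resources"]:
            findings.append(f"{cluster_role['name']}: reads secrets or wildcard resources")
    return findings


def can_i(groups, verb, api_group, resource, binding, roles):
    """kubectl auth can-i for a subject in `groups`, via one ClusterRoleBinding to `view`."""
    bound = any(s["kind"] == "Group" and s["name"] in groups for s in binding["subjects"])
    if not bound or binding["roleRef"] != "view":
        return False
    return any(api_group in r["apiGroups"] and resource in r["resources"] and verb in r["verbs"]
               for r in aggregate_view(roles))
```

Running `audit_viewer_role` over every ClusterRole with the label before applying a new one keeps the "everyone can read" grant from silently growing into secret access.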