What is the relationship between the role my principal is using and the RBAC in k8s?
Specifically, when I do kubectl describe -n kube-system configmap/aws-auth
I see this role: myAmazonEKSNodeRole
as described here.
But when I look at the role's permissions in the AWS IAM console, I expect to see this:
[jenia@archlinux ibn-battuta]$ kubectl get rolebindings -A
NAMESPACE NAME ROLE AGE
kube-public system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 11d
kube-system eks-vpc-resource-controller-rolebinding Role/eks-vpc-resource-controller-role 11d
kube-system eks:addon-manager Role/eks:addon-manager 11d
kube-system eks:authenticator Role/eks:authenticator 11d
kube-system eks:az-poller Role/eks:az-poller 11d
kube-system eks:certificate-controller Role/eks:certificate-controller 11d
kube-system eks:cloud-controller-manager:apiserver-authentication-reader Role/extension-apiserver-authentication-reader 11d
kube-system eks:fargate-manager Role/eks:fargate-manager 11d
kube-system eks:k8s-metrics Role/eks:k8s-metrics 11d
kube-system eks:node-manager Role/eks:node-manager 11d
kube-system eks:service-operations Role/eks:service-operations-configmaps 11d
kube-system system::extension-apiserver-authentication-reader Role/extension-apiserver-authentication-reader 11d
kube-system system::leader-locking-kube-controller-manager Role/system::leader-locking-kube-controller-manager 11d
kube-system system::leader-locking-kube-scheduler Role/system::leader-locking-kube-scheduler 11d
kube-system system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 11d
kube-system system:controller:cloud-provider Role/system:controller:cloud-provider 11d
kube-system system:controller:token-cleaner Role/system:controller:token-cleaner 11d
But instead in the IAM console I see this:
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
There seems to be no connection whatsoever between the permissions in the IAM console for the CLI role myAmazonEKSNodeRole
and the RBAC in k8s. This is puzzling. How do I control which permission a specific IAM role has in my k8s cluster?
2 Answers
The answer is: When you create an Amazon EKS cluster, the IAM principal that creates the cluster is automatically granted system:masters permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane.
The aws-auth ConfigMap maintains a mapping between IAM principals and Kubernetes RBAC groups. Granting access to EKS clusters is a multi-step process.
While it's possible to update the aws-auth ConfigMap manually, I recommend using eksctl or the aws-iam-authenticator instead because you're less likely to corrupt your aws-auth ConfigMap with those tools.
The role you’re looking at in the AWS console is the IAM role assigned to the worker node. It needs those permissions to fetch images from ECR.
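As an added example (not code from the thread), a small stdlib-only Python script that answers the question's last line for any IAM role: it parses the mapRoles entry of aws-auth the way the answer describes, turns the matching entry into the Kubernetes username and groups the role becomes, and lists the RoleBindings/ClusterRoleBindings whose subjects reference them. The account id, the eks-viewer mapping and the bindings are constructed sample data; real input is the data.mapRoles string from `kubectl get -n kube-system cm aws-auth -o json` and the items[] of `kubectl get rolebindings,clusterrolebindings -A -o json`.

```python
import re
# Constructed sample: the data.mapRoles string exactly as stored in the aws-auth ConfigMap.
MAP_ROLES = """\
- rolearn: arn:aws:iam::111122223333:role/myAmazonEKSNodeRole
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::111122223333:role/eks-viewer
  username: viewer
  groups:
    - viewers
"""
# Constructed bindings, shaped like items[] of `kubectl get rolebindings,clusterrolebindings -A -o json`.
BINDINGS = [
    {"metadata": {"namespace": "default", "name": "viewers-read"}, "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "viewers"}]},
    {"metadata": {"name": "eks:node-bootstrapper"}, "roleRef": {"kind": "ClusterRole", "name": "system:node-bootstrapper"},
     "subjects": [{"kind": "Group", "name": "system:bootstrappers"}]},
]

def parse_map_roles(text):
    """Minimal stdlib parser for the mapRoles shape: mappings of scalars / scalar lists."""
    entries, current, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("- "):                 # "- key: value" opens a new mapping entry
            entries.append(current := {})
            line = line[2:]
        if line.startswith("- "):                # indented "- item" extends the previous key's list
            current.setdefault(key, []).append(line[2:].strip())
        elif line:
            key, _, value = (p.strip() for p in line.partition(":"))
            current[key] = value or []
    return entries

def bindings_for_role(role_arn, map_roles_text, bindings):
    """(namespace, binding, roleRef) tuples granted to role_arn via its aws-auth username/groups.
    An unmapped ARN gets []; username templates such as {{EC2PrivateDNSName}} act as wildcards."""
    users, groups = [], set()
    for e in parse_map_roles(map_roles_text):
        if e.get("rolearn") == role_arn:
            users.append(".*".join(re.escape(p) for p in re.split(r"\{\{[^}]*\}\}", e.get("username", ""))))
            groups.update(e.get("groups", []))
    if not users:
        return []
    groups.add("system:authenticated")           # every mapped identity also lands in this group
    return [(b["metadata"].get("namespace", ""), b["metadata"]["name"], b["roleRef"]["kind"] + "/" + b["roleRef"]["name"])
            for b in bindings if any((s["kind"] == "Group" and s["name"] in groups) or
            (s["kind"] == "User" and any(re.fullmatch(p, s["name"]) for p in users)) for s in b.get("subjects", []))]
```

An empty result for a mapped role means no binding references its groups or username; the cluster creator's implicit system:masters membership never appears in aws-auth, so this script cannot report it.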