Using kubernetes rbac.authorization.k8s.io with iam.aws.rustrial.org
In order to integrate Kubernetes RBAC with AWS IAM identities, you will need to do the following:

- Define RBAC Roles and RoleBindings in Kubernetes: You'll need to configure Kubernetes RBAC to specify permissions for Kubernetes resources. This is done using `Role` and `RoleBinding` resources in your Kubernetes manifests.
- Map AWS IAM identities to Kubernetes: To allow AWS IAM identities (such as a user or role) to interact with your Kubernetes cluster, you need to create a ConfigMap called `aws-auth` in the `kube-system` namespace. This ConfigMap contains mappings from AWS IAM users and roles to Kubernetes users and groups.
- Use aws-iam-authenticator: The `aws-iam-authenticator` enforces the use of AWS IAM credentials when executing kubectl commands.
Assuming you have Pulumi installed and configured to manage your Kubernetes cluster resources, here is a Pulumi TypeScript program that demonstrates how to set up Kubernetes RBAC for an AWS IAM user using the `aws-auth` ConfigMap.

First, make sure your Pulumi Kubernetes provider is correctly configured to manage resources in your cluster. Then create Kubernetes `Role` and `RoleBinding` resources with the following Pulumi program:

```typescript
import * as k8s from "@pulumi/kubernetes";

// For a specific namespace, create a Role that dictates what actions are allowed on which resources.
const podReaderRole = new k8s.rbac.v1.Role("pod-reader", {
    metadata: {
        namespace: "default", // Specify the namespace where you want to apply the Role
    },
    rules: [{
        apiGroups: [""], // The "" indicates the core API group
        resources: ["pods"],
        verbs: ["get", "watch", "list"],
    }],
});

// Bind the AWS IAM role to the Kubernetes Role we've created above.
// This binding grants the subjects (the AWS IAM role here) the permissions defined in the Role.
const podReaderRoleBinding = new k8s.rbac.v1.RoleBinding("pod-reader-binding", {
    metadata: {
        namespace: "default", // Ensure this is the same namespace as the Role
    },
    subjects: [{
        kind: "User",
        // The Kubernetes username that the aws-auth mapping assigns to the IAM role;
        // this assumes the mapRoles entry uses the role ARN itself as the username.
        name: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<AWS_IAM_ROLE>", // Specify the AWS IAM role ARN
        apiGroup: "rbac.authorization.k8s.io",
    }],
    roleRef: {
        kind: "Role",
        name: podReaderRole.metadata.name,
        apiGroup: "rbac.authorization.k8s.io",
    },
});

// To grant access to the AWS IAM role, you must update the `aws-auth` ConfigMap.
// This is commonly done at cluster creation time. See https://www.pulumi.com/docs/reference/pkg/aws/eks/cluster/
```
Replace `<AWS_ACCOUNT_ID>` and `<AWS_IAM_ROLE>` with your actual AWS account ID and the name of the IAM role you want to allow access.

Please note:
- AWS accounts typically use an `aws-auth` ConfigMap to manage access to EKS clusters. The above Pulumi code assumes that you have already set up an EKS cluster with the appropriate `aws-auth` ConfigMap that adds your IAM role to the `mapRoles` section. If you haven't done so, you will need to create or update the `aws-auth` ConfigMap accordingly.
- This Pulumi program doesn't directly create or modify the AWS IAM role. You must define this role in AWS IAM and provide the necessary trust relationship to the EKS cluster.
- The `Role` and `RoleBinding` created above are namespaced. For cluster-wide permissions, you would use `ClusterRole` and `ClusterRoleBinding` instead.
- The ARN used in the `subjects` field must match an existing IAM Role ARN, and that IAM Role must have the trust relationship allowing it to assume roles for the EKS cluster.
- Authenticating to the Kubernetes API using an AWS IAM role depends on the cluster configuration supporting this, typically done by the `aws-iam-authenticator`.
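The `mapRoles` mapping and the `subjects` entry above have to agree, or the RoleBinding grants nothing. As an added example that is not part of the Pulumi program or the Pulumi project, the following plain TypeScript renders the `mapRoles` YAML that goes under the `aws-auth` ConfigMap's `data` key, reports RoleBinding subjects that no mapping can ever produce, and flags entries that place an IAM role in `system:masters` (which bypasses the namespaced Role entirely). The account ID, role ARNs and usernames are constructed samples.

```typescript
// Added example: render the aws-auth `mapRoles` YAML and check RoleBinding
// subjects against it. All ARNs and names are constructed samples.
interface MapRoleEntry {
  rolearn: string;   // IAM role ARN as seen by aws-iam-authenticator
  username: string;  // Kubernetes username assigned to that role
  groups?: string[]; // optional Kubernetes groups for the role
}
interface RbacSubject { kind: "User" | "Group"; name: string; }

// Render the YAML list stored under the ConfigMap's `data.mapRoles` key.
function renderMapRoles(entries: MapRoleEntry[]): string {
  const blocks = entries.map((e) => {
    const lines = [`- rolearn: ${e.rolearn}`, `  username: ${e.username}`];
    if (e.groups && e.groups.length > 0) {
      lines.push("  groups:");
      for (const g of e.groups) lines.push(`    - ${g}`);
    }
    return lines.join("\n");
  });
  return blocks.join("\n") + "\n";
}

// Subjects no mapRoles entry can produce: a User subject only works when its name
// equals the `username` aws-auth assigns (a Group subject, one of its `groups`).
function unmappedSubjects(subjects: RbacSubject[], entries: MapRoleEntry[]): RbacSubject[] {
  const users = entries.map((e) => e.username);
  const groups: string[] = [];
  for (const e of entries) for (const g of e.groups || []) groups.push(g);
  return subjects.filter((s) =>
    (s.kind === "User" && users.indexOf(s.name) === -1) ||
    (s.kind === "Group" && groups.indexOf(s.name) === -1));
}

// Entries that put the IAM role in system:masters (cluster-admin): these
// bypass every Role/RoleBinding you define and deserve explicit review.
function mastersEntries(entries: MapRoleEntry[]): string[] {
  return entries.filter((e) => (e.groups || []).indexOf("system:masters") !== -1)
                .map((e) => e.rolearn);
}

// Constructed sample: pod-reader uses the ARN itself as the username, which is
// what the RoleBinding subject in the program above relies on.
const SAMPLE_ENTRIES: MapRoleEntry[] = [
  { rolearn: "arn:aws:iam::111122223333:role/pod-reader", username: "arn:aws:iam::111122223333:role/pod-reader" },
  { rolearn: "arn:aws:iam::111122223333:role/cluster-admin", username: "cluster-admin", groups: ["system:masters"] },
];
const SAMPLE_SUBJECTS: RbacSubject[] = [
  { kind: "User", name: "arn:aws:iam::111122223333:role/pod-reader" },
  { kind: "User", name: "arn:aws:iam::111122223333:role/auditor" }, // never mapped
  { kind: "Group", name: "system:masters" },
];
```

Running `unmappedSubjects(SAMPLE_SUBJECTS, SAMPLE_ENTRIES)` returns only the `auditor` subject, and `mastersEntries(SAMPLE_ENTRIES)` returns the `cluster-admin` role ARN.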
Remember to review the official Pulumi documentation for Kubernetes and the official Pulumi documentation for AWS EKS for a deeper understanding of integrating IAM with RBAC on a Kubernetes cluster.