AWS EKS add user restricted to namespace

≯℡__Kan透↙ 提交于 2019-12-23 17:30:48

问题


I have created AWS EKS cluster since I have created using my AWS userID has been added to system:masters group. But when checked ConfigMap aws-auth I don't see my user ID. Why ?

I had to give access to another user, so I have to assign appropriate AWS policies to the IAM user, then I edited the ConfigMap aws-auth with the following mapping

mapUsers:
----
- userarn: arn:aws:iam::573504862059:user/abc-user  
  username: abc-user
  groups:
    - system:masters

So far I have understood when a user is part of system:masters group, this user has admin privileges on the cluster.

How can I add a new user who will have restricted privileges to a specific namespace? Do I have to do the same thing what I have done for the above user? If so then what group I should add the new user to?


回答1:


I would familiarize with Kubernetes RBAC concepts

So you can create a Role since these are limited to a specific namespace.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: my-namespace
  name: full-namespace
rules:
- apiGroups: ["*"] 
  resources: ["*"]
  verbs: ["*"]

Then create a RoleBinding:

$ kubectl create rolebinding my-namespace-binding --role=full-namespace --group=namespacegroup --namespace=my-namespace

Or kubectl create -f this:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-namespace-binding
  namespace: mynamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: full-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  namespace: mynamespace

Then on your ConfigMap:

mapUsers:
----
- userarn: arn:aws:iam::573504862059:user/abc-user  
  username: abc-user
  groups:
    - namespacegroup


来源:https://stackoverflow.com/questions/52765182/aws-eks-add-user-restricted-to-namespace

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!