Can't configure RBAC to users in EKS

Question

I have deployed EKS using eksctl following this docs.

As the user who created the cluster I have full access control.
Trying to grant system:masters permissions to a specific user doesn't work this way:

kubectl edit -n kube-system configmap/aws-auth
apiVersion: v1
data:
  mapAccounts: |
    - "111111111111"
  mapRoles: |
    - groups:
        - system:bootstrappers
        - system:nodes
      rolearn: ***
      username: ***
  mapUsers: |
    - rolearn: arn:aws:iam::***:user/test-user
      username: test-user
      groups:
        - system:masters
kind: ConfigMap
metadata:
  ...

Logging in as the test-user and executing kubectl get pods I receive:

Error from server (Forbidden): pods is forbidden: User "arn:aws:iam::***:user/test-user" cannot list resource "pods" in API group "" in the namespace "default"

I have read somewhere that mapAccounts maps the users to system:authenticated, but I couldn't verify it in AWS docs.
I have tried to created different clusterRole and clusterRoleBindings and attaching them to the test-user but nothing works...

How can I grant access to the specific test-user user, or in general give full access (modify system:authenticated) to my group in IAM?

score 0 · Answer 1 · edited Feb 28 '21 at 18:41

0

I see that you are using rolearn instead of userarn under mapUsers:.

Replace that and it should work.

To apply a new configuration to the RBAC configuration of the Amazon EKS cluster, run the following command: kubectl apply -f aws-auth-cm.yml

Then you should be able to login as test-user.

edited Feb 28 '21 at 18:41

KHobbits

1,090
7
13

answered Feb 25 '21 at 20:23

theopsguy

1
1

Can't configure RBAC to users in EKS

1 Answers1