I have deployed EKS using eksctl
following this docs.
As the user who created the cluster I have full access control.
Trying to grant system:masters
permissions to a specific user doesn't work this way:
kubectl edit -n kube-system configmap/aws-auth
apiVersion: v1
data:
mapAccounts: |
- "111111111111"
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: ***
username: ***
mapUsers: |
- rolearn: arn:aws:iam::***:user/test-user
username: test-user
groups:
- system:masters
kind: ConfigMap
metadata:
...
Logging in as the test-user
and executing kubectl get pods
I receive:
Error from server (Forbidden): pods is forbidden: User "arn:aws:iam::***:user/test-user" cannot list resource "pods" in API group "" in the namespace "default"
I have read somewhere that mapAccounts
maps the users to system:authenticated
, but I couldn't verify it in AWS docs.
I have tried to created different clusterRole
and clusterRoleBindings
and attaching them to the test-user
but nothing works...
How can I grant access to the specific test-user
user, or in general give full access (modify system:authenticated
) to my group in IAM?