Skip to main content

Create a read Only cli User for EKS

Use Case: When you want to provide access to users, you must always avoid prividing admin priviledges to users. This is needed for security and audit Purpose. Kubernetes allows you to create Rbac credentials using roles and cluster roles for service accounts, users, groups.
From k8s: RBAC authorization uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing you to dynamically configure policies through the Kubernetes API.

 

1. Lets First Create the cluster role and group

Create file cluster-role-and-binding.yml

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eks-readonly-group-binding
subjects:
- kind: Group
  name: eks-readonly-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: eks-readonly-group-cluster-role
  apiGroup: rbac.authorization.k8s.io

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eks-readonly-group-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

Now Apply all the changes 

 kubectl apply -f cluster-role-and-binding.yml

Note: This is only required once


2. Create a Iam user with the below Policy 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:AccessKubernetesApi",
                "ssm:GetParameter",
                "eks:ListUpdates",
                "eks:ListFargateProfiles"
            ],
            "Resource": "*"
        }
    ]
}

3. Allow user access in EKS

This can be done by updating the mentioned below resource and adding the user in the group

Resource: Location: configmap/aws-auth
Namespace: kube-system
Group: eks-readonly-group 

 mapUsers: |
    - userarn: arn:aws:iam::ACCOUNT_ID:user/user1
      username: user1
      groups:
        - eks-readonly-group

4. Set up Cli access

a. Install kubectl
b. Install AWS CLI
c. Create a Accesxs key ID and Access key Secret from IAM console because it is required
AWS EKS setup on local 
  # add credentials
  aws configure 
  
  # setup eks, this would show the userarn and it should be same as Step 3 config
  aws sts get-caller-identity
  
  # update region and cluster name
  aws eks --region example_region update-kubeconfig --name cluster_name
  
  # get pods using
  kubectl get pods --all-namespaces
Labels:

Comments

Post a Comment

Popular posts from this blog

Monitor On Prem Resources From kube prom stack (Prometheus)

For this you would need Few Items Endpoints Service ServiceMonitor --- apiVersion: v1 kind: Endpoints metadata: name: onprem-proxy namespace: monitoring subsets: - addresses: - ip: "192.168.10.10" - ip: "192.168.10.11" ports: - name: 'onprem-proxy-metrics' protocol: TCP port: 9100 --- apiVersion: v1 kind: Service metadata: name: onprem-proxy namespace: monitoring labels: app.kubernetes.io/name: onprem-proxy spec: ports: - name: "onprem-proxy-metrics" protocol: TCP port: 9100 targetPort: 9100 --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: onprem-proxy namespace: monitoring spec: endpoints: - interval: 10s path: /metrics port: onprem-proxy-metrics namespaceSelector: matchNames: - monitoring selector: matchLabels: app.kubernetes.io/name: onprem-proxy
Post a Comment
Read more

Microsoft Ldap login using python

Microsoft Ldap login using python3 Install dependent packages python3 -m pip install ldap3 Sample Code to test login from ldap3 import Server, Connection, ALL, SUBTREE from ldap3.core.exceptions import LDAPException, LDAPBindError def connect_ldap_server(SERVER_URI, DN,USERNAME, PASSWORD): try: # Provide the hostname and port number of the openLDAP server = Server(SERVER_URI, get_info=ALL) # username and password can be configured during openldap setup connection = Connection(server, user='CN='+USERNAME+','+DN, password=PASSWORD) bind_response = connection.bind() # Returns True or False return bind_response except LDAPBindError as e: connection = e return False # print(connection) # print(bind_response) if connect_ldap_server('ldap://9.1.0.3','OU=Headoffice,DC=example,DC=com', 'testuser',...
Post a Comment
Read more

Add a Approval System in Jenkins For Build

Approval System in Jenkins For Build Use Cases: Only Specific users must be able to approve the build Speific users should be able to run the build without Approval Approval Can be turn off and On On-Demand Jenkins Variables Needs to Created under ( Manage Jenkins > Configure System > Environment variables ) ApprovalAdmins (Value: jenkins emails comma separated) skipApprovalUsers (Value: jenkins emails comma separated) BuildApproval (Value: True, False) import jenkins.model.Jenkins def getBuildUser() { return currentBuild.getBuildCauses('hudson.model.Cause$UserIdCause')['userId'] } pipeline { agent { label 'ec2-fleet-common' } stages { stage('Approval Process') { when { expression { env.BuildApproval == 'True' || env.BuildApproval == 'true' } } steps { script { ...
Post a Comment
Read more