2i2c-org / infrastructure

Infrastructure for configuring and deploying our community JupyterHubs.
https://infrastructure.2i2c.org
BSD 3-Clause "New" or "Revised" License

AWS EKS: draft notes on how to provide k8s "view" permissions to an AWS IAM user #2300

Open consideRatio opened 1 year ago

consideRatio commented 1 year ago

In https://2i2c.freshdesk.com/a/tickets/502 a request came from Greg, a k8s power user, to be granted read permissions to the k8s cluster, and I suggested the k8s official user facing ClusterRole view that doesn't grant access to inspect Secret resources etc but other resources overall, including logs for pods as explicitly requested.

This is how I've attempted to provide that in the AWS based cluster.

# define the <username> to be associated with the AWS account's
# IAM user, and to be part of the eks-view group
# (AWS_ACCOUNT and AWS_IAM_USERNAME are expected to be set in the environment;
# no trailing whitespace after the backslashes, or the line continuation breaks)
eksctl create iamidentitymapping \
    --cluster=nasa-veda \
    --region=us-west-2 \
    --arn arn:aws:iam::$AWS_ACCOUNT:user/$AWS_IAM_USERNAME \
    --username $AWS_IAM_USERNAME \
    --group eks-view \
    --no-duplicate-arns

# create a ClusterRoleBinding, coupling the k8s default ClusterRole "view" to
# the group eks-view
kubectl create clusterrolebinding view --clusterrole=view --group=eks-view

The user can then authenticate as their AWS IAM user and run:

aws eks update-kubeconfig --region=$AWS_REGION --name=$EKS_CLUSTER_NAME

The user confirmed this approach is working. So, we need to:
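
As an added example (not the project's tooling and not the commands from the comment above), the same grant wrapped in a POSIX shell script: it refuses anything that is not an IAM user ARN, renders the ClusterRoleBinding as a manifest so it can be reviewed and applied idempotently, and then checks with `kubectl auth can-i` impersonation that the mapped identity can read pod logs but cannot read Secrets or delete pods. The cluster, region, account id and user name in the usage line are placeholders; the ARN check assumes the commercial `aws` partition and only sanity-checks the format.

```shell
#!/bin/sh
# Added example: grant the built-in "view" ClusterRole to an AWS IAM user on
# EKS, with input validation and a post-grant permission check. Not the
# project's own tooling; the names used in the usage line are placeholders.

# Sanity-check that the ARN names an IAM *user* (not a role or the account
# root) in the commercial "aws" partition. Assumption: no other partitions.
validate_iam_user_arn() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws:iam::[0-9]{12}:user/([A-Za-z0-9+=,.@_-]+/)*[A-Za-z0-9+=,.@_-]{1,64}$'
}

# Render the ClusterRoleBinding as a manifest (reviewable, and "kubectl apply"
# is idempotent, unlike "kubectl create clusterrolebinding").
view_binding_manifest() {
  group=$1
  name=${2:-view}
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $name
subjects:
- kind: Group
  name: $group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Confirm what the grant does and does not allow by impersonating the mapped
# username and group. The caller's own identity must be allowed to impersonate
# (a cluster-admin is). Returns 0 only if every expectation holds.
verify_view_grant() {
  user=$1
  group=$2
  rc=0
  can_i() { kubectl auth can-i "$@" --as="$user" --as-group="$group"; }
  [ "$(can_i get pods --subresource=log --all-namespaces)" = yes ] ||
    { echo "FAIL: $user cannot read pod logs" >&2; rc=1; }
  [ "$(can_i get secrets --all-namespaces)" = no ] ||
    { echo "FAIL: $user can read Secrets" >&2; rc=1; }
  [ "$(can_i delete pods --all-namespaces)" = no ] ||
    { echo "FAIL: $user can delete pods" >&2; rc=1; }
  return $rc
}

grant_view() {
  cluster=$1
  region=$2
  arn=$3
  group=${4:-eks-view}
  if ! validate_iam_user_arn "$arn"; then
    echo "refusing: '$arn' is not an IAM user ARN" >&2
    return 2
  fi
  # Kubernetes username = the IAM user name (last path segment of the ARN).
  username=${arn##*/}
  # Writes the mapping into the aws-auth ConfigMap in kube-system.
  eksctl create iamidentitymapping \
    --cluster="$cluster" \
    --region="$region" \
    --arn "$arn" \
    --username "$username" \
    --group "$group" \
    --no-duplicate-arns
  view_binding_manifest "$group" view | kubectl apply -f -
  verify_view_grant "$username" "$group"
}

# Usage: sh grant-view.sh <cluster> <region> <iam-user-arn> [group]
# e.g.:  sh grant-view.sh nasa-veda us-west-2 arn:aws:iam::123456789012:user/greg
if [ "$#" -ge 3 ]; then
  grant_view "$@"
fi
```

Two caveats worth keeping in mind when handing out `view` this way: the built-in `view` ClusterRole excludes Secrets but does include ConfigMaps, and because the binding is cluster-wide the user can read every ConfigMap in every namespace, including `aws-auth` in `kube-system` (the IAM-to-Kubernetes mapping itself). And the `can-i` check only proves what RBAC answers for that username/group pair; it does not prove the IAM user is actually mapped to that pair, which is why the user's own `aws eks update-kubeconfig` followed by a `kubectl logs` is still the final confirmation.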

ranchodeluxe commented 1 year ago

forgot to respond here, but this works as expected thank you

damianavila commented 1 year ago

Thanks for the confirmation, @ranchodeluxe!

damianavila commented 1 year ago

IMHO, the next step here is to properly document it in our infra docs (adding a task for that in the top message).