Controlling EKS access with AWS IAM
Scenario
- Existing KOPS cluster running for over a year
- Cluster access managed by a slackbot which creates a kubernetes role behind the scene
- Access is time based
Problems
- No single source of truth for users
- If someone leaves the organization, you may have to manually delete access
- If your config expires, you have to regenerate a new one (not a big pain, but what if we avoid it)
Not enough problems ?
Lets move to EKS!
New Problems ? (or a solution)
- Access is managed via aws-iam-authenticator using AWS IAMs
- Each user's IAM Role must be added to the aws-auth configmap in the kube-system
What if we sync AWS IAM with EKS Auth
A solution for all the problems ...?
Let's create
iam-eks-user-mapper
What can it do
- Sync kubernetes roles with AWS IAM groups
- Support for multi AWS account setup
- Give different access levels to different IAM groups
- All EKS auth synced with AWS IAM
Thank You
@yashm95
Devops @
Yash Mehrotra