Controlling EKS access with AWS IAM

Scenario

  • Existing kops cluster running for over a year
  • Cluster access managed by a Slack bot which creates a Kubernetes Role behind the scenes
  • Access is time-based

Problems

  • No single source of truth for users
  • If someone leaves the organization, you may have to manually delete access
  • If your kubeconfig expires, you have to regenerate a new one (not a big pain, but why not avoid it)

Not enough problems?

Let's move to EKS!

New problems? (or a solution)

  • Authentication is handled by aws-iam-authenticator using AWS IAM identities
  • Each user's IAM user or role must be mapped in the aws-auth ConfigMap in the kube-system namespace
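What that mapping looks like, as an added example that is not part of the original deck: an aws-auth ConfigMap that maps an IAM role and an IAM user to the Kubernetes group `developers`, plus the RoleBinding that gives that group read-only access in one namespace. The account ID, role names, user name and namespace are assumptions. Two practitioner points the example encodes: the node instance role entry must stay in `mapRoles` (without it new worker nodes cannot join), and a role ARN in `mapRoles` must not include an IAM path.

```yaml
# kube-system/aws-auth: the mapping aws-iam-authenticator reads on every request.
# Assumed account ID 111122223333, role and user names are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Worker node role: keep this entry, or nodes stop joining the cluster.
    - rolearn: arn:aws:iam::111122223333:role/eks-node-instance-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # Human access via an assumed role; the ARN must not contain a path.
    - rolearn: arn:aws:iam::111122223333:role/eks-developers
      username: developer:{{SessionName}}
      groups:
        - developers
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/alice
      username: alice
      groups:
        - developers
---
# RBAC for the "developers" group: the built-in "view" ClusterRole,
# bound only inside the "apps" namespace (a RoleBinding, not a ClusterRoleBinding).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-view
  namespace: apps
subjects:
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

The ConfigMap only decides which Kubernetes username and groups an IAM identity gets; what those groups can do is entirely RBAC. Mapping a group to `system:masters` bypasses RBAC altogether, so reserve it for break-glass identities. Note also that the IAM identity that created the cluster has cluster-admin access without appearing in aws-auth, and a syntax error in this ConfigMap can lock every mapped user out, so validate changes before applying them.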

What if we sync EKS auth with AWS IAM?

A solution to all the problems...?

Let's create

iam-eks-user-mapper

What can it do?

  • Sync Kubernetes groups with AWS IAM groups
  • Support for multi-account AWS setups
  • Give different access levels to different IAM groups
  • All EKS auth synced with AWS IAM, so IAM is the single source of truth
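The core of such a sync, as an added example written for this page and not the code of iam-eks-user-mapper itself: take IAM group membership from several accounts, apply a policy that says which Kubernetes groups each IAM group grants, and produce the `mapUsers` block for aws-auth plus a diff against the current mapping. The account IDs, group names and user names are constructed sample data standing in for what `iam:GetGroup` would return through boto3. The security-relevant behaviour is the removal path: a user who is no longer in any mapped IAM group disappears from the desired state, which is how "someone leaves the organization" stops needing a manual cleanup.

```python
"""Generate the data.mapUsers block of the aws-auth ConfigMap from IAM group membership."""
from typing import Dict, List, Tuple

# Constructed sample input: IAM group members per AWS account (hypothetical IDs and names).
# In a real sync this comes from boto3 iam.get_group() in each account.
IAM_GROUP_MEMBERS: Dict[str, Dict[str, List[str]]] = {
    "111122223333": {
        "eks-admins": ["arn:aws:iam::111122223333:user/alice"],
        "eks-developers": [
            "arn:aws:iam::111122223333:user/alice",
            "arn:aws:iam::111122223333:user/bob",
        ],
        "billing": ["arn:aws:iam::111122223333:user/eve"],  # not mapped: grants nothing
    },
    "444455556666": {
        "eks-readonly": ["arn:aws:iam::444455556666:user/carol"],
    },
}

# Policy: which Kubernetes groups each (account, IAM group) pair grants.
# "cluster-admins" is assumed to be bound to the cluster-admin ClusterRole via RBAC;
# avoid mapping anyone to system:masters, which bypasses RBAC entirely.
GROUP_POLICY: Dict[Tuple[str, str], List[str]] = {
    ("111122223333", "eks-admins"): ["cluster-admins"],
    ("111122223333", "eks-developers"): ["developers"],
    ("444455556666", "eks-readonly"): ["viewers"],
}


def username_from_arn(arn: str) -> str:
    """Kubernetes username for an IAM user ARN: '<account>:<name>'.
    Prefixing the account ID keeps usernames unique across accounts."""
    account = arn.split(":")[4]
    name = arn.rsplit("/", 1)[-1]
    return f"{account}:{name}"


def build_map_users(members: Dict[str, Dict[str, List[str]]],
                    policy: Dict[Tuple[str, str], List[str]]) -> List[dict]:
    """Desired mapUsers entries. A user in several mapped IAM groups gets one entry
    with the union of their Kubernetes groups; unmapped IAM groups grant nothing."""
    entries: Dict[str, dict] = {}
    for account, groups in members.items():
        for iam_group, user_arns in groups.items():
            k8s_groups = policy.get((account, iam_group))
            if not k8s_groups:
                continue
            for arn in user_arns:
                entry = entries.setdefault(
                    arn, {"userarn": arn, "username": username_from_arn(arn), "groups": []})
                for g in k8s_groups:
                    if g not in entry["groups"]:
                        entry["groups"].append(g)
    return sorted(entries.values(), key=lambda e: e["userarn"])


def diff_map_users(current: List[dict], desired: List[dict]) -> Tuple[List[str], List[str]]:
    """(added ARNs, removed ARNs). Removed users are those no longer in any mapped IAM group."""
    cur = {e["userarn"] for e in current}
    new = {e["userarn"] for e in desired}
    return sorted(new - cur), sorted(cur - new)


def render_map_users(entries: List[dict]) -> str:
    """Render entries as the YAML string stored under data.mapUsers (no PyYAML needed)."""
    lines: List[str] = []
    for e in entries:
        lines.append(f"- userarn: {e['userarn']}")
        lines.append(f"  username: {e['username']}")
        lines.append("  groups:")
        lines.extend(f"    - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pretend the ConfigMap currently still lists a user who has since left the IAM group.
    current = build_map_users(IAM_GROUP_MEMBERS, GROUP_POLICY) + [
        {"userarn": "arn:aws:iam::111122223333:user/dave",
         "username": "111122223333:dave", "groups": ["developers"]}]
    desired = build_map_users(IAM_GROUP_MEMBERS, GROUP_POLICY)
    added, removed = diff_map_users(current, desired)
    print("added:", added, "removed:", removed)
    print(render_map_users(desired))
```

When applying the result, patch only `data.mapUsers` (and, if the tool manages them, the human entries in `mapRoles`) and leave the worker node role mapping alone; a sync that replaces the whole ConfigMap will also remove the node role and stop new nodes from joining. Run the sync from an identity that is itself not managed by it, so a policy mistake cannot lock the syncer out.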

Thank You

@yashm95

Devops @

Yash Mehrotra
