Comments (7)
Note to self: include aws-iam-authenticator flags.
from aws-eks-best-practices.
- Federate with AWS using AWS SSO.
- If running AD on premises, you can use AD Connector to establish an association with AD; otherwise, use AWS Managed AD.
- Create a Permission Set for the groups imported from AD:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "arn:aws:eks:us-east-1:123456789012:cluster/<clustername>"
    }
  ]
}
```
The above policy allows the user to assume an AWS role and create a kubeconfig file for the cluster using the `aws eks update-kubeconfig` CLI command.
SSO will automatically create AWS IAM roles for the imported groups. Each role name will start with `AWSReservedSSO_`.

- Update the aws-auth ConfigMap with the roles and their corresponding RBAC group:

```yaml
- rolearn: arn:aws:iam::123456789012:role/AWSReservedSSO_AD-EKS-Admins_7ab7b31734ed2731
  username: adminuser:{{SessionName}}
  groups:
    - default:ad-eks-admins
```

- Create Roles and RoleBindings, or ClusterRoles and ClusterRoleBindings, for the federated users, for example:

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eks-admins-binding
  namespace: default
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: 'default:ad-eks-admins'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: 'default:ad-eks-admins'
```
- Install AWS CLI 2.0 and configure an SSO profile (the subcommand is `configure sso`, not `sso configure`):

```
aws configure sso
```
- Log in using federated credentials:

```
aws sso login --profile <profilename>
```

- Execute `kubectl` commands.

Actions by the federated user will appear in the audit log:

```
fields @timestamp, @message
| filter user.username = "adminuser:jicowan-CORP.NETPOL.COM"
| sort @timestamp desc
| limit 20
```

```json
"user": {
  "username": "adminuser:jicowan-CORP.NETPOL.COM",
  "uid": "heptio-authenticator-aws:123456789012:AROA36C6WWEJ5VZX5PAXY",
  "groups": [
    "default:ad-eks-admins",
    "system:authenticated"
  ],
  "extra": {
    "accessKeyId": [
      "ASIA36C6WWEJY5KK2H3X"
    ]
  }
}
```
from aws-eks-best-practices.
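Added example (not part of the comment above or of the aws-eks-best-practices project): a Python model of how the aws-auth mapRoles entry from the comment is applied to a federated caller, so the mapping can be checked offline before a user hits the cluster. It assumes the documented aws-iam-authenticator behaviour that `{{SessionName}}` has any `@` replaced by `-` (which is why the audit log shows `jicowan-CORP.NETPOL.COM`), and that the `rolearn` is matched without the IAM path that SSO roles actually carry; the mapRoles entry and audit events are constructed from the values in the comment.

```python
import re

# Constructed aws-auth mapRoles entry, modelled on the one in the comment above.
MAP_ROLES = [
    {
        "rolearn": "arn:aws:iam::123456789012:role/AWSReservedSSO_AD-EKS-Admins_7ab7b31734ed2731",
        "username": "adminuser:{{SessionName}}",
        "groups": ["default:ad-eks-admins"],
    },
]

# Constructed audit-log user records, shaped like the one quoted in the comment.
AUDIT_EVENTS = [
    {"user": {"username": "adminuser:jicowan-CORP.NETPOL.COM", "groups": ["default:ad-eks-admins"]}},
    {"user": {"username": "kubernetes-admin", "groups": ["system:masters"]}},
]

# STS identity of a federated caller: arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
ASSUMED_ROLE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$")


def canonicalize(sts_arn):
    """Reduce an assumed-role ARN to the IAM role ARN that mapRoles is keyed on.
    The assumed-role ARN carries no IAM path, so the SSO role's real path
    (/aws-reserved/sso.amazonaws.com/) must also be left out of rolearn in
    aws-auth; an entry written with the path never matches."""
    m = ASSUMED_ROLE.match(sts_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {sts_arn}")
    return f"arn:aws:iam::{m['account']}:role/{m['role']}", m["session"]


def resolve_identity(sts_arn, map_roles=MAP_ROLES):
    """Return (username, groups) as RBAC sees them, or None when no mapRoles entry
    matches (the caller is then rejected as unauthenticated)."""
    role_arn, session = canonicalize(sts_arn)
    for entry in map_roles:
        if entry["rolearn"] == role_arn:
            # {{SessionName}} is the session name with '@' replaced by '-', which is
            # why the audit log shows jicowan-CORP.NETPOL.COM rather than jicowan@...
            username = entry["username"].replace("{{SessionName}}", session.replace("@", "-"))
            # The API server appends system:authenticated to every authenticated user.
            return username, entry["groups"] + ["system:authenticated"]
    return None


def audit_events_for(username, events=AUDIT_EVENTS):
    """Same predicate as the Logs Insights filter in the comment: user.username = X."""
    return [e for e in events if e["user"]["username"] == username]
```

Feeding the output of `aws sts get-caller-identity` for an SSO profile into `resolve_identity` shows which RBAC groups that user will land in, or that the entry will not match at all.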
@ikester, is this what you were thinking of? This is already pretty well documented in this blog.
from aws-eks-best-practices.
It seems a very old article, and I think the aws-iam-authenticator functionality was already in the AWS CLI, so there is no more separate CLI command?
from aws-eks-best-practices.
@os-virtualretail yes, it needs updating. I don't think it accounts for the new SSO functionality in the AWS CLI v2. This dramatically improves the user experience for federated users because they no longer have to use a script or call assume-role before using `kubectl`. Do you have an opinion about what the best practice ought to be here?
from aws-eks-best-practices.
@ikester any feedback?
from aws-eks-best-practices.
I found this article to be very useful.
from aws-eks-best-practices.