Panfactum LogoPanfactum
Infrastructure ModulesDirect ModulesKuberneteskube_rbac
kube_rbac
Stable
Direct
Source Code Link

Kubernetes RBAC

This module configures the basic scaffolding for linking AWS IAM roles to Kubernetes RBAC roles by setting up the aws-auth ConfigMap used by the aws-iam-authenticator project. This enables user authentication to cluster resources through AWS.

While it sets up the initial linkages and global permissions, the majority of the permissions are deployed on the namespace level through the namespace module in access-control.

See the below table for our standard Kubernetes groups, the AWS roles linked to each group (through this module' input variables), and the description of the intended permission level.

Kubernetes GroupAWS Roles LinkedPermission Level
system:superusersvar.kube_superuser_role_arnscluster-admin
system:adminsvar.kube_admin_role_arnsWrite access to everything besides core cluster utilities.
system:readersvar.kube_reader_role_arnsRead access to all non-admin resources except secrets.

Maintainer Notes

  • This requires the cluster first be deployed via the aws_eks module.

  • You will need to import the kubernetes_config_map.aws_auth resource and apply those changes in order for the nodes to successfully register. You will need to use the credentials of the cluster owner (the IAM entity that originally created the cluster).

Providers

The following providers are needed by this module:

  • aws (5.70.0)

  • kubectl (2.0.4)

  • kubernetes (2.27.0)

  • pf (0.0.3)

Required Inputs

The following input variables are required:

aws_node_role_arn

Description: AWS IAM role that the EKS nodes use (required for node bootstrapping)..

Type: string

Optional Inputs

The following input variables are optional (have default values):

kube_admin_role_arns

Description: AWS IAM role ARNs that have read and write access to most cluster resources.

Type: list(string)

Default: []

kube_reader_role_arns

Description: AWS IAM role ARNs that have read-only access to cluster resources.

Type: list(string)

Default: []

kube_restricted_reader_role_arns

Description: AWS IAM role ARNs that have restricted read-only access to cluster resources.

Type: list(string)

Default: []

kube_superuser_role_arns

Description: AWS IAM role ARNs that have 'cluster-admin' access to the cluster.

Type: list(string)

Default: []

Outputs

No outputs.

Usage

No notes

Maintainers

resources.txt is generated by running

kubectl api-resources --no-headers | awk '{
  name = $1;
   if (NF == 4) {
    shortname = "none";
    apiGroup = $2
    namespaced = $3;
    kind = $4;
        t = "1";
  } else {
      shortname = $2;
    apiGroup = $3
    namespaced = $4;
    kind = $5;
        t = "0";
  }
  print name " " apiGroup;
}' | awk '{ arr[$2] = arr[$2] ? arr[$2] "," $1 : $1 } END { for (i in arr) print arr[i], i }'

against a Kubernetes cluster with all the stack resources deployed.

This is required by we must explicitly enumerate permissions for all resources in order to exclude secret resources for the restricted-reader role.