Kubernetes RBAC
This module configures the basic scaffolding for linking AWS IAM roles to Kubernetes RBAC roles by setting up the aws-auth ConfigMap used by the aws-iam-authenticator project. This enables user authentication to cluster resources through AWS.
While it sets up the initial linkages and global permissions, the majority of the permissions are deployed on the namespace level through the namespace module in access-control.
See the table below for our standard Kubernetes groups, the AWS roles linked to each group (through this module's input variables), and a description of the intended permission level.
| Kubernetes Group | AWS Roles Linked | Permission Level |
|---|---|---|
| system:superusers | var.kube_superuser_role_arns | cluster-admin |
| system:admins | var.kube_admin_role_arns | Write access to everything besides core cluster utilities. |
| system:readers | var.kube_reader_role_arns | Read access to all non-admin resources except secrets. |
Maintainer Notes
- This requires the cluster first be deployed via the aws_eks module.
- You will need to import the kubernetes_config_map.aws_auth resource and apply those changes in order for the nodes to successfully register. You will need to use the credentials of the cluster owner (the IAM entity that originally created the cluster).
Providers
The following providers are needed by this module:
- aws (5.70.0)
- kubectl (2.0.4)
- kubernetes (2.27.0)
- pf (0.0.3)
Required Inputs
The following input variables are required:
aws_node_role_arn
Description: AWS IAM role that the EKS nodes use (required for node bootstrapping).
Type: string
Optional Inputs
The following input variables are optional (have default values):
kube_admin_role_arns
Description: AWS IAM role ARNs that have read and write access to most cluster resources.
Type: list(string)
Default: []
kube_reader_role_arns
Description: AWS IAM role ARNs that have read-only access to cluster resources.
Type: list(string)
Default: []
kube_restricted_reader_role_arns
Description: AWS IAM role ARNs that have restricted read-only access to cluster resources.
Type: list(string)
Default: []
kube_superuser_role_arns
Description: AWS IAM role ARNs that have 'cluster-admin' access to the cluster.
Type: list(string)
Default: []
Outputs
No outputs.
Usage
No notes
Maintainers
resources.txt is generated by running the following against a Kubernetes cluster with all the stack resources deployed:

```sh
# First stage: normalise `kubectl api-resources` rows, which have either 4 fields
# (no SHORTNAMES column) or 5 fields, and print "name apiGroup" for each resource.
# Second stage: collect the resource names for each API group into a comma-separated list.
kubectl api-resources --no-headers | awk '{
name = $1;
if (NF == 4) {
shortname = "none";
apiGroup = $2;
namespaced = $3;
kind = $4;
t = "1";
} else {
shortname = $2;
apiGroup = $3;
namespaced = $4;
kind = $5;
t = "0";
}
print name " " apiGroup;
}' | awk '{ arr[$2] = arr[$2] ? arr[$2] "," $1 : $1 } END { for (i in arr) print arr[i], i }'
```
This is required because we must explicitly enumerate permissions for all resources in order to exclude secret resources for the restricted-reader role.
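As an added example (not part of this module), the same pipeline in Python: it parses `kubectl api-resources --no-headers` output, groups resources by API group like the second awk stage, and then emits explicit read-only RBAC rules with `secrets` left out, which is the reason the enumeration exists. The sample output is constructed, and the parser assumes the kubectl layout in which the column after NAME/SHORTNAMES is APIVERSION (`group/version`), from which the API group is derived.

```python
from collections import defaultdict

# Constructed sample of `kubectl api-resources --no-headers` output (not captured from a real cluster).
# Columns: NAME [SHORTNAMES] APIVERSION NAMESPACED KIND; SHORTNAMES is blank for some rows,
# which is why the awk pipeline above switches on the field count.
SAMPLE_API_RESOURCES = """\
configmaps    cm      v1                              true   ConfigMap
secrets               v1                              true   Secret
pods          po      v1                              true   Pod
namespaces    ns      v1                              false  Namespace
deployments   deploy  apps/v1                         true   Deployment
roles                 rbac.authorization.k8s.io/v1    true   Role
"""

READ_VERBS = ["get", "list", "watch"]

def parse_api_resources(text):
    """Return (resource name, api group) pairs; a 4-field row has no shortname."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 4:
            name, api_version = fields[0], fields[1]
        elif len(fields) == 5:
            name, api_version = fields[0], fields[2]
        else:
            raise ValueError(f"unexpected column count: {line!r}")
        # APIVERSION is "group/version", or a bare "v1" for the core group, which RBAC names "".
        group = api_version.rsplit("/", 1)[0] if "/" in api_version else ""
        rows.append((name, group))
    return rows

def group_resources(rows):
    """Mirror the second awk stage: api group -> resource names, in input order."""
    by_group = defaultdict(list)
    for name, group in rows:
        by_group[group].append(name)
    return dict(by_group)

def restricted_reader_rules(rows, excluded=frozenset({"secrets"})):
    """Build explicit RBAC rules, one per api group, with excluded resources left out.
    Enumerating names is what makes the exclusion possible; a '*' rule could not omit secrets."""
    rules = []
    for group, names in sorted(group_resources(rows).items()):
        kept = sorted(n for n in names if n not in excluded)
        if kept:
            rules.append({"apiGroups": [group], "resources": kept, "verbs": READ_VERBS})
    return rules
```

The returned rule list drops straight into the `rules:` field of a ClusterRole manifest.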