EKS aws-auth 및 rbac

By Bys on March 31, 2021

- Kubernetes aws-auth

aws-auth configmap에 role을 등록하는 것은 Kubernetes환경에 접근하는 권한을 롤로 컨트롤하겠다는 것으로 mapRoles에 AWS IAM Role을 셋팅해주면 해당 권한을 가지고 있는 IAM User는 Kubernets에 접근 가능하다.

아래의 샘플을 통해 이해한다.

configmap aws-auth

kubectl edit cm aws-auth -n kube-system

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::690656347157:role/mydata-cluster-prd-node-role
      username: system:node:
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::690656347157:role/mydata-cluster-prd-bastion-host-role
      username: mydata-cluster-prd-bastion-host-role
      groups:
        - system:masters
    - rolearn: arn:aws:iam::222383050459:role/ec2-role-for-accessing-eks-cluster
      username: ec2-role-for-accessing-eks-cluster
      groups:
        - system:masters
    - rolearn: arn:aws:iam::690656347157:role/mydata-cluster-prd-ec2-role
      username: mydata-cluster-prd-ec2-role
      groups:
        - system:masters
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"mapRoles":"- rolearn: arn:aws:iam::690656347157:role/mydata-cluster-prd-node-role\n  username: system:node:\n  groups:\n    - system:bootstrappers\n    - system:nodes\n- rolearn: arn:aws:iam::690656347157:role/mydata-cluster-prd-bastion-host-role\n  username: mydata-cluster-prd-bastion-host-role\n  groups:\n    - system:masters\n"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"aws-auth","namespace":"kube-system"}}
  creationTimestamp: "2021-05-18T01:35:01Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "114303"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 3f84427f-5810-41e8-ad13-e16e3c8a065c

- Kubernetes ServiceAccount

AWS자원과 관련이 있는 ServiceAccount에는 Annotations에 AWS IAM Role이 등록이 되어있다.
aws-load-balancer-controller의 서비스 어카운트의 경우 실제 Ingress가 배포되면 해당 Rule에 의한 ALB자원을 생성해야 하기 때문에 서비스어카운트에 맵핑이되어있는 Role에 elb생성 권한이 들어 있어야 한다.

ServiceAccount aws-load-balancer-controller

kubectl describe sa aws-load-balancer-controller -n kube-system

Name:                aws-load-balancer-controller
Namespace:           kube-system
Labels:              app.kubernetes.io/managed-by=eksctl
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::690656347157:role/eksctl-mydata-cluster-prd-addon-iamserviceac-Role1-NC7VZRSV6NLY
Image pull secrets:  <none>
Mountable secrets:   aws-load-balancer-controller-token-8v7pt
Tokens:              aws-load-balancer-controller-token-8v7pt
Events:              <none>



kubectl describe sa aws-node -n kube-system

Name:                aws-node
Namespace:           kube-system
Labels:              k8s-app=aws-node
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::690656347157:role/mydata-cluster-prd-cni-role
Image pull secrets:  <none>
Mountable secrets:   aws-node-token-nnd96
Tokens:              aws-node-token-nnd96
Events:              <none>


kubectl describe sa fluentd -n amazon-cloudwatch
Name:                fluentd
Namespace:           amazon-cloudwatch
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   fluentd-token-hnhxs
Tokens:              fluentd-token-hnhxs
Events:              <none>


Tag: [ aws  eks  kubernetes  ]