Server Fault Asked by Giovanni Tirloni on December 22, 2020
I’ve created a cluster (eks.3) through the console and then used aws eks update-config
to generate the kubeconfig configuration. I immediately had access to the cluster through kubectl
but the EKS user guide talks about aws-iam-authenticator as if it was required. Is this still needed? If not, how is authentication happening after cluster creation?
Amazon EKS uses IAM to provide authentication to your Kubernetes cluster[...], but it still relies on native Kubernetes Role Based Access Control (RBAC) for authorization. [...] All permissions for interacting with your Amazon EKS cluster’s Kubernetes API is managed through the native Kubernetes RBAC system. EKS userguide
So you don't necessary need the aws-iam-authenticator. The aws-iam-authenticator maps IAM user and roles to the native Kubernetes Role Based Access Control (RBAC) for authorization. So theoretically it should be possible to just use the RBAC. However the official documentation only refers to IAM authentication. So I would advice to use that as well. I'm not 100% sure if a missing aws-iam-authenticator could cause problems with service based policies. Stuff like granting a pod access to a s3 bucket.
When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration. EKS userguide
That is why your user has access to the EKS cluster.
Correct answer by Henrik Pingel on December 22, 2020
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP