Letting a newly created IAM user operate an EKS environment


Goal

  • Operate EKS with a newly created IAM user
  • For now, assign system:masters, which is the root-equivalent group in the Kubernetes world
  • Narrow this down further later
    • Permissions are tricky...

Steps

Creating the user

  • Create it with programmatic (API) access enabled

Creating the policy

  • Use system:masters (the group that the cluster-admin ClusterRoleBinding grants, as shown below)
kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters  

  • The user only needs to be able to run aws eks update-kubeconfig (apparently eks:DescribeCluster is the minimum required action)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:AccessKubernetesApi",
                "ssm:GetParameter",
                "eks:ListUpdates",
                "eks:ListFargateProfiles"
            ],
            "Resource": "*"
        }
    ]
}

Attach the policy to the user.

Edit the ConfigMap with kubectl edit

kubectl edit configmap/aws-auth -n kube-system

Value to add

  • When mapping a user (rather than a role), the key is userarn
  mapUsers: |
    - userarn: arn:aws:iam::123456789012:user/autodeploy-executer-production
      username: eks-operator
      groups:
        - system:masters

The whole ConfigMap

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::123456789012:role/eksctl-vamdemic-production-eks-clus-NodeInstanceRole-1NW6OO5XFQCMZ
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::123456789012:user/autodeploy-executer-production
      username: eks-operator
      groups:
        - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2021-04-27T07:10:47Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "30541"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 42befb87-d552-42fa-b8d7-672482a5e2f9
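Editing aws-auth by hand is the risky part of this procedure: a mis-indented mapUsers entry or a duplicated userarn can lock every IAM principal out of the cluster. The following script is an added example, not part of the original post. It validates a mapUsers entry, refuses duplicates, appends it to the existing mapUsers text (the ConfigMap stores that text as a single YAML string), and emits a kubectl merge patch as an alternative to kubectl edit. The existing entry is the one from this post; the second user (readonly-operator) and the eks-readers group are hypothetical values for illustration.

```python
import json
import re
import shlex

# Constructed sample: the mapUsers text exactly as it appears in this post's aws-auth
EXISTING_MAP_USERS = (
    "- userarn: arn:aws:iam::123456789012:user/autodeploy-executer-production\n"
    "  username: eks-operator\n"
    "  groups:\n"
    "    - system:masters\n"
)

# aws-auth only accepts plain IAM user ARNs (no path segment)
_USER_ARN = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@-]+$")
_VALID_NAME = re.compile(r"^[A-Za-z0-9:._-]+$")


def validate_entry(entry):
    """Return a list of problems with a mapUsers entry; an empty list means it is usable."""
    problems = []
    if not _USER_ARN.match(entry.get("userarn", "")):
        problems.append("userarn must look like arn:aws:iam::<12-digit-account>:user/<name>")
    if not _VALID_NAME.match(entry.get("username", "")):
        problems.append("username may contain only letters, digits, ':', '.', '_' and '-'")
    if not entry.get("groups"):
        problems.append("groups is empty: the user would authenticate but hold no RBAC role")
    return problems


def is_mapped(map_users, userarn):
    """True if userarn already has an entry in the given mapUsers text."""
    present = re.findall(r"^\s*-\s+userarn:\s*(\S+)", map_users or "", flags=re.M)
    return userarn in present


def render_entry(entry):
    """Render one entry in the indentation layout aws-auth expects."""
    lines = [f"- userarn: {entry['userarn']}", f"  username: {entry['username']}", "  groups:"]
    lines += [f"    - {g}" for g in entry["groups"]]
    return "\n".join(lines) + "\n"


def merged_map_users(map_users, entry):
    """Append entry to the existing mapUsers text, refusing invalid or duplicate entries."""
    problems = validate_entry(entry)
    if problems:
        raise ValueError("; ".join(problems))
    if is_mapped(map_users, entry["userarn"]):
        raise ValueError(f"{entry['userarn']} is already mapped; edit the existing entry instead")
    existing = (map_users or "").rstrip("\n")
    return (existing + "\n" if existing else "") + render_entry(entry)


def build_patch(map_users, entry):
    """JSON merge patch for the aws-auth ConfigMap; mapUsers is carried as one YAML string."""
    return json.dumps({"data": {"mapUsers": merged_map_users(map_users, entry)}})


def kubectl_patch_command(patch):
    """argv for applying the patch (assumes the caller already has cluster-admin credentials)."""
    return ["kubectl", "-n", "kube-system", "patch", "configmap", "aws-auth",
            "--type", "merge", "-p", patch]


def privilege_notes(entry):
    """Flag entries that grant unrestricted cluster-admin, the thing this post wants to narrow later."""
    if "system:masters" in entry["groups"]:
        return ["system:masters is unrestricted cluster-admin: prefer a dedicated group bound to a scoped (Cluster)Role"]
    return []


if __name__ == "__main__":
    # Hypothetical second user mapped to a custom group (not from the original post)
    new_user = {
        "userarn": "arn:aws:iam::123456789012:user/readonly-operator",
        "username": "readonly-operator",
        "groups": ["eks-readers"],
    }
    for note in privilege_notes(new_user):
        print("note:", note)
    print(shlex.join(kubectl_patch_command(build_patch(EXISTING_MAP_USERS, new_user))))
```

Before running the printed kubectl command, keep a copy of the current ConfigMap (kubectl get configmap aws-auth -n kube-system -o yaml) so a broken mapping can be restored from a session that still has access.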

Verification

  1. Issue credentials (an access key) for the user
  2. Set them with aws configure
  3. Run aws eks update-kubeconfig --name <cluster name>
  4. If kubectl can list some resource, it works

References

https://qiita.com/taishin/items/dfb9a5620f37ffb74fe9
https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/add-user-role.html