Sometimes you need to access a customer-managed EKS cluster that has a public endpoint. Follow this guide to get read-only access to a customer-managed EKS cluster in the customer's AWS account.
To access an EKS cluster you need AWS IAM credentials. The most secure way is to define a cross-account AWS IAM role in the customer account and assume that role.
CloudFormation template for read-only access to an EKS cluster.
Another, less secure option is to create a temporary IAM User in the customer's AWS account.
Then attach an IAM Policy to the cross-account IAM Role or to the in-account IAM User.
The required IAM Policy (replace the <> values):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["eks:DescribeCluster", "eks:ListClusters"],
      "Resource": "arn:aws:eks:<AWS_REGION>:<AWS_ACCOUNT>:cluster/<EKS_NAME>"
    }
  ]
}

EKS has the built-in Kubernetes view ClusterRole, which grants get, list and watch access across API groups and resources (note that the default view role deliberately excludes Secrets).
Create a support:viewer ClusterRoleBinding that binds the support:viewer group to the view ClusterRole:
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: support:viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: support:viewer
EOF

Edit the aws-auth ConfigMap manually (kubectl edit -n kube-system configmap/aws-auth) or with eksctl create iamidentitymapping, adding the IAM User or IAM Role to the mapUsers or mapRoles configuration.
For example:

eksctl create iamidentitymapping --username viewer --group support:viewer --arn <USER_ARN|ROLE_ARN> --cluster <CLUSTER_NAME> --region <AWS_REGION>

Generate or update the kubeconfig for the EKS cluster, either assuming the IAM Role from above or using the AWS credentials of the temporary IAM User:

aws eks --region <AWS_REGION> update-kubeconfig --name <CLUSTER_NAME>
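As an added example (not part of the original guide), a small Python check that audits the aws-auth mapRoles/mapUsers entries for the mapped support identity: it confirms the ARN is present, that it lands only in the support:viewer group, and that it is not also in system:masters. The entries are given as Python dicts as they would look after parsing the ConfigMap's YAML; the role names and account id are constructed placeholders, and audit_mappings is a hypothetical helper name.

```python
"""Offline audit of aws-auth identity mappings for an EKS read-only setup.

Hypothetical helper, not from the original guide. Input is the parsed
mapRoles/mapUsers content of the aws-auth ConfigMap, given as Python lists
so the check runs without PyYAML or cluster access.
"""

# Kubernetes groups that an external support identity must never receive.
PRIVILEGED_GROUPS = {"system:masters", "system:nodes", "system:bootstrappers"}


def audit_mappings(entries, expected_arn, allowed_groups=("support:viewer",)):
    """Return a list of findings; an empty list means the mapping is as intended.

    entries: dicts with keys rolearn|userarn, username, groups.
    expected_arn: the cross-account role or temporary user ARN from the guide.
    """
    findings = []
    matched = False
    for entry in entries:
        arn = entry.get("rolearn") or entry.get("userarn")
        if arn != expected_arn:
            continue
        matched = True
        groups = set(entry.get("groups") or [])
        privileged = groups & PRIVILEGED_GROUPS
        if privileged:
            findings.append(f"{arn} is mapped to privileged group(s) {sorted(privileged)}")
        unexpected = (groups - set(allowed_groups)) - PRIVILEGED_GROUPS
        if unexpected:
            findings.append(f"{arn} has unexpected group(s) {sorted(unexpected)}")
        if not groups:
            findings.append(f"{arn} has no groups, so the ClusterRoleBinding grants it nothing")
        if not entry.get("username"):
            findings.append(f"{arn} has no username; audit-log entries will be hard to attribute")
    if not matched:
        findings.append(f"{expected_arn} is not mapped in aws-auth")
    return findings


# Constructed sample: two mapRoles entries as they look after parsing.
# 111122223333 is a placeholder account id, not a real one.
SAMPLE_MAP_ROLES = [
    {"rolearn": "arn:aws:iam::111122223333:role/eks-support-viewer",
     "username": "viewer", "groups": ["support:viewer"]},
    {"rolearn": "arn:aws:iam::111122223333:role/eks-admin",
     "username": "admin", "groups": ["system:masters"]},
]

if __name__ == "__main__":
    for arn in (e["rolearn"] for e in SAMPLE_MAP_ROLES):
        print(arn, audit_mappings(SAMPLE_MAP_ROLES, arn) or "OK")
```

Run it against the output of kubectl get -n kube-system configmap/aws-auth after parsing the mapRoles string with a YAML loader; the support role should come back with no findings.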