eksuser
eksuser is a convenience utility that you can use to manage Amazon EKS users.
It lets you add, update and delete EKS access for existing IAM users. It can also add or delete all users of an existing IAM group.
Prerequisites
- An Amazon EKS cluster is installed and running
- aws-cli is configured
- kubectl and aws-iam-authenticator are configured
- Existing Kubernetes groups that have access
You can create a Role/ClusterRole and then create a binding to the group:
dev-role1.yaml - A Role that gives rights to everything in namespace app1
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: super-developer
  namespace: app1
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: super-developer
  namespace: app1
subjects:
  - kind: Group
    name: super-developer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: super-developer
  apiGroup: rbac.authorization.k8s.io
$ kubectl apply -f dev-role1.yaml
admin-cluster-role1.yaml - A ClusterRole that gives super privileges on the cluster
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: super-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: super-admin
subjects:
  - kind: Group
    name: super-admin
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: super-admin
  apiGroup: rbac.authorization.k8s.io
$ kubectl apply -f admin-cluster-role1.yaml
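Both manifests above grant `*` on everything, so any IAM user that eksuser maps to these groups inherits those rights. The audit script below is an added example, not part of eksuser or of this page's original code: it lists which Kubernetes groups are bound to wildcard roles, run here on a constructed sample that mirrors the two manifests (all function and variable names are hypothetical).

```python
import json
import sys

# Constructed sample shaped like `kubectl get roles,clusterroles,rolebindings,
# clusterrolebindings -A -o json`, trimmed to the four objects on this page.
# All names below (ALL, SAMPLE, is_wildcard, wildcard_groups) are this example's own.
ALL = {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
SAMPLE = {"kind": "List", "items": [
    {"kind": "Role", "metadata": {"name": "super-developer", "namespace": "app1"},
     "rules": [ALL]},
    {"kind": "RoleBinding", "metadata": {"name": "super-developer", "namespace": "app1"},
     "subjects": [{"kind": "Group", "name": "super-developer"}],
     "roleRef": {"kind": "Role", "name": "super-developer"}},
    {"kind": "ClusterRole", "metadata": {"name": "super-admin"},
     "rules": [ALL, {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "super-admin"},
     "subjects": [{"kind": "Group", "name": "super-admin"}],
     "roleRef": {"kind": "ClusterRole", "name": "super-admin"}},
]}

def is_wildcard(rule):
    """True when one rule grants every verb on every resource in every API group."""
    return all("*" in (rule.get(k) or []) for k in ("apiGroups", "resources", "verbs"))

def wildcard_groups(listing):
    """Return sorted (group, scope, role) for Group subjects bound to a wildcard role."""
    roles, findings = {}, []
    for obj in listing["items"]:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace") if obj["kind"] == "Role" else None
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules") or []
    for obj in listing["items"]:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = obj["roleRef"], obj["metadata"].get("namespace")
        key = (ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"])
        if not any(is_wildcard(r) for r in roles.get(key, [])):
            continue
        scope = f"namespace {ns}" if obj["kind"] == "RoleBinding" else "cluster-wide"
        findings += [(s["name"], scope, ref["name"])
                     for s in obj.get("subjects") or [] if s["kind"] == "Group"]
    return sorted(findings)

if __name__ == "__main__":
    listing = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            listing = json.load(fh)
    for group, scope, role in wildcard_groups(listing):
        print(f"{group}: wildcard rights via {role} ({scope})")
```

On a live cluster, save the output of the kubectl command named in the header comment to a file and pass its path as the first argument. The default cluster-admin binding for system:masters is reported as well.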
Now to add an existing IAM user to EKS:
$ eksuser add --user=prabhat --group=super-admin
$ eksuser add --user=prabhat --group=super-admin,super-developer
To give an IAM user admin rights on the cluster:
$ eksuser add --user=prabhat --group=system:masters
To update an existing IAM user in EKS:
$ eksuser update --user=prabhat --group=super-developer
To delete an existing IAM user from EKS:
$ eksuser delete --user=prabhat
Remember that this does not delete the IAM user from AWS IAM; it only removes the IAM user's entry from EKS.
To add all users of an AWS IAM group to EKS:
$ eksuser add --iamgroup=admin --group=system:masters
To delete all users of an AWS IAM group from EKS:
$ eksuser delete --iamgroup=admin
Generate kubeconfig file
A user who has been added to EKS can configure the .kube/config file on their own machine with the following command:
$ aws eks update-kubeconfig --name cluster_name
Installation
Download the binary from the releases page and place it in your PATH.