Building on the previous setup, we will now introduce a new namespace for production, create a new IAM user with limited roles, and configure Kubernetes to integrate this user. This step-by-step guide will help ensure that your production environment is securely managed and properly isolated.
Creating a Production Namespace
Namespaces in Kubernetes provide a way to divide cluster resources between multiple users. To create a namespace for production, use the following command:
sudo kubectl create namespace production
Configuring IAM for testproduser
We will create and configure a new IAM user, testproduser, to interact with the production namespace.
- Configure AWS CLI for testproduser: Set up AWS CLI for the new user:
aws configure
Follow the prompts to enter the testproduser credentials.
- Edit AWS Auth ConfigMap: Retrieve the current aws-auth ConfigMap and edit it to map testproduser to a Kubernetes username and group:
sudo kubectl -n kube-system get configmap aws-auth -o yaml > aws-auth-configmap.yaml
vim aws-auth-configmap.yaml
Add the following under mapUsers (inside the data section of the ConfigMap):
mapUsers: |
  - userarn: arn:aws:iam::xxxxxxxxx:user/testproduser
    username: testproduser
    groups:
      - testproduser-role
- Apply the Updated ConfigMap: Apply the modified aws-auth ConfigMap:
sudo kubectl apply -f aws-auth-configmap.yaml -n kube-system
- Verify the Configuration: Check if the changes have been applied correctly:
sudo kubectl -n kube-system get cm aws-auth
sudo kubectl -n kube-system describe cm aws-auth
Updating AWS Credentials File
Update the ~/.aws/credentials file to include profiles for testproduser:
[default]
aws_access_key_id=.....testuser
aws_secret_access_key=.....
region=us-east-2
output=json
[clusteradmin]
aws_access_key_id=.....testadminuser
aws_secret_access_key=.....
region=us-east-2
output=json
[prodviewer]
aws_access_key_id=.....testproduser
aws_secret_access_key=.....
region=us-east-2
output=json
Switching to the prodviewer Profile
To switch to the prodviewer profile and verify which IAM identity is now in use (the first call shows the default profile, the second the prodviewer profile):
aws sts get-caller-identity
export AWS_PROFILE="prodviewer"
aws sts get-caller-identity
Applying RBAC Configuration
Create role.yaml and rolebinding.yaml to define roles and permissions for testproduser.
Example role.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
Example rolebinding.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
  - kind: User
    name: testproduser
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Apply the RBAC Configuration:
sudo kubectl apply -f role.yaml
sudo kubectl apply -f rolebinding.yaml
Verifying Access
Ensure that testproduser can access resources within the production namespace and nothing else. With the prodviewer profile active, the first two commands should be refused with a Forbidden error, because the pod-reader Role only grants pod access inside the production namespace; only the third command should succeed:
sudo kubectl get nodes
sudo kubectl -n kube-system get pods
sudo kubectl -n production get pods
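The chain from IAM user to aws-auth mapping to RoleBinding to Role is easy to get wrong, and the three verification commands above only tell you the outcome, not why. The following script is an added example, not part of the original guide: it models the aws-auth mapUsers entry, the pod-reader Role and the read-pods RoleBinding from this guide as plain Python data and reproduces the Kubernetes RBAC decision for each verification command. It models namespaced Roles only (no ClusterRoles), and the account ID in the ARN is the same placeholder used above.

```python
"""Model of the IAM -> aws-auth -> RBAC chain described in this guide.

Added example (not the guide's own code). It assumes the aws-auth
mapping, Role and RoleBinding shown above and reproduces the RBAC
decision for the three 'Verifying Access' commands.
"""
from dataclasses import dataclass, field

# Constructed: the mapUsers entry added to the aws-auth ConfigMap above.
AWS_AUTH_MAP_USERS = [
    {
        "userarn": "arn:aws:iam::xxxxxxxxx:user/testproduser",  # placeholder account id
        "username": "testproduser",
        "groups": ["testproduser-role"],
    }
]

# Constructed: role.yaml and rolebinding.yaml as Python dicts.
ROLES = [
    {
        "metadata": {"namespace": "production", "name": "pod-reader"},
        "rules": [{"apiGroups": [""], "resources": ["pods"],
                   "verbs": ["get", "watch", "list"]}],
    }
]
ROLE_BINDINGS = [
    {
        "metadata": {"name": "read-pods", "namespace": "production"},
        "subjects": [{"kind": "User", "name": "testproduser"}],
        "roleRef": {"kind": "Role", "name": "pod-reader"},
    }
]


@dataclass
class Identity:
    """Kubernetes identity that aws-auth assigns to an IAM principal."""
    username: str
    groups: list = field(default_factory=list)


def resolve_iam_user(userarn, map_users=AWS_AUTH_MAP_USERS):
    """Translate an IAM user ARN into the username/groups from mapUsers."""
    for entry in map_users:
        if entry["userarn"] == userarn:
            return Identity(entry["username"], list(entry["groups"]))
    return None  # an unmapped IAM principal is not authenticated at all


def subject_matches(subject, identity):
    """A RoleBinding subject matches by username (User) or group membership (Group)."""
    if subject["kind"] == "User":
        return subject["name"] == identity.username
    if subject["kind"] == "Group":
        return subject["name"] in identity.groups
    return False


def rule_allows(rule, verb, api_group, resource):
    """A rule allows a request when group, resource and verb all match ('*' is a wildcard)."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule["apiGroups"], api_group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))


def is_allowed(identity, verb, resource, namespace=None, api_group="",
               roles=ROLES, bindings=ROLE_BINDINGS):
    """RBAC decision using namespaced Roles only; cluster-scoped requests are denied."""
    if identity is None or namespace is None:
        return False  # a Role can never grant cluster-scoped resources such as nodes
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, identity) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        for role in roles:
            if (ref["kind"] == "Role"
                    and role["metadata"]["name"] == ref["name"]
                    and role["metadata"]["namespace"] == namespace):
                if any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
                    return True
    return False


def verification_results(userarn="arn:aws:iam::xxxxxxxxx:user/testproduser"):
    """Expected outcome of the three verification commands for the mapped user."""
    ident = resolve_iam_user(userarn)
    return {
        "kubectl get nodes": is_allowed(ident, "list", "nodes"),
        "kubectl -n kube-system get pods": is_allowed(ident, "list", "pods", "kube-system"),
        "kubectl -n production get pods": is_allowed(ident, "list", "pods", "production"),
    }


if __name__ == "__main__":
    for cmd, ok in verification_results().items():
        print(f"{cmd:34s} -> {'allowed' if ok else 'Forbidden'}")
```

Note that the RoleBinding above matches on the username testproduser, so the testproduser-role group listed in aws-auth grants nothing until a binding names it as a Group subject; the model makes that visible, since changing the binding's subject kind to Group with name testproduser-role produces the same decisions. Any verb not in the Role (for example delete on pods) is refused even inside production.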
Cleaning Up
To maintain a clean environment, you may occasionally need to delete node groups or services:
- Delete a Node Group:
eksctl delete nodegroup --cluster=eks-cluster --name=ng-1 --approve
- Get and Delete Services:
sudo kubectl get svc --all-namespaces
sudo kubectl delete svc service-name
- Delete the EKS Cluster:
eksctl delete cluster --name eks-cluster
By following this guide, you have now expanded your EKS cluster management to include a production namespace and configured IAM and RBAC to securely manage user access. This setup ensures that your production environment is well-isolated and that users have the appropriate level of access based on their roles. Understanding and implementing these configurations is crucial for maintaining a secure and efficient Kubernetes environment.