DevOps Tools

Expanding EKS Cluster Management with Production Namespace and User Access

Building on the previous setup, we will now introduce a new namespace for production, create a new IAM user with limited roles, and configure Kubernetes to integrate this user. This step-by-step guide will help ensure that your production environment is securely managed and properly isolated.

Creating a Production Namespace

Namespaces in Kubernetes provide a way to divide cluster resources between multiple users. To create a namespace for production, use the following command:

sudo kubectl create namespace production

Configuring IAM for testproduser

We will create and configure a new IAM user, testproduser, to interact with the production namespace.

  1. Configure AWS CLI for testproduser: Set up AWS CLI for the new user:
   aws configure

Follow the prompts to enter testproduser credentials.

  1. Edit AWS Auth ConfigMap: Retrieve the current aws-auth ConfigMap and edit it to map testproduser to a role in Kubernetes:
   sudo kubectl -n kube-system get configmap aws-auth -o yaml > aws-auth-configmap.yaml
   vim aws-auth-configmap.yaml

Add the following under mapUsers:

     mapUsers: |
       - userarn: arn:aws:iam::xxxxxxxxx:user/testproduser
         username: testproduser
         groups:
           - testproduser-role
  1. Apply the Updated ConfigMap: Apply the modified aws-auth ConfigMap:
   sudo kubectl apply -f aws-auth-configmap.yaml -n kube-system
  1. Verify the Configuration: Check if the changes have been applied correctly:
   sudo kubectl -n kube-system get cm aws-auth
   sudo kubectl -n kube-system describe cm aws-auth

Updating AWS Credentials File

Update the ~/.aws/credentials file to include profiles for testproduser:

[default]
aws_access_key_id=.....testuser
aws_secret_access_key=.....
region=us-east-2
output=json

[clusteradmin]

aws_access_key_id=…..testadminuser aws_secret_access_key=….. region=us-east-2 output=json

[prodviewer]

aws_access_key_id=…..testproduser aws_secret_access_key=….. region=us-east-2 output=json

Switching to prodviewer Profile

To switch to the prodviewer profile and verify access:

aws sts get-caller-identity
export AWS_PROFILE="prodviewer"
aws sts get-caller-identity

Applying RBAC Configuration

Create role.yaml and rolebinding.yaml to define roles and permissions for testproduser.

Example role.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Example rolebinding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: testproduser
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Apply the RBAC Configuration:

sudo kubectl apply -f role.yaml
sudo kubectl apply -f rolebinding.yaml

Verifying Access

Ensure that testproduser can access resources within the production namespace:

sudo kubectl get nodes
sudo kubectl -n kube-system get pods
sudo kubectl -n production get pods

Cleaning Up

To maintain a clean environment, you may occasionally need to delete node groups or services:

  1. Delete a Node Group:
   eksctl delete nodegroup --cluster=eks-cluster --name=ng-1 --approve
  1. Get and Delete Services:
   sudo kubectl get svc --all-namespaces
   sudo kubectl delete svc service-name
  1. Delete the EKS Cluster:
   eksctl delete cluster --name eks-cluster

By following this guide, you have now expanded your EKS cluster management to include a production namespace and configured IAM and RBAC to securely manage user access. This setup ensures that your production environment is well-isolated and that users have the appropriate level of access based on their roles. Understanding and implementing these configurations is crucial for maintaining a secure and efficient Kubernetes environment.

Ali Imran
Over the past 20+ years, I have been working as a software engineer, architect, and programmer, creating, designing, and programming various applications. My main focus has always been to achieve business goals and transform business ideas into digital reality. I have successfully solved numerous business problems and increased productivity for small businesses as well as enterprise corporations through the solutions that I created. My strong technical background and ability to work effectively in team environments make me a valuable asset to any organization.
https://ITsAli.com

Leave a Reply