TODO: Create a new AWS account here and replace the aws account number with env variable
As an administrator running a Kubernetes cluster on AWS, you can use AWS IAM to manage the users who get Kubernetes access, so you don't need to maintain a separate list of users inside Kubernetes. Authentication of those users for Kubernetes access is handled by aws_iam_authenticator.
AWS created the AWS IAM Authenticator, which lets users authenticate to the cluster with their AWS Identity and Access Management (IAM) identities. To enable it, add the object below to the cluster.yaml. This creates the aws_iam_authenticator pod in the kube-system namespace of the cluster.
authentication:
  aws:
    backendMode: CRD
    clusterID: eu-north-1.training.dx-book.com
    identityMappings:
      - arn: arn:aws:iam::292243477487:role/KubernetesAdmin
        username: admin:{{SessionName}}
        groups:
          - system:masters
      - arn: arn:aws:iam::292243477487:role/Developer
        username: dev:{{SessionName}}
        groups:
          - developers
Let's update the cluster.yaml using the snippet below, which maps Kubernetes groups to the IAM roles we'll create afterwards. Export CLUSTER_NAME and AWS_ACCOUNT first; strenv() reads them as strings, so the account number is not parsed as a number.
yq e -i ".spec.authentication.aws.backendMode = \"CRD\" |
  .spec.authentication.aws.clusterID = strenv(CLUSTER_NAME) |
  .spec.authentication.aws.identityMappings = [
    {
      \"arn\": \"arn:aws:iam::\" + strenv(AWS_ACCOUNT) + \":role/KubernetesAdmin\",
      \"username\": \"admin:{{SessionName}}\",
      \"groups\": [\"system:masters\"]
    },
    {
      \"arn\": \"arn:aws:iam::\" + strenv(AWS_ACCOUNT) + \":role/Developer\",
      \"username\": \"dev:{{SessionName}}\",
      \"groups\": [\"developers\"]
    }
  ]" cluster.yaml
Also enable token webhook authentication and webhook authorization on the kubelet:
yq e '.spec.kubelet.authenticationTokenWebhook = true' -i cluster.yaml
yq e '.spec.kubelet.authorizationMode = "Webhook"' -i cluster.yaml
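As an added example (not part of the page, kOps or aws-iam-authenticator), the shell functions below mimic how the authenticator turns a caller's STS identity into a Kubernetes user with the identityMappings configured above: the assumed-role ARN is canonicalized to the IAM role ARN the mapping is keyed on, the literal {{SessionName}} token in the matching template is replaced, and a caller with no matching mapping gets no Kubernetes identity at all. The session names and the second account number 111111111111 are constructed for the example.

```shell
# Added example: resolve an STS caller identity to the Kubernetes user and groups
# that the identityMappings in cluster.yaml would yield. Not part of kOps or
# aws-iam-authenticator; the table below is constructed from the two mappings above.
set -eu

# "<IAM role ARN>|<username template>|<groups>", one mapping per line
MAPPINGS='arn:aws:iam::292243477487:role/KubernetesAdmin|admin:{{SessionName}}|system:masters
arn:aws:iam::292243477487:role/Developer|dev:{{SessionName}}|developers'

# Canonicalize an assumed-role STS ARN to the IAM role ARN the mappings are keyed on:
#   arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCOUNT:role/ROLE SESSION
# Any other ARN is printed unchanged, with no session name.
canonicalize_arn() {
  arn=$1
  case "$arn" in
    arn:aws:sts::*:assumed-role/*/*)
      acct=${arn#arn:aws:sts::}; acct=${acct%%:*}
      rest=${arn#*:assumed-role/}
      printf 'arn:aws:iam::%s:role/%s %s\n' "$acct" "${rest%%/*}" "${rest#*/}" ;;
    *)
      printf '%s\n' "$arn" ;;
  esac
}

# Look up the canonical role ARN and render the username template.
# Prints "<username> <groups>", or "unmapped" when no identity mapping matches,
# which is the case the authenticator rejects (the caller gets no Kubernetes identity).
resolve_identity() {
  set -- $(canonicalize_arn "$1")
  role_arn=$1; session=${2:-}
  result=$(printf '%s\n' "$MAPPINGS" | while IFS='|' read -r arn template groups; do
    [ "$arn" = "$role_arn" ] || continue
    # Same substitution the authenticator performs: the exact token {{SessionName}}
    user=$(printf '%s\n' "$template" | sed "s|{{SessionName}}|$session|")
    printf '%s %s\n' "$user" "$groups"
  done)
  if [ -n "$result" ]; then printf '%s\n' "$result"; else printf 'unmapped\n'; fi
}

# Constructed callers: alice and bob are session names chosen for the example;
# eve assumed a same-named role in a different, constructed account (111111111111),
# which the mapping does not trust because the ARN includes the account id.
resolve_identity arn:aws:sts::292243477487:assumed-role/KubernetesAdmin/alice
resolve_identity arn:aws:sts::292243477487:assumed-role/Developer/bob
resolve_identity arn:aws:sts::111111111111:assumed-role/KubernetesAdmin/eve
```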
Configuring roles
The commands below use the AWS (Amazon Web Services) IAM (Identity and Access Management) CLI to create a role and a group, and then a policy that allows users in the group to assume the role.
KubernetesAdmin
This first command creates a new IAM role named KubernetesAdmin. The --assume-role-policy-document option supplies the trust policy that determines who can assume the role. Here the trusted principal is the account root ARN arn:aws:iam::292243477487:root, which means any IAM identity in that account whose own policies allow sts:AssumeRole on this role can assume it. The sts:AssumeRole action belongs to AWS Security Token Service (STS) and is used to grant temporary access to AWS resources.
aws iam create-role --role-name KubernetesAdmin --assume-role-policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::292243477487:root"}, "Action": "sts:AssumeRole"}]}'
This next command creates a new IAM group named KubernetesAdmin. Users can be added to this group, and any policy attached to the group applies to every user in it. In other words, the cluster admin users are managed through AWS IAM group membership.
aws iam create-group --group-name KubernetesAdmin
Next, we create a new IAM policy named KubeAdminAssumeRolePolicy. This policy allows the sts:AssumeRole action on the KubernetesAdmin role created above. Once attached to the KubernetesAdmin group, it gives every user in that group the ability to assume the KubernetesAdmin role.
aws iam create-policy --policy-name KubeAdminAssumeRolePolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Resource":"arn:aws:iam::292243477487:role/KubernetesAdmin"}]}'
Finally, attach the KubeAdminAssumeRolePolicy policy to the KubernetesAdmin group with the following command:
aws iam attach-group-policy --group-name KubernetesAdmin --policy-arn arn:aws:iam::292243477487:policy/KubeAdminAssumeRolePolicy
Developer
Now we will create a similar setup for a role with fewer privileges, named Developer. This role will be used by the majority of the team and is more restricted. Later we will look at automating this with our generators; for now, let's create the Developer role and attach its policy, following the same steps as for the KubernetesAdmin role.
# Creating a new role
aws iam create-role --role-name Developer --assume-role-policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::292243477487:root"}, "Action": "sts:AssumeRole"}]}'
# Creating a new group for developers
aws iam create-group --group-name Developers
# Create the policy to assume the role Developer
aws iam create-policy --policy-name DevelopersAssumeRolePolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Resource":"arn:aws:iam::292243477487:role/Developer"}]}'
# Finally, attach the policy to the Developers group
aws iam attach-group-policy --group-name Developers --policy-arn arn:aws:iam::292243477487:policy/DevelopersAssumeRolePolicy
All good with roles. Next, let’s deploy the cluster.