Profile Applicability:
• Level 1
Description:
Amazon EKS uses IAM to provide authentication to your Kubernetes cluster through the AWS IAM Authenticator for Kubernetes. You can configure the standard kubectl client to work with Amazon EKS by installing the AWS IAM Authenticator for Kubernetes and modifying your kubectl configuration file to use it for authentication.
Rationale:
Managing user access effectively is critical to maintaining security and preventing unauthorized access. By using a single source of truth for user permissions (AWS IAM), the process of onboarding and offboarding users becomes streamlined, reducing errors and improving audit compliance.
Impact:
Users must now be assigned to the IAM group that provides access to the appropriate Kubernetes namespace for deploying applications. If users are not assigned to the proper group, they will not be able to access the namespace or deploy applications.
Default Value:
For role-based access control (RBAC), system:masters permissions are configured by default in the Amazon EKS control plane.
Pre-requisites:
The cluster must have AWS IAM Authenticator for Kubernetes configured for integrating IAM roles with Kubernetes RBAC. Alternatively, you can use AWS CLI v1.16.156 or greater for managing users and roles.
Remediation:
Test Plan:
Using AWS Console:
Go to Amazon EKS Console and check if AWS IAM Authenticator for Kubernetes is configured.
If using AWS CLI v1.16.156 or greater, check the version of the AWS CLI by running:
aws --version
Using AWS CLI:
Run the following command to verify the AWS CLI version:
aws --version
Ensure that the IAM roles are properly configured to control Kubernetes RBAC access:
aws eks describe-cluster --name <cluster-name> --query 'cluster.identity.oidc.issuer'
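An added check script for the two verification steps above; it is not part of the benchmark text. It parses the output of `aws --version` against the v1.16.156 minimum (the release that introduced `aws eks get-token`, which is why that version is the floor) and confirms that the active kubeconfig authenticates through the AWS IAM Authenticator or `aws eks get-token` rather than a static token or client certificate. The `RUN_CHECK` variable and the sample version strings in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the benchmark): verify AWS CLI version and that the
# current kubeconfig uses IAM-based authentication for the EKS cluster.

MIN_VERSION="1.16.156"   # minimum stated by the benchmark

# version_ge A B: exit 0 when dotted version A >= B, 1 otherwise.
# Missing components count as 0, so "1.16" < "1.16.156".
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    a_part=${a%%.*}; b_part=${b%%.*}
    a_part=${a_part:-0}; b_part=${b_part:-0}
    if [ "$a_part" -gt "$b_part" ]; then return 0; fi
    if [ "$a_part" -lt "$b_part" ]; then return 1; fi
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  return 0
}

# aws_cli_version OUTPUT: extract "X.Y.Z" from what `aws --version` prints,
# e.g. "aws-cli/2.15.30 Python/3.11.8 Linux/6.1.0 exe/x86_64" (constructed
# sample). CLI v1 writes this line to stderr, so capture with 2>&1.
aws_cli_version() {
  v=${1#*aws-cli/}
  printf '%s\n' "${v%% *}"
}

# aws_cli_version_ok OUTPUT: exit 0 if that output meets MIN_VERSION.
aws_cli_version_ok() {
  version_ge "$(aws_cli_version "$1")" "$MIN_VERSION"
}

# kubeconfig_uses_iam KUBECONFIG_TEXT: exit 0 if a user entry runs the IAM
# authenticator binary or `aws eks get-token`; static credentials fail this.
kubeconfig_uses_iam() {
  printf '%s\n' "$1" | grep -Eq 'aws-iam-authenticator|get-token'
}

# Live check against the workstation, only when RUN_CHECK=1 (assumed name),
# so the functions above can be sourced without side effects.
if [ "${RUN_CHECK:-0}" = "1" ]; then
  out=$(aws --version 2>&1)
  if aws_cli_version_ok "$out"; then
    echo "OK: AWS CLI $(aws_cli_version "$out") >= $MIN_VERSION"
  else
    echo "FAIL: AWS CLI $(aws_cli_version "$out") < $MIN_VERSION, upgrade it"
  fi
  if kubeconfig_uses_iam "$(kubectl config view --minify --raw)"; then
    echo "OK: current kubeconfig context authenticates through IAM"
  else
    echo "FAIL: current kubeconfig context does not use IAM authentication"
  fi
fi
```

Run it as `RUN_CHECK=1 sh check-eks-iam-auth.sh` with the kubeconfig context for the cluster selected; a FAIL on the second check means users are reaching the API server with credentials that IAM does not govern, which defeats the single-source-of-truth goal in the rationale.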
Implementation Plan:
Using AWS Console:
Navigate to Amazon EKS Console and configure AWS IAM Authenticator for Kubernetes for managing RBAC.
If using the AWS CLI, ensure it is upgraded to version v1.16.156 or greater:
To upgrade, first check the current version by running:
aws --version
(Confirm that the reported version is v1.16.156 or greater.) If necessary, download and install the latest AWS CLI version from AWS CLI v2.
Using AWS CLI:
Upgrade the AWS CLI to version v1.16.156 or greater:
Follow the instructions on AWS CLI Installation and Update.
Configure AWS IAM Authenticator for Kubernetes if not yet installed.
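The Impact section above says users must be in the IAM role or group that maps to their namespace. The following added example, not part of the benchmark text, shows the two halves of that mapping: an aws-auth ConfigMap `mapRoles` entry that turns an IAM role into a Kubernetes group, and a namespace-scoped Role plus RoleBinding that grants that group deploy permissions in one namespace only. The role ARN, group name, namespace and verb list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the benchmark): grant an IAM role access to a single
# namespace by mapping it to a Kubernetes group and binding that group to a
# namespaced Role. All names and the ARN below are placeholders.

# render_map_roles_entry ROLE_ARN GROUP: emit one entry to append under
# data.mapRoles in the aws-auth ConfigMap (kube-system namespace).
# {{SessionName}} is expanded by the authenticator, so audit logs show
# which assumed-role session acted, not just the role.
render_map_roles_entry() {
  role_arn="$1"; k8s_group="$2"
  cat <<EOF
- rolearn: ${role_arn}
  username: ${k8s_group}:{{SessionName}}
  groups:
    - ${k8s_group}
EOF
}

# render_namespace_rbac NAMESPACE GROUP: emit a Role limited to NAMESPACE and
# a RoleBinding that attaches it to GROUP. A Role (not ClusterRole) keeps the
# grant from leaking into other namespaces.
render_namespace_rbac() {
  ns="$1"; k8s_group="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${k8s_group}-deployer
  namespace: ${ns}
rules:
  - apiGroups: ["", "apps"]
    resources: ["deployments", "pods", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${k8s_group}-deployer
  namespace: ${ns}
subjects:
  - kind: Group
    name: ${k8s_group}
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${k8s_group}-deployer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Usage (needs kubectl access to the cluster; placeholder values):
#   render_namespace_rbac dev dev-team | kubectl apply -f -
#   render_map_roles_entry arn:aws:iam::123456789012:role/dev-team dev-team
# then add the printed entry under data.mapRoles with
#   kubectl edit configmap aws-auth -n kube-system
```

Append the `mapRoles` entry to the existing list; never replace the whole aws-auth ConfigMap, because it also carries the node instance role mapping and overwriting it detaches every worker node. Clusters that use EKS access entries can achieve the same mapping with `aws eks create-access-entry --cluster-name <cluster-name> --principal-arn <role-arn> --kubernetes-groups <group>` instead of editing aws-auth. Members of the IAM role then run `aws eks update-kubeconfig --name <cluster-name>` and can only act inside the bound namespace, which is the Impact section's intended behaviour.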
Backout Plan:
Using AWS Console:
If needed, revert the configuration by removing the AWS IAM Authenticator integration and switching back to the default RBAC user management.
Revert any changes made to AWS CLI configurations if AWS CLI v1.16.156 or greater is not compatible with your setup.
Using AWS CLI:
If AWS IAM Authenticator configuration needs to be removed, you can undo the configuration steps.
If you need to downgrade the AWS CLI, you can uninstall the new version and reinstall an older version.
References: