Profile Applicability:
Level 1
Description:
The --authorization-mode argument controls the authorization process for API requests in Kubernetes. Including RBAC (Role-Based Access Control) in the --authorization-mode argument ensures that only users with appropriate roles and permissions can access resources and perform actions within the Kubernetes cluster. RBAC is a robust, flexible, and scalable mechanism for managing access control based on roles assigned to users or service accounts.
Rationale:
Enabling RBAC for authorization is crucial in a Kubernetes environment, as it allows for granular control over who can perform which actions on the resources within the cluster. With RBAC, you can define roles with specific permissions, ensuring that only authorized users can access sensitive resources or perform critical operations.
Impact:
Pros:
Fine-grained access control, ensuring that users and service accounts have only the necessary permissions.
Reduces the risk of unauthorized access and potential misuse of resources.
Scalable and manageable authorization, ideal for large and complex Kubernetes environments.
Cons:
Requires careful management of roles and permissions to avoid overly permissive access.
Misconfigurations may result in denying legitimate access or allowing excessive access.
Default Value:
RBAC is typically the default authorization mode in Kubernetes clusters.
Pre-requisites:
RBAC roles and role bindings must be configured in the Kubernetes cluster.
Proper definition of roles and permissions for users, service accounts, and other identities.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to your EKS Cluster.
Go to the Node Group or EKS configuration details.
Verify that the --authorization-mode argument includes RBAC in the node group's user data or the EKS configuration.
Using AWS CLI:
Run the following AWS CLI command to describe your EKS node group's configuration:
aws eks describe-nodegroup --cluster-name <cluster-name> --nodegroup-name <nodegroup-name>
Review the --authorization-mode argument in the output and ensure that RBAC is included.
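The review step above, as an added example that is not part of the original benchmark text: a shell check that parses the --authorization-mode value as a list of exact mode names instead of searching for the substring "RBAC". The function names authz_modes and check_rbac and the sample argument strings are assumptions made for illustration; feed it the argument text you found in the user data or configuration.

```shell
#!/bin/sh
# Added example (not from the original page): check an argument string for
# --authorization-mode and confirm that RBAC is one of the listed modes.

# Print every mode named by --authorization-mode in the text, one per line.
# Handles "--flag=value", "--flag value", and quoted YAML/JSON list items.
authz_modes() {
    printf '%s\n' "$1" \
      | tr -d "\"'" \
      | sed -E 's/(--authorization-mode)[[:space:]]+/\1=/g' \
      | tr -s '[:space:]' '\n' \
      | sed -n -E 's/^--authorization-mode=//p' \
      | tr ',' '\n' \
      | sed '/^$/d'
}

# Exit status: 0 = RBAC listed, 1 = flag set without RBAC, 2 = flag absent.
check_rbac() {
    modes=$(authz_modes "$1")
    [ -n "$modes" ] || return 2
    # -x matches the whole line, so only the exact token "RBAC" counts.
    printf '%s\n' "$modes" | grep -qx 'RBAC'
}

# Constructed sample argument strings (assumptions, not real cluster output).
# The second one contains "RBAC" only inside a file path, which a plain
# substring grep would wrongly accept.
for sample in \
    '--authorization-mode=Node,RBAC --secure-port=443' \
    '--authorization-mode Webhook --audit-log-path=/var/log/RBAC.log' \
    '--secure-port=443'
do
    rc=0
    check_rbac "$sample" || rc=$?
    case $rc in
        0) verdict='PASS' ;;
        1) verdict='FAIL (RBAC not listed)' ;;
        *) verdict='FAIL (flag not set)' ;;
    esac
    printf '%s: %s\n' "$verdict" "$sample"
done
```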
Implementation Plan:
Using AWS Console:
Navigate to the EKS cluster in the AWS Console.
Go to the Node Group section and select the relevant node group.
Modify the configuration to include RBAC in the --authorization-mode argument.
Save the configuration and redeploy the node group if necessary.
Using AWS CLI:
Update the --authorization-mode argument to include RBAC in the launch template, then apply the new launch template version to the node group:
aws eks update-nodegroup-version --cluster-name <cluster-name> --nodegroup-name <nodegroup-name> --launch-template name=<launch-template-name>,version=<version-number>
Backout Plan:
Using AWS Console:
Navigate to the Node Group configuration in the AWS Console.
Revert the --authorization-mode argument to its previous value (if necessary).
Save and redeploy the node group to ensure the settings are reverted.
Using AWS CLI:
If issues occur, revert to the previous configuration using:
aws eks update-nodegroup-version --cluster-name <cluster-name> --nodegroup-name <nodegroup-name> --launch-template name=<launch-template-name>,version=<old-version-number>