...

Code Block
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:masters

WHERE

rolearn - the ARN of the IAM role to be added (CLOUDAWARE_ROLE_ARN is a placeholder that needs to be replaced by your Cluster Role ARN).

username - the username within Kubernetes to be mapped to the IAM role (doesn't require changes).

groups - the list of Kubernetes groups the role is mapped to (doesn't require changes). See Default Roles and Role Bindings in the Kubernetes documentation for more information.

2. If you would like to grant Cloudaware read-only access instead, create a ClusterRole and a ClusterRoleBinding in Kubernetes by following the steps below:

...


2.1. Create cloudaware-rbac.yaml

...

using the contents below:

Code Block
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-reader
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-binding
subjects:
- kind: User
  name: cloudaware
  namespace: default
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: cloudaware-reader
  apiGroup: ""

...

ClusterRole cloudaware-reader grants read access (get, list, watch) to all resources within the cluster. ClusterRoleBinding cloudaware-binding maps that ClusterRole to the Kubernetes user cloudaware.

2.2 Run the following command:

Code Block
kubectl create -f cloudaware-rbac.yaml

2.3. To map IAM users and roles to Kubernetes users in the EKS cluster, define them in the aws-auth ConfigMap, which exists once your cluster has been created. To add an IAM role to the cluster, modify this ConfigMap by adding the role's ARN and its Kubernetes username as an array item under the mapRoles property. To perform the modification, run the following command:

...

Code Block
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware

WHERE

CLOUDAWARE_ROLE_ARN in rolearn is a placeholder that needs to be replaced by your Cluster Role ARN.

Make sure not to remove the existing mappings in the mapRoles and/or mapUsers sections. You only need to append a role for Cloudaware.
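The two mapRoles variants on this page (the full-access mapping into system:masters at the top, and the read-only mapping with username cloudaware in step 2.3) differ only in the entry appended to aws-auth, and the warning above is the part people get wrong in practice: replacing the whole mapRoles value drops the node role mapping EKS installed, and nodes stop authenticating. The script below is an added example and is not Cloudaware's or AWS's code. It appends a mapping while preserving every existing entry, is safe to re-run, and flags any entry that lands in system:masters. Its mapRoles parser is deliberately limited to the flat shape shown on this page (one rolearn, one username, an optional groups list per entry); the ARNs and the existing node-role entry are constructed placeholders.

```python
"""Append a role mapping to an EKS aws-auth mapRoles value without
clobbering existing entries, and flag cluster-admin mappings.

Added example, not Cloudaware's or AWS's code. The parser handles only
the flat mapRoles shape shown on the documentation page; for arbitrary
YAML use PyYAML instead.
"""

# Constructed sample: what data.mapRoles looks like in a fresh EKS cluster
# (the node role mapping EKS installs). The account id and role name are
# placeholders.
EXISTING_MAPROLES = """\
- rolearn: arn:aws:iam::111122223333:role/eks-node-role-PLACEHOLDER
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
"""

# Membership in this group is full cluster-admin, regardless of any
# ClusterRole or ClusterRoleBinding you define.
CLUSTER_ADMIN_GROUPS = {"system:masters"}


def parse_map_roles(text):
    """Parse the restricted mapRoles shape into a list of dicts.

    Entries start with '- ' at column 0; indented '- item' lines after a
    'groups:' key are group names. Values are split on the first ':' so
    ARNs and 'system:node:...' usernames keep their colons.
    """
    entries, current, in_groups = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if line.startswith("- ") and indent == 0:
            current = {"rolearn": "", "username": "", "groups": []}
            entries.append(current)
            in_groups = False
            line = line[2:].strip()
        elif line.startswith("- ") and in_groups:
            current["groups"].append(line[2:].strip())
            continue
        if current is None:
            raise ValueError("mapRoles must be a list of entries")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "groups":
            in_groups = True
        elif key in ("rolearn", "username"):
            current[key] = value
            in_groups = False
        else:
            raise ValueError(f"unexpected key {key!r} in mapRoles")
    return entries


def render_map_roles(entries):
    """Serialize entries back into the mapRoles block-scalar text."""
    lines = []
    for e in entries:
        lines.append(f"- rolearn: {e['rolearn']}")
        lines.append(f"  username: {e['username']}")
        if e["groups"]:
            lines.append("  groups:")
            lines.extend(f"    - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"


def append_role_mapping(map_roles_text, rolearn, username, groups=()):
    """Return mapRoles with the new mapping appended.

    Existing entries are kept verbatim. If the ARN is already mapped the
    current entries are returned unchanged, so re-running the step is safe.
    """
    if not rolearn.startswith("arn:") or not username:
        raise ValueError("rolearn must be an IAM role ARN and username non-empty")
    entries = parse_map_roles(map_roles_text)
    if all(e["rolearn"] != rolearn for e in entries):
        entries.append({"rolearn": rolearn, "username": username,
                        "groups": list(groups)})
    return render_map_roles(entries)


def cluster_admin_mappings(map_roles_text):
    """Role ARNs whose mapping grants system:masters (cluster-admin)."""
    return [e["rolearn"] for e in parse_map_roles(map_roles_text)
            if CLUSTER_ADMIN_GROUPS & set(e["groups"])]


if __name__ == "__main__":
    arn = "arn:aws:iam::111122223333:role/CloudawareRole-PLACEHOLDER"  # constructed
    # Read-only variant (step 2.3): access comes from the cloudaware-binding
    # ClusterRoleBinding, so no groups are needed here.
    read_only = append_role_mapping(EXISTING_MAPROLES, arn, "cloudaware")
    print(read_only)
    print("cluster-admin mappings:", cluster_admin_mappings(read_only))
    # Full-access variant (first ConfigMap on the page).
    full = append_role_mapping(EXISTING_MAPROLES, arn,
                               "system:node:{{EC2PrivateDNSName}}", ["system:masters"])
    print("cluster-admin mappings:", cluster_admin_mappings(full))
```

To use it, take the current value of data.mapRoles from the aws-auth ConfigMap in kube-system, pass it through append_role_mapping, diff the result against the original to confirm only one entry was added, and write it back with kubectl edit. Running cluster_admin_mappings on the result is a quick way to confirm that the read-only setup did not accidentally land Cloudaware in system:masters.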

...