I have a service running inside the EKS cluster which reads/adds/updates/patches different kubernetes objects across multiple namespaces. For this to work, I did the following:
- Create an IAM Role =>
service_account_role - Attached
arn:aws:iam::aws:policy/AdministratorAccesspolicy to it - Create a
ServiceAccountinside the cluster which is annotated witheks.amazonaws.com/role-arn: ${service_account_role} - Create a
ClusterRolewith rules to give proper access for performing required operations - Create a
ClusterRoleBindingto bind the above createdClusterRoleandServiceAccount
On running the application, I get error as: User \"system:anonymous\" cannot patch resource (403) (Here I was trying to patch an Ingress object to update annotation using python kubernetes client using the method read_namespaced_ingress)
Next, I tried adding the service_account_role to aws_auth config map with group system:masters and the application started running fine without any issues.
So my questions are:
- Despite having all the required rules setup as a part of
ClusterRolewhich is bound to the podsServiceAccount, why is it still required to map the relevant role using theaws-authconfig map? - Isn't this map only used to access the AWS resources outside the cluster?
- What is the
system:anonymousgroup? I couldn't find any good source of information regarding this. - Is it possible to move the IRSA to
system:masterswithout touching aws-auth config map? Patching this map concurrently is big pain which could happen as I need multiple services/IRSAs which would require such permissions.