I am trying to map AWS IAM Role (Federated) to EKS RBAC, trying to follow this tutorial, but still get error
➜ kubectl edit configmap aws-auth -n kube-system
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
mapAccounts: |
[]
mapRoles: |
- "groups":
- "system:bootstrappers"
- "system:nodes"
"rolearn": "arn:aws:iam::xxx:role/edna-dev-eks200000005"
"username": "system:node:{{EC2PrivateDNSName}}"
- "rolearn": "arn:aws:iam::xxx:role/team-developers"
"username": "developer"
"groups":
- "system:master"
mapUsers: |
[]
kind: ConfigMap
metadata:
creationTimestamp: "2020-06-11T19:40:47Z"
name: aws-auth
namespace: kube-system
resourceVersion: "4627634"
selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
uid: 137288f1-ae32-4a6f-b3d5-8dbd1da1e21d
➜ k get pods -n edna
Error from server (Forbidden): pods is forbidden: User "developer" cannot list resource "pods" in API group "" in the namespace "edna"
Do I need to create RBAC for that User with the name "developer" and map all permissions? If so what would be a proper way of doing it?
I have installed rakkess with kubectl krew, and if I am trying it with AWS security short-term credentials I get this:
➜ k access-matrix -n edna
NAME LIST CREATE UPDATE DELETE
bindings ✖
certificaterequests.cert-manager.io ✖ ✖ ✖ ✖
certificates.cert-manager.io ✖ ✖ ✖ ✖
challenges.acme.cert-manager.io ✖ ✖ ✖ ✖
configmaps ✖ ✖ ✖ ✖
controllerrevisions.apps ✖ ✖ ✖ ✖
cronjobs.batch ✖ ✖ ✖ ✖
daemonsets.apps ✖ ✖ ✖ ✖
deployments.apps ✖ ✖ ✖ ✖
endpoints ✖ ✖ ✖ ✖
events ✖ ✖ ✖ ✖
events.events.k8s.io ✖ ✖ ✖ ✖
horizontalpodautoscalers.autoscaling ✖ ✖ ✖ ✖
ingresses.extensions ✖ ✖ ✖ ✖
ingresses.networking.k8s.io ✖ ✖ ✖ ✖
issuers.cert-manager.io ✖ ✖ ✖ ✖
jobs.batch ✖ ✖ ✖ ✖
leases.coordination.k8s.io ✖ ✖ ✖ ✖
limitranges ✖ ✖ ✖ ✖
localsubjectaccessreviews.authorization.k8s.io ✖
networkpolicies.networking.k8s.io ✖ ✖ ✖ ✖
orders.acme.cert-manager.io ✖ ✖ ✖ ✖
persistentvolumeclaims ✖ ✖ ✖ ✖
poddisruptionbudgets.policy ✖ ✖ ✖ ✖
pods ✖ ✖ ✖ ✖
podtemplates ✖ ✖ ✖ ✖
replicasets.apps ✖ ✖ ✖ ✖
replicationcontrollers ✖ ✖ ✖ ✖
resourcequotas ✖ ✖ ✖ ✖
rolebindings.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
roles.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
secrets ✖ ✖ ✖ ✖
serviceaccounts ✖ ✖ ✖ ✖
services ✖ ✖ ✖ ✖
statefulsets.apps ✖ ✖ ✖ ✖
Thanks, Dmitry
You need to have role and rolebinding to list pods for that namespace
Create role
kubectl create role developer --verb=get,list,watch --resource=pods,pods/status --namespace=ednaRolebinding for that role
kubectl create rolebinding developer-binding --role=developer --user=developer --serviceaccount=edna:default -n ednaAfter this run this command to check if you can get access or not.
kubectl auth can-i get pods -n edna --as developerand this command will returnyesthen your problem fixed.For more information refer this document
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding