How to access EKS clusters generated by pltf.

Kubeconfig

  1. Fetch outputs:
    pltf terraform output -f env.yaml -e <env> --json
    
    Note k8s_cluster_name, k8s_endpoint, and k8s_ca_data (output names may be prefixed if there are duplicates).
  2. Update kubeconfig:
    aws eks update-kubeconfig \
      --region <region> \
      --name <cluster> \
      --profile <aws-profile-if-needed>
    
    Use the same AWS profile that has access to the environment account (or backend profile if you share credentials).
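The two steps above, carried out and checked in one script. This is an added example, not pltf's own code: the Terraform output JSON and the kubeconfig are constructed inline (the `dev_` prefix, the account ID, the endpoint and the CA data are placeholders), `find_output` resolves the possibly prefixed output names, and `verify_kubeconfig` compares the kubeconfig's current context against the `k8s_endpoint` and `k8s_ca_data` outputs so a kubeconfig written with the wrong profile or cluster name is caught before the first kubectl call.

```python
import json

# Constructed sample of `pltf terraform output -f env.yaml -e dev --json`.
# The "dev_" prefix stands in for the prefix pltf adds when output names collide;
# the endpoint and CA data are placeholders, not a real cluster.
TF_OUTPUTS = json.loads("""
{
  "dev_k8s_cluster_name": {"sensitive": false, "type": "string", "value": "pltf-live-example-dev"},
  "dev_k8s_endpoint": {"sensitive": false, "type": "string",
                       "value": "https://0123456789ABCDEF.gr7.eu-west-1.eks.amazonaws.com"},
  "dev_k8s_ca_data": {"sensitive": false, "type": "string",
                      "value": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t"}
}
""")

# Placeholder account ID; `aws eks update-kubeconfig` names the kubeconfig entries after this ARN.
CLUSTER_ARN = "arn:aws:eks:eu-west-1:111122223333:cluster/pltf-live-example-dev"


def find_output(outputs, suffix):
    """Return the value of the output named `suffix`, tolerating a `<prefix>_` in front of it.

    Exactly one match is required: two candidates would mean the wrong cluster could be picked.
    """
    matches = {name: out["value"] for name, out in outputs.items()
               if name == suffix or name.endswith("_" + suffix)}
    if len(matches) != 1:
        raise ValueError(f"expected exactly one output ending in {suffix!r}, got {sorted(matches)}")
    return next(iter(matches.values()))


def update_kubeconfig_cmd(outputs, region, profile=None):
    """Build the `aws eks update-kubeconfig` argv from the Terraform outputs."""
    cmd = ["aws", "eks", "update-kubeconfig",
           "--region", region, "--name", find_output(outputs, "k8s_cluster_name")]
    if profile:
        cmd += ["--profile", profile]
    return cmd


def make_kubeconfig(cluster_arn, server, ca_data):
    """Minimal kubeconfig in the JSON shape `kubectl config view --raw -o json` prints."""
    return {
        "current-context": cluster_arn,
        "contexts": [{"name": cluster_arn, "context": {"cluster": cluster_arn, "user": cluster_arn}}],
        "clusters": [{"name": cluster_arn,
                      "cluster": {"server": server, "certificate-authority-data": ca_data}}],
    }


def verify_kubeconfig(outputs, kubeconfig):
    """Return the kubeconfig fields of the current context that disagree with the outputs.

    An empty list means the current context points at the endpoint and CA that pltf
    provisioned; a stray --profile or --name shows up here rather than as a confusing 401.
    """
    ctx_name = kubeconfig["current-context"]
    context = next(c["context"] for c in kubeconfig["contexts"] if c["name"] == ctx_name)
    cluster = next(c["cluster"] for c in kubeconfig["clusters"] if c["name"] == context["cluster"])
    expected = {
        "server": find_output(outputs, "k8s_endpoint"),
        "certificate-authority-data": find_output(outputs, "k8s_ca_data"),
    }
    return [field for field, want in expected.items() if cluster.get(field) != want]


if __name__ == "__main__":
    print(" ".join(update_kubeconfig_cmd(TF_OUTPUTS, "eu-west-1", profile="dev-admin")))
    good = make_kubeconfig(CLUSTER_ARN, find_output(TF_OUTPUTS, "k8s_endpoint"),
                           find_output(TF_OUTPUTS, "k8s_ca_data"))
    print("pinned OK" if not verify_kubeconfig(TF_OUTPUTS, good) else "kubeconfig mismatch")
```

In practice feed `verify_kubeconfig` the parsed output of `kubectl config view --raw -o json` after running the generated command; a non-empty result means the kubeconfig was written for a different cluster or account than the one the outputs describe.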

Generated Terraform already configures Kubernetes and Helm providers using these outputs when you run pltf terraform plan/apply.

AWS IAM to Kubernetes RBAC

EKS uses the aws-auth ConfigMap in kube-system to map IAM users and roles to a Kubernetes username and a set of Kubernetes groups. The API server never sees the IAM identity itself: RBAC only sees the username and groups that aws-auth assigns, so those are the names your bindings must refer to.

Example aws-auth data:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups: ['system:bootstrappers', 'system:nodes']
      rolearn: arn:aws:iam::ACCOUNT_ID:role/pltf-live-example-dev-eks-default-node-group
      username: system:node:{{EC2PrivateDNSName}}
    - groups: ['system:masters']
      rolearn: arn:aws:iam::ACCOUNT_ID:role/demo-admin
      username: pltf-managed
  mapUsers: |
    - groups: ['system:masters']
      userarn: arn:aws:iam::ACCOUNT_ID:user/demo-admin
      username: pltf-managed

Fields:

  • rolearn/userarn: the IAM principal being mapped (role ARNs must be the plain role ARN, not an assumed-role ARN with a path or session).
  • username: the Kubernetes username the principal authenticates as. Templates such as {{EC2PrivateDNSName}} and {{SessionName}} are expanded per session.
  • groups: the Kubernetes RBAC groups the principal is placed in. system:masters is bound to cluster-admin by the API server itself and bypasses any RBAC you write, so reserve it for break-glass principals and grant everyone else access through explicit bindings to less privileged groups.

Granting access via pltf

pltf does not manage aws-auth by default. Use a custom module or Helm chart to manage the RBAC mappings if you want them in code. Whichever way you edit it, treat aws-auth as a change that needs review: a malformed entry or a dropped mapping locks out every mapped principal, and the only identity that keeps access is the one that created the cluster, which EKS grants admin implicitly.

Viewing RBAC bindings

kubectl get clusterrolebindings -o json \
  | jq -r '.items[] | select(any(.subjects[]?; .kind == "Group")) | .metadata.name'
kubectl get rolebindings -A -o json \
  | jq -r '.items[] | select(any(.subjects[]?; .kind == "Group")) | "\(.metadata.namespace)/\(.metadata.name)"'

These list every binding that has a Group subject anywhere in its subjects list, not only in the first position, and skip bindings that have no subjects at all.

Example cluster role binding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:discovery
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: my-group
Because a ClusterRoleBinding is cluster-scoped, this grants members of my-group the permissions of system:discovery (read-only access to the API discovery endpoints) across all namespaces. The group only has members if an aws-auth mapping lists my-group in its groups; to confine a grant to one namespace, use a RoleBinding in that namespace instead.
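An audit that joins the two halves described above, the aws-auth mapping and the RBAC bindings, into a per-principal view of effective access. This is an added example, not pltf's own code. The mapRoles/mapUsers entries are given already parsed (as yaml.safe_load would return them from the ConfigMap) so the script needs no extra package, and the binding items are a constructed, trimmed version of `kubectl get clusterrolebindings,rolebindings -A -o json`; the account ID and the developer/ops roles and groups are placeholders. Unlike a `.subjects[0]` filter it checks every subject, tolerates bindings without subjects, and reports system:masters as cluster-admin even though no binding object exists for it.

```python
import json

# Constructed sample. In the live ConfigMap mapRoles/mapUsers are YAML strings; they are shown
# here already parsed so the example has no dependencies. Account ID and the developer/ops
# entries are placeholders added for illustration; demo-admin mirrors the page's example.
MAP_ROLES = [
    {"groups": ["system:masters"],
     "rolearn": "arn:aws:iam::111122223333:role/demo-admin", "username": "pltf-managed"},
    {"groups": ["platform-readers"],
     "rolearn": "arn:aws:iam::111122223333:role/developer", "username": "dev:{{SessionName}}"},
    {"groups": ["platform-ops"],
     "rolearn": "arn:aws:iam::111122223333:role/ops", "username": "ops"},
]
MAP_USERS = [
    {"groups": ["system:masters"],
     "userarn": "arn:aws:iam::111122223333:user/demo-admin", "username": "pltf-managed"},
]

# Constructed items from `kubectl get clusterrolebindings,rolebindings -A -o json`, trimmed to
# the fields used. Note the binding with no subjects and the one whose Group is not subjects[0].
BINDINGS = json.loads("""[
  {"kind": "ClusterRoleBinding", "metadata": {"name": "my-cluster-role-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
   "subjects": [{"kind": "Group", "name": "platform-readers"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "ops"}, {"kind": "Group", "name": "platform-ops"}]},
  {"kind": "RoleBinding", "metadata": {"name": "ci-deploy", "namespace": "apps"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "Group", "name": "platform-readers"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "orphan"},
   "roleRef": {"kind": "ClusterRole", "name": "view"}}
]""")

BUILTIN_MASTERS = "built-in system:masters"


def subject_matches(subject, username, groups):
    """True if an RBAC subject refers to the principal aws-auth maps to username/groups.

    Templated usernames ({{SessionName}}, {{EC2PrivateDNSName}}) expand per session, so for
    them only Group subjects can be matched statically; ServiceAccount subjects never match.
    """
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "Group":
        return name in groups
    if kind == "User" and "{{" not in username:
        return name == username
    return False


def grants_for(username, groups, bindings):
    """Every binding, cluster- or namespace-scoped, that applies to this principal."""
    grants = []
    for b in bindings:
        # `or []` covers bindings that have no subjects key at all.
        if not any(subject_matches(s, username, groups) for s in b.get("subjects") or []):
            continue
        scope = b["metadata"].get("namespace", "(unknown)") if b["kind"] == "RoleBinding" else "cluster-wide"
        grants.append({"role": f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}',
                       "binding": f'{b["kind"]}/{b["metadata"]["name"]}',
                       "scope": scope})
    return grants


def effective_access(map_roles, map_users, bindings):
    """Map each IAM principal in aws-auth to the grants it ends up with."""
    report = {}
    for entry in list(map_roles) + list(map_users):
        arn = entry.get("rolearn") or entry.get("userarn")
        groups = set(entry.get("groups") or [])
        grants = []
        if "system:masters" in groups:
            # The API server binds system:masters to cluster-admin itself: no RBAC object is
            # needed and none can restrict it, so this is the first thing to audit.
            grants.append({"role": "ClusterRole/cluster-admin", "binding": BUILTIN_MASTERS,
                           "scope": "cluster-wide"})
        grants += grants_for(entry.get("username", ""), groups, bindings)
        report[arn] = grants
    return report


def cluster_admins(report):
    """ARNs holding cluster-admin across all namespaces, however they got it."""
    return sorted(arn for arn, grants in report.items()
                  if any(g["role"] == "ClusterRole/cluster-admin" and g["scope"] == "cluster-wide"
                         for g in grants))


if __name__ == "__main__":
    report = effective_access(MAP_ROLES, MAP_USERS, BINDINGS)
    for arn, grants in report.items():
        print(arn)
        for g in grants:
            print(f'  {g["role"]} via {g["binding"]} [{g["scope"]}]')
    print("cluster admins:", cluster_admins(report))
```

Run it against a real cluster by loading mapRoles/mapUsers with yaml.safe_load from `kubectl get configmap aws-auth -n kube-system -o json` and passing the `items` of the bindings query; the cluster_admins list is the set of IAM principals that a compromised credential would turn into full cluster control.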

Summary

  • Use aws eks update-kubeconfig with cluster outputs to get access.
  • Manage aws-auth via your own Terraform module/Helm chart if you want it codified.
  • For custom RBAC, map principals to groups in aws-auth and bind those groups with your own role/cluster role bindings, rather than adding more principals to system:masters.