How to access EKS clusters generated by pltf.

Kubeconfig

  1. Fetch outputs:
    pltf terraform output -f env.yaml -e <env> --json | jq '.aws_eks'
    
    Note k8s_cluster_name, k8s_endpoint, and k8s_ca_data.
  2. Update kubeconfig:
    aws eks update-kubeconfig \
      --region <region> \
      --name <cluster> \
      --profile <aws-profile-if-needed>
    
    Use the AWS profile that has access to the environment account (or the backend profile if you share credentials).

Generated Terraform already configures Kubernetes and Helm providers using these outputs when you run pltf terraform plan/apply.

AWS IAM to Kubernetes RBAC

EKS uses the aws-auth ConfigMap in kube-system to map IAM users/roles to Kubernetes groups.

Example aws-auth data:

apiVersion: v1
data:
  mapRoles: |
    - groups: ['system:bootstrappers', 'system:nodes']
      rolearn: arn:aws:iam::ACCOUNT_ID:role/pltf-live-example-dev-eks-default-node-group
      username: system:node:{{EC2PrivateDNSName}}
    - groups: ['system:masters']
      rolearn: arn:aws:iam::ACCOUNT_ID:role/demo-admin
      username: pltf-managed
  mapUsers: |
    - groups: ['system:masters']
      userarn: arn:aws:iam::ACCOUNT_ID:user/demo-admin
      username: pltf-managed

Fields:

  • rolearn/userarn: IAM principal.
  • username: friendly alias.
  • groups: Kubernetes RBAC groups (use system:masters for admin; it grants full cluster-admin rights).

Granting access via pltf

Use admin_arns on aws_k8s_base to inject IAM admins without editing Kubernetes directly:

modules:
  - type: aws_k8s_base
    admin_arns:
      - "arn:aws:iam::123456789012:user/platform-admin"
      - "arn:aws:iam::123456789012:role/platform-admin"

Viewing RBAC bindings

kubectl get clusterrolebindings -o json | jq -r '.items[] | select(any(.subjects[]?; .kind == "Group")) | .metadata.name'
kubectl get rolebindings -A -o json | jq -r '.items[] | select(any(.subjects[]?; .kind == "Group")) | .metadata.name'

Example cluster role binding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:discovery
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: my-group

This grants members of my-group the permissions of system:discovery across all namespaces.
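
The binding listing as a fuller audit, added here as an example and not part of pltf's own tooling: it takes the JSON from `kubectl get clusterrolebindings,rolebindings -A -o json`, reports every Group subject wherever it sits in the subjects list, and names the groups bound to cluster-admin cluster-wide. The sample bindings and the function names are constructed for illustration.

```python
import json
import sys

# Constructed sample, shaped like the List returned by
# `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "my-cluster-role-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "my-group"}]},
    # Group is the second subject: a filter on subjects[0] alone would miss it.
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"},
                  {"kind": "Group", "name": "ci-operators"}]},
    # A binding with no subjects at all.
    {"metadata": {"name": "empty"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
    {"metadata": {"name": "dev-edit", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "Group", "name": "my-group"}]},
]}

def group_grants(doc):
    """Return sorted (group, scope, role, binding) tuples for Group subjects."""
    rows = []
    for item in doc.get("items", []):
        meta, ref = item["metadata"], item["roleRef"]
        scope = meta.get("namespace", "cluster-wide")  # only RoleBindings are namespaced
        for subject in item.get("subjects") or []:     # subjects may be missing or null
            if subject.get("kind") == "Group":
                rows.append((subject["name"], scope, ref["name"], meta["name"]))
    return sorted(rows)

def cluster_admin_groups(rows):
    """Groups bound to cluster-admin through a ClusterRoleBinding (full admin)."""
    return sorted({group for group, scope, role, _ in rows
                   if scope == "cluster-wide" and role == "cluster-admin"})

if __name__ == "__main__":
    # Pipe kubectl's JSON in on stdin, or run with no input to see the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for row in group_grants(doc):
        print("{:<16} {:<13} {:<18} {}".format(*row))
    print("cluster-admin groups:", ", ".join(cluster_admin_groups(group_grants(doc))))
```

Any group in the final line other than system:masters has admin rights that do not come from admin_arns or the aws-auth mapping, so it is worth tracing back to the binding that grants it.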

Summary

  • Use aws eks update-kubeconfig with cluster outputs to get access.
  • Add IAM admins via admin_arns on aws_k8s_base (maps to system:masters).
  • For custom RBAC, edit aws-auth or create your own role/cluster role bindings.