
EKS Cluster Access Management

Summary

Lets you manage access to EKS clusters through the AWS API instead of editing the aws-auth ConfigMap:

  1. Map AWS identities to pre-defined AWS-managed Kubernetes permissions called "access policies"
  2. Map AWS identities to specific Kubernetes groups
  3. Gain visibility into former "shadow administrators" (the AWS identities that originally created the EKS cluster) and remove their access

Concepts

  • When you grant access to an AWS principal on a specific EKS cluster, you create an access entry for that principal
  • You can then assign permissions to that principal by mapping the access entry to Kubernetes groups, and/or access policies (an AWS-managed set of Kubernetes permissions)
  • You can grant an access policy either at the cluster or namespace level

Interaction with aws-auth ConfigMap

The way Cluster Access Management interacts with the aws-auth ConfigMap depends on a cluster-wide setting called the authentication mode.

Authentication mode: CONFIG_MAP
  • Set by default when creating a new cluster through the EKS API or an AWS SDK
  • The control plane only takes the aws-auth ConfigMap into account, and you cannot create access entries in the cluster

Authentication mode: API_AND_CONFIG_MAP
  • Set by default when creating a new cluster through the AWS console
  • When an AWS principal is referenced both in an access entry and in the aws-auth ConfigMap, only the permissions granted through the access entry are considered; the principal's aws-auth ConfigMap mapping is ignored

Authentication mode: API
  • Completely ignores the aws-auth ConfigMap and only takes access entries into account
Switching

Switching across these authentication modes is a one-way operation.

  • You can switch from
    • CONFIG_MAP to API_AND_CONFIG_MAP or API
    • API_AND_CONFIG_MAP to API
  • You cannot switch back in the opposite direction

Evaluation

  • When an access entry maps to both managed access policies and Kubernetes groups, the effective permissions are the union of the permissions granted through the Kubernetes groups and those granted through the access policies.
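The following script is an added example, not part of these notes and not an AWS-provided tool. It wraps the AWS CLI calls behind the three workflows above (creating an access entry and mapping it to Kubernetes groups, associating a managed access policy at cluster or namespace scope, and listing/removing the cluster creator's entry) and encodes the one-way authentication-mode rule as a check that runs before `update-cluster-config`. The `aws eks` subcommands and the `arn:aws:eks::aws:cluster-access-policy/...` policy ARN format are taken from the AWS CLI as it exists today; the cluster name, account ID and role name are placeholders. By default `AWS_CMD` is `echo aws`, so the script only prints the commands it would run; set `AWS_CMD=aws` to execute them against a real cluster.

```shell
#!/bin/sh
# Added example: AWS CLI wrappers for EKS Cluster Access Management.
# CLUSTER and PRINCIPAL_ARN are placeholders; AWS_CMD defaults to "echo aws"
# so nothing is changed unless you explicitly set AWS_CMD=aws.

CLUSTER="${CLUSTER:-example-cluster}"                                  # placeholder
PRINCIPAL_ARN="${PRINCIPAL_ARN:-arn:aws:iam::123456789012:role/ops-team}"  # placeholder
AWS_CMD="${AWS_CMD:-echo aws}"

# Return 0 only for the permitted (one-way) transitions:
#   CONFIG_MAP -> API_AND_CONFIG_MAP, CONFIG_MAP -> API, API_AND_CONFIG_MAP -> API
mode_transition_allowed() {
  case "$1:$2" in
    CONFIG_MAP:API_AND_CONFIG_MAP|CONFIG_MAP:API|API_AND_CONFIG_MAP:API) return 0 ;;
    *) return 1 ;;
  esac
}

# Switch the cluster from mode $1 to mode $2, refusing impossible transitions
# before any API call is made (the API would reject them anyway, but failing
# early keeps change scripts honest).
set_auth_mode() {
  if ! mode_transition_allowed "$1" "$2"; then
    echo "refusing: $1 -> $2 is not a permitted one-way transition" >&2
    return 1
  fi
  $AWS_CMD eks update-cluster-config --name "$CLUSTER" \
    --access-config authenticationMode="$2"
}

# Create an access entry for a principal ($1); any further arguments are
# Kubernetes groups the entry is mapped to (RBAC bindings grant the rights).
create_entry() {
  principal="$1"; shift
  if [ "$#" -gt 0 ]; then
    $AWS_CMD eks create-access-entry --cluster-name "$CLUSTER" \
      --principal-arn "$principal" --kubernetes-groups "$@"
  else
    $AWS_CMD eks create-access-entry --cluster-name "$CLUSTER" \
      --principal-arn "$principal"
  fi
}

# Build the --access-scope value: cluster-wide when no namespace is given,
# otherwise limited to the comma-separated namespaces in $1.
access_scope() {
  if [ -z "${1:-}" ]; then
    echo "type=cluster"
  else
    echo "type=namespace,namespaces=$1"
  fi
}

# Associate an AWS-managed access policy ($2, e.g. AmazonEKSViewPolicy) with the
# principal in $1, scoped by $3 (namespaces, or empty for the whole cluster).
grant_policy() {
  $AWS_CMD eks associate-access-policy --cluster-name "$CLUSTER" \
    --principal-arn "$1" \
    --policy-arn "arn:aws:eks::aws:cluster-access-policy/$2" \
    --access-scope "$(access_scope "${3:-}")"
}

# Shadow-admin review: list every access entry (the creating identity shows up
# here in the API modes) and the policies attached to one principal.
list_entries() {
  $AWS_CMD eks list-access-entries --cluster-name "$CLUSTER"
}
list_policies() {
  $AWS_CMD eks list-associated-access-policies --cluster-name "$CLUSTER" \
    --principal-arn "$1"
}

# Remove an identity's access entirely (used to retire the cluster creator).
revoke_entry() {
  $AWS_CMD eks delete-access-entry --cluster-name "$CLUSTER" --principal-arn "$1"
}

demo() {
  set_auth_mode CONFIG_MAP API_AND_CONFIG_MAP
  create_entry "$PRINCIPAL_ARN" platform-readers
  grant_policy "$PRINCIPAL_ARN" AmazonEKSViewPolicy "kube-system,monitoring"
  list_entries
  list_policies "$PRINCIPAL_ARN"
  revoke_entry "arn:aws:iam::123456789012:user/cluster-creator"   # placeholder
}

if [ "${RUN_DEMO:-0}" = "1" ]; then demo; fi
```

Run with `RUN_DEMO=1 sh eks-access.sh` to see the command sequence; the policy and group grants on the same entry add up, matching the union rule in the Evaluation section, so a namespace-scoped view policy does not narrow rights a Kubernetes group already confers.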