This article provides an example of how to create an Elastic Kubernetes Service Instance Profile resource with an Assume Role. This allows multiple resources of this type to point at the same EKS cluster, each with different permissions within the cluster.
The example shows the configuration of the resource with permissions for a DevOps team and includes the Kubernetes RBAC configuration, so you can see how the IAM Role specified in the Assume Role field of the resource is mapped in the Kubernetes cluster. Also included are the IAM policy of the instance profile role attached to the StrongDM node, which grants that role permission to assume the role specified in the resource, and the trust relationship set on the IAM Role being assumed.
Prerequisites
Ensure the EKS cluster API endpoint is accessible from one or more of your StrongDM nodes.
Note: It is recommended to have the Audit and Authentication logs enabled for the EKS cluster, as these can be very helpful in troubleshooting any connection issues that you may encounter.
Create the Resource in the StrongDM Admin UI
In the Admin UI, add a new cluster resource of the Elastic Kubernetes Service (instance profile) type. Populate the Display Name, Cluster Type, Endpoint, Server CA, Cluster Name, and Region fields, as in the example settings shown below. Set the Healthcheck Namespace field to “dev”, because the RBAC configuration in this example limits the role to the dev namespace, and set the Assume Role field to the ARN of the k8sDev Role. This tells the cluster resource you are creating to assume the k8sDev Role using the permissions granted to the node by the instance profile role attached to the StrongDM node.
The IAM permissions and RBAC configuration should be completed before setting up the resource. Examples of the configuration used for this resource are included below.
AssumeRole IAM Policy Example
Policy attached to the Instance Profile Role (arn:aws:iam::xxxxxxxxxxxx:role/sdm-node-role):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::xxxxxxxxxxxx:role/k8sAdmin",
                "arn:aws:iam::xxxxxxxxxxxx:role/k8sInteg",
                "arn:aws:iam::xxxxxxxxxxxx:role/k8sDev"
            ]
        }
    ]
}
Trust Relationship JSON for the k8sDev IAM Role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:role/sdm-node-role"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
Example RBAC Configuration
~$ eksctl get iamidentitymapping --cluster cluster-name
ARN                                                                                                    USERNAME                            GROUPS                              ACCOUNT
arn:aws:iam::671496566364:role/eksctl-cluster-name-nodegroup-worker-n-NodeInstanceRole-kE6cjaE3ob2v    system:node:{{EC2PrivateDNSName}}   system:bootstrappers,system:nodes
arn:aws:iam::xxxxxxxxxxxx:role/k8sDev                                                                  k8sDev                              dev-access-group
arn:aws:iam::xxxxxxxxxxxx:role/sdm-node-role                                                           admin                               system:masters
~$ kubectl get cm -n kube-system aws-auth -o yaml
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::xxxxxxxxxxxx:role/eksctl-cluster-name-nodegroup-worker-n-NodeInstanceRole-kE6cjaE3ob2v
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - dev-access-group
      rolearn: arn:aws:iam::xxxxxxxxxxxx:role/k8sDev
      username: k8sDev
    - groups:
      - system:masters
      rolearn: arn:aws:iam::xxxxxxxxxxxx:role/sdm-node-role
      username: admin
kind: ConfigMap
metadata:
  creationTimestamp: "2023-10-19T21:45:52Z"
  name: aws-auth
  namespace: kube-system
~$ kubectl get role -n dev
NAME CREATED AT
devOps-role 2023-10-20T01:01:42Z
~$ kubectl get rolebinding -n dev
NAME ROLE AGE
devOps-role-binding Role/devOps-role 132m
Role and RoleBinding example YAML for devOps-role and devOps-role-binding
# devOpsRole.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: devOps-role
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
  - apiGroups: # Ability to impersonate and review your own access
      - ""
    resources:
      - users
      - groups
    verbs:
      - impersonate
  - apiGroups:
      - "authorization.k8s.io"
    resources:
      - selfsubjectaccessreviews
    verbs:
      - create
# devOpsRole-binding.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devOps-role-binding
  namespace: dev
subjects:
  - kind: Group
    name: dev-access-group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: devOps-role
  apiGroup: rbac.authorization.k8s.io
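The four pieces above (the node's AssumeRole policy, the k8sDev trust relationship, the aws-auth mapRoles entry and the RoleBinding in the dev namespace) must agree with each other before the resource's health check can succeed. The following script is an added example, not part of the article or of StrongDM's tooling: it takes the article's sample configuration (embedded inline as constructed input) and walks the chain node role -> sts:AssumeRole -> aws-auth group -> RoleBinding in the Healthcheck Namespace, reporting each break it finds. It also lists which roles aws-auth places in system:masters, since those bypass every namespaced Role. The function names, the mapRoles mini-parser and the JSON shape assumed for the RoleBinding (what `kubectl get rolebinding -o json` returns per item) are this example's own choices.

```python
import json

# Constructed sample inputs, copied from the article's examples so the check runs offline.
# Instance profile policy on sdm-node-role:
NODE_POLICY_JSON = """{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0",
  "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [
  "arn:aws:iam::xxxxxxxxxxxx:role/k8sAdmin", "arn:aws:iam::xxxxxxxxxxxx:role/k8sInteg",
  "arn:aws:iam::xxxxxxxxxxxx:role/k8sDev"]}]}"""
# Trust relationship on k8sDev:
TRUST_POLICY_JSON = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::xxxxxxxxxxxx:role/sdm-node-role"},
  "Action": "sts:AssumeRole", "Condition": {}}]}"""
# data.mapRoles of the aws-auth ConfigMap:
MAP_ROLES_YAML = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::xxxxxxxxxxxx:role/eksctl-cluster-name-nodegroup-worker-n-NodeInstanceRole-kE6cjaE3ob2v
  username: system:node:{{EC2PrivateDNSName}}
- groups:
  - dev-access-group
  rolearn: arn:aws:iam::xxxxxxxxxxxx:role/k8sDev
  username: k8sDev
- groups:
  - system:masters
  rolearn: arn:aws:iam::xxxxxxxxxxxx:role/sdm-node-role
  username: admin
"""
# The RoleBinding, in the shape `kubectl get rolebinding -A -o json` returns per item (assumed):
ROLE_BINDINGS = [{"metadata": {"name": "devOps-role-binding", "namespace": "dev"},
                  "subjects": [{"kind": "Group", "name": "dev-access-group"}],
                  "roleRef": {"kind": "Role", "name": "devOps-role"}}]
NODE_ROLE = "arn:aws:iam::xxxxxxxxxxxx:role/sdm-node-role"
DEV_ROLE = "arn:aws:iam::xxxxxxxxxxxx:role/k8sDev"


def _as_list(value):
    """IAM policy fields (Action, Resource, Principal.AWS) may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []


def parse_map_roles(text):
    """Parse the mapRoles layout printed by `kubectl get cm aws-auth` (a list of
    groups/rolearn/username entries) without needing a YAML library."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "- groups:":
            current = {"groups": [], "rolearn": "", "username": ""}
            entries.append(current)
        elif line.startswith("- "):
            current["groups"].append(line[2:].strip())
        elif line:
            key, _, value = line.partition(":")  # split on the first colon only; ARNs contain more
            current[key.strip()] = value.strip()
    return entries


def check_assume_role_chain(node_policy, trust_policy, map_roles, role_bindings,
                            node_role_arn, assume_role_arn, healthcheck_namespace):
    """Walk node role -> sts:AssumeRole -> aws-auth group -> RoleBinding in the
    healthcheck namespace; return the list of breaks found (empty means consistent)."""
    problems = []
    if not any(s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))
               and assume_role_arn in _as_list(s.get("Resource", []))
               for s in node_policy["Statement"]):
        problems.append(f"node policy does not allow sts:AssumeRole on {assume_role_arn}")
    if not any(s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))
               and node_role_arn in _aws_principals(s) for s in trust_policy["Statement"]):
        problems.append(f"trust policy of {assume_role_arn} does not trust {node_role_arn}")
    groups = [g for m in map_roles if m["rolearn"] == assume_role_arn for g in m["groups"]]
    if not groups:
        problems.append(f"aws-auth has no mapRoles entry for {assume_role_arn}")
    elif not any(rb["metadata"]["namespace"] == healthcheck_namespace
                 and any(s["kind"] == "Group" and s["name"] in groups for s in rb["subjects"])
                 for rb in role_bindings):
        problems.append(f"no RoleBinding in namespace '{healthcheck_namespace}' for groups {groups}")
    return problems


def cluster_admin_mappings(map_roles):
    """Role ARNs that aws-auth puts in system:masters (cluster-admin); review these for least privilege."""
    return [m["rolearn"] for m in map_roles if "system:masters" in m["groups"]]


def run_article_check(healthcheck_namespace="dev", assume_role_arn=DEV_ROLE):
    """Run the chain check over the article's sample configuration."""
    return check_assume_role_chain(json.loads(NODE_POLICY_JSON), json.loads(TRUST_POLICY_JSON),
                                   parse_map_roles(MAP_ROLES_YAML), ROLE_BINDINGS,
                                   NODE_ROLE, assume_role_arn, healthcheck_namespace)


if __name__ == "__main__":
    problems = run_article_check()
    print("chain OK" if not problems else "\n".join(problems))
    print("system:masters mappings:", cluster_admin_mappings(parse_map_roles(MAP_ROLES_YAML)))
```

With the article's configuration the chain is consistent for the dev namespace; rerunning it with a different Healthcheck Namespace (for example "default") reports that no RoleBinding there references dev-access-group, which is exactly the condition that makes the resource's health check fail. To run it against a live cluster, replace the embedded constants with the output of `aws iam get-role-policy`, `aws iam get-role`, `kubectl get cm -n kube-system aws-auth -o yaml` and `kubectl get rolebinding -A -o json`.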