eks iam rbac best practices


Last update: this approach does not work in the China (domestic) region.

0x00 Goal

Yesterday's post, https://www.jianshu.com/p/e9c769192746, was pieced together from my own googling.
Today, following https://www.eksworkshop.com/beginner/091_iam-groups/intro/, let's go through the official best practice.

  • Goal of this article:
    give developers fast account add/remove operations, in the AWS China environment.

0x01 Create the IAM Role

export ACCOUNT_ID={12-digit account id}

POLICY=$(echo -n '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws-cn:iam::'; echo -n "$ACCOUNT_ID"; echo -n ':root"},"Action":"sts:AssumeRole","Condition":{}}]}')

aws iam create-role \
  --role-name k8sDev \
  --description "Kubernetes developer role (for AWS IAM Authenticator for Kubernetes)." \
  --assume-role-policy-document "$POLICY" \
  --output text \
  --query 'Role.Arn'

# arn:aws-cn:iam::{12Number}:role/k8sDev

0x02 Create the IAM Group

aws iam create-group --group-name k8sDev

Attach a policy to this Group that allows it to assume the IAM Role

DEV_GROUP_POLICY=$(echo -n '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeOrganizationAccountRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws-cn:iam::'; echo -n "$ACCOUNT_ID"; echo -n ':role/k8sDev"
    }
  ]
}')
echo DEV_GROUP_POLICY=$DEV_GROUP_POLICY

aws iam put-group-policy \
  --group-name k8sDev \
  --policy-name k8sDev-policy \
  --policy-document "$DEV_GROUP_POLICY"

Additionally, add this policy to the Group by hand (it allows eks:DescribeCluster on the account's clusters):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws-cn:eks:*:{12Number}:cluster/*"
        }
    ]
}

0x03 Create the IAM User

Create the developer user dev-mm, add it to the Group and generate an access key

aws iam create-user --user-name dev-mm
aws iam add-user-to-group --group-name k8sDev --user-name dev-mm
aws iam create-access-key --user-name dev-mm | tee ./dev-mm.json

Key point: when an SRE later onboards a new user, only the three commands above are needed.

0x04 Configure the EKS Role and RoleBinding

We want to confine developers to the namespace sit; this can be done like so

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-role
  namespace: sit
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments", "replicasets", "pods", "configmaps","services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-role-binding
  namespace: sit
subjects:
- kind: User
  name: dev-user
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io

0x05 Link the IAM account to EKS

This step binds the IAM Role to an EKS user, which ties all the objects together.

# --cluster: eksworkshop-eksctl is the workshop's cluster name; use your own cluster's name
# the ARN uses the aws-cn partition, matching the role created in 0x01
eksctl create iamidentitymapping \
  --cluster eksworkshop-eksctl \
  --arn arn:aws-cn:iam::${ACCOUNT_ID}:role/k8sDev \
  --username dev-user

Alternatively, edit the aws-auth ConfigMap (in kube-system) directly in the cluster:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws-cn:iam::{12Number}:role/k8sDev
      username: dev-user

0x06 Verification

Skipped ...
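Part of the verification can be done offline before touching the cluster. The following is an added example, not code from the original post or from eksworkshop: it cross-checks that the trust policy, the group policy, the aws-auth mapRoles entry and the RoleBinding subject agree on partition, account id, role name and username. The account id is a constructed placeholder, the inputs are the post's snippets in parsed form, and the aws-auth entry deliberately carries the arn:aws partition, the mistake that is easy to make when a workshop command is pasted into a China account.

```python
import re

# IAM ARN shapes this page uses: the account root principal and a role.
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):(root|role/[\w+=,.@-]+)$")

def parse_arn(arn):
    """Split an IAM ARN into (partition, account, resource); reject anything else."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"malformed IAM ARN: {arn}")
    return m.group(1), m.group(2), m.group(3)

def check_wiring(trust_policy, group_policy, map_roles, role_binding, region):
    """Return findings (empty list = the IAM-to-RBAC chain is consistent)."""
    findings = []
    want = "aws-cn" if region.startswith("cn-") else "aws"
    # 1. trust policy: the account root must be allowed to sts:AssumeRole
    stmt = trust_policy["Statement"][0]
    t_part, t_acct, t_res = parse_arn(stmt["Principal"]["AWS"])
    if stmt["Action"] != "sts:AssumeRole" or t_res != "root":
        findings.append("trust policy must allow sts:AssumeRole to the account root")
    # 2. group policy resource and 3. aws-auth rolearn must name the same role
    g_part, g_acct, g_res = parse_arn(group_policy["Statement"][0]["Resource"])
    m_part, m_acct, m_res = parse_arn(map_roles[0]["rolearn"])
    if g_res != m_res:
        findings.append(f"group policy grants {g_res} but aws-auth maps {m_res}")
    for name, part in (("trust policy", t_part), ("group policy", g_part), ("aws-auth", m_part)):
        if part != want:
            findings.append(f"{name} uses partition {part}, region {region} needs {want}")
    if len({t_acct, g_acct, m_acct}) != 1:
        findings.append("account ids differ between trust policy, group policy and aws-auth")
    # 4. the RoleBinding subject must be the username aws-auth assigns to the role
    subject = role_binding["subjects"][0]["name"]
    if subject != map_roles[0]["username"]:
        findings.append(f"RoleBinding binds {subject!r} but aws-auth maps to {map_roles[0]['username']!r}")
    return findings

# Constructed sample inputs mirroring the page's snippets (placeholder account id).
ACCOUNT = "123456789012"
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws-cn:iam::{ACCOUNT}:root"}, "Action": "sts:AssumeRole", "Condition": {}}]}
GROUP = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                  "Resource": f"arn:aws-cn:iam::{ACCOUNT}:role/k8sDev"}]}
# parsed mapRoles entry; the arn:aws partition is the mistake a pasted workshop command introduces
MAP_ROLES = [{"rolearn": f"arn:aws:iam::{ACCOUNT}:role/k8sDev", "username": "dev-user"}]
BINDING = {"subjects": [{"kind": "User", "name": "dev-user"}]}

if __name__ == "__main__":
    for finding in check_wiring(TRUST, GROUP, MAP_ROLES, BINDING, "cn-north-1"):
        print(finding)
```

Run against the page's own values by replacing the placeholder account id; an empty result means the four objects line up and the remaining check is `kubectl auth can-i` as the mapped user.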
