
5.2.3 Accessing Kubernetes

Youtube 📺

Let's now access Kubernetes from the CLI for both of our users, Goku and Vegeta.

🔒 Accessing K8s - Goku

Let's now attempt to access K8s not through Terraform but as the users themselves, via their corresponding IAM roles.

๐Ÿ” Authenticating using Gokuโ€‹

Replace <prod-account-id> below with the account ID of the prod account.

First, we need to authenticate using the AWS IAM role that has been assigned to Goku in the prod account, i.e. arn:aws:iam::<prod-account-id>:role/AssumeRoleK8sAdminWithMFAprod

awsmfa -i goku arn:aws:iam::<prod-account-id>:role/AssumeRoleK8sAdminWithMFAprod

โš™๏ธ Configuring Kubernetesโ€‹

Let's now update the kubeconfig so that kubectl uses Goku's real permissions.

export AWS_PROFILE=default
aws eks --region us-west-1 update-kubeconfig --name s4cp-us-west-1-prod
kubectl get pods -n s4cp

🧪 Testing Goku's Authz

Run the commands below to test the RBAC that has been implemented.

kubectl auth can-i get nodes
kubectl auth can-i create pod
kubectl auth can-i get secrets -n s4cp

The answer should be yes for all three, as Goku is an admin.

🔒 Accessing K8s - Vegeta

Let's now repeat the exercise for Vegeta: again not through Terraform, but as the user, via his corresponding IAM role.

๐Ÿ” Authenticating using Vegetaโ€‹

First, we need to authenticate using the AWS IAM role that has been assigned to Vegeta in the prod account, i.e. arn:aws:iam::<prod-account-id>:role/AssumeRoleK8sDeveloperWithMFAprod

Replace <prod-account-id> below with the account ID of the prod account.

awsmfa -i vegeta arn:aws:iam::<prod-account-id>:role/AssumeRoleK8sDeveloperWithMFAprod

โš™๏ธ Configuring Kubernetesโ€‹

Let's now update the kubeconfig so that kubectl uses Vegeta's real permissions.

export AWS_PROFILE=default
aws eks --region us-west-1 update-kubeconfig --name s4cp-us-west-1-prod
kubectl get pods -n s4cp

🧪 Testing Vegeta's Authz

Run the commands below to test the RBAC that has been implemented.

kubectl auth can-i get nodes
kubectl auth can-i create pod
kubectl auth can-i get secrets -n s4cp
kubectl auth can-i create pod -n s4cp

The answer should be yes only for the last command, i.e. kubectl auth can-i create pod -n s4cp, as the developer is allowed to operate only in one specific namespace, s4cp, where the application is deployed.
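Instead of eyeballing each answer for Goku and Vegeta, the expected matrix from both sections above can be encoded once and checked automatically, so a drifted RoleBinding (a developer who can suddenly read secrets cluster-wide) fails loudly. This is an added example, not part of the original lab: it assumes kubectl already points at the prod cluster via the kubeconfig updated above, and the KUBECTL variable and rbac_check.sh name are hypothetical.

```shell
#!/usr/bin/env sh
# Added example, not part of the original lab: check a persona's RBAC
# against what the lab expects instead of eyeballing each answer.
# Assumes kubectl already points at the prod cluster (kubeconfig
# updated as above). KUBECTL is a hypothetical override used for tests.
KUBECTL="${KUBECTL:-kubectl}"

# Expected answers per persona, one "<yes|no> <can-i args>" per line.
expected_checks() {
  case "$1" in
    goku)   printf '%s\n' "yes get nodes" "yes create pod" \
                          "yes get secrets -n s4cp" ;;
    vegeta) printf '%s\n' "no get nodes" "no create pod" \
                          "no get secrets -n s4cp" "yes create pod -n s4cp" ;;
    *) echo "unknown persona: $1" >&2; return 2 ;;
  esac
}

# Runs every check for the persona, prints PASS/FAIL per line and
# returns the number of mismatches (0 = RBAC matches the lab's intent).
# An unreachable cluster or expired MFA session shows up as got=<none>.
verify_rbac() {
  checks=$(expected_checks "$1") || return 2
  failures=0
  while read -r want args; do
    [ -n "$want" ] || continue
    # $args is split on purpose: it holds the verb, resource and -n flag.
    # kubectl exits 1 when the answer is "no", so ignore its status here.
    got=$($KUBECTL auth can-i $args 2>/dev/null) || true
    if [ "$got" = "$want" ]; then
      printf 'PASS  can-i %-24s expected=%s\n' "$args" "$want"
    else
      printf 'FAIL  can-i %-24s expected=%s got=%s\n' \
        "$args" "$want" "${got:-<none>}"
      failures=$((failures + 1))
    fi
  done <<EOF
$checks
EOF
  return "$failures"
}

# Usage: sh rbac_check.sh goku   (or: sh rbac_check.sh vegeta)
if [ $# -gt 0 ]; then verify_rbac "$1"; fi
```

Run it right after each persona's update-kubeconfig step; a non-zero exit means the live RBAC differs from what the lab's bindings are meant to grant.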