5.2.3 Accessing Kubernetes
Let's now access Kubernetes using the CLI for both of our users, Goku and Vegeta.
Accessing K8s - Goku
Let's now attempt to access K8s, not via Terraform but using the users and their corresponding IAM roles.
Authenticating using Goku
First, we need to authenticate using the AWS IAM role that has been assigned to Goku in the prod account, i.e.
arn:aws:iam::<prod-account-id>:role/AssumeRoleK8sAdminWithMFAprod
Please replace <prod-account-id> with your prod account ID.
awsmfa -i goku arn:aws:iam::<prod-account-id>:role/AssumeRoleK8sAdminWithMFAprod
⚙️ Configuring Kubernetes
Let's now update the kubeconfig so that kubectl uses Goku's real permissions.
export AWS_PROFILE=default
aws eks --region us-west-1 update-kubeconfig --name s4cp-us-west-1-prod
kubectl get pods -n s4cp
🧪 Testing Goku's Authz
Fire the below commands to test out the RBAC that has been implemented.
kubectl auth can-i get nodes
kubectl auth can-i create pod
kubectl auth can-i get secrets -n s4cp
The answer should be yes for all three commands, as Goku is an admin.
Accessing K8s - Vegeta
Let's now attempt to access K8s, not via Terraform but using the users and their corresponding IAM roles.
Authenticating using Vegeta
First, we need to authenticate using the AWS IAM role that has been assigned to Vegeta in the prod account, i.e.
arn:aws:iam::<prod-account-id>:role/AssumeRoleK8sDeveloperWithMFAprod
Please replace <prod-account-id> with your prod account ID.
awsmfa -i vegeta arn:aws:iam::<prod-account-id>:role/AssumeRoleK8sDeveloperWithMFAprod
⚙️ Configuring Kubernetes
Let's now update the kubeconfig so that kubectl uses Vegeta's real permissions.
export AWS_PROFILE=default
aws eks --region us-west-1 update-kubeconfig --name s4cp-us-west-1-prod
kubectl get pods -n s4cp
🧪 Testing Vegeta's Authz
Fire the below commands to test out the RBAC that has been implemented.
kubectl auth can-i get nodes
kubectl auth can-i create pod
kubectl auth can-i get secrets -n s4cp
kubectl auth can-i create pod -n s4cp
The answer should be yes only for the last command, i.e. kubectl auth can-i create pod -n s4cp,
as the developer is allowed to operate only in the specific namespace where the application is deployed, i.e. s4cp.
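As an added example that is not part of this tutorial, the script below turns the two can-i checklists above (Goku's and Vegeta's) into a repeatable check: it runs kubectl auth can-i for every expectation and reports each mismatch, assuming the kubeconfig is already pointed at the cluster for the user being checked. The KUBECTL override and the rbac_check.sh file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): check that the RBAC bindings answer
# exactly as the tutorial expects for Goku (admin) and Vegeta (developer
# confined to the s4cp namespace). Run after awsmfa + update-kubeconfig.
# KUBECTL can be overridden with a stub to test the logic without a cluster.
KUBECTL="${KUBECTL:-kubectl}"

# can_i VERB RESOURCE [NAMESPACE]: prints "yes" or "no". kubectl exits 1 on
# "no", so the exit status is ignored and only stdout is used.
can_i() {
  if [ -n "$3" ]; then
    "$KUBECTL" auth can-i "$1" "$2" -n "$3" 2>/dev/null || true
  else
    "$KUBECTL" auth can-i "$1" "$2" 2>/dev/null || true
  fi
}

# Expected answers taken from the tutorial. Fields: verb resource namespace
# answer; "-" means no -n flag, i.e. the kubeconfig's current namespace
# (usually "default"), not "any namespace".
goku_expectations() {
  printf '%s\n' 'get nodes - yes' 'create pod - yes' 'get secrets s4cp yes'
}
vegeta_expectations() {
  printf '%s\n' 'get nodes - no' 'create pod - no' \
                'get secrets s4cp no' 'create pod s4cp yes'
}

# check_rbac goku|vegeta: prints every mismatch and returns their count, so
# exit status 0 means the live bindings match the tutorial.
check_rbac() {
  mismatches=0
  while read -r verb resource ns expected; do
    if [ "$ns" = "-" ]; then
      actual=$(can_i "$verb" "$resource")
    else
      actual=$(can_i "$verb" "$resource" "$ns")
    fi
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH ($1): $verb $resource ns=$ns expected=$expected got=$actual"
      mismatches=$((mismatches + 1))
    fi
  done <<EOF
$("${1}_expectations")
EOF
  return "$mismatches"
}

# Usage: sh rbac_check.sh vegeta
if [ $# -gt 0 ]; then check_rbac "$1"; fi
```

A non-zero exit status with MISMATCH lines means the cluster's RoleBindings or the aws-auth mapping for that IAM role do not match the intended least-privilege setup.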