Cluster Access Settings
Overview¶
During EKS cluster provisioning, the different authentication modes in Amazon EKS allow users to manage cluster access according to their needs, whether they prefer the simplicity of IAM-based controls or require more granular configuration. This flexibility balances ease of use with detailed access management, so access controls can be aligned with specific security and operational requirements.
Did you know?
Amazon EKS Cluster Access Settings can be managed through various methods:
Authentication Mode Selection and EKS Access Entry APIs¶
The selected authentication mode determines whether the EKS Access Entry APIs can be used; they require the mode to be set to either API or API & Config Map. Users must opt in to use these APIs, which can be enabled on existing clusters or configured during the creation of new ones. By default, ConfigMap is selected, but users can switch to the other options:
- EKS API: Uses the EKS API for authentication, simplifying access management by relying solely on AWS IAM, which makes it easier to manage access through IAM roles and policies.
- EKS API and ConfigMap: Utilizes both the EKS API and a ConfigMap for authentication, combining IAM with Kubernetes ConfigMap. This provides flexibility, allowing for both IAM and manual role management within the cluster.
- ConfigMap: Relies solely on a ConfigMap for authentication, offering full control over access through a Kubernetes ConfigMap. This mode requires manual updates to manage IAM role mappings.
If the Cluster Authentication Mode is set to ConfigMap, users automatically receive cluster administration access and the option to configure it is not shown. For the other two modes, cluster administration access is always allowed.
Note: Cluster administration access can only be configured on Day 0, during the initial cluster setup.
To add one or more users and provide access to a cluster or namespace, click IAM Access Entry. Here, users can add access entries along with access policies.
Permissions for Cluster Access Management
The following permissions are necessary to add, update, or delete cluster access entries:
- "eks:ListAccessPolicies"
- "eks:ListAccessEntries"
- "eks:ListAssociatedAccessPolicies"
- "eks:AssociateAccessPolicy"
- "eks:CreateAccessEntry"
- "eks:UpdateAccessEntry"
- "eks:DescribeAccessEntry"
- "eks:DisassociateAccessPolicy"
- "eks:DeleteAccessEntry"
The three different access levels are Cluster View, Cluster Edit, and Cluster Admin. These access entries can be assigned to individual users or groups. When a group is added, all members of that group can access the cluster or namespace as required. Define policies to allow access to the entire cluster or a specific namespace.
Important
When the Type is set to Standard, Username, Kubernetes Groups, and Access Policies can be specified in the IAM Access Entry configuration. For all other types, specifying Username, Kubernetes Groups, and Access Policies is not permitted.
Click Save and proceed with the remaining configuration.
Important
When creating a new cluster, bootstrapClusterCreatorAdminPermissions is set to 'true' by default, and users are not allowed to change it to 'false'.
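The permission list, the three access levels and the Standard-type rule above translate directly into API requests. The following is an added example (a hypothetical helper, not the platform's own code) that builds a least-privilege IAM policy document containing only the listed eks:* actions, and builds the request parameters for boto3's eks.create_access_entry and eks.associate_access_policy while enforcing that Username, Kubernetes Groups and Access Policies are only accepted for the STANDARD type. The account, cluster and role values are constructed, and the access-entry ARN shape used for resource scoping is an assumption to verify against the IAM service authorization reference.

```python
"""Build a least-privilege IAM policy and EKS access-entry requests.

Added example (hypothetical helper, not the platform's own code). It encodes
the rules on this page: the nine eks:* actions needed for access management,
the View/Edit/Admin levels, cluster- vs namespace-scoped policies, and the
rule that username, Kubernetes groups and access policies are only valid for
the STANDARD entry type. Account, cluster and role values are constructed.
"""
import json

# The eks:* actions listed on this page for adding, updating and deleting access entries.
ACCESS_ENTRY_ACTIONS = [
    "eks:ListAccessPolicies",
    "eks:ListAccessEntries",
    "eks:ListAssociatedAccessPolicies",
    "eks:AssociateAccessPolicy",
    "eks:CreateAccessEntry",
    "eks:UpdateAccessEntry",
    "eks:DescribeAccessEntry",
    "eks:DisassociateAccessPolicy",
    "eks:DeleteAccessEntry",
]

# Cluster View / Cluster Edit / Cluster Admin mapped to the EKS-managed access policies.
ACCESS_LEVEL_POLICY_ARNS = {
    "view": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
    "edit": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy",
    "admin": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy",
}


def access_management_policy(cluster_arn: str) -> dict:
    """Return an IAM policy document granting only the listed actions.

    eks:ListAccessPolicies is not tied to a cluster, so it is allowed on "*".
    The remaining actions are scoped to the cluster and its access entries;
    the access-entry ARN shape (".../access-entry/<cluster>/*") is an
    assumption and should be checked against the IAM authorization reference.
    """
    cluster_name = cluster_arn.rsplit("/", 1)[-1]
    access_entry_arn = cluster_arn.split(":cluster/")[0] + f":access-entry/{cluster_name}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["eks:ListAccessPolicies"], "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": [a for a in ACCESS_ENTRY_ACTIONS if a != "eks:ListAccessPolicies"],
                "Resource": [cluster_arn, access_entry_arn],
            },
        ],
    }


def access_entry_requests(cluster_name, principal_arn, *, level=None, namespaces=None,
                          entry_type="STANDARD", username=None, kubernetes_groups=None):
    """Return (create_access_entry kwargs, associate_access_policy kwargs or None).

    The kwargs match boto3's eks.create_access_entry / eks.associate_access_policy.
    """
    create = {"clusterName": cluster_name, "principalArn": principal_arn, "type": entry_type}
    if entry_type != "STANDARD":
        # Page rule: non-Standard types may not carry a username, groups or access policies.
        if username or kubernetes_groups or level:
            raise ValueError(f"type {entry_type}: username, groups and access policies are not permitted")
        return create, None
    if level not in ACCESS_LEVEL_POLICY_ARNS:
        raise ValueError(f"level must be one of {sorted(ACCESS_LEVEL_POLICY_ARNS)}")
    if username:
        create["username"] = username
    if kubernetes_groups:
        create["kubernetesGroups"] = list(kubernetes_groups)
    # Cluster-wide scope unless specific namespaces were requested.
    scope = {"type": "namespace", "namespaces": list(namespaces)} if namespaces else {"type": "cluster"}
    associate = {
        "clusterName": cluster_name,
        "principalArn": principal_arn,
        "policyArn": ACCESS_LEVEL_POLICY_ARNS[level],
        "accessScope": scope,
    }
    return create, associate


if __name__ == "__main__":
    # Constructed sample values.
    arn = "arn:aws:eks:us-east-1:111122223333:cluster/demo"
    print(json.dumps(access_management_policy(arn), indent=2))
    create, associate = access_entry_requests(
        "demo", "arn:aws:iam::111122223333:role/team-a-dev", level="view", namespaces=["team-a"]
    )
    print(json.dumps({"create": create, "associate": associate}, indent=2))
```

The policy document is what the operator identity needs to manage entries; the two request dictionaries are what that identity then sends, and the namespace-scoped View example is the least privilege an individual developer typically needs.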
Migration Between Authentication Modes¶
As a Day-2 operation, users can migrate between authentication modes on an existing EKS cluster after the initial provisioning. This allows authentication settings to be changed in line with evolving security policies and operational requirements without re-provisioning the cluster. Users can also revert to a previous authentication mode whenever needed, giving further control and adaptability in managing cluster access.
On Day 2, select the required cluster from the cluster dashboard and click on the Access tab. Make the necessary changes and click Save Changes.
To configure IAM access entries, navigate to the IAM Access Entries tab and click on IAM Access Entry. Then, provide the necessary details and click Save to complete the configuration.
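The Day-2 flow above, read the current mode, change it, then configure access entries, as an added example written against the boto3 EKS client methods (describe_cluster, update_cluster_config) rather than the console. This is hypothetical helper code, not the platform's own; the `eks` argument can be a real `boto3.client("eks")`, and `StubEksClient` is a constructed offline stand-in so the module runs without credentials. It also gates access-entry work on the mode, since the page notes that entries require API or API & Config Map.

```python
"""Day-2 change of the EKS authentication mode, with a gate for access entries.

Added example, not the platform's own code. `eks` is any object with the
boto3 EKS client methods used here (describe_cluster, update_cluster_config);
pass boto3.client("eks") for a real account. StubEksClient is a constructed
offline stand-in so the module runs without AWS credentials.
"""

# Values the EKS API uses for the three modes described on this page.
VALID_MODES = {"CONFIG_MAP", "API_AND_CONFIG_MAP", "API"}
MODES_WITH_ACCESS_ENTRIES = {"API", "API_AND_CONFIG_MAP"}


def current_auth_mode(eks, cluster_name: str) -> str:
    """Read cluster.accessConfig.authenticationMode; treat an absent field as CONFIG_MAP."""
    cluster = eks.describe_cluster(name=cluster_name)["cluster"]
    return cluster.get("accessConfig", {}).get("authenticationMode", "CONFIG_MAP")


def ensure_access_entries_enabled(eks, cluster_name: str) -> str:
    """Fail before any create_access_entry call if the mode does not support access entries."""
    mode = current_auth_mode(eks, cluster_name)
    if mode not in MODES_WITH_ACCESS_ENTRIES:
        raise RuntimeError(f"{cluster_name} is in {mode} mode; access entries need API or API_AND_CONFIG_MAP")
    return mode


def switch_auth_mode(eks, cluster_name: str, target_mode: str) -> dict:
    """Request a mode change and report what was done; no-op if already in the target mode."""
    if target_mode not in VALID_MODES:
        raise ValueError(f"unknown mode {target_mode!r}; expected one of {sorted(VALID_MODES)}")
    current = current_auth_mode(eks, cluster_name)
    if current == target_mode:
        return {"changed": False, "from": current, "to": current, "update_id": None}
    resp = eks.update_cluster_config(name=cluster_name, accessConfig={"authenticationMode": target_mode})
    # The real call is asynchronous: poll eks.describe_update(name=..., updateId=...) until
    # its status is Successful before relying on the new mode.
    return {"changed": True, "from": current, "to": target_mode, "update_id": resp["update"]["id"]}


class StubEksClient:
    """Constructed in-memory stand-in for the two boto3 calls; applies the change instantly."""

    def __init__(self, mode: str):
        self.mode = mode
        self.calls = []

    def describe_cluster(self, name: str) -> dict:
        return {"cluster": {"name": name, "accessConfig": {"authenticationMode": self.mode}}}

    def update_cluster_config(self, name: str, **kwargs) -> dict:
        self.calls.append(("update_cluster_config", name, kwargs))
        self.mode = kwargs["accessConfig"]["authenticationMode"]
        return {"update": {"id": "stub-update-1", "status": "InProgress"}}


if __name__ == "__main__":
    eks = StubEksClient("CONFIG_MAP")  # constructed: cluster still on the default mode
    try:
        ensure_access_entries_enabled(eks, "demo")
    except RuntimeError as err:
        print("blocked:", err)
    print(switch_auth_mode(eks, "demo", "API_AND_CONFIG_MAP"))
    print("access entries usable in", ensure_access_entries_enabled(eks, "demo"))
```

Against a real cluster the update returns an update id while the change is still in progress, so an automation script should wait on describe_update before creating access entries; the stub applies the change immediately only so the flow can be exercised offline.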