A step-by-step guide on how to properly authenticate to AWS EKS using the `@kubernetes/client-node` library. Learn about the RBAC roles and IAM user setup necessary for successful API access.
---
This video is based on the question https://stackoverflow.com/q/76119763/ asked by the user 'J. Samak' ( https://stackoverflow.com/u/7602026/ ) and on the answer https://stackoverflow.com/a/76131866/ provided by the user 'J. Samak' ( https://stackoverflow.com/u/7602026/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.
Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: How to connect - correctly authenticated - to EKS with loadFromOptions using @kubernetes/client-node?
Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.
If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
How to Connect to EKS with Proper Authentication Using @kubernetes/client-node
Connecting to the Kubernetes API of an AWS EKS (Elastic Kubernetes Service) cluster can be challenging, especially when it comes to user authentication and authorization. Many users run into permission problems that surface as the infamous "forbidden" error message. In this post, we'll walk through the steps to properly authenticate to your EKS cluster using the @kubernetes/client-node library.
The Problem
Imagine you've set up a new IAM user intended to access the Kubernetes API. The user has the AWS permissions needed to connect, yet you still get an error saying that the user "system:anonymous" is trying to list namespaces but is not authorized to do so. system:anonymous is the identity the API server assigns to a request whose credentials it could not authenticate, so the cluster is not recognizing your IAM user at all: although the IAM user can reach the cluster, it is not correctly linked to Kubernetes RBAC (Role-Based Access Control) permissions.
Example Error Encountered
Here’s an example of the message you might receive when executing listNamespace():
[[See Video to Reveal this Text or Code Snippet]]
The Solution
The root of the issue is that the IAM user is not mapped to a Kubernetes identity, so no RBAC policy in the cluster can apply to it. Let’s walk through the steps to set this up correctly.
Step 1: Create a Kubernetes RBAC Role
Begin by creating an RBAC role that grants read permissions on all resources. You can do this by applying a YAML manifest:
Create a file named rbac-add-reader.yaml with the following content:
[[See Video to Reveal this Text or Code Snippet]]
Apply this RBAC configuration with the command:
[[See Video to Reveal this Text or Code Snippet]]
Step 2: Set Up IAM User and Policy
Next, create a new IAM user in AWS. Attach a policy that allows the user to interact with EKS and acquire session tokens.
Create a policy with the following permissions:
[[See Video to Reveal this Text or Code Snippet]]
Add this policy to a user group and then assign the user to that group.
Step 3: Connect IAM User to Kubernetes
You need to link the IAM user to a Kubernetes role to ensure proper permissions.
Edit the aws-auth ConfigMap in the kube-system namespace:
[[See Video to Reveal this Text or Code Snippet]]
Add the IAM user's ARN to the mapUsers section:
[[See Video to Reveal this Text or Code Snippet]]
Step 4: Configure and Update kubeconfig
Switch to your new IAM user or create a new AWS CLI profile for it.
Update the kubeconfig file with the following command:
[[See Video to Reveal this Text or Code Snippet]]
Step 5: Validate Permissions
It’s essential to verify that your permissions are set correctly. Execute these commands to test:
[[See Video to Reveal this Text or Code Snippet]]
The expected output should indicate permissions in line with your RBAC configuration.
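The chain that Steps 1, 3 and 5 set up (an IAM ARN mapped to a Kubernetes username in aws-auth, a binding that names that username, a role that holds the rules) can be modelled in a few lines so it is clear what kubectl auth can-i is actually asking. This is an added example, not code from the original post: the ClusterRole, the ClusterRoleBinding and the aws-auth mapUsers entry are constructed for illustration, and the account id, the username eks-reader and the role name reader are placeholders.

```javascript
// Added example (not from the original post): a simplified model of how the API server
// evaluates RBAC for the identity that aws-auth assigned to an IAM user.
// All objects below are constructed; the ARN, usernames and role name are placeholders.

// mapUsers in the aws-auth ConfigMap (kube-system): an IAM ARN becomes a Kubernetes
// username plus groups. RBAC never sees the ARN itself, only this username and groups.
const awsAuthMapUsers = [
  { userarn: 'arn:aws:iam::123456789012:user/eks-reader', username: 'eks-reader', groups: [] },
];

// Read-only ClusterRole in the spirit of Step 1: get/list/watch on everything.
// apiGroups '' is the core group (namespaces, pods, ...); '*' matches any group.
const clusterRoles = {
  reader: { rules: [{ apiGroups: ['*'], resources: ['*'], verbs: ['get', 'list', 'watch'] }] },
};

// The binding is what links the aws-auth username to the role; its subject name
// must equal the username written in mapUsers, not the IAM ARN.
const clusterRoleBindings = [
  { roleRef: 'reader', subjects: [{ kind: 'User', name: 'eks-reader' }] },
];

// An ARN with no aws-auth entry is not authenticated. With anonymous auth enabled
// (the EKS default) the request is then evaluated as system:anonymous, which is
// exactly the identity that appears in the error from the original question.
function resolveIdentity(iamArn) {
  const entry = awsAuthMapUsers.find((e) => e.userarn === iamArn);
  return entry
    ? { user: entry.username, groups: entry.groups }
    : { user: 'system:anonymous', groups: ['system:unauthenticated'] };
}

// A rule matches when verb, apiGroup and resource are each listed or wildcarded.
function ruleMatches(rule, verb, apiGroup, resource) {
  const has = (list, v) => list.includes('*') || list.includes(v);
  return has(rule.verbs, verb) && has(rule.apiGroups, apiGroup) && has(rule.resources, resource);
}

// Equivalent of `kubectl auth can-i <verb> <resource> --as <user>` for cluster-scoped rules:
// find bindings whose subjects include the identity, then look for one matching rule.
function canI(identity, verb, apiGroup, resource) {
  const subjectMatches = (s) =>
    (s.kind === 'User' && s.name === identity.user) ||
    (s.kind === 'Group' && identity.groups.includes(s.name));
  return clusterRoleBindings
    .filter((b) => b.subjects.some(subjectMatches))
    .some((b) => (clusterRoles[b.roleRef] || { rules: [] }).rules
      .some((r) => ruleMatches(r, verb, apiGroup, resource)));
}

// Usage: the mapped user may list namespaces but not delete pods; an unmapped ARN
// becomes system:anonymous and is denied everything this role grants.
const mappedUser = resolveIdentity('arn:aws:iam::123456789012:user/eks-reader');
console.log(canI(mappedUser, 'list', '', 'namespaces'), canI(mappedUser, 'delete', '', 'pods'));
console.log(canI(resolveIdentity('arn:aws:iam::123456789012:user/not-mapped'), 'list', '', 'namespaces'));
```

The model shows why the two checks in Step 5 can disagree: a "yes" for list namespaces and a "no" for a write verb both come from the same read-only role, while an identity that never made it through aws-auth gets "no" regardless of how the role is written.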
Step 6: Load Configuration with loadFromDefault()
Now that permissions are set correctly, you can streamline your connection process by using:
[[See Video to Reveal this Text or Code Snippet]]
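Putting Step 6 together with the error from The Problem section: the following added example (not the original poster's code) loads the kubeconfig the same way kubectl does, lists namespaces with @kubernetes/client-node and, when the call fails, tells apart the two cases described above: a request that arrived as system:anonymous (the token was not accepted, usually a missing aws-auth mapping) and a request that authenticated but was denied by RBAC. The error-object shape differs between client-node 0.x and 1.x, so the extraction of status code and message is written defensively; those field names are an assumption about the library versions, and only the diagnosis logic runs without a cluster.

```javascript
// Added example, not from the original post. @kubernetes/client-node is needed only by
// listNamespaceNames(); diagnoseApiError() is pure and runs without a cluster.

// Extract the identity the API server evaluated from an RBAC denial such as
// 'namespaces is forbidden: User "system:anonymous" cannot list resource "namespaces" ...'.
function subjectFromMessage(message) {
  const m = /User "([^"]+)"/.exec(message || '');
  return m ? m[1] : null;
}

// Decide which layer rejected the request. EKS enables anonymous auth, so a token the
// authenticator does not accept is evaluated as system:anonymous and denied with 403,
// which looks like an RBAC problem but is really an authentication (aws-auth) problem.
function diagnoseApiError(statusCode, message) {
  const subject = subjectFromMessage(message);
  if (statusCode === 401) {
    return {
      layer: 'authentication',
      subject,
      hint: 'Token rejected outright. Check the AWS profile behind the kubeconfig exec plugin (aws eks get-token).',
    };
  }
  if (statusCode === 403 && subject === 'system:anonymous') {
    return {
      layer: 'authentication',
      subject,
      hint: 'Request ran as system:anonymous: no bearer token was sent, or the IAM principal is not in the aws-auth ConfigMap (kube-system) under mapUsers/mapRoles.',
    };
  }
  if (statusCode === 403) {
    return {
      layer: 'authorization',
      subject,
      hint: `Authenticated as ${subject}, but no (Cluster)RoleBinding grants this verb; compare with: kubectl auth can-i list namespaces --as ${subject}`,
    };
  }
  return { layer: 'other', subject, hint: `HTTP ${statusCode}: not an authentication or RBAC failure.` };
}

// Pull the HTTP status and Status.message out of a client-node error. The shape differs
// between 0.x (err.response.statusCode, err.body object) and 1.x (err.code, err.body
// string); the fallbacks below are an assumption about those versions.
function extractStatus(err) {
  const statusCode = typeof err.code === 'number'
    ? err.code
    : err.statusCode || (err.response && err.response.statusCode);
  let body = err.body;
  if (typeof body === 'string') {
    try { body = JSON.parse(body); } catch (_) { body = { message: body }; }
  }
  return { statusCode, message: (body && body.message) || err.message };
}

// Load kubeconfig like kubectl does ($KUBECONFIG or ~/.kube/config), so the exec credential
// plugin written by `aws eks update-kubeconfig` supplies the token, then list namespaces.
async function listNamespaceNames() {
  const mod = await import('@kubernetes/client-node');
  const k8s = mod.KubeConfig ? mod : mod.default;
  const kc = new k8s.KubeConfig();
  kc.loadFromDefault();
  const api = kc.makeApiClient(k8s.CoreV1Api);
  try {
    const res = await api.listNamespace();
    const list = res.body || res; // 0.x wraps the list in { body }, 1.x returns it directly
    return list.items.map((ns) => ns.metadata.name);
  } catch (err) {
    const { statusCode, message } = extractStatus(err);
    const diag = diagnoseApiError(statusCode, message);
    throw new Error(`${diag.layer} failure as ${diag.subject || 'unknown subject'}: ${diag.hint}`);
  }
}

// Run directly (node this-file.js) to print the namespaces visible to the current identity.
if (typeof require !== 'undefined' && require.main === module) {
  listNamespaceNames().then((names) => console.log(names)).catch((e) => console.error(e.message));
}
```

When the output names system:anonymous, go back to Step 3 and check the aws-auth mapping before touching any Role or RoleBinding; when it names your mapped username, the mapping works and the fix belongs in Step 1.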
Conclusion
By following the steps outlined above, you can correctly authenticate to your EKS cluster using the @kubernetes/client-node library. Properly setting up IAM users and RBAC configurations is crucial for secure and efficient Kubernetes management on AWS. Don’t overlook the link between IAM and Kubernetes RBAC (the aws-auth mapping); it is what prevents permission-related issues in the future.
With this understanding, you're equipped to troubleshoot and connect to your EKS environment securely. Happy coding!