Overview

Opal supports any EKS cluster: once a cluster is connected, Opal grants and revokes access to its cluster roles automatically. Setup takes two steps: create an IAM role that Opal can hand out (Step 1), then map that role to a Kubernetes group in the cluster's aws-auth ConfigMap (Step 2).

Adding an EKS cluster

Step 1: Create an IAM role

You'll need an IAM role that Opal can hand to users and that your cluster maps to a Kubernetes group (the mapping itself is Step 2). The AWS CLI commands below create, scope and tag the role:

Create an IAM role for EKS

# Add your AWS account ID to an environment variable
ACCOUNT_ID=<YOUR_AWS_ACCOUNT_ID>
# Create the IAM role naming it something your developers will understand
ROLE_NAME=<YOUR_ROLE_NAME>
# Add your cluster ARN to an environment variable
CLUSTER_ARN=<YOUR_CLUSTER_ARN>

# Create the role trust policy locally. Trusting the account root means any principal
# in the account whose own IAM policy allows sts:AssumeRole on this role can assume it.
TRUST="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::${ACCOUNT_ID}:root\" }, \"Action\": \"sts:AssumeRole\" } ] }"
# Permissions policy, scoped to this one cluster ARN
echo "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": \"eks:*\", \"Resource\": \"${CLUSTER_ARN}\" } ] }" > /tmp/iam-role-policy

# Create the IAM role and print its ARN (you'll need it again in Step 2)
aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$TRUST" --output text --query 'Role.Arn'

# Attach the permissions policy to the role as an inline policy named eks-admin
aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name eks-admin --policy-document file:///tmp/iam-role-policy

# Tag the role so Opal will know to import your cluster permissions
aws iam tag-role --role-name "$ROLE_NAME" --tags "Key=opal:eks:cluster-arn,Value=${CLUSTER_ARN}"

Two things worth checking before moving on. First, the trust policy trusts the whole account (arn:aws:iam::<account>:root); if only Opal should be able to assume the role, replace that principal with the IAM principal Opal uses to assume roles in your account (the one configured in your Opal AWS integration). Second, eks:* is broader than a session needs: generating a kubeconfig only requires eks:DescribeCluster, and what a session can do inside the cluster is decided by the aws-auth mapping in Step 2, not by this policy. eks:* additionally allows updating or deleting the cluster itself, so narrow the Action list if that is not intended.

The above can also be done in Terraform. The three values are declared as input variables here; the original snippet referenced them as shell-style ${ACCOUNT_ID} placeholders, which Terraform rejects inside a heredoc and as a bare attribute value:

variable "account_id" {
  type = string
}

variable "role_name" {
  type = string
}

variable "cluster_arn" {
  type = string
}

# Same permissions as the inline eks-admin policy above, as a customer-managed policy
resource "aws_iam_policy" "AmazonEKSAdminPolicy" {
  name   = "AmazonEKSAdminPolicy"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eks:*",
      "Resource": "${var.cluster_arn}"
    }
  ]
}
EOF
}

resource "aws_iam_role" "eks_cluster_admin_role" {
  name = var.role_name

  # Trusts the whole account; narrow the Principal if only Opal should assume this role
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${var.account_id}:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY

  # Opal discovers the cluster to import from this tag
  tags = {
    "opal:eks:cluster-arn" = var.cluster_arn
  }

  # 12 hours is the longest session AWS allows for a role; the CLI version above keeps the 1-hour default
  max_session_duration = 12 * 60 * 60
}

resource "aws_iam_role_policy_attachment" "AmazonEKSAdminPolicy" {
  policy_arn = aws_iam_policy.AmazonEKSAdminPolicy.arn
  role       = aws_iam_role.eks_cluster_admin_role.name
}

Tagging multiple clusters to a role

If one IAM role should grant access to several clusters, add one tag per cluster: keep the opal:eks:cluster-arn prefix, append a numeric suffix to the key, and use each cluster's ARN as the value, like so:

Key: "opal:eks:cluster-arn:1" Value: "<CLUSTER_1_ARN>"
Key: "opal:eks:cluster-arn:2" Value: "<CLUSTER_2_ARN>"
Key: "opal:eks:cluster-arn:3" Value: "<CLUSTER_3_ARN>"

Each cluster still needs its own aws-auth mapping (Step 2), since aws-auth is per cluster.

Step 2: Update the aws-auth Configmap

This is the least intuitive part of the setup. If you get lost, reach out to [email protected].

The aws-auth ConfigMap exists in the kube-system namespace of every EKS cluster and is how Amazon maps IAM roles to Kubernetes usernames and groups; Kubernetes RBAC then decides what those groups may do. Here's how to map the role you created above to the system:masters group, which is the cluster-admin superuser group.

Update aws-auth configmap for admin permissions

# mapRoles entry for the role from Step 1. {{SessionName}} is expanded by EKS to the STS
# session name, so each Opal session appears under its own username in the audit log.
# system:masters is the superuser group: members can do anything in the cluster.
ROLE="    - rolearn: arn:aws:iam::$ACCOUNT_ID:role/$ROLE_NAME\n      username: eks-cluster-admin:{{SessionName}}\n      groups:\n        - system:masters"

# Insert the entry directly under "mapRoles: |" in a copy of the current ConfigMap
# (awk interprets the \n escapes in $ROLE when it prints the string)
kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$ROLE\";next}1" > /tmp/aws-auth-patch.yml

# Review /tmp/aws-auth-patch.yml before applying it: a malformed aws-auth can lock every
# IAM principal except the cluster creator out of the cluster
kubectl patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-patch.yml)"


📘 Creating different levels of privilege in Kubernetes

The aws-auth ConfigMap can map an IAM role to any Kubernetes group, not only system:masters. To hand out something narrower than cluster-admin, such as a read-only role, create a second IAM role in Step 1 (with its own opal:eks:cluster-arn tag), map it to a group of your choosing, and bind that group to a Kubernetes ClusterRole with RBAC. You can edit the ConfigMap directly with the following command and map different groups to your IAM role ARNs:

kubectl edit configmaps aws-auth -n kube-system

Keep a copy of the original ConfigMap before editing. You can read up on how to do this by checking out some of these articles:
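The following script is an added example, not Opal's own tooling. It renders the mapRoles entry used in Step 2 as a function, inserts it into an aws-auth document without creating duplicates on re-runs, and shows the read-only alternative from the callout above: a custom group bound to the built-in view ClusterRole instead of system:masters. The group name opal:viewers, the binding name opal-readonly, the username prefix eks-readonly and the sample ConfigMap are assumptions made for the example; the role ARN follows the arn:aws:iam::<account>:role/<name> form from Step 1.

```shell
#!/bin/sh
# Added example (not Opal's own code): build and insert aws-auth mapRoles entries,
# and bind a read-only group with RBAC. Group, binding and username prefix names
# below are assumptions for the example.
set -eu

# One mapRoles entry. {{SessionName}} is expanded by EKS to the STS session name,
# so each Opal session shows up under its own username in the audit log.
render_maprole() {
  role_arn="$1"; username_prefix="$2"; group="$3"
  printf '    - rolearn: %s\n      username: %s:{{SessionName}}\n      groups:\n        - %s\n' \
    "$role_arn" "$username_prefix" "$group"
}

# Insert an entry directly under "mapRoles: |" in an aws-auth YAML document read
# from stdin. Skips the insert when the role ARN is already mapped, so the
# script can be re-run without duplicating entries.
insert_maprole() {
  entry="$1"; role_arn="$2"
  doc="$(cat)"
  if printf '%s\n' "$doc" | grep -q "rolearn: ${role_arn}\$"; then
    printf '%s\n' "$doc"
  else
    printf '%s\n' "$doc" | awk -v entry="$entry" '/mapRoles: [|]/{print; print entry; next}1'
  fi
}

# Read-only alternative: bind a custom group to the built-in "view" ClusterRole
# instead of system:masters. "view" can list and read most namespaced objects
# but cannot read Secrets or change anything.
render_readonly_binding() {
  group="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: opal-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: ${group}
EOF
}

# Constructed sample of a fresh cluster's aws-auth ConfigMap (node role only).
SAMPLE_AWS_AUTH='apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/eks-node-group
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes'

# The sample ConfigMap with the given role mapped to the given group.
patched_sample() {
  role_arn="$1"; username_prefix="$2"; group="$3"
  printf '%s\n' "$SAMPLE_AWS_AUTH" \
    | insert_maprole "$(render_maprole "$role_arn" "$username_prefix" "$group")" "$role_arn"
}

# Against a real cluster (commented out so the script runs offline):
#   kubectl get -n kube-system configmap/aws-auth -o yaml > /tmp/aws-auth-backup.yml
#   insert_maprole "$(render_maprole "$ROLE_ARN" eks-readonly opal:viewers)" "$ROLE_ARN" \
#     < /tmp/aws-auth-backup.yml > /tmp/aws-auth-patch.yml
#   kubectl patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-patch.yml)"
#   render_readonly_binding opal:viewers | kubectl apply -f -
#   kubectl auth can-i get pods --as eks-readonly:test --as-group opal:viewers     # yes
#   kubectl auth can-i delete pods --as eks-readonly:test --as-group opal:viewers  # no

patched_sample arn:aws:iam::123456789012:role/opal-eks-readonly eks-readonly opal:viewers
```

The two kubectl auth can-i lines at the end are the check to run after applying: they impersonate a session username and the mapped group, so you can confirm the group really is read-only before handing the role out through Opal.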


Accessing your cluster in Opal

Roles that you've tagged properly using the tag key opal:eks:cluster-arn will show up on the Permissions page under the Kubernetes tab.

EKS permissions fall under the Kubernetes tab.

Permissions to EKS clusters are session-based: a user has to start a temporary session before they can use the cluster. They can do so with the connect button.

Starting a session to EKS in Opal.

Once connected, the user is given temporary credentials for the Kubernetes cluster that expire with the session.

Kubernetes session credentials in Opal.
