In https://2i2c.freshdesk.com/a/tickets/502 a request came from Greg, a k8s power user, to be granted read permissions to the k8s cluster, and I suggested the k8s official user-facing ClusterRole `view`, which doesn't grant access to inspect Secret resources etc., but does grant access to other resources overall, including logs for pods as explicitly requested.

This is how I've attempted to provide that in the AWS-based cluster.
```shell
# define the <username> to be associated with the AWS account's
# IAM user, and to be part of the eks-view group
eksctl create iamidentitymapping \
    --cluster=nasa-veda \
    --region=us-west-2 \
    --arn arn:aws:iam::$AWS_ACCOUNT:user/$AWS_IAM_USERNAME \
    --username $AWS_IAM_USERNAME \
    --group eks-view \
    --no-duplicate-arns

# create a ClusterRoleBinding, coupling the k8s default ClusterRole "view" to
# the group eks-view
kubectl create clusterrolebinding view --clusterrole=view --group=eks-view
```
The user can then authenticate as their AWS IAM user and run:
The user confirmed this approach is working. So, we need to:
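As an added check, not part of the original issue: a small evaluator for Kubernetes RBAC policy rules that answers the two questions behind this ticket (can the `eks-view` group read pod logs, and is it kept away from Secrets) before the ClusterRoleBinding is created. The `VIEW_RULES` list is a constructed subset of the built-in `view` ClusterRole; compare it against `kubectl get clusterrole view -o yaml` on the real cluster.

```python
from typing import Dict, List

# Constructed subset of the built-in "view" ClusterRole (not copied from a live
# cluster). "secrets" is deliberately absent: "view" never grants access to them.
VIEW_RULES: List[Dict] = [
    {"apiGroups": [""],
     "resources": ["configmaps", "endpoints", "persistentvolumeclaims", "pods",
                   "pods/log", "pods/status", "services", "events"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"],
     "resources": ["deployments", "replicasets", "statefulsets", "daemonsets"],
     "verbs": ["get", "list", "watch"]},
]


def _matches(allowed: List[str], wanted: str) -> bool:
    """Kubernetes RBAC treats "*" in a rule as a wildcard matching any value."""
    return "*" in allowed or wanted in allowed


def can_i(rules: List[Dict], verb: str, resource: str, api_group: str = "") -> bool:
    """True if any rule grants `verb` on `resource` in `api_group`.

    RBAC is purely additive (there are no deny rules), so a single matching
    rule is sufficient and the order of rules does not matter.
    """
    return any(
        _matches(r["apiGroups"], api_group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules
    )


def audit(rules: List[Dict]) -> Dict[str, bool]:
    """The checks that matter for this ticket: logs readable, secrets not."""
    return {
        "pods/log get": can_i(rules, "get", "pods/log"),
        "pods list": can_i(rules, "list", "pods"),
        "deployments.apps list": can_i(rules, "list", "deployments", "apps"),
        "secrets get": can_i(rules, "get", "secrets"),
        "pods delete": can_i(rules, "delete", "pods"),
    }


if __name__ == "__main__":
    for check, ok in audit(VIEW_RULES).items():
        print(f"{check:25s} {'allowed' if ok else 'denied'}")
```

Once the binding exists, the same questions can be put to the API server itself with `kubectl auth can-i get secrets --as=some-user --as-group=eks-view`, which evaluates every ClusterRole and Role bound to that group rather than the one rule set above.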