C-0232 - Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or Upgrade to AWS CLI v1.16.156
Framework
cis-eks-t1.2.0
Severity
High
Description of the the issue
On- and off-boarding users is often difficult to automate and prone to error. Using a single source of truth for user permissions reduces the number of locations that an individual must be off-boarded from, and prevents users gaining unique permissions sets that increase the cost of audit.
Related resources
Role
What does this control test
Amazon EKS uses IAM to provide authentication to your Kubernetes cluster through the AWS IAM Authenticator for Kubernetes. You can configure the stock kubectl client to work with Amazon EKS by installing the AWS IAM Authenticator for Kubernetes and modifying your kubectl configuration file to use it for authentication.
How to check it manually
To Audit access to the namespace $NAMESPACE, assume the IAM role yourIAMRoleName for a user that you created, and then run the following command:
$ kubectl get role -n $NAMESPACE
The response lists the RBAC role that has access to this Namespace.
Remediation
Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS documentation.
Note: If using AWS CLI version 1.16.156 or later there is no need to install the AWS IAM Authenticator anymore.
The relevant AWS CLI commands, depending on the use case, are:
aws eks update-kubeconfig
aws eks get-token
Impact Statement
Users must now be assigned to the IAM group created to use this namespace and deploy applications. If they are not they will not be able to access the namespace or deploy.
Default Value
For role-based access control (RBAC), system:masters permissions are configured in the Amazon EKS control plane
Example
No example
Updated 9 days ago