EKS Console
To use the Amazon EKS Console to view workloads running in an EKS cluster created using the AWS provider (CAPA), do the following:
- Create a new policy with the required IAM permissions for the console. This example can be used. For example, a policy called EKSViewNodesAndWorkloads.
- Assign the policy created in step 1) to an IAM user or role for the users of your EKS cluster.
- Map the IAM user or role from step 2) to a Kubernetes user that has the RBAC permissions to view the Kubernetes resources. This needs to be done via the aws-auth ConfigMap (used by aws-iam-authenticator), which is generated by the AWS provider. This mapping can be specified in the AWSManagedControlPlane, for example:
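kind: AWSManagedControlPlane
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
metadata:
  name: "capi-managed-test-control-plane"
spec:
  region: "eu-west-2"
  sshKeyName: "capi-management"
  version: "v1.18.0"
  # Entries under iamAuthenticatorConfig are written to the aws-auth ConfigMap
  iamAuthenticatorConfig:
    mapRoles:
    # Kubernetes user that the IAM role below is mapped to
    - username: "kubernetes-admin"
      rolearn: "arn:aws:iam::1234567890:role/AdministratorAccess"
      groups:
      # system:masters grants unrestricted access to the cluster
      - "system:masters"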
In the sample above, the arn:aws:iam::1234567890:role/AdministratorAccess IAM role has the EKSViewNodesAndWorkloads policy attached (created in step 1).