Introduction

Managing access to Amazon Elastic Kubernetes Service (EKS) clusters has traditionally relied on the aws-auth ConfigMap, a method that, while functional, often introduces complexities and limitations. With the introduction of enhanced EKS cluster access management, AWS aims to streamline and improve the process, making it easier for administrators to manage access permissions efficiently. In this post, we’ll explore the challenges of traditional access management, introduce the new streamlined approach, and guide you through the transition process.

The Challenges of Traditional EKS Cluster Access Management with aws-auth ConfigMap

The aws-auth ConfigMap has been the cornerstone of access management for EKS clusters, but it comes with several challenges:

  • Manual Management: Administrators must manually update the ConfigMap to grant or revoke access, which can be error-prone and time-consuming.
  • Limited Scalability: As the number of users and roles increases, managing the ConfigMap becomes increasingly complex and challenging.
  • Security Risks: Incorrect configurations in the ConfigMap can lead to unauthorized access or accidental privilege escalations.
  • Lack of Granularity: The ConfigMap provides limited options for defining fine-grained access controls, making it challenging to enforce least-privilege policies.

Introducing Enhanced EKS Cluster Access Management

To address these challenges, AWS introduced enhanced EKS cluster access management, which provides a more flexible, scalable, and secure approach to managing access. This new method leverages IAM roles and policies to control access, reducing reliance on the aws-auth ConfigMap.

Access Entries and Access Policies: The Building Blocks of Simplified Authentication

In the enhanced access management model, two key components form the foundation of simplified authentication:

  1. Access Entries: These entries define which IAM roles or users are allowed to authenticate with the EKS cluster. Each entry specifies the entity and the level of access it requires.
  2. Access Policies: Access policies are IAM policies attached to the roles or users defined in the access entries. These policies determine the specific permissions that the entity has within the cluster, such as access to particular namespaces or resources.

Authentication Modes: Flexibility and Transition Options

AWS provides three authentication modes to facilitate the transition from traditional to enhanced access management:

  1. CONFIG_MAP: The default mode relies solely on the aws-auth ConfigMap for access management.
  2. API_AND_CONFIG_MAP: A hybrid mode allowing administrators to use the aws-auth ConfigMap and the new API-based access management.
  3. API: This is the final mode that fully transitions to API-based access management, eliminating the need for the aws-auth ConfigMap.

Migrating to Enhanced Access Management

Transitioning to enhanced access management involves several steps:

  1. Creating Access Entries: Define access entries for your IAM roles and users. These entries should specify the level of access required for each entity.
  2. Assigning Access Policies: Attach appropriate IAM policies to the roles or users defined in your access entries. AWS provides predefined policies that can be customized to meet your specific needs.

Essential Considerations for Switching Authentication Modes

When transitioning between authentication modes, it’s crucial to consider the following:

  • Testing: Before entirely switching to API-based access management, test the hybrid mode (API_AND_CONFIG_MAP) to ensure your configurations work as expected.
  • Backup: Always back up your current aws-auth ConfigMap and IAM policies before making any changes.
  • Rollback Plan: Develop a rollback plan in case any issues arise during the transition.

Irreversible Transition: CONFIG_MAP to API_AND_CONFIG_MAP to API

The process is irreversible once you transition from CONFIG_MAP to API_AND_CONFIG_MAP to API. Therefore, careful planning and testing are essential before making the final switch.

Planning Your Migration Strategy

To ensure a smooth transition, follow these best practices:

  • Assess Current Configurations: Review your existing aws-auth ConfigMap and IAM policies to understand your current access setup.
  • Identify Stakeholders: Involve all relevant stakeholders, including security teams, to ensure the new access controls meet organizational requirements.
  • Pilot Testing: Start with a small, non-critical cluster to pilot the new access management model before rolling it out across your entire environment.
  • Documentation and Training: Update your documentation and train your team on the new access management model.

Conclusion

Simplifying access management for Amazon EKS clusters is crucial for enhancing security, scalability, and operational efficiency. By transitioning from the traditional aws-auth ConfigMap to the new API-based access management model, you can streamline access control and reduce the complexities of managing EKS cluster access.

References

Migrating existing aws-auth ConfigMap entries to access entries

A deep dive into simplified Amazon EKS access management controls