Once you’ve deployed an EKS cluster, and try to view this in the AWS Console, sometimes you may see the following message in your console:
"Your current user or role does not have access to Kubernetes objects on this EKS Cluster"
This happen because your AWS user account doesn't have access to the Kubernetes control plane. This because of when you create an Amazon EKS cluster, the IAM user or role who is created the the cluster is automatically granted system:masters permissions in the cluster's RBAC configuration. But if you acc ess the Amazon EKS console with IAM users or roles that aren't part of aws-auth ConfigMap you can't see the overview details for the cluster. To fix this, you need to add the IAM user or role to the aws-auth ConfigMap.

Grab User ARN

First you need to grab the User ARN which you want to add from the Identity and Access Management (IAM) page.

User ARN looks like this:

1
arn:aws:iam::xxxxxxxxx:user/<user-name>

Update aws-auth ConfigMap

Now you need to update the aws-auth ConfigMap with the User ARN you grabbed from the previous step. To do this, you need to run the following command:
1
kubectl edit configmap -n kube-system aws-auth

This will open the aws-auth ConfigMap in your default text editor. Add the following line to the end of the file, replacing with the ARN of the IAM user or role you want to add:

1
2
3
4
5
mapUsers: |
  - userarn: arn:aws:iam::xxxxxxxxx:user/<user-name>
    username: <user-name>
    groups:
      - system:masters

For the root user, you can use the following command to add the root user to the aws-auth ConfigMap:

1
2
3
4
5
mapUsers: |
  - userarn: arn:aws:iam::xxxxxxxxx:root
    username: <user-name>
    groups:
      - system:masters

Warning: system:masters will give admin access to the cluster.

Save the file and exit the editor. The aws-auth ConfigMap is updated with the new IAM user or role. After a minute or so, once you revisit the EKS Cluster page in the AWS console, you will see all the relevant details.

Restrict access

If you want to give only read access to the cluster, it's ideal to create a Kubernetes cluster-role that allows read-only (get and list) access to the resources in the cluster.

Create a file named read-only.yaml with the following content:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-only
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - namespaces
      - pods
    verbs:
      - get
      - list
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - statefulsets
      - replicasets
    verbs:
      - get
      - list
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - get
      - list

Then apply the above yaml file to the cluster using the following command:

1
kubectl apply -f read-only.yaml

Next, you have to bind the cluste-role with a group. To do it you need to create a file named read-only-role-binding.yaml with the following content:

1
2
3
4
5
6
7
8
9
10
11
12
13
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-only-role-binding
subjects:
  - kind: Group
    name: read-only
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: read-only
  apiGroup: rbac.authorization.k8s.io

Then apply the above yaml file to the cluster using the following command:

1
kubectl apply -f read-only-role-binding.yaml

Finally, you have to add the IAM user or role to the aws-auth ConfigMap.

1
2
3
4
5
mapUsers: |
  - userarn: arn:aws:iam::xxxxxxxxx:user/<user-name>
    username: <user-name>
    groups:
      - read-only

Conclusion

If you have any issue regarding this tutorial, mention your issue in the comment section or reach me through my E-mail.

Happy Coding