Example

Enterprise Kubernetes RBAC & Security Setup for AWS EKS

Scenario: Multi-Team Access Control in an Enterprise

An enterprise XYZ Corp is using AWS EKS for managing applications. They have multiple teams with different access levels:

Team

Responsibilities

Access Required

Platform Admins

Manage EKS, Nodes, Networking, Security

Full Cluster Admin

DevOps Engineers

Manage Deployments, CI/CD, Infra

Limited Admin (Can Deploy, Manage Nodes)

Developers

Deploy & Monitor Apps, No Infra Access

App Deployment Only

QA Testers

Run Tests, Debug, View Logs

Read-Only to Apps

Security Team

Monitor Logs, Audit Access

Read-Only to Everything

Solution: AWS IAM + Kubernetes RBAC

We'll use: ✅ AWS IAM roles for Authentication ✅ Kubernetes RBAC for Authorization ✅ Service Accounts for Secure App Access

Step 1: Define IAM Roles for Teams

🔹 1️⃣ Platform Admins IAM Role

aws iam create-role --role-name EKSPlatformAdmin \
    --assume-role-policy-document file://admin-trust-policy.json

🔹 2️⃣ DevOps Engineers IAM Role

aws iam create-role --role-name EKSLimitedAdmin \
    --assume-role-policy-document file://devops-trust-policy.json

🔹 3️⃣ Developers IAM Role

aws iam create-role --role-name EKSDeveloper \
    --assume-role-policy-document file://developer-trust-policy.json

🔹 4️⃣ QA Testers IAM Role

aws iam create-role --role-name EKSQAReadOnly \
    --assume-role-policy-document file://qa-trust-policy.json

🔹 5️⃣ Security Team IAM Role

aws iam create-role --role-name EKSSecurityAudit \
    --assume-role-policy-document file://security-trust-policy.json

Step 2: Map IAM Roles to Kubernetes RBAC

🔹 Edit the AWS Auth ConfigMap

kubectl edit configmap -n kube-system aws-auth

Add IAM Role Mappings:

mapRoles:
  - rolearn: arn:aws:iam::123456789012:role/EKSPlatformAdmin
    username: admin-user
    groups:
      - system:masters
  - rolearn: arn:aws:iam::123456789012:role/EKSLimitedAdmin
    username: devops-user
    groups:
      - eks-limited-admin
  - rolearn: arn:aws:iam::123456789012:role/EKSDeveloper
    username: dev-user
    groups:
      - eks-developer
  - rolearn: arn:aws:iam::123456789012:role/EKSQAReadOnly
    username: qa-user
    groups:
      - eks-readonly
  - rolearn: arn:aws:iam::123456789012:role/EKSSecurityAudit
    username: security-user
    groups:
      - eks-security

✅ Now, IAM users are mapped to Kubernetes RBAC groups.

Step 3: Create Kubernetes RBAC Roles & Bindings

1️⃣ Platform Admins (Full Cluster Access)

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: platform-admin-binding
subjects:
  - kind: Group
    name: system:masters
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

✅ Platform Admins can manage everything.

2️⃣ DevOps Engineers (Limited Admin)

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: limited-admin-role
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "deployments", "configmaps"]
    verbs: ["create", "get", "list", "update", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "get", "list", "update", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops-binding
subjects:
  - kind: Group
    name: eks-limited-admin
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: limited-admin-role
  apiGroup: rbac.authorization.k8s.io

✅ DevOps can manage applications, but not cluster settings.

3️⃣ Developers (Namespace-Scoped Access)

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev-team
  name: developer-role
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["create", "get", "list", "update", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev-team
  name: developer-binding
subjects:
  - kind: Group
    name: eks-developer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer-role
  apiGroup: rbac.authorization.k8s.io

✅ Developers can only access resources in the dev-team namespace.

4️⃣ QA Testers (Read-Only Access)

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: qa-team
  name: qa-readonly-role
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "deployments"]
    verbs: ["get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: qa-team
  name: qa-readonly-binding
subjects:
  - kind: Group
    name: eks-readonly
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: qa-readonly-role
  apiGroup: rbac.authorization.k8s.io

✅ QA can only view applications, not modify them.

5️⃣ Security Team (Audit Logs & Read-Only to Everything)

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: security-audit-role
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes", "events", "secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: security-audit-binding
subjects:
  - kind: Group
    name: eks-security
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: security-audit-role
  apiGroup: rbac.authorization.k8s.io

✅ Security team can audit logs but cannot modify anything.

Step 4: Verify Access for Teams

1️⃣ Check Platform Admin Access

kubectl auth can-i create pods --as=admin-user

✅ Should return "yes"

2️⃣ Check Developer Access

kubectl auth can-i delete deployments --namespace=dev-team --as=dev-user

✅ Should return "yes"

3️⃣ Check QA Tester Access

kubectl auth can-i create pods --namespace=qa-team --as=qa-user

❌ Should return "no"

Conclusion: Secure & Organized Access

✔ Admins manage the full cluster ✔ DevOps manages deployments, not core infra ✔ Developers deploy apps, but only in their namespace ✔ QA team can read data but not modify ✔ Security team can monitor but not deploy

🚀 NEXT: Do you want to add Network Policies for this setup?

PreviousRBAC NextScalling Nodes

Last updated 11 months ago

hashtagEnterprise Kubernetes RBAC & Security Setup for AWS EKS

hashtagScenario: Multi-Team Access Control in an Enterprise

hashtagSolution: AWS IAM + Kubernetes RBAC

hashtagStep 1: Define IAM Roles for Teams

hashtagStep 2: Map IAM Roles to Kubernetes RBAC

hashtagStep 3: Create Kubernetes RBAC Roles & Bindings

hashtag1️⃣ Platform Admins (Full Cluster Access)

hashtag2️⃣ DevOps Engineers (Limited Admin)

hashtag3️⃣ Developers (Namespace-Scoped Access)

hashtag4️⃣ QA Testers (Read-Only Access)

hashtag5️⃣ Security Team (Audit Logs & Read-Only to Everything)

hashtagStep 4: Verify Access for Teams

hashtagConclusion: Secure & Organized Access

hashtag🚀 NEXT: Do you want to add Network Policies for this setup?