Tell us about your request
Currently you have to create a cluster with a user/role that you actually use for cluster administration (for initializing processes at least).
It'd be nicer if EKS had an option to select "which role you want to make an admin for this EKS cluster", especially when creating a cluster with CloudFormation.
Ref. https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html
When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as the administrator (with system:master permissions). Initially, only that IAM user can make calls to the Kubernetes API server using kubectl. For more information, see Managing Users or IAM Roles for your Cluster. Also, the AWS IAM Authenticator for Kubernetes uses the AWS SDK for Go to authenticate against your Amazon EKS cluster. If you use the console to create the cluster, you must ensure that the same IAM user credentials are in the AWS SDK credential chain when you are running kubectl commands on your cluster.
Which service(s) is this request for?
EKS
I'm trying to use CloudFormation for creating clusters without eksctl for some reason and can't use kubectl after creating a CFn Stack with the CFn role of my company.
We run into similar issues using Terraform, which in our case isn't executed locally but instead by a platform which assumes a certain role in the account.
Even when I have admin privileges in the account, I need to go through some crazy hoops (assuming the same role as is assumed by the Terraform platform) to be able to set up aws-auth.
Furthermore, afaik the cluster creator is completely invisible. You can't deduce it from aws eks describe-cluster or AWS API, which seems odd.
Making the cluster creator a first-class property of the AWS EKS API would make a lot of sense imho.
This would help our scenario where we create the EKS Cluster using CloudFormation/CDK in the CodeBuild.
The administrator of the Cluster ends up being the Role assumed by the CodeBuild, and I faced some problems with this because I would end up deploying from my machine, and the CodeBuild didn't have access to it.
Having this option, I could end up deploying from my machine and giving the CodeBuild the administrator access.
Where can I give a 👍 for this feature?
might be worth combining/closing #378 as it is a request for the same feature