
Kubeconfig Setup on EKS

Grant Access to EKS

To access the EKS Kubernetes API, you must grant your IAM principal access via EKS Access Entries. Access entries are only honored when the cluster's authentication mode is API or API_AND_CONFIG_MAP. See the AWS documentation for details on this topic.

AWS Console

Configure your IAM role under the Access tab in the AWS console for the EKS cluster by adding your role to the IAM access entries section with an access policy that is appropriate for your requirements. For example, to manage all resources in the cluster, configure the AmazonEKSClusterAdminPolicy at the Cluster access scope.

AWS CLI

First, identify your IAM principal ARN (role or user). If you don't know whether you are logged in as a user or assuming a role, run aws sts get-caller-identity. If the returned Arn contains assumed-role, you are assuming a role; if it contains user, you are an IAM user. Note that the ARN returned for an assumed role is an STS session ARN, not the IAM role ARN that an access entry expects; the steps below show how to obtain the underlying role ARN.

This is an example of a user:

bash
{
    "UserId": "AIDAQPFEP7X2BWRP3L3FO",
    "Account": "012345678901",
    "Arn": "arn:aws:iam::012345678901:user/example-user-name"
}                                          ^---------------^
                                                   | This is your user name

This is an example of an assumed role:

bash
{
    "UserId": "AROAQPFEP7Y1JNOB3EYME:example@yellowbrick.com",
    "Account": "012345678901",
    "Arn": "arn:aws:sts::012345678901:assumed-role/example-role-name/example@yellowbrick.com"
}                                                  ^---------------^
                                                           | This is your role name

When you know your user or role name, you can query the full IAM ARN. Access entries are keyed on the IAM user or role ARN (arn:aws:iam::...), not on the STS assumed-role ARN shown above, so always look up the IAM ARN rather than pasting the session ARN.

To list an IAM user ARN:

bash
aws iam get-user \
    --user-name "$user_name" \
    --query "User.Arn" \
    --output text

To list an IAM role ARN:

bash
aws iam get-role \
    --role-name "$role_name" \
    --query "Role.Arn" \
    --output text

Now that you know your principal ARN, create an EKS Access Entry and associate the desired access policy with it. To grant the principal full control over all namespaces in the cluster, give it the AmazonEKSClusterAdminPolicy access policy. This is equivalent to the Kubernetes cluster-admin role; if the principal only needs read access or access to specific namespaces, choose a narrower policy (for example AmazonEKSViewPolicy) or a namespace access scope instead:

bash
aws eks create-access-entry \
    --cluster-name "$cluster" \
    --principal-arn "$principal_arn"

aws eks associate-access-policy \
    --cluster-name "$cluster" \
    --principal-arn "$principal_arn" \
    --policy-arn "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" \
    --access-scope "type=cluster"

Note that AmazonEKSClusterAdminPolicy is an AWS-managed access policy. If you are running in a different partition such as GovCloud (aws-us-gov) or China (aws-cn), adjust the partition in your ARNs accordingly. If you are unsure about the correct policy ARN, you can list the available policies and their ARNs with:

bash
aws eks list-access-policies \
    --output table

To see more information on available access policies, see the AWS associate access policies with access entries documentation.

Obtaining a Kubernetes Configuration for EKS

Given that you know:

  • the name of the Kubernetes cluster you installed $cluster
  • the region you installed to $region

You can use the aws command line tool to write a kubeconfig file for the cluster (the target directory must already exist):

bash
aws eks update-kubeconfig --region "$region" --name "$cluster" --kubeconfig ~/.kube/aws/"$cluster-$region".config --alias "aws-$cluster-$region"
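The following script ties the two procedures above together (granting access with an access entry, then writing the kubeconfig). It is an added example, not Yellowbrick's or AWS's code. Its one non-trivial piece is principal_arn_from_caller, which rewrites the STS assumed-role ARN returned by aws sts get-caller-identity into the IAM role ARN that access entries expect, preserving the partition so it also works in GovCloud. The cluster name, region and the --apply flag are assumed invocation conventions; everything that talks to AWS is confined to grant_and_configure so the pure function can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not part of the Yellowbrick docs): grant the current caller
# access to an EKS cluster via an access entry and write a kubeconfig for it.
set -eu

# Rewrite a caller-identity ARN into the principal ARN EKS access entries expect.
# IAM user and role ARNs pass through unchanged. An STS session ARN of the form
# arn:PARTITION:sts::ACCOUNT:assumed-role/ROLE/SESSION becomes
# arn:PARTITION:iam::ACCOUNT:role/ROLE. Caveat: a session ARN does not carry the
# role's path; if your roles use paths, look the ARN up with `aws iam get-role`.
principal_arn_from_caller() {
  arn="$1"
  case "$arn" in
    arn:*:iam::*:user/*|arn:*:iam::*:role/*)
      printf '%s\n' "$arn" ;;
    arn:*:sts::*:assumed-role/*/*)
      partition="${arn#arn:}"; partition="${partition%%:*}"
      rest="${arn#arn:*:sts::}"                 # ACCOUNT:assumed-role/ROLE/SESSION
      account="${rest%%:*}"
      role="${rest#*:assumed-role/}"; role="${role%%/*}"
      printf 'arn:%s:iam::%s:role/%s\n' "$partition" "$account" "$role" ;;
    *)
      echo "unsupported principal ARN: $arn" >&2
      return 1 ;;
  esac
}

# Build the partition-correct ARN of an AWS-managed cluster access policy.
access_policy_arn() {
  partition="${1#arn:}"; partition="${partition%%:*}"
  printf 'arn:%s:eks::aws:cluster-access-policy/%s\n' "$partition" "$2"
}

# Everything below calls AWS and is only run with: ./script.sh --apply CLUSTER REGION
grant_and_configure() {
  cluster="$1"; region="$2"
  caller="$(aws sts get-caller-identity --query Arn --output text)"
  principal="$(principal_arn_from_caller "$caller")"
  policy="$(access_policy_arn "$principal" AmazonEKSClusterAdminPolicy)"

  # create-access-entry fails if an entry already exists, so check first
  # instead of blindly swallowing errors.
  if ! aws eks describe-access-entry --cluster-name "$cluster" --region "$region" \
        --principal-arn "$principal" >/dev/null 2>&1; then
    aws eks create-access-entry --cluster-name "$cluster" --region "$region" \
        --principal-arn "$principal"
  fi
  aws eks associate-access-policy --cluster-name "$cluster" --region "$region" \
      --principal-arn "$principal" --policy-arn "$policy" --access-scope type=cluster

  kubeconfig="$HOME/.kube/aws/$cluster-$region.config"
  mkdir -p "$(dirname "$kubeconfig")"
  aws eks update-kubeconfig --region "$region" --name "$cluster" \
      --kubeconfig "$kubeconfig" --alias "aws-$cluster-$region"

  # Confirm the grant actually took effect before handing the file to anyone.
  kubectl --kubeconfig "$kubeconfig" auth can-i list pods --all-namespaces
}

if [ "${1:-}" = "--apply" ]; then
  grant_and_configure "$2" "$3"
fi
```

Run it as ./grant-eks-access.sh --apply "$cluster" "$region". The final kubectl auth can-i call is the check that matters: if it prints no, the access entry or policy association did not take effect (for example because the cluster is still in CONFIG_MAP authentication mode) and the console notice described below will persist.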

Setup for AWS Console

You may see the following note in your AWS console for the EKS cluster of your Yellowbrick instance.

INFO

Your current IAM principal doesn’t have access to Kubernetes objects on this cluster.

This may be due to the current user or role not having Kubernetes RBAC permissions to describe cluster resources or not having an entry in the cluster’s auth config map.

To resolve this, follow the instructions in Grant Access to EKS above for the IAM principal you use to sign in to the console. Ensure that the access policy you associate covers the namespaces you are trying to view (a namespace-scoped policy will not make cluster-wide resources visible), and that the cluster's authentication mode allows access entries.