Step-by-Step Guide: Configuring RBAC for an Existing EKS Cluster in CloudThrottle Overview Role-Based Access Control (RBAC) is a security mechanism in Kubernetes that controls access to cluster resources based on roles and permissions. Proper RBAC configuration ensures that only authorized users and CloudThrottle workflows can manage resources in an Amazon EKS (Elastic Kubernetes Service) cluster , preventing unauthorized changes and ensuring compliance with budget management policies .
In this guide, we’ll walk through the step-by-step process of configuring RBAC in an existing EKS cluster to enable CloudThrottle to manage budgets, schedules, and cloud resources securely .
Prerequisites Before proceeding, ensure that you have:
✅ An existing EKS cluster configured and operational.IAM roles for the EKS cluster and worker nodes already created.AWS CLI and kubectl installed on your local machine or Cloud Shell.Administrative permissions to modify IAM roles and Kubernetes ConfigMaps.
If you haven't set up an EKS cluster, refer to the AWS EKS Documentation .
Step 1: Verify aws-auth ConfigMap Where to Navigate? To verify if the aws-auth ConfigMap is correctly set up:
1️⃣ Open a terminal on your local machine or use AWS CloudShell .
aws eks --region <AWS_REGION> update-kubeconfig --name <EKS_CLUSTER_NAME>
Copy code
3️⃣ Run the following command to check the aws-auth ConfigMap:
kubectl get configmap -n kube-system aws-auth -o yaml
Copy code
Expected Output Format
If the configuration is correct, you should see an output similar to this:
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::<TENANT_ACCOUNT_ID>:role/EKSNodeRole
username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
Copy code
📌 Expected Output & Validation
What Each Placeholder Means:
<TENANT_ACCOUNT_ID> : The AWS Account ID where the EKS cluster is deployed.rolearn : The IAM role ARN assigned to EKS worker nodes.system:bootstrappers : Grants permissions needed during node bootstrapping.system:nodes : Provides permissions necessary for worker nodes to join the cluster.username: system:node:{{EC2PrivateDNSName}} : Dynamically assigns a Kubernetes username using the node’s private DNS.
What to Check?
rolearn : Ensure the correct IAM role (EKSNodeRole) is listed.groups : The roles should be assigned to system groups like system:bootstrappers and system:nodes.Confirm the IAM Role ARN is correct and exists in AWS IAM Console.
Check if worker nodes are correctly joining the EKS cluster.
Run kubectl get nodes to verify that worker nodes are registered successfully.
Why This is Important?
The aws-auth ConfigMap controls access to your Kubernetes cluster.
If CloudThrottle’s IAM roles are missing, it won’t be able to manage cluster resources.
Checking the current state ensures we are updating the correct configuration before proceeding.
Ensures EKS worker nodes can communicate with the cluster.
Prevents issues where nodes fail to join due to missing permissions.
Helps in debugging worker node registration failures.
Step 2: Update aws-auth ConfigMap Where to Navigate? To modify the aws-auth ConfigMap:
1️⃣ Open a terminal or AWS CloudShell .
kubectl edit configmap -n kube-system aws-auth
Copy code
3️⃣ Add the following entry under mapRoles to allow CloudThrottle’s execution role:
- rolearn: arn:aws:iam::<TENANT_ACCOUNT_ID>:role/<CT7MemberExecutionRole>
username: <ct7member-execution-role>
groups:
- <ct7-ops-group>
Copy code
Updated aws-auth ConfigMap ✅ Once updated, your aws-auth ConfigMap should look like this:
apiVersion: v1
data:
mapRoles: |
- rolearn: arn:aws:iam::<TENANT_ACCOUNT_ID>:role/<CT7MemberExecutionRole>
username: <ct7member-execution-role>
groups:
- <ct7-ops-group>
- rolearn: arn:aws:iam::<TENANT_ACCOUNT_ID>:role/MadhuEKSClusterRole1
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
Copy code
✅ Save and exit the editor for changes to take effect.
📌 Expected Output & Validation
What Each Placeholder Means:
<TENANT_ACCOUNT_ID> : The AWS Account ID where the EKS cluster is deployed.rolearn : The IAM role ARN assigned to CloudThrottle's execution role.username: <ct7member-execution-role> : Custom username assigned to CloudThrottle for authentication.groups: <ct7-ops-group> : The Kubernetes group that CloudThrottle belongs to.system:bootstrappers : Grants permissions needed during node bootstrapping.system:nodes : Provides permissions necessary for worker nodes to join the cluster.
🔹 What to Check?
Ensure the correct IAM role (CT7MemberExecutionRole) is listed under rolearn .
Verify that the username matches CloudThrottle’s expected execution role.
Check that the correct Kubernetes group (ct7-ops-group) is assigned.
Confirm that the role updates appear in the aws-auth ConfigMap after editing.
Ensure the role was applied successfully by running:kubectl get configmap -n kube-system aws-auth -o yaml
Why This is Important?
The CT7MemberExecutionRole is required for CloudThrottle to manage resources securely .
Without this update, CloudThrottle cannot assume roles in the EKS cluster.
Ensures that only authorized users can access and manage cluster resources.
Prevents misconfigurations that might cause CloudThrottle to lose access.
Step 3: Configure Kubernetes RBAC for CloudThrottle Why This is Important? RBAC defines granular permissions in Kubernetes, preventing unauthorized actions.Ensures CloudThrottle can only perform necessary operations like managing pods and deployments. Where to Navigate? To define Kubernetes permissions:
1️⃣ Open a terminal or AWS CloudShell.rbac-roles.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: <ct7member-execution-role>
rules:
- apiGroups: ["", "apps", "extensions"]
resources: ["pods", "deployments", "services", "namespaces", "nodes"]
verbs: ["get", "list", "watch", "update", "patch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: <ct7member-execution-role-binding>
subjects:
- kind: User
name: <ct7member-execution-role>
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: <ct7-ops-group>
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: <ct7member-execution-role>
apiGroup: rbac.authorization.k8s.io
Copy code
3️⃣ Apply the configuration:
kubectl apply -f rbac-roles.yaml
Copy code
📌 Expected Output & Validation
What Each Placeholder Means:
<ct7member-execution-role> : The execution role that CloudThrottle uses to interact with Kubernetes.apiGroups: ["", "apps", "extensions"] : Defines access to core Kubernetes objects, applications, and extended API resources.resources: ["pods", "deployments", "services", "namespaces", "nodes"] : Lists the Kubernetes resources CloudThrottle is allowed to manage.verbs: ["get", "list", "watch", "update", "patch", "create"] : Defines the actions CloudThrottle can perform on the allowed resources.ClusterRoleBinding : Binds the execution role to the Kubernetes RBAC role for authorization.
🔹 What to Check?
Ensure the ct7member-execution-role is correctly defined and assigned.
Verify that the ClusterRole has the necessary permissions for managing Kubernetes resources.
Confirm that ClusterRoleBinding correctly links the execution role to the defined permissions.
Check the applied configuration by running:kubectl get clusterrolebinding ct7member-execution-role-binding -o yaml
Ensure no syntax errors occur when applying the RBAC roles:
Run: kubectl apply -f rbac-roles.yaml and confirm no error messages appear.
Why This is Important?
Ensures CloudThrottle has granular permissions to manage Kubernetes resources securely.
Prevents unauthorized actions by limiting permissions to necessary operations only .
Validates that CloudThrottle’s execution role is properly bound to RBAC policies .
Avoids misconfigurations that could result in deployment failures or security vulnerabilities.
Step 4: Verify RBAC Access Where to Navigate? To test CloudThrottle’s permissions:
1️⃣ Open a terminal or AWS CloudShell.
kubectl auth can-i list pods --as=ct7member-execution-role
kubectl auth can-i get nodes --as=ct7member-execution-role
kubectl auth can-i create deployments --as=ct7member-execution-role
Copy code
✅ Expected Output:
yes
yes
yes
📌 Expected Output & Validation
What Each Command Does:
kubectl auth can-i list pods --as=ct7member-execution-role --> Checks if the role can list pods.kubectl auth can-i get nodes --as=ct7member-execution-role --> Validates if the role can retrieve node details.kubectl auth can-i create deployments --as=ct7member-execution-role --> Confirms if the role has deployment creation privileges.
🔹 What to Check?
Ensure all commands return "yes" , indicating successful permission validation.
If any command returns "no" , verify the ClusterRole and ClusterRoleBinding configurations.
Run kubectl get clusterrolebinding ct7member-execution-role-binding -o yaml to confirm role bindings.
Check for typos in role names or incorrect group associations.
Why This is Important?
Validates that CloudThrottle has the correct RBAC permissions before using the EKS cluster.
Ensures that CloudThrottle can list, retrieve, and create Kubernetes resources as expected.
Prevents deployment failures due to insufficient permissions .
Helps troubleshoot misconfigurations in RBAC settings before going live.
Step 5: Common Issues & Troubleshooting
⚠️ Common Issues & Troubleshooting
Issue: "Forbidden" Error When Testing Permissions
This error occurs when the CT7MemberExecutionRole does not have the required RBAC permissions or is missing from the aws-auth ConfigMap.
🛠️ Solution:
Verify that CT7MemberExecutionRole is correctly added to aws-auth ConfigMap.
kubectl get configmap -n kube-system aws-auth -o yaml
If the role is missing, edit the ConfigMap and add the correct IAM role:
kubectl edit configmap -n kube-system aws-auth
Ensure that the ClusterRoleBinding correctly associates the execution role:
kubectl get clusterrolebinding ct7member-execution-role-binding -o yaml
If needed, reapply the role configuration:
kubectl apply -f rbac-roles.yaml
✅ Why This is Important?
Helps quickly diagnose misconfigured roles in RBAC.
Ensures that CloudThrottle has the required access to manage Kubernetes resources .
Prevents unexpected permission errors that may block deployments.
Reduces debugging time by providing a step-by-step validation process.
Step 6: Best Practices & Security Considerations
✅ Best Practices & Security Considerations
✅ Follow the Principle of Least Privilege (PoLP) – Grant only necessary permissions.
✅ Regularly review IAM and RBAC policies to prevent security vulnerabilities.
✅ Enable AWS CloudTrail and Kubernetes audit logs to track access and modifications.
✅ Restrict IAM role assumption to trusted AWS accounts to prevent unauthorized access.
✅ Enable Multi-Factor Authentication (MFA) for IAM users and roles to strengthen access security.
✅ Monitor and Rotate IAM Credentials Regularly to minimize security risks.
✅ Use Kubernetes Network Policies to restrict and control pod-to-pod communication.
✅ Restrict Public Access to EKS API Server unless explicitly required.
✅ Enable AWS GuardDuty for Threat Detection to identify suspicious activities.
Budget Override and Add Funds Instructions on how to set up a budget Override amount and Add funds to the existing budget.
Read article
Vendor Setup This instruction will help you setup Vendor aka Cloud Service Provider/Reseller/CSP Channel Partner information in the CloudThrottle
Read article
