This Docker image lets you run `kubectl` (v1.28) commands against your AWS EKS cluster without installing anything locally. On start, the image runs `aws eks update-kubeconfig` for the named cluster and then executes `kubectl` with the arguments you provide. When running it, pass the following environment variables:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_DEFAULT_REGION
KUBE_CLUSTER_NAME
and pass the `kubectl` command on the command line. You can also create an alias for the command. For example, to get a list of deployments:

```sh
alias k-eks="docker run --rm -it --env-file ./.env leen15/eks-kubectl "
k-eks get deployments
```
This Docker image also includes kubecolor and dyff. For dyff's output to render correctly, pass the `--plain` flag (kubecolor's option for uncoloured output):

```sh
k-eks diff --plain -f dist
```
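The image's behaviour described above (check the environment, run `aws eks update-kubeconfig`, then hand over to `kubectl`) can be written as a small POSIX shell entrypoint. The script below is an added example, not the leen15/eks-kubectl project's own entrypoint; it assumes only the four environment variables the page requires and the real `aws eks update-kubeconfig --name/--region` flags.

```shell
#!/bin/sh
# Added example: a minimal entrypoint in the style the page describes
# (validate environment, `aws eks update-kubeconfig`, then exec kubectl).
# It is NOT the leen15/eks-kubectl project's own entrypoint; the variable
# names are the four the page requires.

REQUIRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION KUBE_CLUSTER_NAME"

# Print the names of required variables that are unset or empty, one per line.
# Empty output means the environment is complete.
missing_env() {
    for name in $REQUIRED_VARS; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || echo "$name"
    done
}

# Fetch the kubeconfig for the cluster and hand control to kubectl.
# Arguments are passed through untouched, so e.g. `diff --plain -f dist`
# reaches kubectl (and kubecolor) exactly as typed.
run_kubectl() {
    missing=$(missing_env)
    if [ -n "$missing" ]; then
        printf 'missing required environment variables:\n%s\n' "$missing" >&2
        return 2
    fi
    # --region is explicit so the kubeconfig does not depend on a default profile.
    aws eks update-kubeconfig --name "$KUBE_CLUSTER_NAME" --region "$AWS_DEFAULT_REGION" >/dev/null
    exec kubectl "$@"
}

# Only act when a kubectl command was supplied (e.g. `docker run ... get pods`).
if [ $# -gt 0 ]; then
    run_kubectl "$@"
fi
```

The kubeconfig that `update-kubeconfig` writes calls `aws eks get-token` on every `kubectl` invocation, so the same AWS variables must still be present when `kubectl` runs; inside the container they are, because `--env-file ./.env` sets them for the whole process. Failing fast on a missing variable gives a clear message instead of an opaque `Unauthorized` from the API server later.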
Two separate things have to be in place before `kubectl` works against EKS:
- Authentication (IAM: proving who you are)
- Authorization (Kubernetes RBAC, via the aws-auth mapping: what you may do)
To use the image, your IAM user needs the `eks:DescribeCluster` permission in order to obtain an authentication token for your cluster. For example, this IAM user policy will allow you to run `kubectl` commands against the cluster `my-cluster` in AWS account 123412341234:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "arn:aws:eks:us-east-1:123412341234:cluster/my-cluster"
    }
  ]
}
```
With the above policy you can authenticate to the EKS cluster. You also need to be authorized to run `kubectl` commands, which is controlled inside the cluster by the `aws-auth` ConfigMap in the `kube-system` namespace: it maps IAM identities to Kubernetes users and groups, and Kubernetes RBAC then decides what those groups may do. For example, run `kubectl edit configmap/aws-auth --namespace=kube-system` to add your new IAM user (`somenewuser`). The configuration below gives the new user full cluster access; in a production system, do not add the user to the `system:masters` group. Instead, map the user to a dedicated group and bind that group to finer-grained RBAC roles.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # IAM roles (e.g. the worker node role) go under mapRoles.
  mapRoles: |
    - groups:
        - system:bootstrappers
        - system:nodes
      rolearn: arn:aws:iam::123456789012:role/NodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}
  # IAM users go under mapUsers with userarn; a user ARN under mapRoles/rolearn
  # is never matched by the authenticator.
  mapUsers: |
    - groups:
        - system:masters
      userarn: arn:aws:iam::123456789012:user/somenewuser
      username: somenewuser
```
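The finer-grained alternative the text recommends, as an added example that is not part of the leen15/eks-kubectl project: map the IAM user into a dedicated Kubernetes group instead of `system:masters`, and bind that group to a namespaced Role that only allows reading deployments. The group name `eks-deploy-viewers` and the Role name `deployment-viewer` are illustrative; the account id and user name are the ones from the aws-auth example above, and `k_eks` is the page's alias rewritten as a function so manifests can be piped in.

```shell
#!/bin/sh
# Added example (not the project's own code): least-privilege mapping for
# somenewuser. Group and Role names are illustrative; the account id and
# user name are taken from the page's aws-auth example.

GROUP=eks-deploy-viewers

# Run kubectl through the image, like the page's k-eks alias
# (-i instead of -it so a manifest can be piped in on stdin).
k_eks() {
    docker run --rm -i --env-file ./.env leen15/eks-kubectl "$@"
}

# Fragment to place under `data:` in the aws-auth ConfigMap. An IAM *user* is
# mapped with mapUsers/userarn (mapRoles/rolearn is for IAM roles), and it is
# put in a custom group rather than system:masters.
render_aws_auth_entry() {
    cat <<EOF
mapUsers: |
  - userarn: arn:aws:iam::123456789012:user/somenewuser
    username: somenewuser
    groups:
      - $GROUP
EOF
}

# Role that only allows reading deployments in one namespace, bound to the group.
render_rbac() {
    ns="${1:-default}"
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-viewer
  namespace: $ns
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-viewer
  namespace: $ns
subjects:
  - kind: Group
    name: $GROUP
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-viewer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the RBAC objects; run this with an identity that already has admin rights.
apply_rbac() {
    render_rbac "${1:-default}" | k_eks apply -f -
}

# Check the effective permissions; run this with somenewuser's credentials in .env.
check_access() {
    k_eks auth can-i list deployments --namespace "${1:-default}"
    k_eks auth can-i delete deployments --namespace "${1:-default}"
}

case "${1:-}" in
    show)  render_aws_auth_entry; echo '---'; render_rbac "${2:-default}" ;;
    apply) apply_rbac "${2:-default}" ;;
    check) check_access "${2:-default}" ;;
esac
```

`sh least-privilege.sh show staging` prints the aws-auth fragment and the manifests for the `staging` namespace so they can be reviewed before `apply`. After the ConfigMap has been edited, `check` with the new user's credentials should answer `yes` to listing deployments and `no` to deleting them; binding to a Group rather than a User means additional IAM users can be granted the same access by adding them to the group in aws-auth without touching RBAC again.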
If your IAM credentials are valid but the IAM user is not mapped in `aws-auth` (authenticated, not authorized), you may see this error:

```
error: You must be logged in to the server (Unauthorized)
```

If the user is mapped but its Kubernetes RBAC permissions do not cover the request, you may see an error message like:

```
Error from server (Forbidden): pods is forbidden: User "somenewuser" cannot list resource "pods" in API group "" in the namespace "default"
```