kubectl edit configmap aws-auth --namespace kube-system
mapRoles: |
- rolearn: arn:aws:iam::${account number}:role/${iam role name}
username: ${user name}
mapUsers: |
- userarn: arn:aws:iam::${account number}:user/${iam user name}
username: ${user name}
groups:
- system:masters
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ${role name}
namespace: ${namespace}
rules:
- apiGroups:
- ""
resources:
- "namespaces"
verbs:
- "get"
- "list"
- apiGroups:
- ""
- "apps"
- "batch"
- "extensions"
- "autoscaling"
- "networking.k8s.io"
- "rbac.authorization.k8s.io"
- "networking.istio.io"
resources:
- "configmaps"
- "cronjobs"
- "deployments"
- "events"
- "ingresses"
- "jobs"
- "pods"
- "pods/attach"
- "pods/exec"
- "pods/log"
- "pods/portforward"
- "secrets"
- "services"
- "serviceaccounts"
- "persistentvolumeclaims"
- "horizontalpodautoscalers"
- "roles"
- "rolebindings"
- "endpoints"
- "statefulsets"
- "virtualservices"
- "destinationrules"
- "daemonsets"
- "replicasets"
- "replicationcontrollers"
verbs:
- "create"
- "delete"
- "describe"
- "get"
- "list"
- "patch"
- "update"
- "watch"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ${rolebinding name}
namespace: ${name space}
subjects:
- kind: User
name: ${user name}
roleRef:
kind: Role
name: ${role name}
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ${cluster role name}
labels:
rbac.example.com/aggregate-to-monitoring: "true"
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list", "watch", "get", "patch"]
- apiGroups: ["", "storage.k8s.io"]
resources: [ "storageclasses" , "persistentvolumes"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ${cluster role binding name}
subjects:
- kind: User
name: ${user name}
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: ${cluster role name}
apiGroup: rbac.authorization.k8s.io
