Merge branch 'main' into mrgrain/chore/request-cli-integ-test-fix2

aws · Jul 26, 2023 · 9927379 · 9927379
2 parents da48efb + 3baffd8
commit 9927379
Showing 1 changed file with 68 additions and 0 deletions.
diff --git a/packages/aws-cdk-lib/aws-eks/README.md b/packages/aws-cdk-lib/aws-eks/README.md
@@ -928,6 +928,74 @@ declare const role: iam.Role;
 cluster.awsAuth.addMastersRole(role);
 ```
 
+To access the Kubernetes resources from the console, make sure your viewing principal is defined
+in the `aws-auth` ConfigMap. Some options to consider:
+
+```ts
+import { KubectlV27Layer } from '@aws-cdk/lambda-layer-kubectl-v27';
+declare const cluster: eks.Cluster;
+declare const your_current_role: iam.Role;
+declare const vpc: ec2.Vpc;
+
+// Option 1: Add your current assumed IAM role to system:masters. Make sure to add relevant policies.
+cluster.awsAuth.addMastersRole(your_current_role);
+
+your_current_role.addToPolicy(new iam.PolicyStatement({
+  actions: [
+    'eks:AccessKubernetesApi',
+    'eks:Describe*',
+    'eks:List*',
+],
+  resources: [ cluster.clusterArn ],
+}));
+```
+
+```ts
+// Option 2: create your custom mastersRole with scoped assumeBy arn as the Cluster prop. Switch to this role from the AWS console.
+import { KubectlV27Layer } from '@aws-cdk/lambda-layer-kubectl-v27';
+declare const vpc: ec2.Vpc;
+
+const mastersRole = new iam.Role(this, 'MastersRole', {
+  assumedBy: new iam.ArnPrincipal('arn_for_trusted_principal'),
+});
+
+const cluster = new eks.Cluster(this, 'EksCluster', {
+  vpc,
+  version: eks.KubernetesVersion.V1_27,
+  kubectlLayer: new KubectlV27Layer(this, 'KubectlLayer'),
+  mastersRole,
+});
+
+mastersRole.addToPolicy(new iam.PolicyStatement({
+  actions: [
+    'eks:AccessKubernetesApi',
+    'eks:Describe*',
+    'eks:List*',
+],
+  resources: [ cluster.clusterArn ],
+}));
+```
+
+```ts
+// Option 3: Create a new role that allows the account root principal to assume. Add this role in the `system:masters` and witch to this role from the AWS console.
+declare const cluster: eks.Cluster;
+
+const consoleReadOnlyRole = new iam.Role(this, 'ConsoleReadOnlyRole', {
+  assumedBy: new iam.ArnPrincipal('arn_for_trusted_principal'),
+});
+consoleReadOnlyRole.addToPolicy(new iam.PolicyStatement({
+  actions: [
+    'eks:AccessKubernetesApi',
+    'eks:Describe*',
+    'eks:List*',
+],
+  resources: [ cluster.clusterArn ],
+}));
+
+// Add this role to system:masters RBAC group
+cluster.awsAuth.addMastersRole(consoleReadOnlyRole)
+```
+
 ### Cluster Security Group
 
 When you create an Amazon EKS cluster, a [cluster security group](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)