
[EKS] [request]: Ability to create custom EKS access policies

Open kpanic9 opened this issue 1 year ago • 8 comments

Tell us about your request

We have recently started using EKS access entries to allow IAM entities to access the EKS cluster control plane. But at the moment there are only a few predefined access policies we can use. We would like to have the ability to create custom access policies.

Which service(s) is this request for? EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

We are a platform team building EKS clusters for application teams. When we provision an EKS cluster, we would like to provide controlled access (beyond what's available in predefined access policies, e.g. to a specific namespace and to a specific set of resources) to the dev teams using the cluster at the time of provisioning the clusters. The current solution we use has the necessary configurations in a few places, done in different stages. It would be great if we could provision dev team access while provisioning the clusters.

Are you currently working around this issue? How are you currently solving this problem?

At the moment we are solving this problem by creating K8s RBAC resources and assigning K8s group names to IAM entities using access entries.

kpanic9 avatar Aug 14 '24 00:08 kpanic9

Would love to see this feature as well

tkimble-cafeyn avatar Sep 11 '24 09:09 tkimble-cafeyn

I'd love to see this capability added as well!!

seifrajhi avatar Sep 11 '24 13:09 seifrajhi

This would be amazing to have. Pretty please.

janquijano avatar Sep 20 '24 03:09 janquijano

We really miss this feature.

nv30 avatar Sep 26 '24 17:09 nv30

This could also be a solution to the limitation of the existing access policies, which do not include escalate and bind verbs. Because of this, no access policy other than AmazonEKSClusterAdminPolicy is capable of creating (Cluster)Roles / (Cluster)RoleBindings.

atheiman avatar Nov 05 '24 20:11 atheiman

We were blocked by this as well, as AmazonEKSClusterAdminPolicy can't create Roles in its namespace...

radsto avatar Jan 10 '25 10:01 radsto

I would love this feature and here is my use case: I have an automated workflow to update the application/applicationset ArgoCD CRD, but since this is CRD scoped, there is no other cluster-access-policy except for AmazonEKSClusterAdminPolicy or some other compute roles, which are way too broad for my use case.

sungmincs avatar Feb 02 '25 17:02 sungmincs

🆙 Same problem here with external-secrets CRDs :/ Is there any plan to allow customization please?

openl4m4 avatar May 19 '25 14:05 openl4m4

You can use EKS access policies in combination with Kubernetes RBAC to manage cluster access and permissions effectively.

minhtutnyein avatar Nov 13 '25 13:11 minhtutnyein
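
The workaround described in the original issue and in the last comment (Kubernetes RBAC plus an access entry that maps an IAM principal to a Kubernetes group), sketched for the Argo CD use case mentioned in the thread. This is an added example, not code from any participant or from the EKS project. The function names, the Role name `argocd-app-editor`, the group `argocd-app-editors`, the namespace `argocd`, and the cluster name and ARN in the usage comment are all assumptions.

```bash
# Added example. All names and the ARN in the usage comment are constructed.
# Guard chosen for this example: never map a principal to an empty or
# built-in "system:" group such as system:masters.
validate_group() {
  case "$1" in
    ""|system:*) echo "refusing group name: '$1'" >&2; return 1 ;;
  esac
}

# Emit a namespaced Role + RoleBinding limited to the Argo CD custom resources.
# No create/delete and no escalate/bind verbs are granted.
render_rbac() {
  local ns="$1" group="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-app-editor
  namespace: ${ns}
rules:
  - apiGroups: ["argoproj.io"]
    resources: ["applications", "applicationsets"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-app-editor
  namespace: ${ns}
subjects:
  - kind: Group
    name: ${group}
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: argocd-app-editor
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the RBAC objects, then create an access entry that only assigns the
# group; no EKS access policy is associated with the principal.
grant_access() {
  local cluster="$1" principal_arn="$2" ns="$3" group="$4"
  validate_group "$group" || return 1
  render_rbac "$ns" "$group" | kubectl apply -f -
  aws eks create-access-entry --cluster-name "$cluster" \
    --principal-arn "$principal_arn" --kubernetes-groups "$group"
}
# grant_access demo-cluster arn:aws:iam::111122223333:role/ci-deployer argocd argocd-app-editors
```

Because the access entry carries only a group name, everything the principal can do is defined by the RoleBinding, which is why the thread describes the configuration as living in more than one place.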