Goal

Deploy an EKS cluster in each of two AWS accounts and provide cross-account access between the EKS/K8s/AWS resources.

Scenario #1

EKS RBAC with Cross IAM

Pre-Requisites

You must have two AWS accounts to create the infrastructure resources on AWS cloud.

Deployment

Perform the steps below to deploy the architecture described above and achieve the following scenarios:

  1. Access S3 Bucket running in AWS-2 account from the Pod running in the AWS-1 account EKS cluster.
  2. Access the AWS-2 EKS API endpoint from the Pod running in the AWS-1 account EKS cluster.
  3. Access the Cluster IP service running in the AWS-2 EKS cluster from the Pod running in the AWS-1 account EKS cluster.

AWS-1

  1. Deploy an EKS cluster in the us-east-1 region private subnets with any cluster configuration that you choose! We just need an EKS cluster running with a simple configuration!
  2. Write a Dockerfile that installs the packages below, build the image and publish it to your preferred image registry such as ECR or DockerHub:
    1. Base Image: Amazonlinux
    2. Install kubectl
    3. Install aws cli
    4. Install telnet
    5. Install apache HTTP web server
    6. ENTRYPOINT to start the web server
  3. Deploy the application using the container image created in the previous step and also create a Cluster IP service to access the application.
  4. Ensure the application Pod is running fine and verify that the kubectl and aws cli commands are working fine.

AWS-2

  1. Deploy an EKS cluster in the us-east-1 region private subnets with any cluster configuration that you choose! We just need an EKS cluster running with a simple configuration!
  2. Deploy the application using the container image created in the previous steps.
  3. Create an S3 bucket with any name that you choose and upload a simple object file.

Scenario #1

Access S3 Bucket running in AWS-2 account from the Pod running in the AWS-1 account EKS cluster.

  1. Create an IAM role in the AWS-2 account and grant it access to the S3 bucket that you created previously.
  2. Create an IAM role in the AWS-1 account that is allowed to assume the AWS-2 IAM role created in the previous step.
  3. Create a Service Account in the AWS-1 EKS cluster.
  4. Allow the Service Account to assume the AWS-1 IAM role.
  5. Attach the Service Account to the Pod running in the AWS-1 EKS cluster – you will probably need to modify the deployment manifest and re-deploy.
  6. Execute the “aws s3 ls” command in the Pod running in AWS-1 EKS to ensure that the cross-account S3 bucket is accessible from the Pod.

Scenario # 2

Access the AWS-2 EKS API endpoint from the Pod running in the AWS-1 account EKS cluster.

  1. Create an IAM role in the AWS-2 account and grant it access to the AWS-2 EKS cluster that you created previously.
  2. Update the K8s RBAC to allow access for the IAM role created in the previous step.
  3. Create an IAM role in the AWS-1 account that is allowed to assume the AWS-2 IAM role created in the previous step.
  4. Create a Service Account in the AWS-1 EKS cluster.
  5. Allow the Service Account to assume the AWS-1 IAM role.
  6. Attach the Service Account to the Pod running in the AWS-1 EKS cluster – you will probably need to modify the deployment manifest and re-deploy.
  7. Execute the “kubectl get pods” command in the Pod running in AWS-1 EKS to ensure that the cross-account EKS API server is accessible from the Pod.
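The IAM role chain that Scenarios #1 and #2 share (EKS OIDC provider → AWS-1 pod role → AWS-2 role) is only as tight as its trust policies. The following is an added example, not part of the original exercise: it builds both trust documents from the cluster's OIDC issuer and the service account identity, emits the pod-side AWS CLI profile that performs the chaining, and runs a small check for trusts that let more than the intended service account assume the role. All account IDs, role names, namespace and the OIDC issuer URL are placeholders.

```python
# Added example: trust policies for the AWS-1 -> AWS-2 role chain plus a scoping check.
# Account IDs, role ARNs, namespace and OIDC issuer are constructed placeholders.
import json

def aws1_pod_role_trust(account_id, oidc_issuer, namespace, sa_name):
    """Trust for the AWS-1 role: only the cluster's OIDC provider may assume it, and
    only for tokens issued to the exact namespace/service account (the :sub claim)."""
    host_path = oidc_issuer.split("://", 1)[-1]  # oidc.eks.<region>.amazonaws.com/id/<ID>
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host_path}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host_path}:aud": "sts.amazonaws.com",
                f"{host_path}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            }},
        }],
    }

def aws2_role_trust(aws1_role_arn):
    """Trust for the AWS-2 role: only the specific AWS-1 pod role may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": aws1_role_arn},
                       "Action": "sts:AssumeRole"}],
    }

def pod_aws_config(aws1_role_arn, aws2_role_arn):
    """~/.aws/config inside the pod: profile aws1 signs in with the projected SA token,
    profile aws2 chains from it, so 'aws s3 ls --profile aws2' lists the AWS-2 bucket."""
    return ("[profile aws1]\n"
            f"role_arn = {aws1_role_arn}\n"
            "web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token\n"
            "[profile aws2]\n"
            f"role_arn = {aws2_role_arn}\n"
            "source_profile = aws1\n")

def trust_policy_findings(policy):
    """Defender's check: report anything that widens who may assume the role."""
    findings = []
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        if '"*"' in json.dumps(principal):
            findings.append("wildcard principal")
        if "Federated" in principal:
            keys = st.get("Condition", {}).get("StringEquals", {})
            if not any(k.endswith(":sub") for k in keys):
                findings.append("web identity trust without :sub (any SA in the cluster qualifies)")
            if not any(k.endswith(":aud") for k in keys):
                findings.append("web identity trust without :aud")
    return findings
```

Apply `aws1_pod_role_trust(...)` and `aws2_role_trust(...)` as the trust policies of the two roles from steps 1 and 2 or 3, and mount `pod_aws_config(...)` into the pod created in step 5 or 6.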

Scenario #3

Access the Cluster IP service running in the AWS-2 EKS cluster from the Pod running in the AWS-1 account EKS cluster.

  1. Deploy a Cluster IP service in the AWS-2 EKS cluster to access the application running in the AWS-2 EKS cluster.
  2. Create an Ingress object to access the Cluster IP service through an Internal Load Balancer.
  3. Set up VPC Peering or a Transit Gateway so that the Internal LB endpoint is reachable from the AWS-1 account.
  4. Run a curl command in the Pod running in AWS-1 EKS to check the application running in the AWS-2 EKS cluster pod.


Good Luck!
