AWS EKS and RBAC

I've recently been playing about with AWS's Elastic Kubernetes Service. One of the nice features it provides is a mapping between IAM users and Kubernetes users/groups. Even an IAM role with no permissions can serve as a way to access just your EKS cluster.

EKS is still fairly new; at the time of writing it has only recently been made available in eu-west-1. Because of this, it was hard to find a good explanation of RBAC permissions for someone new to both Kubernetes and EKS. Alejandro Millan Frias has a really good write-up of what I was trying to achieve.

Namespaces allow you to create virtual clusters backed by the same physical cluster. A popular feature of namespaces is to create resource quotas where you can limit the amount of resources assigned.

You may want to allow specific IAM users to manage only a single Kubernetes namespace, preventing them from interacting with other namespaces.

Amazon EKS uses aws-iam-authenticator for authentication and Kubernetes Role Based Access Control (RBAC) for authorization. In our example we will set up an IAM role for authentication and assign an RBAC role to scope the API calls allowed.

How to manage only specific namespaces with IAM users in Amazon EKS
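
The setup described above, sketched as manifests. This is an added example, not taken from this post or the linked write-up; the account ID, role ARNs, user, group, namespace and object names are constructed placeholders.

```yaml
# 1) Authentication: map the IAM role to a Kubernetes user and group.
#    The aws-auth ConfigMap already exists on an EKS cluster. Add the new
#    entry to its mapRoles list and keep the worker-node entry, otherwise
#    the nodes can no longer join the cluster.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/PLACEHOLDER-node-instance-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::111122223333:role/eks-dev-namespace  # needs no IAM policies
      username: dev-user
      groups:
        - dev-namespace-admins   # matched by the RoleBinding below
---
# 2) Authorization: a Role exists only inside one namespace, so nothing
#    granted here applies to any other namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-namespace-admin
  namespace: dev
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["pods", "pods/log", "services", "configmaps", "deployments", "replicasets", "jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# 3) Bind the Role to the group the IAM role was mapped to.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-namespace-admin-binding
  namespace: dev
subjects:
  - kind: Group
    name: dev-namespace-admins
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-namespace-admin
  apiGroup: rbac.authorization.k8s.io
```

A cluster admin can check the scoping with `kubectl auth can-i list pods --namespace dev --as dev-user --as-group dev-namespace-admins`, which should answer yes, while the same query against `--namespace kube-system` should answer no.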