Use case

Streamlined EKS Access Management with AWS SSO and Kubernetes RBAC

About the Customer

Finariq is a tech company that specializes in building cloud-based financial platforms for businesses. They are focused on providing secure and scalable solutions that empower financial institutions with tools to better manage compliance, fraud prevention, and onboarding processes.

Customer Challenge

Finariq was experiencing challenges in managing access control across their Amazon Elastic Kubernetes Service (EKS) clusters. With a growing team of developers, DevOps engineers, and administrators, it became essential to implement a secure, scalable, and fine-grained access management system that would prevent unauthorized access while ensuring that users could perform their roles effectively. The existing access control mechanisms were not flexible enough to enforce the principle of least privilege, which was a critical security requirement.

Finariq needed a centralized authentication solution integrated with their identity provider and AWS, allowing for streamlined role-based access control (RBAC) within Kubernetes. Failure to address these issues would risk unauthorized access to sensitive environments, delays in development due to misconfigured permissions, and potential security vulnerabilities across production and development environments.

Solution

IAMOPS provided a solution by integrating AWS Single Sign-On (SSO), now known as AWS IAM Identity Center, with Amazon EKS and Kubernetes RBAC. This approach allowed Finariq to manage access based on user groups while maintaining centralized control via AWS SSO.

1. Centralized Access Management:

  • IAMOPS set up AWS SSO to manage user authentication centrally. Different groups (Admin, Developer, DevOps, Viewer) were created in AWS SSO, which then integrated with Finariq’s existing identity provider (e.g., Google Workspace). This ensured that users authenticated through AWS SSO and were automatically assigned the correct roles within the EKS cluster based on their group membership.

2. RBAC and IAM Role Configuration:

  • AWS Identity and Access Management (IAM) roles were configured and mapped to Kubernetes ClusterRoles. By assigning roles such as ‘Admin’, ‘Developer’, ‘DevOps’, and ‘Viewer’, IAMOPS ensured that each user group had only the level of access it required. Admins could operate across all namespaces and perform any operation, while developers were restricted to specific environments and permissions. DevOps engineers had access similar to that of admins, while viewers had read-only permissions.

3. Automation of IAM Roles and Kubernetes Role Bindings:

  • IAMOPS automated the creation of these roles and bindings through predefined YAML manifests, ensuring seamless integration with Finariq’s EKS clusters. The aws-auth ConfigMap in the EKS cluster was updated to map IAM roles to the respective Kubernetes roles, ensuring that access levels were synchronized between AWS IAM and Kubernetes RBAC.
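The three steps above come together in two manifests: the aws-auth ConfigMap, which maps each IAM role (assumed by an SSO user) to a Kubernetes group, and the RBAC bindings that grant those groups their permissions. The following is an added illustration, not IAMOPS's or Finariq's own manifests; the account ID, role names, group names and the `dev` namespace are placeholders, and the bindings use the built-in `cluster-admin`, `edit` and `view` ClusterRoles to match the access levels described (DevOps is bound to the same role as Admin here, which is an assumption).

```yaml
# aws-auth ConfigMap: maps IAM roles assumed via AWS SSO / IAM Identity Center
# to Kubernetes groups. Account ID and role names are placeholders.
# Note: Identity Center creates roles under the path /aws-reserved/sso.amazonaws.com/;
# aws-auth does not accept paths in rolearn, so the path is omitted from the ARN.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/AWSReservedSSO_Admin_PLACEHOLDER
      username: admin:{{SessionName}}
      groups:
        - finariq:admins
    - rolearn: arn:aws:iam::111122223333:role/AWSReservedSSO_DevOps_PLACEHOLDER
      username: devops:{{SessionName}}
      groups:
        - finariq:devops
    - rolearn: arn:aws:iam::111122223333:role/AWSReservedSSO_Developer_PLACEHOLDER
      username: developer:{{SessionName}}
      groups:
        - finariq:developers
    - rolearn: arn:aws:iam::111122223333:role/AWSReservedSSO_Viewer_PLACEHOLDER
      username: viewer:{{SessionName}}
      groups:
        - finariq:viewers
---
# Admins and DevOps: any operation in any namespace (built-in cluster-admin).
# Granting a dedicated group is preferable to mapping the IAM role to
# system:masters, which cannot be revoked through RBAC.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: finariq-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: finariq:admins
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: finariq:devops
---
# Developers: write access confined to one environment. A namespaced RoleBinding
# that references the built-in "edit" ClusterRole grants edit only inside "dev".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: finariq-developers-edit
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: finariq:developers
---
# Viewers: read-only across the cluster (built-in "view" ClusterRole).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: finariq-viewers-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: finariq:viewers
```

Apply with `kubectl apply -f` and then verify the effective permissions before handing the cluster over, using impersonation from an admin session: `kubectl auth can-i create deployments -n dev --as developer:alice --as-group finariq:developers` should answer `yes`, while `kubectl auth can-i delete nodes --as developer:alice --as-group finariq:developers` and `kubectl auth can-i create pods -n dev --as viewer:bob --as-group finariq:viewers` should answer `no`. The group names in `mapRoles` and in the binding `subjects` must match exactly; a mismatch does not fail loudly, it simply leaves the user with no permissions, so this check is the quickest way to catch it.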

Below is the architecture used for the solution. The diagram shows how the different user groups (Admins, Developers, DevOps, and Viewers) authenticate through AWS SSO and are then mapped to the appropriate IAM roles, which in turn provide access to the EKS cluster according to Kubernetes RBAC.

[Architecture diagram: user groups → AWS SSO → IAM roles → EKS cluster (Kubernetes RBAC)]

Results & Benefits

By leveraging AWS SSO and Kubernetes RBAC, Finariq significantly enhanced the security and efficiency of managing access to their EKS environment. The key results include:

  • Improved Security: The centralized authentication mechanism through AWS SSO reduced the risk of unauthorized access and ensured compliance with best security practices.
  • Streamlined Access Control: Finariq reduced operational overhead by automating role-based access control for multiple user groups.
  • Enhanced Efficiency: Developers and DevOps teams could focus on their tasks without the need for manual intervention in access management, reducing downtime and increasing productivity.
  • Cost Efficiency: The automation of role assignments and bindings cut down the time spent managing user permissions, leading to a 30% reduction in administrative overhead.

About IAMOPS

IAMOPS is a full DevOps suite company that supports technology companies to achieve intense production readiness.

Our mission is to ensure that our clients’ infrastructure and CI/CD pipelines are scalable, mitigate failure points, optimize performance, ensure uptime, and minimize costs.

Our DevOps suite includes DevOps Core, NOC 24/7, FinOps, QA Automation, and DevSecOps to accelerate overall exponential growth.

As an AWS Advanced Tier Partner and Reseller, we focus on two key pillars: Professionalism by adhering to best practices and utilizing advanced technologies, and Customer Experience with responsiveness, availability, clear project management, and transparency to provide an exceptional experience for our clients.
