Configure access to your K8s cluster
Learn how to create access controls and view your cluster using kubectl, K9s, and eksctl
This document walks you through setting up a user to get access to an EKS release cluster.
- AWS: Amazon Web Services
- IAM: Identity and Access Management
- EKS: Elastic Kubernetes Service
- ARN: Amazon Resource Name
- OAuth/SAML: Open Authorization/Security Assertion Markup Language, methods for identifying and authorising users and applications
Before you continue, you will need the following:
- IAM credentials for someone who already has administrator privileges or who is already listed in the EKS configuration map as an administrator.
- The role or user ARN that identifies the user (looks like arn:aws:iam::ACCTID:user/USERNAME).
- An existing kubeconfig file for the EKS cluster.
- If you do not have an existing kubeconfig file, generate one by following the initial steps for the end user.
- If you do not already have access to the cluster to generate a kubeconfig file, the original user or role credentials that created the cluster must be used. An AWS administrator should be able to generate the configuration. You can refer to AWS support or ask Release if they can specify which user or role created the cluster.
- AWS IAM credentials for your user or role in the account where the EKS cluster is running.
- The EKS cluster name and region.
These are the steps for administrators to grant access to the cluster. There are two ways to install privileges: using the K9s visual editor or using the command line.
- 1. Start up K9s and use the :namespace command to access the kube-system namespace as shown below:
- 2. Use the :configmap command to access the aws-auth configuration:
- 3. Find aws-auth and hit the e command to edit the file. Insert the user as shown below:
- 4. Copy and paste the section outlined in red above to create a new user. Be careful to edit the ARN correctly to allow the user to access the system. In this example, the users are administrators, but you can consult the documentation for Kubernetes to define default roles like viewers and ops users.
- 5. Save the file and then verify the changes by using the d (describe) command to view the document that was applied.
Follow the AWS documentation to carry out from the command line the same procedure shown visually above. The steps are the same:
- 1. Download the existing aws-auth configmap from the kube-system namespace.
- 2. Edit the mapUsers field and add the user.
- 3. Save the file.
- 4. Apply the changes to the cluster.
- 5. Verify the changes have been made.
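The K9s edit and the CLI steps above both come down to adding one list item under mapUsers. The following is an added example, not code from Release or AWS: it checks the ARN, builds that item, and runs the five steps with kubectl. The account ID, user name, file name and the release:viewers group are constructed, and it assumes the configmap is named aws-auth, as EKS names it.

```shell
#!/usr/bin/env bash
# Added example. Account ID, user name and group names are constructed.

# Succeeds only for a well-formed IAM user ARN:
#   arn:aws:iam::<12-digit account>:user/<name>
# A transposed prefix or a short account ID is rejected before it can
# reach the configmap, where it would silently map nobody.
is_iam_user_arn() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws:iam::[0-9]{12}:user/[A-Za-z0-9+=,.@_/-]+$'
}

# Print the mapUsers list item for one user and one Kubernetes group.
# The username is taken from the last path segment of the ARN.
map_user_entry() {
  local arn="$1" group="$2"
  is_iam_user_arn "$arn" || { echo "invalid IAM user ARN: $arn" >&2; return 1; }
  printf '%s\n' "- userarn: $arn" "  username: ${arn##*/}" \
    "  groups:" "    - $group"
}

# Steps 1-5 of the CLI procedure. Defined only; call it yourself.
grant_access() {
  local arn="$1" group="$2" file=aws-auth.yaml entry
  entry=$(map_user_entry "$arn" "$group") || return 1
  kubectl -n kube-system get configmap aws-auth -o yaml > "$file"  # 1. download
  cp "$file" "$file.bak"               # copy to re-apply if the edit goes wrong
  echo "Add under data.mapUsers, indented like the existing entries:"
  echo "$entry"
  "${EDITOR:-vi}" "$file"                                          # 2-3. edit, save
  kubectl apply -f "$file"                                         # 4. apply
  kubectl -n kube-system describe configmap aws-auth               # 5. verify
}

# Administrator, as in the walkthrough above:
#   grant_access arn:aws:iam::111122223333:user/alice system:masters
#
# Read-only alternative: bind a group (name is hypothetical) to the
# built-in "view" ClusterRole once, then map users to that group.
#   kubectl create clusterrolebinding release-viewers \
#     --clusterrole=view --group=release:viewers
#   grant_access arn:aws:iam::111122223333:user/alice release:viewers
```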
Assuming that you have been added to the cluster configmap and that you have the prerequisites installed, you can gain access to the cluster to view status and logs, and to perform other tasks you have permissions for.
Have your AWS credentials available in configuration files, in your environment variables, or in named profiles.
Follow the steps in the AWS configuration basics guide. The eksctl binary respects the usual configuration directives that the AWS CLI uses. This document assumes the default credentials are available. If you wish to specify a set of credentials other than default, you will need to specify them appropriately.
Your credentials will authenticate you as a user or role in the account and region where the EKS cluster is available. You may have a user role configured in a different account and then assume a role to the EKS cluster account, or you may have very complicated setups with OAuth or SAML integrations, which are beyond the scope of this document.
To generate your kubeconfig file, type the following where your eksctl binary is available and your AWS credentials are specified by default:
eksctl utils write-kubeconfig --cluster CLUSTERNAME --region REGION
We recommend that you use the K9s interface for visualization and viewing logs and status. Administrating the cluster from the K9s interface is also possible. Here are a few use cases we’ve found useful.
View application namespaces
You can use the :namespaces command and filter with the /release search to list applications running from the Release Environments as shown below:
View pods for a Release environment
You can then either click on a namespace or type the :pods command to view the applications in the Release Environment as shown below:
View logs for an application container in a Release environment
You can use the l (or logs) command to view what is happening in your application:
Access the container system (if available)
If you have sufficient privileges and configuration, use the s (or shell) command to enter the running container if available:
Exit K9s
Use the familiar VI controls to :quit the K9s application:
The CLI commands can be used to examine the state of the cluster, but we generally don't recommend using them to change settings or start or stop pods or services, as this should be handled by the Release website or our own CLI tool.
kubectl get namespaces
Remember that a namespace in Kubernetes maps to a Release environment.
kubectl get pods -n RELEASEENV
Remember that a pod in Kubernetes maps to a Release service in the environment.
kubectl logs -n RELEASEENV RELEASESERVICE