Cluster Access on EKS
Overview
Access to an EKS cluster involves two layers:
Authentication (AuthN) - Verifying who you are (IAM identity)
Authorization (AuthZ) - Determining what you can do (RBAC)
Access Vectors
| Method | Purpose | AuthN |
|---|---|---|
| kubectl | Kubernetes API (clusters, workloads) | IAM via `aws eks get-token` |
| Kubernetes API (direct) | Programmatic access | IAM |
| IRSA/Pod Identity | Pods accessing AWS services | IAM role |
| AWS SDK in pods | AWS API calls from workloads | IAM role |
Authentication Methods
Human Access
| Method | Setup | Use Case |
|---|---|---|
| AWS CLI + `aws eks update-kubeconfig` | IAM user/role with EKS access | Local development |
| AWS Console | IAM credentials | Web UI |
| Bastion host | EC2 in public subnet with IAM | Private clusters |
| CloudShell | Browser-based shell | Quick access, private clusters |
| Cloud9 IDE | IDE in VPC | Development with VPC access |
Workload Access (Pods)
| Method | Setup | Use Case |
|---|---|---|
| IRSA | OIDC provider + IAM role trust | Full AWS SDK access |
| Pod Identity | EKS-managed associations | Simpler than IRSA |
| Node IAM Role | Instance profile | Fallback (not recommended) |
IAM and RBAC Relationship
```
┌─────────────────────────────────────────────────────────────┐
│                     Access Decision Flow                    │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│   Request ──► IAM AuthN ──► Kubernetes RBAC ──► Allow/Deny  │
│                  │                  │                       │
│                  │                  │                       │
│           "Who are you?"      "What can you do              │
│            IAM role or         in this cluster?"            │
│            IAM user                                         │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
Default Access
| Principal | Access |
|---|---|
| Node IAM role | Workers can join cluster (via NodeAuthorizer) |
| IAM users/roles | No access by default |
| Service accounts | No permissions by default |
Cluster Endpoint Configuration
| Configuration | Public Endpoint | Private Endpoint | Access From |
|---|---|---|---|
| Public only | Enabled | Disabled | Internet |
| Public & Private | Enabled | Enabled | Internet + VPC (default) |
| Private only | Disabled | Enabled | VPC only |
See Endpoint Access Deep-Dive for detailed configuration options.
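As an added audit helper (not part of this page or of any AWS tool), the following Python applies the endpoint configuration above to the JSON that `aws eks describe-cluster` returns, and additionally flags a public endpoint whose allowed CIDRs cover the whole internet. The sample cluster document is constructed; the field names under `resourcesVpcConfig` are the real EKS API names.

```python
"""Audit an EKS cluster's API endpoint exposure from `aws eks describe-cluster` output."""
import ipaddress
import json

# Constructed sample in the shape `aws eks describe-cluster --name <cluster>` returns,
# trimmed to the fields this check reads.
SAMPLE_DESCRIBE_CLUSTER = json.dumps({
    "cluster": {
        "name": "example-cluster",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    }
})

# Endpoint configuration table from this page: (public, private) -> (mode, reachable from).
ENDPOINT_MODES = {
    (True, False): ("Public only", "Internet"),
    (True, True): ("Public & Private", "Internet + VPC"),
    (False, True): ("Private only", "VPC only"),
}


def audit_endpoint(describe_cluster_json: str) -> dict:
    """Classify the endpoint mode and flag a public endpoint that is not CIDR-restricted."""
    vpc = json.loads(describe_cluster_json)["cluster"]["resourcesVpcConfig"]
    public = bool(vpc.get("endpointPublicAccess", False))
    private = bool(vpc.get("endpointPrivateAccess", False))
    if (public, private) not in ENDPOINT_MODES:
        raise ValueError("EKS requires at least one endpoint to be enabled")
    mode, access_from = ENDPOINT_MODES[(public, private)]

    findings = []
    if public:
        # Assumption: an absent list means the service default, which is 0.0.0.0/0.
        cidrs = [ipaddress.ip_network(c, strict=False)
                 for c in vpc.get("publicAccessCidrs", ["0.0.0.0/0"])]
        # A /0 prefix (0.0.0.0/0 or ::/0) means no source restriction at all.
        unrestricted = [str(c) for c in cidrs if c.prefixlen == 0]
        if unrestricted:
            findings.append("public endpoint reachable from any address: "
                            + ", ".join(unrestricted))
    # Reachability alone grants nothing (IAM AuthN, then RBAC, still apply), but an
    # unrestricted public endpoint widens the surface exposed to leaked credentials.
    return {"mode": mode, "access_from": access_from, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(audit_endpoint(SAMPLE_DESCRIBE_CLUSTER), indent=2))
```

Pipe real output into it with `aws eks describe-cluster --name <cluster> --output json` and a short wrapper, or paste the JSON in place of the sample.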