sigs.k8s.io/cluster-api-provider-aws@v1.5.5/docs/book/src/topics/eks/eks-console.md (about)

# EKS Console

To use the [Amazon EKS Console](https://docs.aws.amazon.com/eks/latest/userguide/view-workloads.html) to view workloads running in an EKS cluster created using the AWS provider (CAPA), you can do the following:

1. Create a new policy with the required IAM permissions for the console. This [example](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_id-based-policy-examples.html#policy_example3) can be used. For example, a policy called `EKSViewNodesAndWorkloads`.

2. Assign the policy created in step 1 to an IAM user or role for the users of your EKS cluster.

3. Map the IAM user or role from step 2 to a Kubernetes user that has the RBAC permissions to view the Kubernetes resources. This needs to be done via the `aws-auth` configmap (used by `aws-iam-authenticator`), which is generated by the AWS provider. This mapping can be specified in the `AWSManagedControlPlane`, for example:

```yaml
kind: AWSManagedControlPlane
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
metadata:
  name: "capi-managed-test-control-plane"
spec:
  region: "eu-west-2"
  sshKeyName: "capi-management"
  version: "v1.18.0"
  iamAuthenticatorConfig:
    mapRoles:
    - username: "kubernetes-admin"
      rolearn: "arn:aws:iam::1234567890:role/AdministratorAccess"
      groups:
      - "system:masters"
```

> In the sample above the **arn:aws:iam::1234567890:role/AdministratorAccess** IAM role has the **EKSViewNodesAndWorkloads** policy attached (created in step 1).
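
The sample above maps the role to `system:masters`, which grants unrestricted cluster-admin access, more than viewing workloads in the console requires. The following is an added example, not part of the original CAPA documentation, showing a read-only variant of the same mapping. The IAM role `EKSConsoleViewer`, the username `eks-console-viewer`, and the group, ClusterRole and ClusterRoleBinding name `eks-console-viewers` are hypothetical names chosen for illustration, and the resource list is an assumed minimum to extend as needed.

```yaml
# Added example: least-privilege variant of the mapping above.
# All "eks-console-viewer(s)" / "EKSConsoleViewer" names are hypothetical.
kind: AWSManagedControlPlane
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
metadata:
  name: "capi-managed-test-control-plane"
spec:
  region: "eu-west-2"
  sshKeyName: "capi-management"
  version: "v1.18.0"
  iamAuthenticatorConfig:
    mapRoles:
    - username: "eks-console-viewer"
      rolearn: "arn:aws:iam::1234567890:role/EKSConsoleViewer"
      groups:
      - "eks-console-viewers"   # custom group instead of system:masters
---
# Applied in the workload cluster: read-only access for the mapped group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eks-console-viewers
rules:
- apiGroups: [""]
  resources: ["nodes", "namespaces", "pods"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
  verbs: ["get", "list"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list"]
---
# Binds the group named in mapRoles to the read-only ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-console-viewers
subjects:
- kind: Group
  name: eks-console-viewers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: eks-console-viewers
  apiGroup: rbac.authorization.k8s.io
```

The group name under `mapRoles` must match the `subjects` entry in the ClusterRoleBinding exactly; a mismatch leaves the role authenticated but with no permissions.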