Overhauled EKS access control

Update 2024-04-04: These changes have been rolled out to all clusters.

We’re overhauling the EKS auth system, which will result in a more flexible setup. This change should be transparent for you, but if you notice any new access-related issues, please let us know. This update has already been rolled out to non-production clusters, and the production update will soon happen (together with the 1.29 upgrade).

Under the hood we were using the aws-auth configmap to manage the IAM roles that are allowed to access the EKS cluster. This configmap’s purpose was to map IAM roles to K8s RBAC groups. Although this worked, it was a challenge and not very flexibly to properly manage through IaC. AWS recently introduced EKS Access Entries as an alternative to the configmap. This new method allows us to manage IAM roles and their permissions through the AWS API directly. As an added benefit we can also immediately attach default RBAC policies (like Edit, View) to the IAM roles.