Help improve this page
Want to contribute to this user guide? Choose the Edit this page on GitHub link that is located in the right pane of every page. Your contributions will help make our user guide better for everyone.
Review access policy permissions
Access policies include rules
that contain Kubernetes
verbs
(permissions) and resources
. Access policies don’t include IAM permissions or resources. Similar to Kubernetes
Role
and ClusterRole
objects, access policies only include allow
rules
. You can’t modify the contents of an access policy. You can’t create your own access policies. If the permissions in the access policies don’t meet your needs, then create Kubernetes RBAC objects and specify group names for your access entries. For more information, see Create access entries. The permissions contained in access policies are similar to the permissions in the Kubernetes user-facing cluster roles. For more information, see User-facing roles
Choose any access policy to see its contents. Each row of each table in each access policy is a separate rule.
AmazonEKSAdminPolicy
This access policy includes permissions that grant an IAM principal most permissions to resources. When associated to an access entry, its access scope is typically one or more Kubernetes namespaces. If you want an IAM principal to have administrator access to all resources on your cluster, associate the AmazonEKSClusterAdminPolicy access policy to your access entry instead.
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy
Kubernetes API groups | Kubernetes resources | Kubernetes verbs (permissions) |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AmazonEKSClusterAdminPolicy
This access policy includes permissions that grant an IAM principal administrator access to a cluster. When associated to an access entry, its access scope is typically the cluster, rather than a Kubernetes namespace. If you want an IAM principal to have a more limited administrative scope, consider associating the AmazonEKSAdminPolicy access policy to your access entry instead.
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy
Kubernetes API groups | Kubernetes nonResourceURLs | Kubernetes resources | Kubernetes verbs (permissions) |
---|---|---|---|
|
|
|
|
|
|
AmazonEKSAdminViewPolicy
This access policy includes permissions that grant an IAM principal access to list/view all resources in a cluster. Note this includes Kubernetes Secrets.
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy
Kubernetes API groups | Kubernetes resources | Kubernetes verbs (permissions) |
---|---|---|
|
|
|
AmazonEKSEditPolicy
This access policy includes permissions that allow an IAM principal to edit most Kubernetes resources.
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSEditPolicy
Kubernetes API groups | Kubernetes resources | Kubernetes verbs (permissions) |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AmazonEKSViewPolicy
This access policy includes permissions that allow an IAM principal to view most Kubernetes resources.
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSViewPolicy
Kubernetes API groups | Kubernetes resources | Kubernetes verbs (permissions) |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AmazonEKSAutoNodePolicy
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSAutoNodePolicy
This policy includes the following permissions that allow Amazon EKS components to complete the following tasks:
-
kube-proxy
– Monitor network endpoints and services, and manage related events. This enables cluster-wide network proxy functionality. -
ipamd
– Manage Amazon VPC networking resources and container network interfaces (CNI). This allows the IP address management daemon to handle pod networking. -
coredns
– Access service discovery resources like endpoints and services. This enables DNS resolution within the cluster. -
ebs-csi-driver
– Work with storage-related resources for Amazon EBS volumes. This allows dynamic provisioning and attachment of persistent volumes. -
neuron
– Monitor nodes and pods for Amazon Neuron devices. This enables management of Amazon Inferentia and Trainium accelerators. -
node-monitoring-agent
– Access node diagnostics and events. This enables cluster health monitoring and diagnostics collection.
Each component uses a dedicated service account and is restricted to only the permissions required for its specific function.
If you manually specifiy a Node IAM role in a NodeClass, you need to create an Access Entry that associates the new Node IAM role with this Access Policy.
AmazonEKSBlockStoragePolicy
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSBlockStoragePolicy
This policy includes permissions that allow Amazon EKS to manage leader election and coordination resources for storage operations:
-
coordination.k8s.io
– Create and manage lease objects for leader election. This enables EKS storage components to coordinate their activities across the cluster through a leader election mechanism.
The policy is scoped to specific lease resources used by the EKS storage components to prevent conflicting access to other coordination resources in the cluster.
Amazon EKS automatically creates an access entry with this access policy for the cluster IAM role when Auto Mode is enabled, ensuring that the necessary permissions are in place for the block storage capability to function properly.
AmazonEKSLoadBalancingPolicy
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSLoadBalancingPolicy
This policy includes permissions that allow Amazon EKS to manage leader election resources for load balancing:
-
coordination.k8s.io
– Create and manage lease objects for leader election. This enables EKS load balancing components to coordinate activities across multiple replicas by electing a leader.
The policy is scoped specifically to load balancing lease resources to ensure proper coordination while preventing access to other lease resources in the cluster.
Amazon EKS automatically creates an access entry with this access policy for the cluster IAM role when Auto Mode is enabled, ensuring that the necessary permissions are in place for the networking capability to function properly.
AmazonEKSNetworkingPolicy
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSNetworkingPolicy
This policy includes permissions that allow Amazon EKS to manage leader election resources for networking:
-
coordination.k8s.io
– Create and manage lease objects for leader election. This enables EKS networking components to coordinate IP address allocation activities by electing a leader.
The policy is scoped specifically to networking lease resources to ensure proper coordination while preventing access to other lease resources in the cluster.
Amazon EKS automatically creates an access entry with this access policy for the cluster IAM role when Auto Mode is enabled, ensuring that the necessary permissions are in place for the networking capability to function properly.
AmazonEKSComputePolicy
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSComputePolicy
This policy includes permissions that allow Amazon EKS to manage leader election resources for compute operations:
-
coordination.k8s.io
– Create and manage lease objects for leader election. This enables EKS compute components to coordinate node scaling activities by electing a leader.
The policy is scoped specifically to compute management lease resources while allowing basic read access (get
, watch
) to all lease resources in the cluster.
Amazon EKS automatically creates an access entry with this access policy for the cluster IAM role when Auto Mode is enabled, ensuring that the necessary permissions are in place for the networking capability to function properly.
AmazonEKSBlockStorageClusterPolicy
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSBlockStorageClusterPolicy
This policy grants permissions necessary for the block storage capability of Amazon EKS Auto Mode. It enables efficient management of block storage resources within Amazon EKS clusters. The policy includes the following permissions:
CSI Driver Management:
-
Create, read, update, and delete CSI drivers, specifically for block storage.
Volume Management:
-
List, watch, create, update, patch, and delete persistent volumes.
-
List, watch, and update persistent volume claims.
-
Patch persistent volume claim statuses.
Node and Pod Interaction:
-
Read node and pod information.
-
Manage events related to storage operations.
Storage Classes and Attributes:
-
Read storage classes and CSI nodes.
-
Read volume attribute classes.
Volume Attachments:
-
List, watch, and modify volume attachments and their statuses.
Snapshot Operations:
-
Manage volume snapshots, snapshot contents, and snapshot classes.
-
Handle operations for volume group snapshots and related resources.
This policy is designed to support comprehensive block storage management within Amazon EKS clusters running in Auto Mode. It combines permissions for various operations including provisioning, attaching, resizing, and snapshotting of block storage volumes.
Amazon EKS automatically creates an access entry with this access policy for the cluster IAM role when Auto Mode is enabled, ensuring that the necessary permissions are in place for the block storage capability to function properly.
AmazonEKSComputeClusterPolicy
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSComputeClusterPolicy
This policy grants permissions necessary for the compute management capability of Amazon EKS Auto Mode. It enables efficient orchestration and scaling of compute resources within Amazon EKS clusters. The policy includes the following permissions:
Node Management:
-
Create, read, update, delete, and manage status of NodePools and NodeClaims.
-
Manage NodeClasses, including creation, modification, and deletion.
Scheduling and Resource Management:
-
Read access to pods, nodes, persistent volumes, persistent volume claims, replication controllers, and namespaces.
-
Read access to storage classes, CSI nodes, and volume attachments.
-
List and watch deployments, daemon sets, replica sets, and stateful sets.
-
Read pod disruption budgets.
Event Handling:
-
Create, read, and manage cluster events.
Node Deprovisioning and Pod Eviction:
-
Update, patch, and delete nodes.
-
Create pod evictions and delete pods when necessary.
Custom Resource Definition (CRD) Management:
-
Create new CRDs.
-
Manage specific CRDs related to node management (NodeClasses, NodePools, NodeClaims, and NodeDiagnostics).
This policy is designed to support comprehensive compute management within Amazon EKS clusters running in Auto Mode. It combines permissions for various operations including node provisioning, scheduling, scaling, and resource optimization.
Amazon EKS automatically creates an access entry with this access policy for the cluster IAM role when Auto Mode is enabled, ensuring that the necessary permissions are in place for the compute management capability to function properly.
AmazonEKSLoadBalancingClusterPolicy
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSLoadBalancingClusterPolicy
This policy grants permissions necessary for the load balancing capability of Amazon EKS Auto Mode. It enables efficient management and configuration of load balancing resources within Amazon EKS clusters. The policy includes the following permissions:
Event and Resource Management:
-
Create and patch events.
-
Read access to pods, nodes, endpoints, and namespaces.
-
Update pod statuses.
Service and Ingress Management:
-
Full management of services and their statuses.
-
Comprehensive control over ingresses and their statuses.
-
Read access to endpoint slices and ingress classes.
Target Group Bindings:
-
Create and modify target group bindings and their statuses.
-
Read access to ingress class parameters.
Custom Resource Definition (CRD) Management:
-
Create and read all CRDs.
-
Specific management of targetgroupbindings.eks.amazonaws.com and ingressclassparams.eks.amazonaws.com CRDs.
Webhook Configuration:
-
Create and read mutating and validating webhook configurations.
-
Manage the eks-load-balancing-webhook configuration.
This policy is designed to support comprehensive load balancing management within Amazon EKS clusters running in Auto Mode. It combines permissions for various operations including service exposure, ingress routing, and integration with Amazon load balancing services.
Amazon EKS automatically creates an access entry with this access policy for the cluster IAM role when Auto Mode is enabled, ensuring that the necessary permissions are in place for the load balancing capability to function properly.
AmazonEKSNetworkingClusterPolicy
ARN –
arn:aws-cn:eks::aws:cluster-access-policy/AmazonEKSNetworkingClusterPolicy
AmazonEKSNetworkingClusterPolicy
This policy grants permissions necessary for the networking capability of Amazon EKS Auto Mode. It enables efficient management and configuration of networking resources within Amazon EKS clusters. The policy includes the following permissions:
Node and Pod Management:
-
Read access to NodeClasses and their statuses.
-
Read access to NodeClaims and their statuses.
-
Read access to pods.
CNI Node Management:
-
Permissions for CNINodes and their statuses, including create, read, update, delete, and patch.
Custom Resource Definition (CRD) Management:
-
Create and read all CRDs.
-
Specific management (update, patch, delete) of the cninodes.eks.amazonaws.com CRD.
Event Management:
-
Create and patch events.
This policy is designed to support comprehensive networking management within Amazon EKS clusters running in Auto Mode. It combines permissions for various operations including node networking configuration, CNI (Container Network Interface) management, and related custom resource handling.
The policy allows the networking components to interact with node-related resources, manage CNI-specific node configurations, and handle custom resources critical for networking operations in the cluster.
Amazon EKS automatically creates an access entry with this access policy for the cluster IAM role when Auto Mode is enabled, ensuring that the necessary permissions are in place for the networking capability to function properly.
AmazonEKSHybridPolicy
This access policy includes permissions that grant EKS access to the nodes of a cluster. When associated to an access entry, its access scope is typically the cluster, rather than a Kubernetes namespace. This policy is used by Amazon EKS hybrid nodes.
ARN – arn:aws:eks::aws:cluster-access-policy/AmazonEKSHybridPolicy
Kubernetes API groups | Kubernetes nonResourceURLs | Kubernetes resources | Kubernetes verbs (permissions) |
---|---|---|---|
|
|
|
Access policy updates
View details about updates to access policies, since they were introduced. For automatic alerts about changes to this page, subscribe to the RSS feed in Document history.
Change | Description | Date |
---|---|---|
Add policies for Amazon EKS Hybrid |
Publish |
December 2, 2024 |
Add policies for Amazon EKS Auto Mode |
These access policies give the Cluster IAM Role and Node IAM Role permission to call Kubernetes APIs. Amazon uses these to automate routine tasks for storage, compute, and networking resources. |
December 2, 2024 |
Add |
Add a new policy for expanded view access, including resources like Secrets. |
April 23, 2024 |
Access policies introduced. |
Amazon EKS introduced access policies. |
May 29, 2023 |