Manage EKS system:masters members somehow #1031
The difficulty is that I'd prefer not to enumerate our AWS IAM user ARNs in |
I discussed what I want to do about this here, but I've run into snags while trying to implement it. Introducing readonly and admin IAM roles and using them in the |
Introduces a new module in `terraform/cluster_boostrap` which is responsible for provisioning a managed GKE or EKS Kubernetes cluster into a GCP project or AWS account provisioned by `isrg-cloud-bootstrap`. The bulk of the new module consists of the existing `eks` and `gke` modules, moved to a new location. We do this in a separate TF state to avoid configuring a TF provider with output from TF managed resources (see #1046 for details).

The following functionality is new:

- creation of an AWS ECR or Google Artifact Registry repository for container images via Terraform
- creation of a ClusterRoleBinding for the read-only group in EKS

This commit removes from `terraform/Makefile` management of the GCS bucket used to store the Terraform remote state. We now expect the bucket to have been created manually by the operator. This reduces the risk of bugs in `Makefile` targets accidentally destroying Terraform state.

Finally, we align documentation in `terraform/README.md` with docs introduced in isrg-cloud-bootstrap [1] and abetterinternet/docs [2].

[1] abetterinternet/isrg-cloud-bootstrap#1
[2] https://github.com/abetterinternet/docs/pull/10

Resolves #1046
Part of #1170
Part of #1031
@branlwyd and I learned last week that the AWS IAM user that creates an EKS cluster is automatically and invisibly added to a `system:masters` Kubernetes group, allowing management of Kubernetes cluster resources. However, other IAM users get no privileges, even if they have administrator privileges at the AWS layer, and must be explicitly added to the `kube-system/aws-auth` config map in an appropriate `mapUsers` section [1]. We should work out a way to manage this access via Terraform.
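As an added illustration of the mechanism described above (not code from this issue or the project), here is an `aws-auth` ConfigMap that maps IAM roles instead of enumerating per-user ARNs under `mapUsers`, together with a ClusterRoleBinding that gives the read-only group the built-in `view` ClusterRole. The account id, role ARNs and the `readonly` group name are placeholders chosen for the example.

```yaml
# Added example, not the project's own manifest. Account id, role names and
# the "readonly" group name are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Node instance role: needed for worker nodes to join the cluster.
    - rolearn: arn:aws:iam::123456789012:role/eks-node-instance-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # Assumed by cluster operators; membership is governed by who may
    # assume the role at the AWS IAM layer, not by this file.
    - rolearn: arn:aws:iam::123456789012:role/eks-admin
      username: admin:{{SessionName}}
      groups:
        - system:masters
    # Assumed by everyone else; only gets what the binding below grants.
    - rolearn: arn:aws:iam::123456789012:role/eks-readonly
      username: readonly:{{SessionName}}
      groups:
        - readonly
---
# Cluster-wide read access for the read-only group via the built-in view role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-view
subjects:
  - kind: Group
    name: readonly
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

The IAM principal that created the cluster keeps its implicit `system:masters` membership regardless of what this map contains, so auditing cluster admins means checking that principal as well as the map.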