Add support for Access Entry type

examples/40-access-entries.yaml

@@ -6,7 +6,7 @@ kind: ClusterConfig
 metadata:
   name: access-entries-cluster
   region: us-west-2
-  version: '1.25'
+  version: '1.29'
 
 nodeGroups:
   - name: ng
@@ -17,6 +17,7 @@ accessConfig:
   authenticationMode: API
   accessEntries:
     - principalARN: arn:aws:iam::111122223333:user/my-user-name
+      type: STANDARD # optional Type
       kubernetesGroups: # optional Kubernetes groups
         - group1 # groups can used to give permissions via RBAC
         - group2
@@ -33,4 +34,6 @@ accessConfig:
       accessPolicies: # optional access polices
         - policyARN: arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy
           accessScope:
-            type: cluster
+            type: cluster
+    - principalARN:  arn:aws:iam::111122223333:role/role-name-2
+      type: EC2_LINUX

pkg/actions/accessentry/getter.go

@@ -81,7 +81,7 @@ func (aeg *Getter) getIndividualEntry(ctx context.Context, principalARN string)
 		p := api.AccessPolicy{
 			PolicyARN: api.MustParseARN(*policy.PolicyArn),
 			AccessScope: api.AccessScope{
-				Type:       string(policy.AccessScope.Type),
+				Type:       policy.AccessScope.Type,
 				Namespaces: policy.AccessScope.Namespaces,
 			},
 		}

pkg/apis/eksctl.io/v1alpha5/access_entry.go

@@ -6,15 +6,23 @@ import (
 	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
 )
 
 // AccessEntry represents an access entry for managing access to a cluster.
 type AccessEntry struct {
+	// existing IAM principal ARN to associate with an access entry
 	PrincipalARN ARN `json:"principalARN"`
+	// `EC2_LINUX`, `EC2_WINDOWS`, `FARGATE_LINUX` or `STANDARD`
+	// +optional
+	Type string `json:"type,omitempty"`
+	// set of Kubernetes groups to map to the principal ARN
 	// +optional
 	KubernetesGroups []string `json:"kubernetesGroups,omitempty"`
+	// username to map to the principal ARN
 	// +optional
 	KubernetesUsername string `json:"kubernetesUsername,omitempty"`
+	// set of policies to associate with an access entry
 	// +optional
 	AccessPolicies []AccessPolicy `json:"accessPolicies,omitempty"`
 }
@@ -27,14 +35,17 @@ type AccessPolicy struct {
 
 // AccessScope defines the scope of an access policy.
 type AccessScope struct {
-	Type string `json:"type"`
+	// `namespace` or `cluster`
+	Type ekstypes.AccessScopeType `json:"type"`
+	// Scope access to namespace(s)
 	// +optional
 	Namespaces []string `json:"namespaces,omitempty"`
 }
 
-// ARN provides custom unmarshalling for an AWS ARN.
 type ARN arn.ARN
 
+// ARN provides custom unmarshalling for an AWS ARN.
+
 // UnmarshalText implements encoding.TextUnmarshaler.
 func (a *ARN) UnmarshalText(arnStr []byte) error {
 	return a.set(string(arnStr))
@@ -92,6 +103,19 @@ func validateAccessEntries(accessEntries []AccessEntry) error {
 			return fmt.Errorf("%s.principalARN must be set to a valid AWS ARN", path)
 		}
 
+		switch ae.Type {
+		case "", "STANDARD":
+		case "EC2_LINUX", "EC2_WINDOWS", "FARGATE_LINUX":
+			if len(ae.KubernetesGroups) > 0 || ae.KubernetesUsername != "" {
+				return fmt.Errorf("cannot specify %s.kubernetesGroups nor %s.kubernetesUsername when type is set to %s", path, path, ae.Type)
+			}
+			if len(ae.AccessPolicies) > 0 {
+				return fmt.Errorf("cannot specify %s.accessPolicies when type is set to %s", path, ae.Type)
+			}
+		default:
+			return fmt.Errorf("invalid access entry type %q for %s", ae.Type, path)
+		}
+
 		for _, ap := range ae.AccessPolicies {
 			if ap.PolicyARN.IsZero() {
 				return fmt.Errorf("%s.policyARN must be set to a valid AWS ARN", path)
@@ -105,15 +129,14 @@ func validateAccessEntries(accessEntries []AccessEntry) error {
 				return fmt.Errorf("invalid %s.policyARN", path)
 			}
 
-			// TODO: use SDK enums.
 			switch typ := ap.AccessScope.Type; typ {
 			case "":
-				return fmt.Errorf("%s.accessScope.type must be set to either %q or %q", path, "namespace", "cluster")
-			case "cluster":
+				return fmt.Errorf("%s.accessScope.type must be set to either %q or %q", path, ekstypes.AccessScopeTypeNamespace, ekstypes.AccessScopeTypeCluster)
+			case ekstypes.AccessScopeTypeCluster:
 				if len(ap.AccessScope.Namespaces) > 0 {
 					return fmt.Errorf("cannot specify %s.accessScope.namespaces when accessScope is set to %s", path, typ)
 				}
-			case "namespace":
+			case ekstypes.AccessScopeTypeNamespace:
 				if len(ap.AccessScope.Namespaces) == 0 {
 					return fmt.Errorf("at least one namespace must be specified when accessScope is set to %s: (%s)", typ, path)
 				}

pkg/apis/eksctl.io/v1alpha5/access_entry_validation_test.go

@@ -37,7 +37,7 @@ var _ = DescribeTable("Access Entry validation", func(aet accessEntryTest) {
 					{
 						PolicyARN: api.MustParseARN("arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"),
 						AccessScope: api.AccessScope{
-							Type: "cluster",
+							Type: ekstypes.AccessScopeTypeCluster,
 						},
 					},
 				},
@@ -86,6 +86,65 @@ var _ = DescribeTable("Access Entry validation", func(aet accessEntryTest) {
 		expectedErr: `accessEntries[0].accessScope.type must be set to either "namespace" or "cluster"`,
 	}),
 
+	Entry("invalid type", accessEntryTest{
+		authenticationMode: ekstypes.AuthenticationModeApiAndConfigMap,
+		accessEntries: []api.AccessEntry{
+			{
+				PrincipalARN: api.MustParseARN("arn:aws:iam::111122223333:role/role-1"),
+				Type:         "ec2_linux",
+			},
+		},
+
+		expectedErr: `invalid access entry type "ec2_linux" for accessEntries[0]`,
+	}),
+
+	Entry("kubernetesGroups set for non-standard access entry type", accessEntryTest{
+		authenticationMode: ekstypes.AuthenticationModeApiAndConfigMap,
+		accessEntries: []api.AccessEntry{
+			{
+				PrincipalARN:     api.MustParseARN("arn:aws:iam::111122223333:role/role-1"),
+				Type:             "FARGATE_LINUX",
+				KubernetesGroups: []string{"dummy"},
+			},
+		},
+
+		expectedErr: `cannot specify accessEntries[0].kubernetesGroups nor accessEntries[0].kubernetesUsername when type is set to FARGATE_LINUX`,
+	}),
+
+	Entry("kubernetesUsername set for non-standard access entry type", accessEntryTest{
+		authenticationMode: ekstypes.AuthenticationModeApiAndConfigMap,
+		accessEntries: []api.AccessEntry{
+			{
+				PrincipalARN:       api.MustParseARN("arn:aws:iam::111122223333:role/role-1"),
+				Type:               "FARGATE_LINUX",
+				KubernetesUsername: "dummy",
+			},
+		},
+
+		expectedErr: `cannot specify accessEntries[0].kubernetesGroups nor accessEntries[0].kubernetesUsername when type is set to FARGATE_LINUX`,
+	}),
+
+	Entry("accessPolicies set for non-standard access entry type", accessEntryTest{
+		authenticationMode: ekstypes.AuthenticationModeApiAndConfigMap,
+		accessEntries: []api.AccessEntry{
+			{
+				PrincipalARN: api.MustParseARN("arn:aws:iam::111122223333:role/role-1"),
+				Type:         "FARGATE_LINUX",
+				AccessPolicies: []api.AccessPolicy{
+					{
+						PolicyARN: api.MustParseARN("arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"),
+						AccessScope: api.AccessScope{
+							Type:       ekstypes.AccessScopeTypeNamespace,
+							Namespaces: []string{"default"},
+						},
+					},
+				},
+			},
+		},
+
+		expectedErr: `cannot specify accessEntries[0].accessPolicies when type is set to FARGATE_LINUX`,
+	}),
+
 	Entry("invalid accessScope.type", accessEntryTest{
 		authenticationMode: ekstypes.AuthenticationModeApiAndConfigMap,
 		accessEntries: []api.AccessEntry{
@@ -114,7 +173,7 @@ var _ = DescribeTable("Access Entry validation", func(aet accessEntryTest) {
 					{
 						PolicyARN: api.MustParseARN("arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"),
 						AccessScope: api.AccessScope{
-							Type:       "cluster",
+							Type:       ekstypes.AccessScopeTypeCluster,
 							Namespaces: []string{"kube-system"},
 						},
 					},
@@ -134,7 +193,7 @@ var _ = DescribeTable("Access Entry validation", func(aet accessEntryTest) {
 					{
 						PolicyARN: api.MustParseARN("arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"),
 						AccessScope: api.AccessScope{
-							Type: "namespace",
+							Type: ekstypes.AccessScopeTypeNamespace,
 						},
 					},
 				},
@@ -153,7 +212,7 @@ var _ = DescribeTable("Access Entry validation", func(aet accessEntryTest) {
 					{
 						PolicyARN: api.MustParseARN("arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"),
 						AccessScope: api.AccessScope{
-							Type: "cluster",
+							Type: ekstypes.AccessScopeTypeCluster,
 						},
 					},
 				},
@@ -164,7 +223,7 @@ var _ = DescribeTable("Access Entry validation", func(aet accessEntryTest) {
 					{
 						PolicyARN: api.MustParseARN("arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"),
 						AccessScope: api.AccessScope{
-							Type: "cluster",
+							Type: ekstypes.AccessScopeTypeCluster,
 						},
 					},
 				},
@@ -175,7 +234,7 @@ var _ = DescribeTable("Access Entry validation", func(aet accessEntryTest) {
 					{
 						PolicyARN: api.MustParseARN("arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"),
 						AccessScope: api.AccessScope{
-							Type:       "namespace",
+							Type:       ekstypes.AccessScopeTypeNamespace,
 							Namespaces: []string{"default"},
 						},
 					},
@@ -195,7 +254,7 @@ var _ = DescribeTable("Access Entry validation", func(aet accessEntryTest) {
 					{
 						PolicyARN: api.MustParseARN("arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"),
 						AccessScope: api.AccessScope{
-							Type: "cluster",
+							Type: ekstypes.AccessScopeTypeCluster,
 						},
 					},
 				},
@@ -206,7 +265,7 @@ var _ = DescribeTable("Access Entry validation", func(aet accessEntryTest) {
 					{
 						PolicyARN: api.MustParseARN("arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"),
 						AccessScope: api.AccessScope{
-							Type: "cluster",
+							Type: ekstypes.AccessScopeTypeCluster,
 						},
 					},
 				},
@@ -216,11 +275,21 @@ var _ = DescribeTable("Access Entry validation", func(aet accessEntryTest) {
 			},
 			{
 				PrincipalARN: api.MustParseARN("arn:aws:iam::111122223333:role/role-4"),
+				Type:         "EC2_LINUX",
+			},
+			{
+				PrincipalARN:       api.MustParseARN("arn:aws:iam::111122223333:role/role-5"),
+				Type:               "STANDARD",
+				KubernetesGroups:   []string{"dummy", "dummy"},
+				KubernetesUsername: "dummy",
+			},
+			{
+				PrincipalARN: api.MustParseARN("arn:aws:iam::111122223333:role/role-6"),
 				AccessPolicies: []api.AccessPolicy{
 					{
 						PolicyARN: api.MustParseARN("arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"),
 						AccessScope: api.AccessScope{
-							Type:       "namespace",
+							Type:       ekstypes.AccessScopeTypeNamespace,
 							Namespaces: []string{"default"},
 						},
 					},

pkg/apis/eksctl.io/v1alpha5/assets/schema.json

@@ -4,9 +4,7 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
     "ARN": {
-      "$ref": "#/definitions/github.com|aws|aws-sdk-go-v2|aws|arn.ARN",
-      "description": "provides custom unmarshalling for an AWS ARN.",
-      "x-intellij-html-description": "provides custom unmarshalling for an AWS ARN."
+      "$ref": "#/definitions/github.com|aws|aws-sdk-go-v2|aws|arn.ARN"
     },
     "AZSubnetMapping": {
       "additionalProperties": {
@@ -74,23 +72,37 @@
           "items": {
             "$ref": "#/definitions/AccessPolicy"
           },
-          "type": "array"
+          "type": "array",
+          "description": "set of policies to associate with an access entry",
+          "x-intellij-html-description": "set of policies to associate with an access entry"
         },
         "kubernetesGroups": {
           "items": {
             "type": "string"
           },
-          "type": "array"
+          "type": "array",
+          "description": "set of Kubernetes groups to map to the principal ARN",
+          "x-intellij-html-description": "set of Kubernetes groups to map to the principal ARN"
         },
         "kubernetesUsername": {
-          "type": "string"
+          "type": "string",
+          "description": "username to map to the principal ARN",
+          "x-intellij-html-description": "username to map to the principal ARN"
         },
         "principalARN": {
-          "$ref": "#/definitions/ARN"
+          "$ref": "#/definitions/ARN",
+          "description": "existing IAM principal ARN to associate with an access entry",
+          "x-intellij-html-description": "existing IAM principal ARN to associate with an access entry"
+        },
+        "type": {
+          "type": "string",
+          "description": "`EC2_LINUX`, `EC2_WINDOWS`, `FARGATE_LINUX` or `STANDARD`",
+          "x-intellij-html-description": "<code>EC2_LINUX</code>, <code>EC2_WINDOWS</code>, <code>FARGATE_LINUX</code> or <code>STANDARD</code>"
         }
       },
       "preferredOrder": [
         "principalARN",
+        "type",
         "kubernetesGroups",
         "kubernetesUsername",
         "accessPolicies"
@@ -122,10 +134,14 @@
           "items": {
             "type": "string"
           },
-          "type": "array"
+          "type": "array",
+          "description": "Scope access to namespace(s)",
+          "x-intellij-html-description": "Scope access to namespace(s)"
         },
         "type": {
-          "type": "string"
+          "$ref": "#/definitions/github.com|aws|aws-sdk-go-v2|service|eks|types.AccessScopeType",
+          "description": "`namespace` or `cluster`",
+          "x-intellij-html-description": "<code>namespace</code> or <code>cluster</code>"
         }
       },
       "preferredOrder": [
@@ -2524,6 +2540,9 @@
       "description": "captures the individual fields of an Amazon Resource Name. See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html for more information.",
       "x-intellij-html-description": "captures the individual fields of an Amazon Resource Name. See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html for more information."
     },
+    "github.com|aws|aws-sdk-go-v2|service|eks|types.AccessScopeType": {
+      "type": "string"
+    },
     "github.com|aws|aws-sdk-go-v2|service|eks|types.AuthenticationMode": {
       "type": "string"
     },

pkg/cfn/builder/access_entry.go

@@ -34,12 +34,17 @@ func (a *AccessEntryResourceSet) AddAllResources() error {
 		accessPolicies = append(accessPolicies, gfneks.AccessEntry_AccessPolicy{
 			PolicyArn: gfnt.NewString(p.PolicyARN.String()),
 			AccessScope: &gfneks.AccessEntry_AccessScope{
-				Type:       gfnt.NewString(p.AccessScope.Type),
+				Type:       gfnt.NewString(string(p.AccessScope.Type)),
 				Namespaces: namespaces,
 			},
 		})
 	}
 
+	var entryType *gfnt.Value
+	if a.accessEntry.Type != "" {
+		entryType = gfnt.NewString(a.accessEntry.Type)
+	}
+
 	var kubernetesGroups *gfnt.Value
 	if len(a.accessEntry.KubernetesGroups) > 0 {
 		kubernetesGroups = gfnt.NewStringSlice(a.accessEntry.KubernetesGroups...)
@@ -50,6 +55,7 @@ func (a *AccessEntryResourceSet) AddAllResources() error {
 	}
 	a.newResource("AccessEntry", &gfneks.AccessEntry{
 		PrincipalArn:     gfnt.NewString(a.accessEntry.PrincipalARN.String()),
+		Type:             entryType,
 		ClusterName:      gfnt.NewString(a.clusterName),
 		KubernetesGroups: kubernetesGroups,
 		Username:         username,