-
Notifications
You must be signed in to change notification settings - Fork 423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authenticator CRD & Operator Proposal #79
Comments
The prometheus operator recently made a similar shift, and provided a tool to migrate existing configmaps to CRDs:
prometheus-operator 0.20 will otherwise automatically convert (upgrade) existing configmaps to crds. If this move to CRDs goes forward, then you could borrow their code to make the shift painless. |
Awesome @StevenACoffman that feedback is great… |
This could be a nice addition wouldn't be too hard to also have it done in-cluster, so you could pass the name of the |
@christopherhein Let's discuss the feedback on this doc in sig-aws next meeting to move this forward. |
Sounds good! |
@christopherhein I am going to take a stab at the implementation for this feature this week. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
@christopherhein Is the CRD available in EKS cluster? |
As far as I know not yet. |
@christopherhein is there any plans to make it available on EKS? If yes, is there an ETA? |
|
Any updates on the ETA? |
We're overdue for an authenticator release so that should come relatively soon, but in terms of bringing this feature to EKS, that is TBD. If its something you want please add it to https://github.com/aws/containers-roadmap. I don't think we've had a lot of customers asking for it in EKS so there are currently other higher priorities. |
If I'm not wrong this is an alternative to #34
Authenticator IAM CRD Proposal
Overview
The current structure of the Heptio Authenticator uses default Kubernetes
ConfigMap
primitives that allow you to add and remove IAM Roles this gives a single point of configuration for the whole lookup table and allows the authenticator to load once and cache the results. The problem is when it comes to updating if you make a change to this file and re-apply it won’t automatically be affected, admins need to reload theDaemonSet
webhook backend for the new config to load. This proposal came out of the 2018-04-05 community call, The discussion was about the usage of CRDs as a way to make this better. The rest of this document will talk about the specifics of how this could work for the authenticator.Comments - https://docs.google.com/document/d/1UgSDcMbZdMXLY1SxUtQ7r1puLFdGYF660usGW7AlGwE/edit#
/cc @nckturner @mattlandis @mattmoyer
The text was updated successfully, but these errors were encountered: