AWSManagedCluster should support granting additional IAM roles access to the EKS cluster #1850

Closed
rudoi opened this issue Jul 31, 2020 · 5 comments · Fixed by #1995
Labels
area/provider/eks Issues or PRs related to Amazon EKS provider area/security Issues or PRs related to security kind/feature Categorizes issue or PR as related to a new feature. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor.

@rudoi
Contributor

rudoi commented Jul 31, 2020

/kind feature

Describe the solution you'd like

By default, the only IAM entity that has access to an EKS cluster is the entity that created it. Additional IAM roles must be added manually using an aws-auth ConfigMap in the kube-system namespace.

It would be great if we could specify additional roles (maybe users, too?) in the spec and have that ConfigMap be set up automatically.

Anything else you would like to add:

Find information about the format of the auth configuration here: https://github.com/kubernetes-sigs/aws-iam-authenticator#full-configuration-format

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jul 31, 2020
@randomvariable randomvariable added area/security Issues or PRs related to security area/provider/eks Issues or PRs related to Amazon EKS provider labels Aug 14, 2020
@randomvariable randomvariable added this to the v0.6.1 milestone Aug 14, 2020
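
As an added illustration (not part of the issue thread or the project's code), this Go example renders the aws-auth ConfigMap the issue describes from a list of role mappings, using the `mapRoles` fields of the linked aws-iam-authenticator format. The `RoleMapping` type, both function names, and the account ID and role names are constructed for the example; it strips IAM paths from role ARNs, rejects values that could alter the YAML, and warns on `system:masters` grants.

```go
package main

import (
	"fmt"
	"regexp"
)

// RoleMapping is one mapRoles entry (hypothetical type for this example).
type RoleMapping struct {
	RoleARN, Username string
	Groups            []string
}

var roleARNRe = regexp.MustCompile(`^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/(?:[\w+=,.@-]+/)*([\w+=,.@-]+)$`)
var safeRe = regexp.MustCompile(`^[A-Za-z0-9:._@{}-]+$`) // allow-list: cannot escape a quoted YAML scalar

// NormalizeRoleARN validates a role ARN and drops its path; aws-auth expects arn:...:role/<name>.
func NormalizeRoleARN(arn string) (string, error) {
	m := roleARNRe.FindStringSubmatch(arn)
	if m == nil {
		return "", fmt.Errorf("not an IAM role ARN: %q", arn)
	}
	return "arn:" + m[1] + ":iam::" + m[2] + ":role/" + m[3], nil
}

// RenderAWSAuth returns the manifest and one warning per role mapped to system:masters (cluster-admin).
func RenderAWSAuth(mappings []RoleMapping) (out string, warnings []string, err error) {
	out = "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: aws-auth\n  namespace: kube-system\ndata:\n  mapRoles: |\n"
	for _, m := range mappings {
		arn, aerr := NormalizeRoleARN(m.RoleARN)
		if aerr != nil || !safeRe.MatchString(m.Username) {
			return "", nil, fmt.Errorf("rejected mapping %q as %q", m.RoleARN, m.Username)
		}
		out += fmt.Sprintf("    - rolearn: %q\n      username: %q\n      groups:\n", arn, m.Username)
		for _, g := range m.Groups {
			if !safeRe.MatchString(g) {
				return "", nil, fmt.Errorf("rejected group %q", g)
			}
			if g == "system:masters" {
				warnings = append(warnings, arn+" is mapped to system:masters")
			}
			out += fmt.Sprintf("        - %q\n", g)
		}
	}
	return out, warnings, nil
}

func main() { // constructed sample mapping
	fmt.Println(RenderAWSAuth([]RoleMapping{{"arn:aws:iam::111122223333:role/teams/platform-admin", "platform-admin", []string{"system:masters"}}}))
}
```
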
@richardcase
Member

/assign
/lifecycle active

@k8s-ci-robot k8s-ci-robot added the lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. label Sep 7, 2020
@richardcase
Member

@rudoi - do you think we'd want to also support aws-iam-authenticator on the unmanaged side of the provider?

@rudoi
Contributor Author

rudoi commented Sep 8, 2020

Hmmm how do you mean?

@richardcase
Member

> Hmmm how do you mean?

I was thinking for people that install it and use it with an ec2-based cluster instead of eks. Probably best to wait for that until someone asks for it. Will just add it to the managed side for now.

@randomvariable
Member

Yeah, I'd rather not force it, and one of the key benefits of the ec2 model is not being forced down the aws-iam-authenticator route and being able to use something like Dex & OIDC instead. It's pretty important for multi-cloud deploys.
