
Support EKS API auth/ access entries #1115

jasondbaker opened this issue Feb 11, 2025 · 2 comments

@jasondbaker

Describe the feature

The CDK EKS Blueprints project supports the traditional ConfigMap authentication mechanism in teams provisioning. AWS considers this auth mechanism deprecated in favor of its newer EKS API and use of access entries to manage cluster access. https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/

Use Case

We would like to use the recommended EKS cluster auth mechanism rather than a deprecated mechanism.

Proposed Solution

We can enable the use of the EKS API for authentication in a GenericClusterProvider configuration. For example:

```typescript
  return new blueprints.GenericClusterProvider({
    authenticationMode: AuthenticationMode.API_AND_CONFIG_MAP,
    // ...remaining cluster options...
  });
```

However, it's not clear how to define access entries using the blueprint library. A CDK construct is available to define access entries: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.AccessEntry.html

Maybe a custom ResourceProvider could be used currently to create access entries? I'm not sure what's the best approach to wire up this functionality using the blueprint.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request

CDK version used

2.173.4

EKS Blueprints Version

1.16.3

Node.js Version

20.x

Environment details (OS name and version, etc.)

n/a

@jasondbaker
Author

jasondbaker commented Feb 13, 2025

I'll answer my own question in case anyone else is interested in using access entries. I ended up creating an AccessEntry construct using a custom addon.

```typescript
import * as blueprints from "@aws-quickstart/eks-blueprints";
import { AccessEntry, AccessPolicy, AccessPolicyArn, AccessScopeType } from "aws-cdk-lib/aws-eks";

export class AccessEntryAddOn implements blueprints.ClusterAddOn {

  deploy(clusterInfo: blueprints.ClusterInfo): void {
      // Create one access entry in the cluster's stack for the given IAM principal
      new AccessEntry(clusterInfo.cluster.stack, `AccessEntry`, {
        cluster: clusterInfo.cluster,
        principal: "your role arn", // replace with the IAM role ARN to grant
        accessPolicies: [
          new AccessPolicy({
            accessScope: {
              type: AccessScopeType.CLUSTER, // cluster-wide scope (no namespaces)
            },
            policy: AccessPolicyArn.AMAZON_EKS_CLUSTER_ADMIN_POLICY,
          }),
        ],
      });
  }
}
```

I call this by adding it to the AddOn list:

```typescript
const addOns: Array<blueprints.ClusterAddOn> = [
  new AccessEntryAddOn(),
  // ...other addons...
];
```

I hope this helps someone else.
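The issue body and the comment above both build access entries by hand-writing one AccessEntry construct per principal with a single cluster-scoped policy. The following is an added example, not code from the issue or from the EKS Blueprints project, that models the access entries a cluster should carry as plain data, validates them before any CDK construct would be created, and merges multiple grants for the same principal into one entry (EKS allows one access entry per principal ARN per cluster, so a second construct for the same ARN fails at deploy time). It deliberately does not import aws-cdk-lib so it runs anywhere; the objects it produces mirror the shape the AccessEntry construct expects (principal, accessPolicies with an accessScope and a policy ARN), and the policy ARNs are the AWS-documented EKS access policy ARNs. The type names, the `SAMPLE` specs and the account id are constructed for the example.

```typescript
// Added example (not from the issue or the EKS Blueprints project).
// Models EKS access entries as data so they can be validated and reviewed
// before being turned into AccessEntry constructs.

export type ScopeType = "cluster" | "namespace";

export interface AccessEntrySpec {
  principal: string;      // IAM role or user ARN
  policyArn: string;      // EKS access policy ARN
  scope: ScopeType;
  namespaces?: string[];  // required when scope === "namespace"
}

// Shape the AccessEntry construct expects (one entry per principal, many policies).
export interface AccessScope { type: ScopeType; namespaces?: string[] }
export interface AccessPolicyShape { accessScope: AccessScope; policyArn: string }
export interface AccessEntryShape { principal: string; accessPolicies: AccessPolicyShape[] }

// AWS-managed EKS access policy ARNs (documented values).
export const EKS_POLICY = {
  clusterAdmin: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
  admin: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy",
  edit: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy",
  view: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
} as const;

// Access entries take IAM role or user ARNs; anything else is rejected here
// instead of failing at deploy time.
const IAM_PRINCIPAL = /^arn:aws[a-z-]*:iam::\d{12}:(role|user)\/.+$/;

// Returns a list of problems; an empty list means the specs are consistent.
export function validateAccessEntries(specs: AccessEntrySpec[]): string[] {
  const problems: string[] = [];
  for (const s of specs) {
    if (!IAM_PRINCIPAL.test(s.principal)) {
      problems.push(`${s.principal}: not an IAM role/user ARN`);
    }
    const ns = s.namespaces ?? [];
    if (s.scope === "namespace" && ns.length === 0) {
      problems.push(`${s.principal}: namespace scope needs at least one namespace`);
    }
    if (s.scope === "cluster" && ns.length > 0) {
      problems.push(`${s.principal}: cluster scope must not list namespaces`);
    }
  }
  return problems;
}

// Principals granted AmazonEKSClusterAdminPolicy: the list to review when
// checking that cluster-admin is limited to break-glass / platform roles.
export function clusterAdmins(specs: AccessEntrySpec[]): string[] {
  return [...new Set(
    specs.filter((s) => s.policyArn === EKS_POLICY.clusterAdmin).map((s) => s.principal),
  )];
}

// Groups specs by principal so each ARN yields exactly one access entry.
export function buildAccessEntries(specs: AccessEntrySpec[]): AccessEntryShape[] {
  const problems = validateAccessEntries(specs);
  if (problems.length > 0) throw new Error(problems.join("; "));
  const byPrincipal = new Map<string, AccessEntryShape>();
  for (const s of specs) {
    let entry = byPrincipal.get(s.principal);
    if (!entry) {
      entry = { principal: s.principal, accessPolicies: [] };
      byPrincipal.set(s.principal, entry);
    }
    const accessScope: AccessScope =
      s.scope === "cluster" ? { type: "cluster" } : { type: "namespace", namespaces: [...(s.namespaces ?? [])] };
    entry.accessPolicies.push({ accessScope, policyArn: s.policyArn });
  }
  return [...byPrincipal.values()];
}

// Constructed sample: one platform role with cluster-admin, one team role
// with two namespace-scoped grants that merge into a single entry.
export const SAMPLE: AccessEntrySpec[] = [
  { principal: "arn:aws:iam::123456789012:role/platform-admin", policyArn: EKS_POLICY.clusterAdmin, scope: "cluster" },
  { principal: "arn:aws:iam::123456789012:role/team-payments", policyArn: EKS_POLICY.edit, scope: "namespace", namespaces: ["payments"] },
  { principal: "arn:aws:iam::123456789012:role/team-payments", policyArn: EKS_POLICY.view, scope: "namespace", namespaces: ["shared-obs"] },
];

console.log(JSON.stringify(buildAccessEntries(SAMPLE), null, 2));
console.log("cluster-admin principals:", clusterAdmins(SAMPLE));
```

Inside a blueprint add-on, `buildAccessEntries(...)` would be called once in `deploy()` and each returned entry mapped to a `new AccessEntry(...)` with one `AccessPolicy` per element of `accessPolicies`; keeping the grants as data also makes `clusterAdmins(...)` easy to check in a unit test so that cluster-admin never silently spreads to team roles.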

@shapirov103
Collaborator

@jasondbaker, thank you for posting your solution; I was a bit slow to respond. We had a thread on this here: #1027 (comment)

You can use an addon to create access entries, but I do think that having them in the cluster provider for admin roles and in the teams may be more aligned with overall design. I will keep the issue open.
