
Add support for specifying identityMappings in config #3097

Closed
wants to merge 10 commits into from

Conversation

aclevername
Contributor

@aclevername aclevername commented Jan 18, 2021

Description

#874

Edit:
Updated to include the ability to specify identityMappings to be created during cluster creation (#1695).

```yaml
# An example of ClusterConfig with identityMapping:
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: cluster-27
  region: us-west-2

iam:
  identityMappings:
    - arn: arn:aws:iam::123456:role/testing
      groups:
      - system:masters
      username: admin
```

```
eksctl ./eksctl get iamidentitymapping -f examples/27-iamidentitymapping.yaml
[ℹ]  eksctl version 0.37.0-dev+5a87dad4.2021-01-19T14:36:34Z
[ℹ]  using region us-west-2
ARN                                                                                             USERNAME                                GROUPS
arn:aws:iam::<redacted>>:role/eks-nodegroup.cluster-api-provider-aws.sigs.k8s.io               system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
arn:aws:iam::<redacted>>:role/eksctl-jk-nodegroup-ng-c292c102-NodeInstanceRole-1MKGUGJLQF6TA   system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes

eksctl ./eksctl create iamidentitymapping -f examples/27-iamidentitymapping.yaml
[ℹ]  eksctl version 0.37.0-dev+5a87dad4.2021-01-19T14:36:34Z
[ℹ]  using region us-west-2
[ℹ]  adding identity "arn:aws:iam::123456:role/testing" to auth ConfigMap

eksctl ./eksctl get iamidentitymapping -f examples/27-iamidentitymapping.yaml
[ℹ]  eksctl version 0.37.0-dev+5a87dad4.2021-01-19T14:36:34Z
[ℹ]  using region us-west-2
ARN                                                                                             USERNAME                                GROUPS
arn:aws:iam::<redacted>>:role/eks-nodegroup.cluster-api-provider-aws.sigs.k8s.io               system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
arn:aws:iam::<redacted>>:role/eksctl-jk-nodegroup-ng-c292c102-NodeInstanceRole-1MKGUGJLQF6TA   system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
arn:aws:iam::123456:role/testing                                                                admin                                   system:masters

eksctl ./eksctl delete iamidentitymapping -f examples/27-iamidentitymapping.yaml
[ℹ]  eksctl version 0.37.0-dev+5a87dad4.2021-01-19T14:36:34Z
[ℹ]  using region us-west-2
[ℹ]  removing identity "arn:aws:iam::123456:role/testing" from auth ConfigMap (username = "admin", groups = ["system:masters"])

eksctl ./eksctl get iamidentitymapping -f examples/27-iamidentitymapping.yaml
[ℹ]  eksctl version 0.37.0-dev+5a87dad4.2021-01-19T14:36:34Z
[ℹ]  using region us-west-2
ARN                                                                                             USERNAME                                GROUPS
arn:aws:iam::<redacted>>:role/eks-nodegroup.cluster-api-provider-aws.sigs.k8s.io               system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
arn:aws:iam::<redacted>>:role/eksctl-jk-nodegroup-ng-c292c102-NodeInstanceRole-1MKGUGJLQF6TA   system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
```

Cluster creation time:

```
[ℹ]  eksctl version 0.37.0-dev+975130a8.2021-01-19T15:09:38Z
[ℹ]  using region us-west-2
[ℹ]  setting availability zones to [us-west-2d us-west-2b us-west-2a]
[ℹ]  subnets for us-west-2d - public:192.168.0.0/19 private:192.168.96.0/19
[ℹ]  subnets for us-west-2b - public:192.168.32.0/19 private:192.168.128.0/19
[ℹ]  subnets for us-west-2a - public:192.168.64.0/19 private:192.168.160.0/19
[ℹ]  using Kubernetes version 1.18
[ℹ]  creating EKS cluster "jk-im" in "us-west-2" region with
...
[ℹ]  creating IAMIdentityMappings
[ℹ]  adding identity "arn:aws:iam::123456:role/testing" to auth ConfigMap
[ℹ]  kubectl command should work with "/Users/jake/.kube/config", try 'kubectl get nodes'
[✔]  EKS cluster "jk-im" in "us-west-2" region is ready
```

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes
  • (Core team) Added labels for change area (e.g. area/nodegroup), target version (e.g. version/0.12.0) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟
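As an added illustration (not code from this PR or from eksctl itself), the following Go sketch shows what the `iam.identityMappings` entries above have to pass through before landing in the `aws-auth` ConfigMap: a validation step that names the offending field instead of failing on an empty ARN, and a render step that emits the `mapRoles` shape for role ARNs (user ARNs, which belong under `mapUsers`, are deliberately rejected). The type, field and function names and the error wording are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// IdentityMapping mirrors one iam.identityMappings entry from the ClusterConfig above (assumed names, not eksctl's own type).
type IdentityMapping struct {
	ARN, Username string
	Groups        []string
}

// Validate checks an entry before anything is written to the aws-auth ConfigMap, naming field and index.
func (m IdentityMapping) Validate(i int) error {
	if strings.TrimSpace(m.ARN) == "" {
		return fmt.Errorf("iam.identityMappings[%d]: arn is required (set it in the config file or on the command line)", i)
	}
	if !strings.HasPrefix(m.ARN, "arn:") || !strings.Contains(m.ARN, ":role/") {
		return fmt.Errorf("iam.identityMappings[%d]: %q is not an IAM role ARN", i, m.ARN)
	}
	if strings.TrimSpace(m.Username) == "" {
		return fmt.Errorf("iam.identityMappings[%d]: username is required", i)
	}
	return nil
}

// RenderMapRoles emits mapRoles entries in the shape aws-auth expects;
// a single invalid entry fails the whole render rather than half-applying.
func RenderMapRoles(ms []IdentityMapping) (string, error) {
	var b strings.Builder
	for i, m := range ms {
		if err := m.Validate(i); err != nil {
			return "", err
		}
		fmt.Fprintf(&b, "- rolearn: %s\n  username: %s\n  groups:\n", m.ARN, m.Username)
		for _, g := range m.Groups {
			fmt.Fprintf(&b, "    - %s\n", g)
		}
	}
	return b.String(), nil
}

func main() {
	// Constructed input: the role/testing mapping from the example config above.
	ms := []IdentityMapping{{ARN: "arn:aws:iam::123456:role/testing", Username: "admin", Groups: []string{"system:masters"}}}
	out, err := RenderMapRoles(ms)
	fmt.Println(out, err)
}
```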

@Legion2
Contributor

Legion2 commented Jan 19, 2021

Is it possible to update/add/remove users and groups from the identity mapping after the initial create operation?

@aclevername
Contributor Author

> Is it possible to update/add/remove users and groups from the identity mapping after the initial create operation?

hey @Legion2 👋 , we don't support updating atm, but you can delete and re-create

@Legion2
Contributor

Legion2 commented Jan 21, 2021

When `eksctl create iamidentitymapping --cluster <...>` is called without a cluster file and without any options, it should provide a better error message than:
`failed to create identity mapping : expected a valid arn but got empty string`

@Legion2
Contributor

Legion2 commented Jan 21, 2021

When deleting all mappings, a missing mapping should not stop the deletion of the remaining mappings.
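As an added sketch (not eksctl's code), the delete behaviour asked for here: remove every requested ARN from the current mappings, collect the ones that were not present, and report them instead of aborting, so one stale ARN cannot leave the rest of a "delete all" unapplied. The struct is the same assumed shape as in the earlier example, and `RemoveMappings` is a hypothetical helper name.

```go
package main

// IdentityMapping is the assumed shape of one aws-auth mapping (not eksctl's own type);
// only ARN matters for deletion.
type IdentityMapping struct {
	ARN, Username string
	Groups        []string
}

// RemoveMappings drops every entry whose ARN is in arns and returns what is left.
// An ARN that matches nothing is collected in missing rather than aborting the
// whole operation, so the remaining mappings are still removed.
func RemoveMappings(existing []IdentityMapping, arns []string) (kept []IdentityMapping, missing []string) {
	state := map[string]int{} // 1 = requested, 2 = requested and matched at least once
	for _, a := range arns {
		state[a] = 1
	}
	for _, m := range existing {
		if state[m.ARN] != 0 {
			state[m.ARN] = 2
			continue // matched: drop it (every duplicate of the same ARN is dropped too)
		}
		kept = append(kept, m)
	}
	for _, a := range arns {
		if state[a] == 1 {
			missing = append(missing, a) // report, do not fail
		}
	}
	return kept, missing
}
```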

@aclevername aclevername marked this pull request as draft January 22, 2021 09:19
@aclevername aclevername linked an issue Jan 27, 2021 that may be closed by this pull request
Base automatically changed from master to main February 2, 2021 15:06
@Legion2
Contributor

Legion2 commented Feb 12, 2021

@aclevername are you going to finish this PR or what is blocking it?

@aclevername
Contributor Author

Closing. We are expecting a new API from AWS to handle cluster permissions, so we could implement this feature but it would likely be replaced very soon by this new API. I think it makes sense to halt any new development on iamidentitymappings functionality.

Labels
area/aws-iam kind/feature New feature or request
Development

Successfully merging this pull request may close these issues.

Add iam identityMappings to config file
2 participants