aws-iam-authenticator introduced the possibility to use custom resources to configure roles and user bindings. However, this version of the app was not available in EKS. So here is an operator to reflect IamIdentityMappings changes in the aws-auth configmap.
2024 update: Amazon EKS team has improved the cluster authentication (AuthN) and authorization (AuthZ) user experience with improved cluster access management controls. This operator is now deprecated. See this and the official announcement.
Language: Python 3.12+
- Install pyenv to manage your Python environment
- Install Python 3.12
pyenv install 3.13
- In the repository, switch to the chosen Python version
pyenv local 3.13
Step 2: Install Coveo Stew dependencies (CI)
- Open a pyenv shell for the correct python version
pyenv shell 3.13
- Configure Poetry to use our Python version
poetry env use $(pyenv which python)
- Install the dependencies with Poetry for the first time.
poetry install
- Run Stew.
stew ci
- Find the path of the virtual environment created by Poetry:
poetry env info
- Set that poetry environment as your PyCharm virtual environment for the project
kopf run --dev --debug --standalone --liveness=http://:8080/healthz src/kubernetes_operator/iam_mapping.py
You can also test the operator locally in a minikube context.
WARNING: Make sure you change your context to minikube before doing these commands. |
---|
- Create a test config-map
kubectl apply -f kubernetes/test/configmap.yaml
- Create the IamIdentityMapping crd
kubectl apply -f kubernetes/iamidentitymappings.yaml
- Inspect the current state of the configmap with
kubectl get cm -n kube-system aws-auth -o yaml
- Start the operator in
minikube
kopf run --dev --debug --standalone --liveness=http://:8080/healthz src/kubernetes_operator/iam_mapping.py
- Create, in a different terminal, an IamIdentityMapping
kubectl apply -f kubernetes/test/test-iam-rolearn.yaml
- Verify the change is applied by the operator in the configmap with
kubectl get cm -n kube-system aws-auth -o yaml
- Deploy the CRD definition
kubectl apply -f kubernetes/iamidentitymapping.yaml
- Deploy the operator
kubectl apply -f kubernetes/auth-operator.yaml
# Choose a specific ref and tag if needed
REF=master
TAG=0.8.1
cat <<EOF > kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
- https://github.com/coveooss/aws_auth_eks_crd//kubernetes/?ref=$REF
images:
- name: coveo/aws-auth-operator:0.1
newName: ghcr.io/coveooss/aws_auth_eks_crd
newTag: $TAG
EOF
# Deploy
kustomize build . | kubectl apply -f -