Documentation ¶
Overview ¶
Package authconfigmap allows manipulation of the EKS auth ConfigMap (aws-auth), which maps IAM entities to Kubernetes groups.
See for more information:
- https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
- https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/README.md#full-configuration-format
Index ¶
- Constants
- Variables
- func AddNodeGroup(clientSet kubernetes.Interface, ng *api.NodeGroup) error
- func ObjectMeta() metav1.ObjectMeta
- func RemoveNodeGroup(clientSet kubernetes.Interface, ng *api.NodeGroup) error
- type AuthConfigMap
- func (a *AuthConfigMap) AddAccount(account string) error
- func (a *AuthConfigMap) AddIdentity(identity iam.Identity) error
- func (a *AuthConfigMap) AddIdentityIfNotPresent(identity iam.Identity, exists func(iam.Identity) bool) error
- func (a *AuthConfigMap) GetIdentities() ([]iam.Identity, error)
- func (a *AuthConfigMap) RemoveAccount(account string) error
- func (a *AuthConfigMap) RemoveIdentity(arnToDelete string, all bool) error
- func (a *AuthConfigMap) Save() (err error)
- type ServiceAccess
- type ServiceName
Constants ¶
const (
	// ObjectName is the Kubernetes resource name of the auth ConfigMap
	ObjectName = "aws-auth"
	// ObjectNamespace is the namespace the object can be found
	ObjectNamespace = metav1.NamespaceSystem
	// GroupMasters is the admin group which is also automatically
	// granted to the IAM role that creates the cluster.
	GroupMasters = "system:masters"
	// RoleNodeGroupUsername is the default username for a nodegroup
	// role mapping.
	RoleNodeGroupUsername = "system:node:{{EC2PrivateDNSName}}"
)
Variables ¶
var RoleNodeGroupGroups = []string{"system:bootstrappers", "system:nodes"}
RoleNodeGroupGroups are the groups that allow nodegroup roles to interact with the cluster; they are required for the instance role ARNs of nodegroups.
Functions ¶
func AddNodeGroup ¶
func AddNodeGroup(clientSet kubernetes.Interface, ng *api.NodeGroup) error
AddNodeGroup creates or adds a nodegroup IAM role in the auth ConfigMap for the given nodegroup.
func ObjectMeta ¶
func ObjectMeta() metav1.ObjectMeta
ObjectMeta constructs metadata for the ConfigMap.
func RemoveNodeGroup ¶
func RemoveNodeGroup(clientSet kubernetes.Interface, ng *api.NodeGroup) error
RemoveNodeGroup removes a nodegroup from the ConfigMap and does a client update.
Types ¶
type AuthConfigMap ¶
type AuthConfigMap struct {
// contains filtered or unexported fields
}
AuthConfigMap allows modifying the auth ConfigMap.
func New ¶
func New(client v1.ConfigMapInterface, cm *corev1.ConfigMap) *AuthConfigMap
New creates an AuthConfigMap instance that manipulates the given ConfigMap. If cm is nil, a new ConfigMap is created.
func NewFromClientSet ¶
func NewFromClientSet(clientSet kubernetes.Interface) (*AuthConfigMap, error)
NewFromClientSet fetches the auth ConfigMap.
func (*AuthConfigMap) AddAccount ¶
func (a *AuthConfigMap) AddAccount(account string) error
AddAccount appends an IAM account to the `mapAccounts` entry in the ConfigMap. Duplicate entries are removed.
func (*AuthConfigMap) AddIdentity ¶
func (a *AuthConfigMap) AddIdentity(identity iam.Identity) error
AddIdentity maps an IAM role or user ARN to Kubernetes groups dynamically. It modifies the role or user entry with the given groups. If you are calling this as part of node creation you should use DefaultNodeGroups.
func (*AuthConfigMap) AddIdentityIfNotPresent ¶
func (a *AuthConfigMap) AddIdentityIfNotPresent(identity iam.Identity, exists func(iam.Identity) bool) error
AddIdentityIfNotPresent adds the specified identity if the predicate exists(identity) returns false for all existing entries.
func (*AuthConfigMap) GetIdentities ¶
func (a *AuthConfigMap) GetIdentities() ([]iam.Identity, error)
GetIdentities returns a list of the IAM users and roles that are currently in the (cached) ConfigMap.
func (*AuthConfigMap) RemoveAccount ¶
func (a *AuthConfigMap) RemoveAccount(account string) error
RemoveAccount removes the given IAM account entry from `mapAccounts`.
func (*AuthConfigMap) RemoveIdentity ¶
func (a *AuthConfigMap) RemoveIdentity(arnToDelete string, all bool) error
RemoveIdentity removes an identity. If `all` is false it removes only the first matching entry it encounters and returns an error if none is found. If `all` is true it removes every matching entry and does not return an error if none is found.
func (*AuthConfigMap) Save ¶
func (a *AuthConfigMap) Save() (err error)
Save persists the ConfigMap to the cluster. It determines whether to create or update by looking at the ConfigMap's UID.
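The add-if-absent, remove-first-or-all, and nodegroup-mapping semantics documented above, worked through on an in-memory model of the `mapRoles` list. This is an added illustration and not the package's own code: the RoleMapping and MapRoles types, the sample ARNs and the helper names are assumptions made for the example, while the constants and RoleNodeGroupGroups mirror the values documented on this page. The ClusterAdmins helper is the check a reviewer of an aws-auth ConfigMap wants first, since every entry carrying `system:masters` is a cluster administrator.

```go
package main

import (
	"fmt"
	"strings"
)

// Values documented for this package; reproduced here so the example is self-contained.
const (
	GroupMasters          = "system:masters"
	RoleNodeGroupUsername = "system:node:{{EC2PrivateDNSName}}"
)

var RoleNodeGroupGroups = []string{"system:bootstrappers", "system:nodes"}

// RoleMapping is one entry of the aws-auth mapRoles list.
// Illustrative struct, not the package's iam.Identity type.
type RoleMapping struct {
	RoleARN  string
	Username string
	Groups   []string
}

// MapRoles is an in-memory stand-in for data.mapRoles of the ConfigMap.
type MapRoles []RoleMapping

// NodeGroupMapping builds the entry a nodegroup instance role receives,
// using the documented RoleNodeGroupUsername and RoleNodeGroupGroups.
func NodeGroupMapping(instanceRoleARN string) RoleMapping {
	return RoleMapping{
		RoleARN:  instanceRoleARN,
		Username: RoleNodeGroupUsername,
		Groups:   append([]string(nil), RoleNodeGroupGroups...),
	}
}

// AddIfNotPresent appends m unless exists returns true for some existing entry,
// mirroring AddIdentityIfNotPresent. It reports whether m was added.
func (mr *MapRoles) AddIfNotPresent(m RoleMapping, exists func(RoleMapping) bool) bool {
	for _, cur := range *mr {
		if exists(cur) {
			return false
		}
	}
	*mr = append(*mr, m)
	return true
}

// Remove mirrors RemoveIdentity: with all=false only the first entry whose ARN
// matches is removed and a missing ARN is an error; with all=true every match
// is removed and a missing ARN is not an error.
func (mr *MapRoles) Remove(arn string, all bool) error {
	var kept MapRoles
	removed := 0
	for _, cur := range *mr {
		if cur.RoleARN == arn && (all || removed == 0) {
			removed++
			continue
		}
		kept = append(kept, cur)
	}
	if removed == 0 && !all {
		return fmt.Errorf("no mapping for %q in mapRoles", arn)
	}
	*mr = kept
	return nil
}

// ClusterAdmins returns the ARNs of every entry mapped to system:masters.
func (mr MapRoles) ClusterAdmins() []string {
	var out []string
	for _, m := range mr {
		for _, g := range m.Groups {
			if g == GroupMasters {
				out = append(out, m.RoleARN)
				break
			}
		}
	}
	return out
}

// RenderYAML produces the block-style YAML that the mapRoles key holds.
func (mr MapRoles) RenderYAML() string {
	var b strings.Builder
	for _, m := range mr {
		fmt.Fprintf(&b, "- rolearn: %s\n  username: %s\n  groups:\n", m.RoleARN, m.Username)
		for _, g := range m.Groups {
			fmt.Fprintf(&b, "    - %s\n", g)
		}
	}
	return b.String()
}

func main() {
	var mr MapRoles
	// Constructed sample ARNs; not real accounts.
	ng := NodeGroupMapping("arn:aws:iam::111122223333:role/example-nodegroup-role")
	sameARN := func(cur RoleMapping) bool { return cur.RoleARN == ng.RoleARN }
	fmt.Println("added:", mr.AddIfNotPresent(ng, sameARN))       // true
	fmt.Println("added again:", mr.AddIfNotPresent(ng, sameARN)) // false, deduplicated
	admin := RoleMapping{RoleARN: "arn:aws:iam::111122223333:role/example-admin", Username: "admin", Groups: []string{GroupMasters}}
	mr = append(mr, admin)
	fmt.Println("cluster admins:", mr.ClusterAdmins())
	fmt.Println(mr.Remove(admin.RoleARN, false)) // nil
	fmt.Println(mr.Remove(admin.RoleARN, false)) // error: not found
	fmt.Println(mr.Remove(admin.RoleARN, true))  // nil: all=true tolerates absence
	fmt.Print(mr.RenderYAML())
}
```

Run it as a plain Go program; the rendered YAML is the value that would sit under `data.mapRoles` once Save writes the ConfigMap.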
type ServiceAccess ¶
type ServiceAccess struct {
// contains filtered or unexported fields
}
ServiceAccess grants an AWS service access to an EKS cluster.
func NewServiceAccess ¶
func NewServiceAccess(rawClient *kubernetes.RawClient, acm *AuthConfigMap, accountID string) *ServiceAccess
NewServiceAccess creates a new ServiceAccess.
type ServiceName ¶
type ServiceName string