authconfigmap

package
v0.0.0-...-ee2d30e Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 15, 2023 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package authconfigmap allows manipulation of the EKS auth ConfigMap (aws-auth), which maps IAM entities to Kubernetes groups.

See for more information: - https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html - https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/README.md#full-configuration-format

Index

Constants

View Source
const (
	// ObjectName is the Kubernetes resource name of the auth ConfigMap
	ObjectName = "aws-auth"
	// ObjectNamespace is the namespace the object can be found
	ObjectNamespace = metav1.NamespaceSystem

	// GroupMasters is the admin group which is also automatically
	// granted to the IAM role that creates the cluster.
	GroupMasters = "system:masters"

	// RoleNodeGroupUsername is the default username for a nodegroup
	// role mapping.
	RoleNodeGroupUsername = "system:node:{{EC2PrivateDNSName}}"
)

Variables

View Source
var RoleNodeGroupGroups = []string{"system:bootstrappers", "system:nodes"}

RoleNodeGroupGroups are the groups to allow roles to interact with the cluster, required for the instance role ARNs of nodegroups.

Functions

func AddNodeGroup

func AddNodeGroup(clientSet kubernetes.Interface, ng *api.NodeGroup) error

AddNodeGroup creates or adds a nodegroup IAM role in the auth ConfigMap for the given nodegroup.

func ObjectMeta

func ObjectMeta() metav1.ObjectMeta

ObjectMeta constructs metadata for the ConfigMap.

func RemoveNodeGroup

func RemoveNodeGroup(clientSet kubernetes.Interface, ng *api.NodeGroup) error

RemoveNodeGroup removes a nodegroup from the ConfigMap and does a client update.

Types

type AuthConfigMap

type AuthConfigMap struct {
	// contains filtered or unexported fields
}

AuthConfigMap allows modifying the auth ConfigMap.

func New

New creates an AuthConfigMap instance that manipulates a ConfigMap. If it is nil, one is created.

func NewFromClientSet

func NewFromClientSet(clientSet kubernetes.Interface) (*AuthConfigMap, error)

NewFromClientSet fetches the auth ConfigMap.

func (*AuthConfigMap) AddAccount

func (a *AuthConfigMap) AddAccount(account string) error

AddAccount appends an IAM account to the `mapAccounts` entry in the Configmap. It also deduplicates.

func (*AuthConfigMap) AddIdentity

func (a *AuthConfigMap) AddIdentity(identity iam.Identity) error

AddIdentity maps an IAM role or user ARN to a k8s group dynamically. It modifies the role or user with given groups. If you are calling this as part of node creation you should use DefaultNodeGroups.

func (*AuthConfigMap) AddIdentityIfNotPresent

func (a *AuthConfigMap) AddIdentityIfNotPresent(identity iam.Identity, exists func(iam.Identity) bool) error

AddIdentityIfNotPresent adds the specified identity if the predicate exists(identity) returns false for all entries

func (*AuthConfigMap) GetIdentities

func (a *AuthConfigMap) GetIdentities() ([]iam.Identity, error)

GetIdentities returns a list of iam users and roles that are currently in the (cached) configmap.

func (*AuthConfigMap) RemoveAccount

func (a *AuthConfigMap) RemoveAccount(account string) error

RemoveAccount removes the given IAM account entry in mapAccounts.

func (*AuthConfigMap) RemoveIdentity

func (a *AuthConfigMap) RemoveIdentity(arnToDelete string, all bool) error

RemoveIdentity removes an identity. If `all` is false it will only remove the first it encounters and return an error if it cannot find it. If `all` is true it will remove all of them and not return an error if it cannot be found.

func (*AuthConfigMap) Save

func (a *AuthConfigMap) Save() (err error)

Save persists the ConfigMap to the cluster. It determines whether to create or update by looking at the ConfigMap's UID.

type ServiceAccess

type ServiceAccess struct {
	// contains filtered or unexported fields
}

Grants an AWS service access to an EKS cluster

func NewServiceAccess

func NewServiceAccess(rawClient *kubernetes.RawClient, acm *AuthConfigMap, accountID string) *ServiceAccess

NewServiceAccess creates a new ServiceAccess

func (*ServiceAccess) Grant

func (s *ServiceAccess) Grant(serviceName, namespace string, partition string) error

Grant grants access to the specified service

type ServiceName

type ServiceName string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL