Documentation ¶
Index ¶
- Constants
- Variables
- type Config
- func (c *Config) CertOpts() certs.CertificateOptions
- func (c *Config) CertPath() string
- func (c *Config) GenerateFiles() error
- func (c *Config) GenerateWebhookKubeconfig() error
- func (c *Config) GetOrCreateX509KeyPair() (*tls.Certificate, error)
- func (c *Config) KeyPath() string
- func (c *Config) ListenAddr() string
- func (c *Config) ServerAddr() string
- func (c *Config) ServerURL() string
- type IdentityMapping
- type ReservedPrefixConfig
- type RoleMapping
- type UserMapping
Constants ¶
const ( // ConfiguredInitDirectories enables placing files directly in configured // directories with init ConfiguredInitDirectories featuregate.Feature = "ConfiguredInitDirectories" // IAMIdentityMappingCRD enables using CRDs to manage allowed users IAMIdentityMappingCRD featuregate.Feature = "IAMIdentityMappingCRD" )
Variables ¶
var DefaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{ ConfiguredInitDirectories: {Default: false, PreRelease: featuregate.Alpha}, IAMIdentityMappingCRD: {Default: false, PreRelease: featuregate.Alpha}, }
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct { // PartitionID is the AWS partition tokens are valid in. See // github.com/aws/aws-sdk-go/aws/endpoints // endpoints.DefaultPartitions() PartitionID string // ClusterID is a unique-per-cluster identifier for your // aws-iam-authenticator installation. ClusterID string // KubeconfigPregenerated is set to `true` when a webhook kubeconfig is // pre-generated by running the `init` command, and therefore the // `server` shouldn't unnecessarily re-generate a new one. KubeconfigPregenerated bool // HostPort is the TCP Port on which to listen for authentication checks. HostPort int // Hostname is the address clients should use for this server. Hostname string // GenerateKubeconfigPath is the output path where a generated webhook // kubeconfig (for `--authentication-token-webhook-config-file`) will be // stored. GenerateKubeconfigPath string // StateDir is the directory where generated certificates and private keys // will be stored. You want these persisted between runs so that your API // server webhook configuration doesn't change on restart. StateDir string // RoleMappings is a list of mappings from AWS IAM Role to // Kubernetes username + groups. RoleMappings []RoleMapping // UserMappings is a list of mappings from AWS IAM User to // Kubernetes username + groups. UserMappings []UserMapping // AutoMappedAWSAccounts is a list of AWS accounts that are allowed without an explicit user/role mapping. // IAM ARN from these accounts automatically maps to the Kubernetes username. AutoMappedAWSAccounts []string // ScrubbedAWSAccounts is a list of AWS accounts that the role ARNs and uids // are scrubbed from server log statements ScrubbedAWSAccounts []string // ServerEC2DescribeInstancesRoleARN is an optional AWS Resource Name for an IAM Role to be assumed // before calling ec2:DescribeInstances to determine the private DNS of the calling kubelet (EC2 Instance). // If nil, defaults to using the IAM Role attached to the instance where aws-iam-authenticator is // running. ServerEC2DescribeInstancesRoleARN string // SourceARN is value which is passed while assuming role specified by ServerEC2DescribeInstancesRoleARN. // When a service assumes a role in your account, you can include the aws:SourceAccount and aws:SourceArn global // condition context keys in your role trust policy to limit access to the role to only requests that are generated // by expected resources. https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html SourceARN string // Address defines the hostname or IP Address to bind the HTTPS server to listen to. This is useful when creating // a local server to handle the authentication request for development. Address string // Master is an optional param which configures api servers endpoint for listening for new CRDs // +optional Master string // Kubeconfig is an optional param which configures the kubeconfig path for connecting to a specific // API server this is useful for local development, allowing you to connect to a remote server. // +optional Kubeconfig string // BackendMode is an ordered list of backends to get mappings from. Comma-delimited list of: MountedFile,EKSConfigMap,CRD,DynamicFile BackendMode []string // Ec2 DescribeInstances rate limiting variables initially set to defaults until we completely // understand we don't need to change EC2DescribeInstancesQps int EC2DescribeInstancesBurst int // Dynamic File Path for DynamicFile BackendMode DynamicFilePath string // Use UserId for mapping, IdentityArn is not used any more when DynamicFileUserIDStrict=true DynamicFileUserIDStrict bool // ReservedPrefixConfig defines reserved username prefixes for each backend ReservedPrefixConfig map[string]ReservedPrefixConfig // Dynamic File Path for BackendMode DynamicBackendModePath string }
Config specifies the configuration for a aws-iam-authenticator server
func (*Config) CertOpts ¶ added in v0.5.4
func (c *Config) CertOpts() certs.CertificateOptions
func (*Config) GenerateFiles ¶
GenerateFiles will generate the certificate and private key and then create the kubeconfig
func (*Config) GenerateWebhookKubeconfig ¶ added in v0.5.4
func (*Config) GetOrCreateX509KeyPair ¶ added in v0.5.4
func (c *Config) GetOrCreateX509KeyPair() (*tls.Certificate, error)
GetOrCreateCertificate will create a certificate if it cannot find one based on the config
func (*Config) ListenAddr ¶
ListenAddr returns the IP address and port mapping to bind with
func (*Config) ServerAddr ¶ added in v0.5.3
ServerAddr returns the host and port clients should use for server endpoint.
type IdentityMapping ¶ added in v0.5.0
type IdentityMapping struct { IdentityARN string // Username is the username pattern that this instances assuming this // role will have in Kubernetes. Username string // Groups is a list of Kubernetes groups this role will authenticate // as (e.g., `system:masters`). Each group name can include placeholders. Groups []string }
type ReservedPrefixConfig ¶ added in v0.5.15
type ReservedPrefixConfig struct { // Backend mode defined in Config.BackendMode BackendMode string `json:"backendmode" yaml:"backendmode"` // Defines the reserved prefixes for kubernetes username UsernamePrefixReserveList []string `json:"usernamePrefixReserveList,omitempty" yaml:"usernamePrefixReserveList,omitempty"` }
type RoleMapping ¶
type RoleMapping struct { // RoleARN is the AWS Resource Name of the role. (e.g., "arn:aws:iam::000000000000:role/Foo"). RoleARN string `json:"rolearn"` // Username is the username pattern that this instances assuming this // role will have in Kubernetes. Username string `json:"username"` // Groups is a list of Kubernetes groups this role will authenticate // as (e.g., `system:masters`). Each group name can include placeholders. Groups []string `json:"groups" yaml:"groups"` // UserId is the AWS PrincipalId of the role. (e.g., "ABCXSOTJDDV"). UserId string `json:"userid,omitempty" yaml:"userid,omitempty"` }
RoleMapping is a mapping of an AWS Role ARN to a Kubernetes username and a list of Kubernetes groups. The username and groups are specified as templates that may optionally contain two template parameters:
- "{{AccountID}}" is the 12 digit AWS ID.
- "{{SessionName}}" is the role session name.
The meaning of SessionName depends on the type of entity assuming the role. In the case of an EC2 instance role this will be the EC2 instance ID. In the case of a federated role it will be the federated identity (controlled by the federated identity provider). In the case of a role assumed directly with sts:AssumeRole it will be user controlled.
You can use plain values without parameters to have a more static mapping.
func (*RoleMapping) IdentityMapping ¶ added in v0.5.21
func (m *RoleMapping) IdentityMapping(identity *token.Identity) *IdentityMapping
IdentityMapping converts the RoleMapping into a generic IdentityMapping object
type UserMapping ¶
type UserMapping struct { // UserARN is the AWS Resource Name of the user. (e.g., "arn:aws:iam::000000000000:user/Test"). UserARN string `json:"userarn"` // Username is the Kubernetes username this role will authenticate as (e.g., `mycorp:foo`) Username string `json:"username"` // Groups is a list of Kubernetes groups this role will authenticate as (e.g., `system:masters`) Groups []string `json:"groups" yaml:"groups"` // UserId is the AWS PrincipalId of the user. (e.g., "ABCXSOTJDDV"). UserId string `json:"userid,omitempty" yaml:"userid,omitempty"` }
UserMapping is a static mapping of a single AWS User ARN to a Kubernetes username and a list of Kubernetes groups
func (*UserMapping) IdentityMapping ¶ added in v0.5.21
func (m *UserMapping) IdentityMapping(identity *token.Identity) *IdentityMapping
IdentityMapping converts the UserMapping into a generic IdentityMapping object