Documentation
¶
Index ¶
- Constants
- Variables
- type Config
- func (c *Config) CertOpts() certs.CertificateOptions
- func (c *Config) CertPath() string
- func (c *Config) GenerateFiles() error
- func (c *Config) GenerateWebhookKubeconfig() error
- func (c *Config) GetOrCreateX509KeyPair() (*tls.Certificate, error)
- func (c *Config) KeyPath() string
- func (c *Config) ListenAddr() string
- func (c *Config) ServerAddr() string
- func (c *Config) ServerURL() string
- type IdentityMapping
- type RoleMapping
- type SSOARNMatcher
- type UserMapping
Constants ¶
const ( // ConfiguredInitDirectories enables placing files directly in configured // directories with init ConfiguredInitDirectories featuregate.Feature = "ConfiguredInitDirectories" // IAMIdentityMappingCRD enables using CRDs to manage allowed users IAMIdentityMappingCRD featuregate.Feature = "IAMIdentityMappingCRD" // SSORoleMatch enables matching roles managed by AWS SSO, with handling // for their randomly generated suffixes SSORoleMatch featuregate.Feature = "SSORoleMatch" )
Variables ¶
var DefaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{ ConfiguredInitDirectories: {Default: false, PreRelease: featuregate.Alpha}, IAMIdentityMappingCRD: {Default: false, PreRelease: featuregate.Alpha}, SSORoleMatch: {Default: false, PreRelease: featuregate.Alpha}, }
var (
SSORoleMatchEnabled bool
)
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
// PartitionID is the AWS partition tokens are valid in. See
// github.com/aws/aws-sdk-go/aws/endpoints
// endpoints.DefaultPartitions()
PartitionID string
// ClusterID is a unique-per-cluster identifier for your
// aws-iam-authenticator installation.
ClusterID string
// KubeconfigPregenerated is set to `true` when a webhook kubeconfig is
// pre-generated by running the `init` command, and therefore the
// `server` shouldn't unnecessarily re-generate a new one.
KubeconfigPregenerated bool
// HostPort is the TCP Port on which to listen for authentication checks.
HostPort int
// Hostname is the address clients should use for this server.
Hostname string
// GenerateKubeconfigPath is the output path where a generated webhook
// kubeconfig (for `--authentication-token-webhook-config-file`) will be
// stored.
GenerateKubeconfigPath string
// StateDir is the directory where generated certificates and private keys
// will be stored. You want these persisted between runs so that your API
// server webhook configuration doesn't change on restart.
StateDir string
// RoleMappings is a list of mappings from AWS IAM Role to
// Kubernetes username + groups.
RoleMappings []RoleMapping
// UserMappings is a list of mappings from AWS IAM User to
// Kubernetes username + groups.
UserMappings []UserMapping
// AutoMappedAWSAccounts is a list of AWS accounts that are allowed without an explicit user/role mapping.
// IAM ARN from these accounts automatically maps to the Kubernetes username.
AutoMappedAWSAccounts []string
// ScrubbedAWSAccounts is a list of AWS accounts that the role ARNs and uids
// are scrubbed from server log statements
ScrubbedAWSAccounts []string
// ServerEC2DescribeInstancesRoleARN is an optional AWS Resource Name for an IAM Role to be assumed
// before calling ec2:DescribeInstances to determine the private DNS of the calling kubelet (EC2 Instance).
// If nil, defaults to using the IAM Role attached to the instance where aws-iam-authenticator is
// running.
ServerEC2DescribeInstancesRoleARN string
// Address defines the hostname or IP Address to bind the HTTPS server to listen to. This is useful when creating
// a local server to handle the authentication request for development.
Address string
// Master is an optional param which configures api servers endpoint for listening for new CRDs
// +optional
Master string
// Kubeconfig is an optional param which configures the kubeconfig path for connecting to a specific
// API server this is useful for local development, allowing you to connect to a remote server.
// +optional
Kubeconfig string
// BackendMode is an ordered list of backends to get mappings from. Comma-delimited list of: MountedFile,EKSConfigMap,CRD
BackendMode []string
// Ec2 DescribeInstances rate limiting variables initially set to defaults until we completely
// understand we don't need to change
EC2DescribeInstancesQps int
EC2DescribeInstancesBurst int
//Dynamic File Path for DynamicFile BackendMode
DynamicFilePath string
}
Config specifies the configuration for a aws-iam-authenticator server
func (*Config) CertOpts ¶ added in v0.5.4
func (c *Config) CertOpts() certs.CertificateOptions
func (*Config) GenerateFiles ¶
GenerateFiles will generate the certificate and private key and then create the kubeconfig
func (*Config) GenerateWebhookKubeconfig ¶ added in v0.5.4
func (*Config) GetOrCreateX509KeyPair ¶ added in v0.5.4
func (c *Config) GetOrCreateX509KeyPair() (*tls.Certificate, error)
GetOrCreateCertificate will create a certificate if it cannot find one based on the config
func (*Config) ListenAddr ¶
ListenAddr returns the IP address and port mapping to bind with
func (*Config) ServerAddr ¶ added in v0.5.3
ServerAddr returns the host and port clients should use for server endpoint.
type IdentityMapping ¶ added in v0.5.0
type IdentityMapping struct {
IdentityARN string
// Username is the username pattern that this instances assuming this
// role will have in Kubernetes.
Username string
// Groups is a list of Kubernetes groups this role will authenticate
// as (e.g., `system:masters`). Each group name can include placeholders.
Groups []string
}
type RoleMapping ¶
type RoleMapping struct {
// RoleARN is the AWS Resource Name of the role. (e.g., "arn:aws:iam::000000000000:role/Foo").
RoleARN string `json:"rolearn,omitempty" yaml:"rolearn,omitempty"`
// SSO contains fields used to match Role ARNs that
// are generated for AWS SSO sessions.
SSO *SSOARNMatcher `json:"sso,omitempty" yaml:"sso,omitempty"`
// Username is the username pattern that this instances assuming this
// role will have in Kubernetes.
Username string `json:"username" yaml:"username"`
// Groups is a list of Kubernetes groups this role will authenticate
// as (e.g., `system:masters`). Each group name can include placeholders.
Groups []string `json:"groups" yaml:"groups"`
}
RoleMapping is a mapping of an AWS Role ARN to a Kubernetes username and a list of Kubernetes groups. The username and groups are specified as templates that may optionally contain two template parameters:
- "{{AccountID}}" is the 12 digit AWS ID.
- "{{SessionName}}" is the role session name.
The meaning of SessionName depends on the type of entity assuming the role. In the case of an EC2 instance role this will be the EC2 instance ID. In the case of a federated role it will be the federated identity (controlled by the federated identity provider). In the case of a role assumed directly with sts:AssumeRole it will be user controlled.
You can use plain values without parameters to have a more static mapping.
func (*RoleMapping) Key ¶ added in v0.5.11
func (m *RoleMapping) Key() string
Key returns RoleARN or SSOArnLike(), whichever is not empty. Used to get a Key name for map[string]RoleMapping
func (*RoleMapping) Matches ¶ added in v0.5.11
func (m *RoleMapping) Matches(subject string) bool
Matches returns true if the supplied ARN or SSO settings matches this RoleMapping
func (*RoleMapping) SSOArnLike ¶ added in v0.5.11
func (m *RoleMapping) SSOArnLike() string
SSOArnLike returns a string that can be passed to arnlike.ArnLike to match canonicalized IAM Role ARNs against. Assumes Validate() has been called.
func (*RoleMapping) Validate ¶ added in v0.5.11
func (m *RoleMapping) Validate() error
Validate returns an error if the RoleMapping is not valid after being unmarshaled
type SSOARNMatcher ¶ added in v0.5.11
type SSOARNMatcher struct {
// PermissionSetName is the name of the SSO Permission Set that will be found
// after the "AWSReservedSSO_" string in the Role ARN.
// See: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsets.html
PermissionSetName string `json:"permissionSetName" yaml:"permissionSetName"`
// AccountID is the AWS Account ID to match in the Role ARN
AccountID string `json:"accountID" yaml:"accountID"`
// Partition is the AWS partition to match in the Role ARN. Defaults to "aws"
Partition string `json:"partition,omitempty" yaml:"partition,omitempty"`
}
SSOARNMatcher contains fields used to match Role ARNs that are generated for AWS SSO sessions. These SSO Role ARNs follow this pattern:
arn:aws:iam::<ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/<SSO_REGION>/AWSReservedSSO_<SSO_PermissionSetName>_<RANDOM_STRING>
These ARNs are canonicalized to look like:
arn:aws:iam::<ACCOUNT_ID>:role/AWSReservedSSO_<SSO_PermissionSetName>_<RANDOM_STRING>
This struct enables aws-iam-authenticator to match SSO generated Role ARNs with handling for their random string suffixes.
type UserMapping ¶
type UserMapping struct {
// UserARN is the AWS Resource Name of the user. (e.g., "arn:aws:iam::000000000000:user/Test").
UserARN string `json:"userarn" yaml:"userarn"`
// Username is the Kubernetes username this role will authenticate as (e.g., `mycorp:foo`)
Username string `json:"username" yaml:"username"`
// Groups is a list of Kubernetes groups this role will authenticate as (e.g., `system:masters`)
Groups []string `json:"groups" yaml:"groups"`
}
UserMapping is a static mapping of a single AWS User ARN to a Kubernetes username and a list of Kubernetes groups
func (*UserMapping) Key ¶ added in v0.5.11
func (m *UserMapping) Key() string
Key returns UserARN. Used to get a Key name for map[string]UserMapping
func (*UserMapping) Matches ¶ added in v0.5.11
func (m *UserMapping) Matches(subject string) bool
Matches returns true if the supplied ARN string matche this UserMapping
func (*UserMapping) Validate ¶ added in v0.5.11
func (m *UserMapping) Validate() error
Validate returns an error if the UserMapping is not valid after being unmarshaled
Source Files
Directories