
Support EKS API auth/ access entries

Open jasondbaker opened this issue 10 months ago • 2 comments

Describe the feature

The CDK EKS Blueprints project supports the traditional ConfigMap authentication mechanism in teams provisioning. AWS considers this auth mechanism deprecated in favor of its newer EKS API and use of access entries to manage cluster access. https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/

Use Case

We would like to use the recommended EKS cluster auth mechanism rather than a deprecated mechanism.

Proposed Solution

We can enable the use of the EKS API for authentication in a GenericClusterProvider configuration. For example:

  return new blueprints.GenericClusterProvider({
    authenticationMode: AuthenticationMode.API_AND_CONFIG_MAP, // from "aws-cdk-lib/aws-eks"
    // ...other cluster options
  });

However, it's not clear how to define access entries using the blueprint library. A CDK construct is available to define access entries: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.AccessEntry.html

Maybe a custom ResourceProvider could be used currently to create access entries? I'm not sure what's the best approach to wire up this functionality using the blueprint.

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request

CDK version used

2.173.4

EKS Blueprints Version

1.16.3

Node.js Version

20.x

Environment details (OS name and version, etc.)

n/a

jasondbaker avatar Feb 11 '25 16:02 jasondbaker

I'll answer my own question in case anyone else is interested in using access entries. I ended up creating an AccessEntry construct using a custom addon.

import * as blueprints from "@aws-quickstart/eks-blueprints";
import { AccessEntry, AccessPolicy, AccessPolicyArn, AccessScopeType } from "aws-cdk-lib/aws-eks";

// Custom add-on that creates one EKS access entry granting cluster-admin to an IAM principal.
export class AccessEntryAddOn implements blueprints.ClusterAddOn {

  deploy(clusterInfo: blueprints.ClusterInfo): void {
    new AccessEntry(clusterInfo.cluster.stack, `AccessEntry`, {
      cluster: clusterInfo.cluster,
      principal: "<your role arn>", // placeholder: the IAM role ARN to map into the cluster
      accessPolicies: [
        new AccessPolicy({
          accessScope: {
            type: AccessScopeType.CLUSTER,
          },
          policy: AccessPolicyArn.AMAZON_EKS_CLUSTER_ADMIN_POLICY,
        }),
      ],
    });
  }
}

I call this by adding it to the AddOn list:

const addOns: Array<blueprints.ClusterAddOn> = [
  new AccessEntryAddOn(), // same name as the class exported above
  // ...other addons...
];

I hope this helps someone else.

jasondbaker avatar Feb 13 '25 15:02 jasondbaker

@jasondbaker, thank you for posting your solution, I was a bit slow to respond. We had a thread on this here: https://github.com/aws-quickstart/cdk-eks-blueprints/issues/1027#issuecomment-2453298310

You can use an addon to create access entries, but I do think that having them in the cluster provider for admin roles and in the teams may be more aligned with overall design. I will keep the issue open.

shapirov103 avatar Feb 13 '25 15:02 shapirov103
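Building on the add-on above and the suggestion to tie access entries to teams, here is an added example (not code from this issue or from the cdk-eks-blueprints project) that derives per-team access-entry specs shaped like aws-cdk-lib's AccessEntryProps, giving only an admin team cluster-scoped AmazonEKSClusterAdminPolicy and application teams namespace-scoped AmazonEKSEditPolicy. The Team model, the spec ids, the validation rules and the sample ARNs are assumptions; an add-on's deploy() could map each spec onto new AccessEntry(...).

```typescript
// Added example, not code from the issue or the cdk-eks-blueprints project.
// Builds per-team EKS access-entry specs shaped like aws-cdk-lib AccessEntryProps
// (principal + accessPolicies[{policyArn, accessScope}]) so that only the admin team
// gets cluster-scoped admin while application teams get namespace-scoped edit rights.

export type AccessScope =
  | { type: "cluster" }
  | { type: "namespace"; namespaces: string[] };

export interface AccessEntrySpec {
  id: string;        // CDK construct id; must be unique within the stack
  principal: string; // IAM role ARN that the entry maps into the cluster
  accessPolicies: { policyArn: string; accessScope: AccessScope }[];
}

export interface Team { name: string; roleArn: string; admin?: boolean; namespaces?: string[] }

// Managed EKS access policy ARNs follow arn:aws:eks::aws:cluster-access-policy/<Name>.
export const POLICY_ARN = {
  admin: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
  edit: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy",
};

// Accept only IAM role ARNs (not users or the account root) as principals (assumed policy).
const ROLE_ARN = /^arn:aws(?:-[a-z]+)?:iam::\d{12}:role\/[\w+=,.@/-]+$/;

export function buildAccessEntrySpecs(teams: Team[]): AccessEntrySpec[] {
  const seen = new Set<string>();
  return teams.map((t): AccessEntrySpec => {
    if (!ROLE_ARN.test(t.roleArn)) throw new Error(`${t.name}: principal must be an IAM role ARN`);
    // EKS allows one access entry per principal per cluster; a duplicate fails at deploy time.
    if (seen.has(t.roleArn)) throw new Error(`${t.name}: duplicate principal ${t.roleArn}`);
    seen.add(t.roleArn);
    if (t.admin) {
      // Cluster admin is granted at cluster scope only, and only to teams flagged admin.
      return { id: `AccessEntry-${t.name}`, principal: t.roleArn,
        accessPolicies: [{ policyArn: POLICY_ARN.admin, accessScope: { type: "cluster" } }] };
    }
    if (!t.namespaces?.length) throw new Error(`${t.name}: non-admin team needs namespaces`);
    return { id: `AccessEntry-${t.name}`, principal: t.roleArn,
      accessPolicies: [{ policyArn: POLICY_ARN.edit,
        accessScope: { type: "namespace", namespaces: [...t.namespaces] } }] };
  });
}

// Constructed sample input: one platform (admin) team and one application team.
export const SAMPLE_TEAMS: Team[] = [
  { name: "platform", roleArn: "arn:aws:iam::123456789012:role/platform-admin", admin: true },
  { name: "payments", roleArn: "arn:aws:iam::123456789012:role/payments-dev", namespaces: ["payments"] },
];
```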

This issue has been automatically marked as stale because it has been open 60 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

github-actions[bot] avatar May 15 '25 00:05 github-actions[bot]

Issue closed due to inactivity.

github-actions[bot] avatar Jul 14 '25 00:07 github-actions[bot]