
EKS aws-auth configmap configurations as a Custom Resource

Open vijaymateti opened this issue 3 years ago • 1 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request. What do you want us to build?
In a large multi-tenant EKS cluster, maintaining the role bindings for the various tenants out of a single aws-auth configmap seems cumbersome and could be error-prone if not done correctly.

It would be great if management of the aws-auth configmap could be done using a custom resource of type awsauth (or something appropriate) with a predefined schema, so that each individual configuration for worker nodes or users can be an instance of this CR.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
This would allow the aws-auth configmap to be broken down into multiple custom resources managed through Argo CD or another GitOps process, rather than editing one single configmap for every self-managed node addition, user, or IAM role binding.

Are you currently working around this issue? How are you currently solving this problem?
Currently the only option is to keep aws-auth configmap updates centralized.

Additional context. Anything else we should know?
None

vijaymateti avatar Mar 01 '22 21:03 vijaymateti

Have you seen https://github.com/aws/containers-roadmap/issues/185 ?

bryantbiggs avatar Mar 01 '22 23:03 bryantbiggs

@bryantbiggs I like an in-cluster solution; not all environments are managed by CloudFormation. CRDs could be implemented with CloudFormation, or with something else.

My thought here was a slightly different implementation, filtering multiple configmaps by annotation vs. filtering to one configmap by name - but in practice, I wouldn't request any specific solution. The problem is as Vijay stated: as a cluster administrator, I would like a way to atomically manage the IAM permissions policy on the cluster. mapRoles as a single string within a configmap is operationally unfriendly.

immanetize avatar Oct 24 '22 16:10 immanetize
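Both the original request and the comment above point at the same weakness: every tenant's IAM-to-RBAC mapping lives in one hand-edited mapRoles string, so a typo or a duplicated role ARN in one tenant's edit can silently shadow another's. The following is an added example and not code from this issue, from Argo CD, or from EKS. It assumes a per-tenant layout (each tenant owns its own list of mappings, here constructed sample data with placeholder account IDs), a `platform` owner that is the only one allowed to grant reserved groups, and merges the fragments into the single ConfigMap while rejecting duplicate ARNs, malformed ARNs, missing usernames and tenant requests for `system:masters`.

```python
"""Merge per-tenant IAM role mappings into one aws-auth 'mapRoles' document.

Added example, not code from this issue or from EKS. It assumes each tenant
owns its own list of mappings (constructed sample data below, with placeholder
account IDs) and that only the 'platform' owner may grant reserved groups.
"""
from typing import Dict, List, Tuple

# Constructed sample input: one fragment per owner, as a CR-per-tenant
# model would store it.
TENANT_FRAGMENTS: Dict[str, List[dict]] = {
    "tenant-a": [
        {"rolearn": "arn:aws:iam::111111111111:role/tenant-a-dev",
         "username": "tenant-a-dev", "groups": ["tenant-a:edit"]},
    ],
    "tenant-b": [
        {"rolearn": "arn:aws:iam::222222222222:role/tenant-b-dev",
         "username": "tenant-b-dev", "groups": ["tenant-b:edit"]},
    ],
    "platform": [
        {"rolearn": "arn:aws:iam::111111111111:role/eks-node-role",
         "username": "system:node:{{EC2PrivateDNSName}}",
         "groups": ["system:bootstrappers", "system:nodes"]},
    ],
}

RESERVED_GROUPS = {"system:masters"}   # never granted to a tenant fragment
PRIVILEGED_OWNER = "platform"          # assumed name of the cluster team
ARN_PREFIX = "arn:aws:iam::"


def validate_fragment(owner: str, entries: List[dict]) -> List[str]:
    """Return human-readable problems found in one owner's mappings."""
    problems = []
    for entry in entries:
        arn = entry.get("rolearn", "")
        if not arn.startswith(ARN_PREFIX) or ":role/" not in arn:
            problems.append(f"{owner}: malformed rolearn {arn!r}")
        if not entry.get("username"):
            problems.append(f"{owner}: missing username for {arn}")
        requested = set(entry.get("groups", []))
        if owner != PRIVILEGED_OWNER and requested & RESERVED_GROUPS:
            problems.append(f"{owner}: {arn} requests reserved group")
    return problems


def collect(fragments: Dict[str, List[dict]]) -> Tuple[List[dict], List[str]]:
    """Validate every fragment and return (merged entries, problems)."""
    problems: List[str] = []
    owner_of: Dict[str, str] = {}
    merged: List[dict] = []
    for owner, entries in fragments.items():
        problems += validate_fragment(owner, entries)
        for entry in entries:
            arn = entry.get("rolearn", "")
            # The same role must not be claimed twice: in a hand-merged
            # string the later entry would silently shadow the earlier one.
            if arn in owner_of:
                problems.append(f"{owner}: {arn} already mapped by {owner_of[arn]}")
                continue
            owner_of[arn] = owner
            merged.append(entry)
    return sorted(merged, key=lambda e: e["rolearn"]), problems


def render_map_roles(entries: List[dict]) -> str:
    """Render entries as the YAML list aws-auth expects in data.mapRoles."""
    lines = []
    for entry in entries:
        lines.append(f"- rolearn: {entry['rolearn']}")
        lines.append(f"  username: {entry['username']}")
        groups = entry.get("groups", [])
        if groups:
            lines.append("  groups:")
            lines += [f"    - {g}" for g in groups]
    return "\n".join(lines) + "\n"


def render_aws_auth(fragments: Dict[str, List[dict]]) -> str:
    """Build the whole kube-system/aws-auth ConfigMap, or raise on any problem."""
    merged, problems = collect(fragments)
    if problems:
        raise ValueError("; ".join(problems))
    body = "".join(f"    {line}\n" for line in render_map_roles(merged).splitlines())
    return (
        "apiVersion: v1\nkind: ConfigMap\nmetadata:\n"
        "  name: aws-auth\n  namespace: kube-system\ndata:\n  mapRoles: |\n" + body
    )


if __name__ == "__main__":
    print(render_aws_auth(TENANT_FRAGMENTS))
```

Run as a pre-apply step in the GitOps pipeline, this refuses to produce the ConfigMap at all when two fragments claim the same role or a tenant fragment asks for a cluster-admin group, which is exactly the class of mistake that is hard to spot in one long string.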

Closing, as EKS launched cluster access management as an alternative solution: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

mikestef9 avatar Apr 11 '24 22:04 mikestef9