aws-iam-authenticator
aws-iam-authenticator copied to clipboard
Published
20 hours ago •
kubernetes-sigs
kubernetes-sigs
Errors when enabling CRD backend
This is my DaemonSet config :
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aws-iam-authenticator
rules:
- apiGroups:
- iamauthenticator.k8s.aws
resources:
- iamidentitymappings
verbs:
- get
- list
- watch
- apiGroups:
- iamauthenticator.k8s.aws
resources:
- iamidentitymappings/status
verbs:
- patch
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- aws-auth
verbs:
- get
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: aws-iam-authenticator
namespace: kube-system
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aws-iam-authenticator
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: aws-iam-authenticator
subjects:
- kind: ServiceAccount
name: aws-iam-authenticator
namespace: kube-system
# ---
# EKS-Style ConfigMap: roles and users can be mapped in the same way as supported on EKS.
# If mappings are defined this way they do not need to be redefined on the other ConfigMap.
# https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
# uncomment if using EKS-Style ConfigMap
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: aws-auth
# namespace: kube-system
# data:
# mapRoles: |
# - rolearn: <ARN of instance role (not instance profile)>
# username: system:node:{{EC2PrivateDNSName}}
# groups:
# - system:bootstrappers
# - system:nodes
# mapUsers: |
# - rolearn: arn:aws:iam::000000000000:user/Alice
# username: alice
# groups:
# - system:masters
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: kube-system
name: aws-iam-authenticator
labels:
k8s-app: aws-iam-authenticator
data:
config.yaml: |
# a unique-per-cluster identifier to prevent replay attacks
# (good choices are a random token or a domain name that will be unique to your cluster)
clusterID: my-dev-cluster.example.com
server:
# each mapRoles entry maps an IAM role to a username and set of groups
# Each username and group can optionally contain template parameters:
# 1) "{{AccountID}}" is the 12 digit AWS ID.
# 2) "{{SessionName}}" is the role session name, with `@` characters
# transliterated to `-` characters.
# 3) "{{SessionNameRaw}}" is the role session name, without character
# transliteration (available in version >= 0.5).
mapRoles:
# statically map arn:aws:iam::000000000000:role/KubernetesAdmin to a cluster admin
- roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
username: kubernetes-admin
groups:
- system:masters
# map EC2 instances in my "KubernetesNode" role to users like
# "aws:000000000000:instance:i-0123456789abcdef0". Only use this if you
# trust that the role can only be assumed by EC2 instances. If an IAM user
# can assume this role directly (with sts:AssumeRole) they can control
# SessionName.
- roleARN: arn:aws:iam::000000000000:role/KubernetesNode
username: aws:{{AccountID}}:instance:{{SessionName}}
groups:
- system:bootstrappers
- aws:instances
# map federated users in my "KubernetesAdmin" role to users like
# "admin:alice-example.com". The SessionName is an arbitrary role name
# like an e-mail address passed by the identity provider. Note that if this
# role is assumed directly by an IAM User (not via federation), the user
# can control the SessionName.
- roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
username: admin:{{SessionName}}
groups:
- system:masters
# map federated users in my "KubernetesOtherAdmin" role to users like
# "alice-example.com". The SessionName is an arbitrary role name
# like an e-mail address passed by the identity provider. Note that if this
# role is assumed directly by an IAM User (not via federation), the user
# can control the SessionName. Note that the "{{SessionName}}" macro is
# quoted to ensure it is properly parsed as a string.
- roleARN: arn:aws:iam::000000000000:role/KubernetesOtherAdmin
username: "{{SessionName}}"
groups:
- system:masters
# map federated users in my "KubernetesUsers" role to users like
# "[email protected]". SessionNameRaw is sourced from the same place as
# SessionName with the distinction that no transformation is performed
# on the value. For example an email addresses passed by an identity
# provider will not have the `@` replaced with a `-`.
- roleARN: arn:aws:iam::000000000000:role/KubernetesUsers
username: "{{SessionNameRaw}}"
groups:
- developers
# each mapUsers entry maps an IAM role to a static username and set of groups
mapUsers:
# map user IAM user Alice in 000000000000 to user "alice" in "system:masters"
- userARN: arn:aws:iam::000000000000:user/Alice
username: alice
groups:
- system:masters
# List of Account IDs to whitelist for authentication
mapAccounts:
# - <AWS_ACCOUNT_ID>
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
namespace: kube-system
name: aws-iam-authenticator
labels:
k8s-app: aws-iam-authenticator
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
selector:
matchLabels:
k8s-app: aws-iam-authenticator
updateStrategy:
type: RollingUpdate
template:
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
labels:
k8s-app: aws-iam-authenticator
spec:
# use service account with access to
serviceAccountName: aws-iam-authenticator
# run on the host network (don't depend on CNI)
hostNetwork: true
# run on each master node, but comment out for Amazon EKS, it creates unschedulable deployment
# nodeSelector:
# node-role.kubernetes.io/master: ""
tolerations:
# - effect: NoSchedule
# key: node-role.kubernetes.io/master
- key: CriticalAddonsOnly
operator: Exists
# run `aws-iam-authenticator server` with three volumes
# - config (mounted from the ConfigMap at /etc/aws-iam-authenticator/config.yaml)
# - state (persisted TLS certificate and keys, mounted from the host)
# - output (output kubeconfig to plug into your apiserver configuration, mounted from the host)
# - initContainers is needed because of errors in EKS deployment : https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/270#issuecomment-584238850
initContainers:
- name: chown
image: busybox
command: ['sh', '-c', 'chown 10000:10000 /var/aws-iam-authenticator; chown 10000:10000 /etc/kubernetes/aws-iam-authenticator']
volumeMounts:
- name: state
mountPath: /var/aws-iam-authenticator/
- name: output
mountPath: /etc/kubernetes/aws-iam-authenticator/
containers:
- name: aws-iam-authenticator
image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.3
args:
- server
# uncomment if using EKS-Style ConfigMap
- --backend-mode=EKSConfigMap,CRD
- --config=/etc/aws-iam-authenticator/config.yaml
- --state-dir=/var/aws-iam-authenticator
- --generate-kubeconfig=/etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml
# uncomment if using the Kops Usage instructions https://sigs.k8s.io/aws-iam-authenticator#kops-usage
# the kubeconfig.yaml is pregenerated by the 'aws-iam-authenticator init' step
# - --kubeconfig-pregenerated=true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
memory: 20Mi
cpu: 10m
limits:
memory: 20Mi
cpu: 100m
volumeMounts:
- name: config
mountPath: /etc/aws-iam-authenticator/
- name: state
mountPath: /var/aws-iam-authenticator/
- name: output
mountPath: /etc/kubernetes/aws-iam-authenticator/
volumes:
- name: config
configMap:
name: aws-iam-authenticator
- name: output
hostPath:
path: /etc/kubernetes/aws-iam-authenticator/
- name: state
hostPath:
path: /var/aws-iam-authenticator/
Since i added CRD backend, i have the following errors :
E0506 09:03:00.970775 1 reflector.go:123] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:96: Failed to list *v1alpha1.IAMIdentityMapping: iamidentitymappings.iamauthenticator.k8s.aws is forbidden: User "system:serviceaccount:kube-system:aws-iam-authenticator" cannot list resource "iamidentitymappings" in API group "iamauthenticator.k8s.aws" at the cluster scope
Also when trying to apply :
---
apiVersion: iamauthenticator.k8s.aws/v1alpha1
kind: IAMIdentityMapping
metadata:
name: kubernetes-admin
spec:
# Arn of the User or Role to be allowed to authenticate
arn: arn:aws:iam::000000000000:role/KubernetesAdmin
# Username that Kubernetes will see the user as, this is useful for setting
# up allowed specific permissions for different users
username: kubernetes-admin
# Groups to be attached to your users/roles. For example `system:masters` to
# create cluster admin, or `system:nodes`, `system:bootstrappers` for nodes to
# access the API server.
groups:
- system:masters
i get the following error :
error: unable to recognize "iam_identity_mapping.yaml": no matches for kind "IAMIdentityMapping" in version "iamauthenticator.k8s.aws/v1alpha1"
This does not work also :
error: unable to recognize "iam_identity_mapping.yaml": no matches for kind "IAMIdentityMapping" in version "iamauthenticator.k8s.aws/v1"
what am i doing wrong ?
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue or PR as fresh with
/remove-lifecycle stale - Mark this issue or PR as rotten with
/lifecycle rotten - Close this issue or PR with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue or PR as fresh with
/remove-lifecycle rotten - Close this issue or PR with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Reopen this issue with
/reopen - Mark this issue as fresh with
/remove-lifecycle rotten - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
In response to this:
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied- After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied- After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closedYou can:
- Reopen this issue with
/reopen- Mark this issue as fresh with
/remove-lifecycle rotten- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
