cluster-api-provider-aws
cluster-api-provider-aws copied to clipboard
kubernetes-sigs
Not Removing Previous Roles and Users within iamAuthenticatorConfig
/kind bug
What steps did you take and what happened:
Updating iamAuthenticatorConfig with multiple roles or users, then removing roles does not remove old roles and users, only appends new arns.
- Define CAPA
iamAuthenticatorConfig.
iamAuthenticatorConfig:
mapUsers:
- groups:
- system:masters
userarn: arn:aws:iam::111122223333:user/my-user
username: my-user
- groups:
- system:masters
userarn: arn:aws:iam::111122223333:user/my-second-user
username: my-second-user
- Define
iamAuthenticatorConfigremoving a user.
iamAuthenticatorConfig:
mapUsers:
- groups:
- system:masters
userarn: arn:aws:iam::111122223333:user/my-second-user
username: my-second-user
- Result within
kube-system/aws-auth.
mapUsers: |
- groups:
- system:masters
userarn: arn:aws:iam::111122223333:user/my-user
username: my-user
- groups:
- system:masters
userarn: arn:aws:iam::111122223333:user/my-second-user
username: my-second-user
What did you expect to happen:
The expected behavior is to have kube-system/aws-auth to only have the defined users / roles.
mapUsers: |
- groups:
- system:masters
userarn: arn:aws:iam::111122223333:user/my-second-user
username: my-second-user
Anything else you would like to add: Would like to clarify if this is expected or unexpected behavior. Not removing users / roles could be a security risk.
Environment:
- Cluster-api-provider-aws version: v2.3.1
- Kubernetes version: (use
kubectl version): v1.28.4 - OS (e.g. from
/etc/os-release): macOS 14.1.1 (23B81)
This issue is currently awaiting triage.
If CAPA/CAPI contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle stale - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle rotten - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
