
feat(eks): support AccessConfig for the Cluster construct

pahud opened this pull request 1 year ago

Background

Amazon EKS originally uses a ConfigMap for its access management, and in aws-eks we use AwsAuth to leverage the kubectl from kubectl-lambda-layer to create the AwsAuth ConfigMap for that. The ConfigMap has been very difficult to maintain due to its lack of support in the EKS API, but thanks to the AwsAuth class it's been very smooth in CDK.

At AWS re:Invent 2023 we announced the access API support that simplifies the management as a replacement for the traditional ConfigMap. In CloudFormation we now have AccessConfig with AuthenticationMode and BootstrapClusterCreatorAdminPermissions.

The AuthenticationMode supports API_AND_CONFIG_MAP (the default), API and CONFIG_MAP. It allows users to switch the mode on cluster creation or update. When the mode has API support, users have to define the AccessEntry to map the access policies to the IAM principals. This PR introduces the AccessEntry and AccessPolicy classes to simplify that, with an experience similar to the iam.ManagedPolicy class. This PR also introduces the grantAccess() method that allows a cluster to grant its access to a specific principal and abstracts away the complexity.

Overview of the API experience from this PR:

const cluster = new eks.Cluster(this, 'Cluster', {
  vpc,
  mastersRole: clusterAdminRole,
  version: eks.KubernetesVersion.V1_29,
  kubectlLayer: new KubectlV29Layer(this, 'KubectlLayer'),
  authenticationMode: eks.AuthenticationMode.API_AND_CONFIG_MAP,
});

// Cluster Admin role for this cluster
cluster.grantAccess('clusterAdminAccess', clusterAdminRole.roleArn, [
  eks.AccessPolicy.fromAccessPolicyName('AmazonEKSClusterAdminPolicy'),
]);

// EKS Admin role for specified namespaces of this cluster
cluster.grantAccess('eksAdminRoleAccess', eksAdminRole.roleArn, [
  eks.AccessPolicy.fromAccessPolicyName('AmazonEKSAdminPolicy', { namespaces: ['foo', 'bar'] } ),
]);

// EKS Admin Viewer role for specified namespaces of this cluster
cluster.grantAccess('eksAdminViewRoleAccess', eksAdminViewRole.roleArn, [
  eks.AccessPolicy.fromAccessPolicyName('AmazonEKSAdminViewPolicy', { namespaces: ['foo', 'bar'] } ),
]);

Issue # (if applicable)

Closes https://github.com/aws/aws-cdk/issues/28588

This PR introduces the authenticationMode, AccessEntry and AccessPolicy for both the Cluster and FargateCluster constructs.

  • [x] bump @aws-sdk/client-eks to v3.476.0 (the minimal version with EKS Cluster Access Management support)
  • [x] make sure it deploys with the new AccessConfig support for a new cluster
  • [x] make sure an existing cluster can be updated by adding this new prop
  • [x] make sure it deploys with a new FargateCluster
  • [x] make sure an existing FargateCluster can be updated by adding this new prop
  • [x] make sure it works with CfnAccessEntry L1 resources
  • [x] AccessEntry L2 construct support
  • [x] AccessPolicy class
  • [x] bootstrapClusterCreatorAdminPermissions
  • [x] unit tests
  • [x] integ tests
  • [x] update README
  • [x] add PR notes
  • [ ] (optional) test in cn-north-1 and cn-northwest-1

Notes

  1. Switching authentication modes on an existing cluster is a one-way operation. You can switch from CONFIG_MAP to API_AND_CONFIG_MAP. You can then switch from API_AND_CONFIG_MAP to API. You cannot revert these operations in the opposite direction, meaning you cannot switch back to CONFIG_MAP or API_AND_CONFIG_MAP from API, and you cannot switch back to CONFIG_MAP from API_AND_CONFIG_MAP. (see here) This PR adds relevant checks in the custom resource and adds a docstring to the authenticationMode prop.

  2. Switching bootstrapClusterCreatorAdminPermissions would cause cluster replacement; we call this out in the README and the construct prop docstring as a heads-up. This option is available in CFN, which triggers replacement on resource update as well. I have created #30107 for further improvement.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

pahud, Apr 30 '24 20:04
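As an added example (not code from this PR or from aws-cdk), a small TypeScript pre-deploy check that encodes the two caveats from the notes above: authenticationMode changes are one-way, and changing bootstrapClusterCreatorAdminPermissions replaces the cluster. The planAccessConfigChange function and the ClusterAccessProps shape are assumed names, and walking the upgrade one documented step at a time is an assumption drawn from the transitions listed in the notes.

```typescript
// Added example, not code from the aws-cdk PR: a pre-deploy check that
// rejects an unsupported authenticationMode change and warns when an
// update would replace the cluster, before CloudFormation fails the update.

type AuthenticationMode = 'CONFIG_MAP' | 'API_AND_CONFIG_MAP' | 'API';

// Modes only ever move rightwards in this list; reverting is not supported.
const MODE_ORDER: AuthenticationMode[] = ['CONFIG_MAP', 'API_AND_CONFIG_MAP', 'API'];

// Assumed prop shape for this example, mirroring the two props the PR notes discuss.
interface ClusterAccessProps {
  authenticationMode: AuthenticationMode;
  bootstrapClusterCreatorAdminPermissions: boolean;
}

interface ChangeReport {
  allowed: boolean;            // false when the update would be rejected
  steps: AuthenticationMode[]; // intermediate modes to apply, in order
  replacesCluster: boolean;    // true when CFN would replace the cluster
  reasons: string[];
}

function planAccessConfigChange(current: ClusterAccessProps, desired: ClusterAccessProps): ChangeReport {
  const report: ChangeReport = { allowed: true, steps: [], replacesCluster: false, reasons: [] };
  const from = MODE_ORDER.indexOf(current.authenticationMode);
  const to = MODE_ORDER.indexOf(desired.authenticationMode);

  if (to < from) {
    // Downgrade: the notes state this cannot be reverted, so refuse it up front.
    report.allowed = false;
    report.reasons.push(
      `cannot revert authenticationMode from ${current.authenticationMode} to ${desired.authenticationMode}; the change is one-way`,
    );
  } else if (to > from) {
    // Upgrade: emit the documented path one step at a time
    // (CONFIG_MAP -> API_AND_CONFIG_MAP -> API). Assumption: a skipped step
    // is applied as consecutive updates rather than a single jump.
    report.steps = MODE_ORDER.slice(from + 1, to + 1);
    report.reasons.push(`authenticationMode upgrade path: ${[current.authenticationMode, ...report.steps].join(' -> ')}`);
  }

  if (current.bootstrapClusterCreatorAdminPermissions !== desired.bootstrapClusterCreatorAdminPermissions) {
    // Allowed, but the cluster is replaced, which is worth surfacing before deploy.
    report.replacesCluster = true;
    report.reasons.push('changing bootstrapClusterCreatorAdminPermissions triggers cluster replacement');
  }
  return report;
}
```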

@pahud is there anything that can be done to encourage getting this merged in? We really need it in our project to be able to setup eks clusters properly in one phase.

richardgroves, May 29 '24 10:05


Thank you @richardgroves, I appreciate your concern. I will make another iteration this week and get the CDK team and EKS team to review again. Hopefully that will clarify some details and move it forward.

pahud, Jun 05 '24 17:06

/LGTM

nnmin-aws, Jun 07 '24 19:06

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

mergify[bot], Jun 11 '24 17:06

Temporarily adding a do-not-merge label to confirm with team that there's no outstanding feedback. Will remove it and merge the PR if none.

GavinZZ, Jun 11 '24 17:06

/LGTM

nnmin-aws, Jun 11 '24 20:06

Obviously I did update the snaps but the PR Linter didn't think so.

Exemption Request just in case.

pahud, Jun 12 '24 17:06

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

mergify[bot], Jun 12 '24 18:06

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 32946562d6be71475e279fdc94561f35519b756d
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

aws-cdk-automation, Jun 12 '24 19:06

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

mergify[bot], Jun 12 '24 19:06

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

aws-cdk-automation, Jul 25 '24 21:07