Investigate and adjust to changes in AWS creds coupling to in-cluster creds #4102

Closed
consideRatio opened this issue May 21, 2024 · 2 comments · Fixed by #4557

Comments

consideRatio commented May 21, 2024

There are changes in how the EKS cluster api-server recognizes AWS users; the related docs are the AWS docs on cluster access entries. There was also a default change in eksctl, so that new clusters are now set up by default with support for both the new and the old coupling system.

  • If we transition from "only old" to "old and new", we can't go back, and if we transition from "old and new" to "only new" we can't go back. New clusters are now in "old and new" mode, while old clusters are in "only old" mode. Do we want to transition all clusters to "old and new" mode, and possibly just "new" mode?
  • Anywhere we document using eksctl create iamidentitymapping, we are documenting things related to the old system.
  • The new system seems to provide EKS cluster permissions for account admins.

Example from old cluster

[screenshot]

Example from new cluster

[screenshot]

consideRatio changed the title from "Investigate and update EKS docs about AWS creds coupling to in-cluster creds" to "Investigate and adjust to changes in AWS creds coupling to in-cluster creds" on May 21, 2024

consideRatio commented May 21, 2024

Changes made

AWS accounts with SSO signin

These are all now on the "new + old" system, except 2i2c-aws-us, which is on the new system only and piloting that. These accounts no longer require the aws-auth configmap to my knowledge, and we could transition to "new only" for all of these, I believe, if we wanted to.

If that is wanted, the command to run is eksctl utils migrate-to-access-entry --cluster $CLUSTER_NAME --approve --target-authentication-mode=API

  • 2i2c-aws-us (new only)
  • catalystproject-africa
  • gridsst
  • jupyter-health
  • kitware
  • nasa-cryo
  • opensci
  • smithsonian
  • ubc-eoas
  • victor

The accounts below are pending deletion in #4097, so no action is taken here - the hub deployer user doesn't exist here either, so it errored when I tried before realizing they were being decommissioned.

  • bican
  • dandi
  • linc

Other accounts

I've migrated these as well to the old + new system - I wonder if we can avoid needing to declare access entries for individual users here as well.

  • earthscope
  • jupyter-meets-the-earth
  • nasa-esdis
  • nasa-ghg
  • nasa-veda
  • openscapes
  • projectpythia
