Update AWS IAM Authenticator to 0.5.0
I merged changes from these manifests:

https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/v0.5.0/deploy/example.yaml

https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/v0.5.0/deploy/iamidentitymapping.yaml

The new version supports replacing the configmap with an IAMIdentityMapping custom resource, but the --backend-mode command argument isn't yet exposed through the kops API, so it will still only use configmaps.
We can expose a BackendMode API field in a follow-up PR.
rifelpet committed Jan 27, 2020
1 parent ff7d4eb commit 3a66eed
Showing 2 changed files with 85 additions and 5 deletions.
@@ -1,3 +1,78 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: iamidentitymappings.iamauthenticator.k8s.aws
spec:
group: iamauthenticator.k8s.aws
version: v1alpha1
scope: Cluster
names:
plural: iamidentitymappings
singular: iamidentitymapping
kind: IAMIdentityMapping
categories:
- all
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
required:
- arn
- username
properties:
arn:
type: string
username:
type: string
groups:
type: array
items:
type: string

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: aws-iam-authenticator
rules:
- apiGroups:
- iamauthenticator.k8s.aws
resources:
- "*"
verbs:
- "*"
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: aws-iam-authenticator
namespace: kube-system

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: aws-iam-authenticator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: aws-iam-authenticator
subjects:
- kind: ServiceAccount
name: aws-iam-authenticator
namespace: kube-system

---
apiVersion: apps/v1
kind: DaemonSet
Expand All @@ -19,6 +94,9 @@ spec:
labels:
k8s-app: aws-iam-authenticator
spec:
# use service account with access to
serviceAccountName: aws-iam-authenticator

# run on the host network (don't depend on CNI)
hostNetwork: true

Expand All @@ -37,7 +115,7 @@ spec:
# - output (output kubeconfig to plug into your apiserver configuration, mounted from the host)
containers:
- name: aws-iam-authenticator
image: {{ or .Authentication.Aws.Image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.4.0" }}
image: {{ or .Authentication.Aws.Image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.0-scratch" }}
args:
- server
- --config=/etc/aws-iam-authenticator/config.yaml
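Review bot: The ClusterRole added in the first hunk grants `"*"` verbs on `"*"` resources across the `iamauthenticator.k8s.aws` group, which gives the DaemonSet's service account full write access to every IAMIdentityMapping rather than the read access a mapping consumer needs. Those objects bind an IAM ARN to a Kubernetes username and groups, so write access to them is effectively control over who authenticates as whom, and per the commit description the CRD backend is not yet reachable through kops at all. I would narrow the rule to read verbs on `iamidentitymappings` plus status updates, as sketched below, after confirming against the calls the 0.5.0 server actually makes. Separately, the comment `# use service account with access to` in the second hunk is cut off mid-sentence and should name what the account can access.

```yaml
rules:
- apiGroups:
  - iamauthenticator.k8s.aws
  resources:
  - iamidentitymappings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - iamauthenticator.k8s.aws
  resources:
  - iamidentitymappings/status
  verbs:
  - patch
  - update
# … unchanged: events rule (create, update, patch) …
```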
10 changes: 6 additions & 4 deletions upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
Expand Up @@ -977,15 +977,17 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
}
if b.cluster.Spec.Authentication.Aws != nil {
key := "authentication.aws"
version := "0.4.0-kops.1"

versions := map[string]string{
"k8s-1.10": "0.4.0-kops.1",
"k8s-1.12": "0.5.0-kops.1",
}
{
location := key + "/k8s-1.10.yaml"
id := "k8s-1.10"

addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
Name: fi.String(key),
Version: fi.String(version),
Version: fi.String(versions[id]),
Selector: authenticationSelector,
Manifest: fi.String(location),
KubernetesVersion: ">=1.10.0 <1.12.0",
Expand All @@ -999,7 +1001,7 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {

addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
Name: fi.String(key),
Version: fi.String(version),
Version: fi.String(versions[id]),
Selector: authenticationSelector,
Manifest: fi.String(location),
KubernetesVersion: ">=1.12.0",
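Review bot: Both `Version: fi.String(versions[id])` lookups yield an empty string when `id` has no entry in `versions`, so a manifest id added later without a matching map key would publish the authentication addon with a blank version instead of failing. How the channels tooling treats a blank version is not visible here, but for an authentication component I would make the miss explicit with `v, ok := versions[id]` and a loud failure on `!ok`, or use two named constants directly. The `id` for the second block is assigned outside the shown lines, and buildAddons itself starts and ends outside both hunks. If leaving k8s-1.10 on 0.4.0 is intentional, a comment on the map such as `// k8s-1.10 keeps the 0.4.0 manifest; only k8s-1.12+ ships authenticator 0.5.0` would record that.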
