authconfigmap

package v0.126.0
Published: Jan 13, 2023 License: Apache-2.0 Imports: 19 Imported by: 12

Documentation

Overview

Package authconfigmap allows manipulation of the EKS auth ConfigMap (aws-auth), which maps IAM entities to Kubernetes groups.

See for more information:
- https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
- https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/README.md#full-configuration-format

Index

Constants

const (
	// ObjectName is the Kubernetes resource name of the auth ConfigMap
	ObjectName = "aws-auth"
	// ObjectNamespace is the namespace the object can be found
	ObjectNamespace = metav1.NamespaceSystem

	// GroupMasters is the admin group which is also automatically
	// granted to the IAM role that creates the cluster.
	GroupMasters = "system:masters"

	// RoleNodeGroupUsername is the default username for a nodegroup
	// role mapping.
	RoleNodeGroupUsername = "system:node:{{EC2PrivateDNSName}}"
)

Variables

var RoleNodeGroupGroups = []string{"system:bootstrappers", "system:nodes"}

RoleNodeGroupGroups are the groups to allow roles to interact with the cluster, required for the instance role ARNs of nodegroups.

Functions

func AddNodeGroup

func AddNodeGroup(clientSet kubernetes.Interface, ng *api.NodeGroup) error

AddNodeGroup creates or adds a nodegroup IAM role in the auth ConfigMap for the given nodegroup.

func ObjectMeta

func ObjectMeta() metav1.ObjectMeta

ObjectMeta constructs metadata for the ConfigMap.

func RemoveNodeGroup

func RemoveNodeGroup(clientSet kubernetes.Interface, ng *api.NodeGroup) error

RemoveNodeGroup removes a nodegroup from the ConfigMap and does a client update.

Types

type AuthConfigMap

type AuthConfigMap struct {
	// contains filtered or unexported fields
}

AuthConfigMap allows modifying the auth ConfigMap.

func New

New creates an AuthConfigMap instance that manipulates a ConfigMap. If the given ConfigMap is nil, a new one is created.

func NewFromClientSet

func NewFromClientSet(clientSet kubernetes.Interface) (*AuthConfigMap, error)

NewFromClientSet fetches the auth ConfigMap.

func (*AuthConfigMap) AddAccount

func (a *AuthConfigMap) AddAccount(account string) error

AddAccount appends an IAM account to the `mapAccounts` entry in the ConfigMap. It also deduplicates.

func (*AuthConfigMap) AddIdentity

func (a *AuthConfigMap) AddIdentity(identity iam.Identity) error

AddIdentity maps an IAM role or user ARN to a k8s group dynamically. It modifies the role or user with given groups. If you are calling this as part of node creation you should use DefaultNodeGroups.

func (*AuthConfigMap) AddIdentityIfNotPresent

func (a *AuthConfigMap) AddIdentityIfNotPresent(identity iam.Identity, exists func(iam.Identity) bool) error

AddIdentityIfNotPresent adds the specified identity if the predicate exists(identity) returns false for all existing entries.

func (*AuthConfigMap) GetIdentities added in v0.71.0

func (a *AuthConfigMap) GetIdentities() ([]iam.Identity, error)

GetIdentities returns a list of the IAM users and roles that are currently in the (cached) ConfigMap.

func (*AuthConfigMap) RemoveAccount

func (a *AuthConfigMap) RemoveAccount(account string) error

RemoveAccount removes the given IAM account entry in mapAccounts.

func (*AuthConfigMap) RemoveIdentity

func (a *AuthConfigMap) RemoveIdentity(arnToDelete string, all bool) error

RemoveIdentity removes an identity. If `all` is false it will only remove the first it encounters and return an error if it cannot find it. If `all` is true it will remove all of them and not return an error if it cannot be found.
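As an added illustration (not eksctl's own code), the following self-contained Go models the entry bookkeeping documented for AddIdentityIfNotPresent and RemoveIdentity, plus an audit helper that lists which ARNs a map places in GroupMasters, the group that grants cluster-admin. The Identity and AuthMap types are simplified stand-ins (assumptions) for iam.Identity and AuthConfigMap; they hold parsed entries only and do not talk to a cluster.

```go
package main

import "fmt"

const GroupMasters = "system:masters" // mirrors the package constant; members are cluster admins

// Identity is a simplified stand-in (assumption) for iam.Identity: one mapRoles/mapUsers entry.
type Identity struct {
	ARN    string
	Groups []string
}

// AuthMap is a simplified stand-in (assumption) for AuthConfigMap, holding the parsed entries.
type AuthMap struct{ Entries []Identity }

// AddIdentityIfNotPresent appends id unless exists(e) holds for some entry e; reports whether it added.
func (m *AuthMap) AddIdentityIfNotPresent(id Identity, exists func(Identity) bool) bool {
	for _, e := range m.Entries {
		if exists(e) {
			return false
		}
	}
	m.Entries = append(m.Entries, id)
	return true
}

// RemoveIdentity: all=false drops only the first match and errors if none; all=true drops every match, never errors.
func (m *AuthMap) RemoveIdentity(arn string, all bool) error {
	kept, removed := m.Entries[:0], 0 // filter in place
	for _, e := range m.Entries {
		if e.ARN == arn && (all || removed == 0) {
			removed++
			continue
		}
		kept = append(kept, e)
	}
	m.Entries = kept
	if !all && removed == 0 {
		return fmt.Errorf("identity %q not found in auth ConfigMap", arn)
	}
	return nil
}

// MastersGrants is an audit check: the ARNs this map places in system:masters.
func (m *AuthMap) MastersGrants() (arns []string) {
	for _, e := range m.Entries {
		for _, g := range e.Groups {
			if g == GroupMasters {
				arns = append(arns, e.ARN)
				break
			}
		}
	}
	return arns
}
```

Reviewing MastersGrants output against the expected set of admin roles is a cheap periodic check, since any entry mapped to system:masters bypasses RBAC entirely.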

func (*AuthConfigMap) Save

func (a *AuthConfigMap) Save() (err error)

Save persists the ConfigMap to the cluster. It determines whether to create or update by looking at the ConfigMap's UID.

type ServiceAccess

type ServiceAccess struct {
	// contains filtered or unexported fields
}

ServiceAccess grants an AWS service access to an EKS cluster.

func NewServiceAccess

func NewServiceAccess(rawClient *kubernetes.RawClient, acm *AuthConfigMap, accountID string) *ServiceAccess

NewServiceAccess creates a new ServiceAccess.

func (*ServiceAccess) Grant

func (s *ServiceAccess) Grant(serviceName, namespace string, partition string) error

Grant grants access to the specified service.

type ServiceName

type ServiceName string
