173 changes: 172 additions & 1 deletion docs/resources/eks_cluster.md
Expand Up @@ -576,7 +576,138 @@ addons {
}
```

Basic EKS cluster with AccessEntry configured

```terraform
resource "rafay_eks_cluster" "eks-cluster-1" {
cluster {
kind = "Cluster"
metadata {
name = "eks-cluster-1"
project = "terraform"
}
spec {
type = "eks"
blueprint = "default"
blueprint_version = "1.13.0"
cloud_provider = "eks-role"
cni_provider = "aws-cni"
proxy_config = {}
}
}
cluster_config {
apiversion = "rafay.io/v1alpha5"
kind = "ClusterConfig"
metadata {
name = "eks-cluster-1"
region = "us-west-2"
version = "1.21"
}
access_config {
authentication_mode = "API"
bootstrap_cluster_creator_admin_permissions = "true"
access_entries {
principal_arn = "arn:aws:iam::xxxxxxxxxxxx:user1/user1-access-role"
type = "STANDARD"
access_policies {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy"
access_scope {
type = "cluster"
}
}
}
access_entries {
principal_arn = "arn:aws:iam::xxxxxxxxxxxx:user2/user1-access-role"
type = "STANDARD"
access_policies {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
access_scope {
type = "cluster"
}
}
}
}
iam {
service_accounts {
attach_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:AttachVolume",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DetachVolume",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:*"],
"Resource": ["*"]
},
{
"Effect": "Allow",
"Action": ["elasticloadbalancing:*"],
"Resource": ["*"]
}
]
}
EOF
}
}
vpc {
cidr = "192.168.0.0/16"
cluster_endpoints {
private_access = true
public_access = false
}
nat {
gateway = "Single"
}
}
node_groups {
name = "ng-1"
ami_family = "AmazonLinux2"
iam {
iam_node_group_with_addon_policies {
image_builder = true
auto_scaler = true
}
}
instance_type = "m5.xlarge"
desired_capacity = 1
min_size = 1
max_size = 2
max_pods_per_node = 50
version = "1.21"
volume_size = 80
volume_type = "gp3"
private_networking = true
}
}
addons {
name = "vpc-cni"
version = "latest"
}
addons {
name = "kube-proxy"
version = "latest"

}
addons {
name = "coredns"
version = "latest"
}
}
```


<!-- schema generated by tfplugindocs -->
Expand Down Expand Up @@ -684,6 +815,7 @@ addons {
- `iam` - (Block List) The AWS identity and access management (IAM) attributes of a cluster. (See [below for nested schema](#nestedblock--cluster_config--iam))
- `secrets_encryption` - (Block List) The Amazon EKS secrets encryption feature. (See [below for nested schema](#nestedblock--cluster_config--secrets_encryption))
- `addons` - (Block List) The list of EKS managed addons to include in the cluster.(See [below for nested schema](#nestedblock--cluster_config--addons))
- `access_config` - (Block List) Access Config controls how IAM principals can access this cluster. (See [below for nested schema](#nestedblock--cluster_config--access_config))

<a id="nestedblock--cluster_config--kubernetes_network_config"></a>
### Nested Schema for `cluster_config.kubernetes_network_config`
Expand Down Expand Up @@ -820,6 +952,45 @@ addons {
- `tags` - (Map of String) The AWS tags for the service account.
- `configuration_values` - (String) custom configuration values for addons with single JSON string.

<a id="nestedblock--cluster_config--access_config"></a>
### Nested Schema for `cluster_config.access_config`

***Optional***

- `authentication_mode` - (String) Configure which source the cluster will use for authenticated IAM principals. API or API_AND_CONFIG_MAP (default) or CONFIG_MAP

- `bootstrap_cluster_creator_admin_permissions` - (Boolean) Choose whether the IAM principal creating the cluster has Kubernetes cluster administrator access

- `access_entries` - (Block List) The list of access entries for the cluster. (See [below for nested schema](#nestedblock--cluster_config--access_config--access_entries))

<a id="nestedblock--cluster_config--access_config--access_entries"></a>
### Nested Schema for `cluster_config.access_config.access_entries`

- `principal_arn` - (String) The IAM principal that you want to grant access to Kubernetes objects on your cluster.

- `type` - (String) Valid values EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX or STANDARD.

- `kubernetes_username` - (String) Username to map to the principal ARN. Valid only when type is STANDARD.

- `kubernetes_groups` - (List of String) Set of Kubernetes groups to map to the principal ARN. Valid only when type is STANDARD.

- `access_policies` - (Block List) The set of policies to associate with an access entry. (See [below for nested schema](#nestedblock--cluster_config--access_config--access_entries--access_policies))

<a id="nestedblock--cluster_config--access_config--access_entries--access_policies"></a>

### Nested Schema for `cluster_config.access_config.access_entries.access_policies`

- `policy_arn` - (String) The ARN of the policy to attach to the access entry

- `access_scope` - (Block List) It defines the scope of an access policy. (See [below for nested schema](#nestedblock--cluster_config--access_config--access_entries--access_policies--access_scope))

<a id="nestedblock--cluster_config--access_config--access_entries--access_policies--access_scope"></a>

### Nested Schema for `cluster_config.access_config.access_entries.access_policies.access_scope`

- `type` - (String) Valid values are namespace or cluster

- `namespaces` - (List of String) Scope access to namespace(s)


<a id="nestedblock--cluster_config--secrets_encryption"></a>
Expand Down Expand Up @@ -1116,4 +1287,4 @@ output "eks_cluster" {
```

---


26 changes: 26 additions & 0 deletions rafay/eks_config.go
Expand Up @@ -69,10 +69,36 @@ type EKSClusterConfig struct {
CloudWatch *EKSClusterCloudWatch `yaml:"cloudWatch,omitempty"`
SecretsEncryption *SecretsEncryption `yaml:"secretsEncryption,omitempty"`
IdentityMappings *EKSClusterIdentityMappings `yaml:"identityMappings,omitempty"`
AccessConfig *EKSClusterAccess `yaml:"accessConfig,omitempty"`
//do i need this? not in docs
//Karpenter *Karpenter `yaml:"karpenter,omitempty"`
}

type EKSClusterAccess struct {
BootstrapClusterCreatorAdminPermissions bool `yaml:"bootstrapClusterCreatorAdminPermissions,omitempty"`
AuthenticationMode string `yaml:"authenticationMode,omitempty"`
AccessEntries []*EKSAccessEntry `yaml:"accessEntries,omitempty"`
}

type EKSAccessEntry struct {
PrincipalARN string `yaml:"principalARN,omitempty"`
Type string `yaml:"type,omitempty"`
KubernetesUsername string `yaml:"kubernetesUsername,omitempty"`
KubernetesGroups []string `yaml:"kubernetesGroups,omitempty"`
Tags map[string]string `yaml:"tags,omitempty"`
AccessPolicies []*EKSAccessPolicy `yaml:"accessPolicies,omitempty"`
}

type EKSAccessPolicy struct {
PolicyARN string `yaml:"policyARN,omitempty"`
AccessScope *EKSAccessScope `yaml:"accessScope,omitempty"`
}

type EKSAccessScope struct {
Type string `yaml:"type,omitempty"`
Namespaces []string `yaml:"namespaces,omitempty"`
}

type EKSClusterIdentityMappings struct {
Arns []*IdentityMappingARN `yaml:"arns,omitempty"`
Accounts []string `yaml:"accounts,omitempty"`
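Review bot: `BootstrapClusterCreatorAdminPermissions bool` tagged `yaml:"bootstrapClusterCreatorAdminPermissions,omitempty"` in `EKSClusterAccess` cannot express an explicit `false`: the zero value is dropped from the emitted YAML, so a user who sets `bootstrap_cluster_creator_admin_permissions = false` to deny the creating principal cluster-admin produces the same document as leaving it unset. If the consumer of this YAML treats an absent key as true (the AWS/eksctl default for this setting), the least-privilege choice is silently upgraded to full admin, which is exactly the case this field exists to control. Make the field a pointer so the three states survive serialization, `BootstrapClusterCreatorAdminPermissions *bool `yaml:"bootstrapClusterCreatorAdminPermissions,omitempty"``, and have the Terraform-to-YAML mapping (not in this hunk) set it only when the attribute is present. The same omitempty concern does not apply to `AuthenticationMode`, but that string is not constrained to API / API_AND_CONFIG_MAP / CONFIG_MAP anywhere visible here; presumably the schema layer validates it — worth confirming, since a typo would otherwise fall through to whatever the backend defaults to.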