Add AccessEntry to AWSManagedControlPlane API

joshfrench · joshfrench · commit 161ec2d7cdb2 · 2025-09-02T15:55:26.000-04:00
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -2244,6 +2244,84 @@ spec:
                 description: AccessConfig specifies the access configuration information
                   for the cluster
                 properties:
+                  accessEntries:
+                    description: |-
+                      AccessEntries specifies the access entries for the cluster
+                      Access entries require AuthenticationMode to be either API or API_AND_CONFIG_MAP
+                    items:
+                      description: AccessEntry represents an AWS EKS access entry
+                        for IAM principals
+                      properties:
+                        accessPolicies:
+                          description: |-
+                            AccessPolicies specifies the policies to associate with this access entry
+                            Cannot be specified if Type is EC2_LINUX or EC2_WINDOWS
+                          items:
+                            description: AccessPolicyReference represents a reference
+                              to an AWS EKS access policy
+                            properties:
+                              accessScope:
+                                description: AccessScope specifies the scope for the
+                                  policy
+                                properties:
+                                  namespaces:
+                                    description: |-
+                                      Namespaces are the namespaces for the access scope
+                                      Only valid when Type is namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                  type:
+                                    default: cluster
+                                    description: Type is the type of access scope.
+                                      Defaults to "cluster".
+                                    enum:
+                                    - cluster
+                                    - namespace
+                                    type: string
+                                required:
+                                - type
+                                type: object
+                              policyARN:
+                                description: PolicyARN is the Amazon Resource Name
+                                  (ARN) of the access policy
+                                type: string
+                            required:
+                            - accessScope
+                            - policyARN
+                            type: object
+                          type: array
+                        kubernetesGroups:
+                          description: |-
+                            KubernetesGroups represents the Kubernetes groups for the access entry
+                            Cannot be specified if Type is EC2_LINUX or EC2_WINDOWS
+                          items:
+                            type: string
+                          type: array
+                        principalARN:
+                          description: PrincipalARN is the Amazon Resource Name (ARN)
+                            of the IAM principal
+                          type: string
+                        type:
+                          default: STANDARD
+                          description: Type is the type of access entry. Defaults
+                            to STANDARD if not specified.
+                          enum:
+                          - STANDARD
+                          - EC2_LINUX
+                          - EC2_WINDOWS
+                          - FARGATE_LINUX
+                          - EC2
+                          - HYBRID_LINUX
+                          - HYPERPOD_LINUX
+                          type: string
+                        username:
+                          description: Username is the username for the access entry
+                          type: string
+                      required:
+                      - principalARN
+                      type: object
+                    type: array
                   authenticationMode:
                     default: CONFIG_MAP
                     description: |-
diff --git a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go
@@ -252,6 +252,57 @@ type EndpointAccess struct {
 	Private *bool `json:"private,omitempty"`
 }
 
+// AccessEntry represents an AWS EKS access entry for IAM principals
+type AccessEntry struct {
+	// PrincipalARN is the Amazon Resource Name (ARN) of the IAM principal
+	// +kubebuilder:validation:Required
+	PrincipalARN string `json:"principalARN"`
+
+	// Type is the type of access entry. Defaults to STANDARD if not specified.
+	// +kubebuilder:default=STANDARD
+	// +kubebuilder:validation:Enum=STANDARD;EC2_LINUX;EC2_WINDOWS;FARGATE_LINUX;EC2;HYBRID_LINUX;HYPERPOD_LINUX
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// KubernetesGroups represents the Kubernetes groups for the access entry
+	// Cannot be specified if Type is EC2_LINUX or EC2_WINDOWS
+	// +optional
+	KubernetesGroups []string `json:"kubernetesGroups,omitempty"`
+
+	// Username is the username for the access entry
+	// +optional
+	Username string `json:"username,omitempty"`
+
+	// AccessPolicies specifies the policies to associate with this access entry
+	// Cannot be specified if Type is EC2_LINUX or EC2_WINDOWS
+	// +optional
+	AccessPolicies []AccessPolicyReference `json:"accessPolicies,omitempty"`
+}
+
+// AccessPolicyReference represents a reference to an AWS EKS access policy
+type AccessPolicyReference struct {
+	// PolicyARN is the Amazon Resource Name (ARN) of the access policy
+	// +kubebuilder:validation:Required
+	PolicyARN string `json:"policyARN"`
+
+	// AccessScope specifies the scope for the policy
+	// +kubebuilder:validation:Required
+	AccessScope AccessScope `json:"accessScope"`
+}
+
+// AccessScope represents the scope for an access policy
+type AccessScope struct {
+	// Type is the type of access scope. Defaults to "cluster".
+	// +kubebuilder:validation:Enum=cluster;namespace
+	// +kubebuilder:default=cluster
+	Type string `json:"type"`
+
+	// Namespaces are the namespaces for the access scope
+	// Only valid when Type is namespace
+	// +optional
+	Namespaces []string `json:"namespaces,omitempty"`
+}
+
 // AccessConfig represents the access configuration information for the cluster
 type AccessConfig struct {
 	// AuthenticationMode specifies the desired authentication mode for the cluster
@@ -260,6 +311,11 @@ type AccessConfig struct {
 	// +kubebuilder:validation:Enum=CONFIG_MAP;API;API_AND_CONFIG_MAP
 	AuthenticationMode EKSAuthenticationMode `json:"authenticationMode,omitempty"`
 
+	// AccessEntries specifies the access entries for the cluster
+	// Access entries require AuthenticationMode to be either API or API_AND_CONFIG_MAP
+	// +optional
+	AccessEntries []AccessEntry `json:"accessEntries,omitempty"`
+
 	// BootstrapClusterCreatorAdminPermissions grants cluster admin permissions
 	// to the IAM identity creating the cluster. Only applied during creation,
 	// ignored when updating existing clusters. Defaults to true.
diff --git a/controlplane/eks/api/v1beta2/zz_generated.deepcopy.go b/controlplane/eks/api/v1beta2/zz_generated.deepcopy.go
