kubernetes-sigs · adammw · Aug 27, 2024 · Sep 6, 2024 · Sep 6, 2024 · Sep 12, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -41,10 +41,11 @@ COPY ./ ./
 ARG package=.
 ARG ARCH
 ARG LDFLAGS
+ARG GCFLAGS
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.local/share/golang \
-    CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go build -ldflags "${LDFLAGS} -extldflags '-static'"  -o manager ${package}
+    CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go build -gcflags "${GCFLAGS}" -ldflags "${LDFLAGS} -extldflags '-static'"  -o manager ${package}
 ENTRYPOINT [ "/start.sh", "/workspace/manager" ]
 
 # Copy the controller-manager into a thin image

diff --git a/Makefile b/Makefile
@@ -134,6 +134,9 @@ RBAC_ROOT ?= $(MANIFEST_ROOT)/rbac
 # Allow overriding the imagePullPolicy
 PULL_POLICY ?= Always
 
+# Allow overriding the GCFLAGS
+GCFLAGS ?=
+
 # Set build time variables including version details
 LDFLAGS := $(shell source ./hack/version.sh; version::ldflags)
 
@@ -371,12 +374,12 @@ binaries: managers clusterawsadm ## Builds and installs all binaries
 
 .PHONY: clusterawsadm
 clusterawsadm: ## Build clusterawsadm binary
-	go build -ldflags "$(LDFLAGS)" -o $(BIN_DIR)/clusterawsadm ./cmd/clusterawsadm
+	go build -gcflags "$(GCFLAGS)" -ldflags "$(LDFLAGS)" -o $(BIN_DIR)/clusterawsadm ./cmd/clusterawsadm
 
 
 .PHONY: docker-build
 docker-build: docker-pull-prerequisites ## Build the docker image for controller-manager
-	docker build --build-arg ARCH=$(ARCH) --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg LDFLAGS="$(LDFLAGS)" . -t $(CORE_CONTROLLER_IMG)-$(ARCH):$(TAG)
+	docker build --build-arg ARCH=$(ARCH) --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg GCFLAGS="$(GCFLAGS)" --build-arg LDFLAGS="$(LDFLAGS)" . -t $(CORE_CONTROLLER_IMG)-$(ARCH):$(TAG)
 
 .PHONY: docker-build-all ## Build all the architecture docker images
 docker-build-all: $(addprefix docker-build-,$(ALL_ARCH))
@@ -395,7 +398,7 @@ managers: ## Alias for manager-aws-infrastructure
 
 .PHONY: manager-aws-infrastructure
 manager-aws-infrastructure: ## Build manager binary
-	CGO_ENABLED=0 GOARCH=${ARCH} go build -ldflags "${LDFLAGS} -extldflags '-static'" -o $(BIN_DIR)/manager .
+	CGO_ENABLED=0 GOARCH=${ARCH} go build -gcflags "${GCFLAGS}" -ldflags "${LDFLAGS} -extldflags '-static'" -o $(BIN_DIR)/manager .
 
 ##@ test:
 

diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -67,6 +67,21 @@ spec:
             description: AWSManagedControlPlaneSpec defines the desired state of an
               Amazon EKS Cluster.
             properties:
+              accessConfig:
+                description: AccessConfig specifies the access configuration information
+                  for the cluster
+                properties:
+                  authenticationMode:
+                    default: CONFIG_MAP
+                    description: |-
+                      AuthenticationMode specifies the desired authentication mode for the cluster
+                      Defaults to CONFIG_MAP
+                    enum:
+                    - CONFIG_MAP
+                    - API
+                    - API_AND_CONFIG_MAP
+                    type: string
+                type: object
               additionalTags:
                 additionalProperties:
                   type: string
@@ -2102,6 +2117,21 @@ spec:
             description: AWSManagedControlPlaneSpec defines the desired state of an
               Amazon EKS Cluster.
             properties:
+              accessConfig:
+                description: AccessConfig specifies the access configuration information
+                  for the cluster
+                properties:
+                  authenticationMode:
+                    default: CONFIG_MAP
+                    description: |-
+                      AuthenticationMode specifies the desired authentication mode for the cluster
+                      Defaults to CONFIG_MAP
+                    enum:
+                    - CONFIG_MAP
+                    - API
+                    - API_AND_CONFIG_MAP
+                    type: string
+                type: object
               additionalTags:
                 additionalProperties:
                   type: string
@@ -2825,7 +2855,7 @@ spec:
                 type: object
               oidcIdentityProviderConfig:
                 description: |-
-                  IdentityProviderconfig is used to specify the oidc provider config
+                  OIDCIdentityProviderConfig is used to specify the oidc provider config
                   to be attached with this eks cluster
                 properties:
                   clientId:

diff --git a/controlplane/eks/api/v1beta1/awsmanagedcontrolplane_types.go b/controlplane/eks/api/v1beta1/awsmanagedcontrolplane_types.go
@@ -165,6 +165,10 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	OIDCIdentityProviderConfig *OIDCIdentityProviderConfig `json:"oidcIdentityProviderConfig,omitempty"`
 
+	// AccessConfig specifies the access configuration information for the cluster
+	// +optional
+	AccessConfig *AccessConfig `json:"accessConfig,omitempty"`
+
 	// DisableVPCCNI indicates that the Amazon VPC CNI should be disabled. With EKS clusters the
 	// Amazon VPC CNI is automatically installed into the cluster. For clusters where you want
 	// to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI
@@ -212,6 +216,15 @@ type EndpointAccess struct {
 	Private *bool `json:"private,omitempty"`
 }
 
+// AccessConfig represents the access configuration information for the cluster
+type AccessConfig struct {
+	// AuthenticationMode specifies the desired authentication mode for the cluster
+	// Defaults to CONFIG_MAP
+	// +kubebuilder:default=CONFIG_MAP
+	// +kubebuilder:validation:Enum=CONFIG_MAP;API;API_AND_CONFIG_MAP
+	AuthenticationMode EKSAuthenticationMode `json:"authenticationMode,omitempty"`
+}
+
 // EncryptionConfig specifies the encryption configuration for the EKS clsuter.
 type EncryptionConfig struct {
 	// Provider specifies the ARN or alias of the CMK (in AWS KMS)

diff --git a/controlplane/eks/api/v1beta1/types.go b/controlplane/eks/api/v1beta1/types.go
@@ -79,6 +79,21 @@ var (
 	EKSTokenMethodAWSCli = EKSTokenMethod("aws-cli")
 )
 
+// EKSAuthenticationMode defines the authentication mode for the cluster
+type EKSAuthenticationMode string
+
+var (
+	// EKSAuthenticationModeConfigMap indicates that only `aws-auth` ConfigMap will be used for authentication
+	EKSAuthenticationModeConfigMap = EKSAuthenticationMode("CONFIG_MAP")
+
+	// EKSAuthenticationModeAPI indicates that only AWS Access Entries will be used for authentication
+	EKSAuthenticationModeAPI = EKSAuthenticationMode("API")
+
+	// EKSAuthenticationModeAPIAndConfigMap indicates that both `aws-auth` ConfigMap and AWS Access Entries will
+	// be used for authentication
+	EKSAuthenticationModeAPIAndConfigMap = EKSAuthenticationMode("API_AND_CONFIG_MAP")
+)
+
 var (
 	// DefaultEKSControlPlaneRole is the name of the default IAM role to use for the EKS control plane
 	// if no other role is supplied in the spec and if iam role creation is not enabled. The default

diff --git a/controlplane/eks/api/v1beta1/zz_generated.conversion.go b/controlplane/eks/api/v1beta1/zz_generated.conversion.go
diff --git a/controlplane/eks/api/v1beta1/zz_generated.deepcopy.go b/controlplane/eks/api/v1beta1/zz_generated.deepcopy.go
diff --git a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go
@@ -164,11 +164,15 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	Addons *[]Addon `json:"addons,omitempty"`
 
-	// IdentityProviderconfig is used to specify the oidc provider config
+	// OIDCIdentityProviderConfig is used to specify the oidc provider config
 	// to be attached with this eks cluster
 	// +optional
 	OIDCIdentityProviderConfig *OIDCIdentityProviderConfig `json:"oidcIdentityProviderConfig,omitempty"`
 
+	// AccessConfig specifies the access configuration information for the cluster
+	// +optional
+	AccessConfig *AccessConfig `json:"accessConfig,omitempty"`
+
 	// VpcCni is used to set configuration options for the VPC CNI plugin
 	// +optional
 	VpcCni VpcCni `json:"vpcCni,omitempty"`
@@ -219,6 +223,15 @@ type EndpointAccess struct {
 	Private *bool `json:"private,omitempty"`
 }
 
+// AccessConfig represents the access configuration information for the cluster
+type AccessConfig struct {
+	// AuthenticationMode specifies the desired authentication mode for the cluster
+	// Defaults to CONFIG_MAP
+	// +kubebuilder:default=CONFIG_MAP
+	// +kubebuilder:validation:Enum=CONFIG_MAP;API;API_AND_CONFIG_MAP
+	AuthenticationMode EKSAuthenticationMode `json:"authenticationMode,omitempty"`
+}
+
 // EncryptionConfig specifies the encryption configuration for the EKS clsuter.
 type EncryptionConfig struct {
 	// Provider specifies the ARN or alias of the CMK (in AWS KMS)

diff --git a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go
@@ -123,6 +123,7 @@ func (r *AWSManagedControlPlane) ValidateUpdate(old runtime.Object) (admission.W
 	allErrs = append(allErrs, r.validateEKSClusterNameSame(oldAWSManagedControlplane)...)
 	allErrs = append(allErrs, r.validateEKSVersion(oldAWSManagedControlplane)...)
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
+	allErrs = append(allErrs, r.validateAccessConfig(oldAWSManagedControlplane)...)
 	allErrs = append(allErrs, r.validateIAMAuthConfig()...)
 	allErrs = append(allErrs, r.validateSecondaryCIDR()...)
 	allErrs = append(allErrs, r.validateEKSAddons()...)
@@ -289,6 +290,28 @@ func (r *AWSManagedControlPlane) validateEKSAddons() field.ErrorList {
 	return allErrs
 }
 
+func (r *AWSManagedControlPlane) validateAccessConfig(old *AWSManagedControlPlane) field.ErrorList {
+	var allErrs field.ErrorList
+
+	// If accessConfig is already set, do not allow removal of it.
+	if old.Spec.AccessConfig != nil && r.Spec.AccessConfig == nil {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "accessConfig"), r.Spec.AccessConfig, "removing AccessConfig is not allowed after it has been enabled"),
+		)
+	}
+
+	// AuthenticationMode is ratcheting - do not allow downgrades
+	if old.Spec.AccessConfig != nil && old.Spec.AccessConfig.AuthenticationMode != r.Spec.AccessConfig.AuthenticationMode &&
+		((old.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeAPIAndConfigMap && r.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeConfigMap) ||
+			old.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeAPI) {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "accessConfig", "authenticationMode"), r.Spec.AccessConfig.AuthenticationMode, "downgrading authentication mode is not allowed after it has been enabled"),
+		)
+	}
+
+	return allErrs
+}
+
 func (r *AWSManagedControlPlane) validateIAMAuthConfig() field.ErrorList {
 	var allErrs field.ErrorList