AWS EKS provides insufficient authentication capabilities for cluster administrators who wish to use industry standard tooling such as Terraform or Ansible.
AWS provides an "out of the box" solution for managing cluster authentication using AWS IAM Authenticator.
AWS IAM Authenticator allows cluster administrators to map AWS IAM users/roles to internal Kubernetes users/groups using a Kubernetes ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxyyyzzz:role/node
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    - userarn: arn:aws:iam::xxxyyyzzz:user/Alice
      username: alice
      groups:
        - system:masters
While the example above looks simple and easy to use, things get very difficult when you want to automate the management of this ConfigMap, given that mapRoles and mapUsers are just raw YAML strings with no API for managing these lists of mapped users and roles. If you have more than one automation tool, they will eventually end up writing configuration over the top of one another.
We built AWS Auth Mapper for EKS to solve this problem.
AWS Auth Mapper provides a set of Kubernetes objects (using CustomResourceDefinitions) for external tools to declare AWS IAM Authenticator configuration. These objects are then compiled into the ConfigMap object which is used by AWS IAM Authenticator.
apiVersion: iamauthenticator.skpr.io/v1beta1
kind: MapRole
metadata:
  name: node
spec:
  roleARN: arn:aws:iam::xxxyyyzzz:role/node
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
---
apiVersion: iamauthenticator.skpr.io/v1beta1
kind: MapUser
metadata:
  name: alice
spec:
  userARN: arn:aws:iam::xxxyyyzzz:user/Alice
  username: alice
  groups:
    - system:masters
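To make the compile step concrete, and to show why a single compiler is the answer to the "tools overwrite each other" problem described above, here is an added worked example (written for this page, not the AWS Auth Mapper controller's own code). It takes MapRole and MapUser objects shaped like the CRDs above, normalises them, refuses the case where two objects claim the same IAM ARN with different settings (the situation that silently resolves to "last writer wins" when tools edit the raw ConfigMap), renders the mapRoles/mapUsers strings, and lists which ARNs would end up in system:masters so that can be reviewed before anything is applied. The input objects are constructed inline; nothing is read from a cluster, and only the Python standard library is used.

```python
"""Compile MapRole/MapUser objects into the aws-auth ConfigMap (added example)."""
import json
from typing import Dict, List


class MappingConflict(ValueError):
    """Two objects declare the same IAM ARN with different username/groups."""


# Constructed input: the two objects shown on the page, as a controller would
# see them after listing the CRDs. Not fetched from any cluster.
MAP_ROLES: List[Dict] = [{
    "apiVersion": "iamauthenticator.skpr.io/v1beta1", "kind": "MapRole",
    "metadata": {"name": "node"},
    "spec": {"roleARN": "arn:aws:iam::xxxyyyzzz:role/node",
             "username": "system:node:{{EC2PrivateDNSName}}",
             "groups": ["system:bootstrappers", "system:nodes"]},
}]
MAP_USERS: List[Dict] = [{
    "apiVersion": "iamauthenticator.skpr.io/v1beta1", "kind": "MapUser",
    "metadata": {"name": "alice"},
    "spec": {"userARN": "arn:aws:iam::xxxyyyzzz:user/Alice",
             "username": "alice", "groups": ["system:masters"]},
}]


def _collect(objects: List[Dict], arn_key: str) -> List[Dict]:
    """Normalise specs to {arn, username, groups}, sorted by ARN so the compiled
    ConfigMap is deterministic. The same ARN declared twice with identical
    settings (two tools agreeing) is fine; declared twice with different
    settings it is a conflict, and refusing beats letting the last writer win."""
    by_arn: Dict[str, Dict] = {}
    for obj in objects:
        spec = obj["spec"]
        entry = {"arn": spec[arn_key], "username": spec["username"],
                 "groups": list(spec.get("groups", []))}
        if entry["arn"] in by_arn and by_arn[entry["arn"]] != entry:
            raise MappingConflict(
                f"{obj['kind']} {obj['metadata']['name']}: {entry['arn']} "
                "is already mapped with different settings")
        by_arn[entry["arn"]] = entry
    return [by_arn[arn] for arn in sorted(by_arn)]


def _emit(entries: List[Dict], arn_key: str) -> str:
    """Render the block-style YAML list aws-iam-authenticator reads. Scalars are
    written with json.dumps (JSON is valid YAML) so values containing ':' or
    '{{' cannot be misparsed."""
    lines: List[str] = []
    for e in entries:
        lines.append(f"- {arn_key}: {json.dumps(e['arn'])}")
        lines.append(f"  username: {json.dumps(e['username'])}")
        lines.append("  groups:")
        lines.extend(f"  - {json.dumps(g)}" for g in e["groups"])
    return "".join(line + "\n" for line in lines)


def compile_aws_auth(map_roles: List[Dict], map_users: List[Dict]) -> Dict:
    """Build the aws-auth ConfigMap object from MapRole and MapUser objects."""
    return {
        "apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": "aws-auth", "namespace": "kube-system"},
        "data": {"mapRoles": _emit(_collect(map_roles, "roleARN"), "rolearn"),
                 "mapUsers": _emit(_collect(map_users, "userARN"), "userarn")},
    }


def cluster_admins(map_roles: List[Dict], map_users: List[Dict]) -> List[str]:
    """ARNs that would land in system:masters, for review before applying."""
    entries = _collect(map_roles, "roleARN") + _collect(map_users, "userARN")
    return [e["arn"] for e in entries if "system:masters" in e["groups"]]


def to_yaml(configmap: Dict) -> str:
    """Serialise the ConfigMap as kubectl-applicable YAML using block scalars."""
    out = [f"apiVersion: {configmap['apiVersion']}", f"kind: {configmap['kind']}",
           "metadata:", f"  name: {configmap['metadata']['name']}",
           f"  namespace: {configmap['metadata']['namespace']}", "data:"]
    for key, value in configmap["data"].items():
        if not value:
            out.append(f'  {key}: ""')
            continue
        out.append(f"  {key}: |")
        out.extend("    " + line for line in value.splitlines())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_yaml(compile_aws_auth(MAP_ROLES, MAP_USERS)))
    print("system:masters granted to:", cluster_admins(MAP_ROLES, MAP_USERS))
```

Because every tool only creates its own MapRole/MapUser objects and one compiler owns the ConfigMap, a disagreement between tools surfaces as a MappingConflict at compile time rather than as a silently overwritten mapping; the system:masters listing is the check a platform operator would want in the same pipeline.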
AWS Auth Mapper also ships with a Terraform provider for managing the AWS Auth Mapper Kubernetes objects. This means you can provision an EKS cluster and manage its authentication in the same Terraform manifest, while other tools (e.g. Ansible or Kubernetes controllers) can also safely interact with the AWS IAM Authenticator configuration.
resource "aam_iamauthenticator_v1beta1_maprole" "node" {
  name     = "node"
  role_arn = "arn:aws:iam::xxxyyyzzz:role/node"
  username = "system:node:{{EC2PrivateDNSName}}"
  groups = [
    "system:bootstrappers",
    "system:nodes",
  ]
}

resource "aam_iamauthenticator_v1beta1_mapuser" "admin" {
  name     = "alice"
  user_arn = "arn:aws:iam::xxxyyyzzz:user/Alice"
  username = "alice"
  groups = [
    "system:masters",
  ]
}
AWS IAM Authenticator does provide its own set of Kubernetes objects, but they are flagged as an alpha feature and you need to deviate from the AWS-managed deployment to enable them. This means you are not only enabling, but also maintaining, the deployment of an alpha feature.
What we have built allows for Amazon EKS platform operators to safely orchestrate AWS IAM Authenticator configuration using their preferred tools.
For more information see our GitHub project.