
[Feature] Add feature to migrate IAM identities from aws-auth configmap to API access entries #7700

Closed
veekaly opened this issue Apr 4, 2024 · 4 comments
Labels
kind/feature New feature or request

Comments

@veekaly
Contributor

veekaly commented Apr 4, 2024

What feature/behavior/change do you want?

I'd like to have a feature to migrate existing IAM identities configured in aws-auth configmap to EKS access entries by doing something like below.

eksctl utils migrate-to-access-entry --cluster <cluster-name> --target-authentication-mode <API or API_AND_CONFIGMAP>

When API_AND_CONFIGMAP mode is specified with the --target-authentication-mode flag, eksctl will update the cluster auth config to API_AND_CONFIGMAP mode, read the identities from the aws-auth configmap and add them to the EKS access entries.

When API mode is specified with the --target-authentication-mode flag, eksctl will update the cluster auth config to API mode, read the identities from the aws-auth configmap and add them to the EKS access entries, and delete the aws-auth configmap from the cluster (as it is no longer used in API mode).

While migrating the IAM identities,

  • If the IAM identity is a node IAM role, eksctl will add it to access entries with type EC2_LINUX, EC2_WINDOWS, or FARGATE_LINUX, based on the RBAC groups configured in aws-auth.
  • If the IAM identity is a non-node IAM role, eksctl will add it to access entries with type STANDARD and carry the same RBAC groups configured in aws-auth over into the access entry. For non-node IAM roles with the system:masters group, eksctl will add AmazonEKSClusterAdminPolicy to the access entry.

Why do you want this feature?

Existing EKS clusters using CONFIGMAP mode would have multiple IAM mappings, and if cluster admins decide to switch to API mode, they'd have to manually add each entry from aws-auth into access entries, or build some scripts to automate it.
Having this functionality within eksctl would help EKS users perform this seamlessly with just one command execution.

@veekaly veekaly added the kind/feature New feature or request label Apr 4, 2024
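The classification rules in the request above, worked through as an added example; this is not eksctl's implementation (PR #7710 is the real one) and not code from the issue author. It parses only the YAML subset that aws-auth's mapRoles block actually uses, so it needs no third-party library and runs offline on the constructed sample at the bottom. The node group sets (system:bootstrappers and system:nodes, plus eks:kube-proxy-windows for Windows nodes or system:node-proxier for Fargate) and the AmazonEKSClusterAdminPolicy ARN follow AWS's documented conventions; two things are this example's own assumptions, not statements from the issue: it removes system:masters from the group list once the cluster-admin policy has been attached, and it merges repeated principal ARNs into one entry because EKS allows only one access entry per principal while aws-auth happily lists the same ARN twice. mapUsers entries are out of scope, as they are in the issue.

```python
"""Added example, not eksctl's code: turn aws-auth mapRoles entries into EKS
access entry definitions using the rules the issue describes. Only the YAML
subset aws-auth uses is parsed, so it runs offline on the constructed sample."""

CLUSTER_ADMIN_POLICY = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"

# Node roles are recognised by the group sets aws-auth conventionally gives them;
# supersets come first so the most specific entry type wins.
NODE_GROUP_SETS = [
    ({"system:bootstrappers", "system:nodes", "system:node-proxier"}, "FARGATE_LINUX"),
    ({"system:bootstrappers", "system:nodes", "eks:kube-proxy-windows"}, "EC2_WINDOWS"),
    ({"system:bootstrappers", "system:nodes"}, "EC2_LINUX"),
]


def parse_map_roles(text):
    """Parse the mapRoles block: a list of maps holding rolearn, username, groups."""
    entries, current, list_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw.startswith("- "):                 # top level: start a new entry
            current, list_key = {}, None
            entries.append(current)
            line = line[2:].strip()
        elif line.startswith("- "):              # indented: item of the open list
            current.setdefault(list_key, []).append(line[2:].strip())
            continue
        key, _, value = line.partition(":")      # ARNs contain ':' so split once
        key, value = key.strip(), value.strip().strip('"')
        if value:
            current[key] = value
        else:                                    # "groups:" opens a list
            list_key, current[key] = key, []
    return entries


def node_type_for(groups):
    """Access entry type for a node role, or None for a non-node role."""
    present = set(groups)
    return next((t for required, t in NODE_GROUP_SETS if required <= present), None)


def to_access_entry(role):
    """Map one mapRoles entry to the access entry the issue says eksctl would create."""
    arn, groups = role["rolearn"], list(role.get("groups", []))
    node_type = node_type_for(groups)
    if node_type:
        # Node entry types take no kubernetesGroups or username: EKS assigns
        # the node identity itself, so the aws-auth groups are dropped.
        return {"principalArn": arn, "type": node_type, "kubernetesGroups": [], "accessPolicies": []}
    policies = []
    if "system:masters" in groups:
        policies.append({"policyArn": CLUSTER_ADMIN_POLICY, "accessScope": {"type": "cluster"}})
        groups.remove("system:masters")          # assumption: the policy replaces the group
    entry = {"principalArn": arn, "type": "STANDARD", "kubernetesGroups": groups, "accessPolicies": policies}
    if role.get("username"):
        entry["username"] = role["username"]
    return entry


def migrate(map_roles_text):
    """One access entry per principal: aws-auth tolerates a repeated ARN, EKS does not."""
    by_arn = {}
    for role in parse_map_roles(map_roles_text):
        new = to_access_entry(role)
        old = by_arn.setdefault(new["principalArn"], new)
        if old is new:
            continue
        if not (old["type"] == new["type"] == "STANDARD"):
            raise ValueError(f"{new['principalArn']}: {old['type']} conflicts with {new['type']}")
        old["kubernetesGroups"] += [g for g in new["kubernetesGroups"] if g not in old["kubernetesGroups"]]
        old["accessPolicies"] += [p for p in new["accessPolicies"] if p not in old["accessPolicies"]]
    return list(by_arn.values())


# Constructed sample, not taken from a real cluster.
SAMPLE_MAP_ROLES = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::111122223333:role/eksctl-demo-nodegroup-NodeInstanceRole
  username: system:node:{{EC2PrivateDNSName}}
- groups:
  - system:masters
  rolearn: arn:aws:iam::111122223333:role/ClusterAdmin
  username: admin
- groups:
  - developers
  rolearn: arn:aws:iam::111122223333:role/Developer
  username: dev
- groups:
  - readers
  rolearn: arn:aws:iam::111122223333:role/Developer
"""

if __name__ == "__main__":
    for entry in migrate(SAMPLE_MAP_ROLES):
        print(entry)
```

The dict keys are deliberately the parameter names of the EKS CreateAccessEntry and AssociateAccessPolicy API calls (principalArn, type, kubernetesGroups, username, policyArn, accessScope), so the output can be reviewed as a plan before anything is applied. The conflict branch in migrate is the case a migration tool should refuse rather than guess: the same role mapped once as a node and once as a human identity in aws-auth has no single access entry type.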
Contributor

github-actions bot commented Apr 4, 2024

Hello veekaly 👋 Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

@veekaly
Contributor Author

veekaly commented Apr 4, 2024

I'm working on this feature with @punkwalker

@TiberiuGC
Collaborator

@veekaly I was working on an access entries bug earlier today, and believe it or not my exact thought was that we need this feature 😄

@TiberiuGC
Collaborator

#7710 - added this feature
