{{- if .Values.api.awsIamAuth.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aws-iam-authenticator rules: - apiGroups: - iamauthenticator.k8s.aws resources: - iamidentitymappings verbs: - get - list - watch - apiGroups: - iamauthenticator.k8s.aws resources: - iamidentitymappings/status verbs: - patch - update - apiGroups: - "" resources: - events verbs: - create - update - patch - apiGroups: - "" resources: - configmaps verbs: - list - watch - apiGroups: - "" resources: - configmaps resourceNames: - aws-auth verbs: - get --- apiVersion: v1 kind: ServiceAccount metadata: name: aws-iam-authenticator namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: aws-iam-authenticator namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: aws-iam-authenticator subjects: - kind: ServiceAccount name: aws-iam-authenticator namespace: kube-system --- apiVersion: v1 kind: ConfigMap metadata: namespace: kube-system name: aws-iam-authenticator labels: k8s-app: aws-iam-authenticator data: config.yaml: | clusterID: {{ .Values.global.clusterName }} --- apiVersion: apps/v1 kind: DaemonSet metadata: namespace: kube-system name: aws-iam-authenticator labels: k8s-app: aws-iam-authenticator spec: selector: matchLabels: k8s-app: aws-iam-authenticator updateStrategy: type: RollingUpdate template: metadata: labels: k8s-app: aws-iam-authenticator spec: securityContext: seccompProfile: type: RuntimeDefault priorityClassName: system-cluster-critical # use service account with access to serviceAccountName: aws-iam-authenticator # run on the host network (don't depend on CNI) hostNetwork: true # run on each controller nodeSelector: node-role.kubernetes.io/control-plane: "" tolerations: - effect: NoSchedule key: node-role.kubernetes.io/control-plane containers: - name: aws-iam-authenticator image: public.ecr.aws/zero-downtime/aws-iam-authenticator:v0.6.27 args: - server - --backend-mode=CRD,MountedFile - --config=/etc/aws-iam-authenticator/config.yaml - --state-dir=/var/aws-iam-authenticator - --kubeconfig-pregenerated=true securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL resources: requests: memory: 32Mi cpu: 10m limits: memory: 64Mi #cpu: 100m volumeMounts: - name: config mountPath: /etc/aws-iam-authenticator/ - name: state mountPath: /var/aws-iam-authenticator/ volumes: - name: config configMap: name: aws-iam-authenticator - name: state secret: secretName: aws-iam-certs {{- end }}