Add aws-iam-authenticator support
This commit is contained in:
parent
05f4959064
commit
5942e51741
|
|
@ -41,6 +41,7 @@ apiServer:
|
|||
audit-log-maxbackup: "3"
|
||||
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
|
||||
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
|
||||
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
|
||||
enable-admission-plugins: NodeRestriction,EventRateLimit
|
||||
{{- if .Values.clusterHighAvailable }}
|
||||
goaway-chance: ".001"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,186 @@
|
|||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: iamidentitymappings.iamauthenticator.k8s.aws
|
||||
spec:
|
||||
group: iamauthenticator.k8s.aws
|
||||
version: v1alpha1
|
||||
scope: Cluster
|
||||
names:
|
||||
plural: iamidentitymappings
|
||||
singular: iamidentitymapping
|
||||
kind: IAMIdentityMapping
|
||||
categories:
|
||||
- all
|
||||
subresources:
|
||||
status: {}
|
||||
validation:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
spec:
|
||||
required:
|
||||
- arn
|
||||
- username
|
||||
properties:
|
||||
arn:
|
||||
type: string
|
||||
username:
|
||||
type: string
|
||||
groups:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: aws-iam-authenticator
|
||||
rules:
|
||||
- apiGroups:
|
||||
- iamauthenticator.k8s.aws
|
||||
resources:
|
||||
- iamidentitymappings
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- iamauthenticator.k8s.aws
|
||||
resources:
|
||||
- iamidentitymappings/status
|
||||
verbs:
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
resourceNames:
|
||||
- aws-auth
|
||||
verbs:
|
||||
- get
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: aws-iam-authenticator
|
||||
namespace: kube-system
|
||||
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: aws-iam-authenticator
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: aws-iam-authenticator
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: aws-iam-authenticator
|
||||
namespace: kube-system
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
namespace: kube-system
|
||||
name: aws-iam-authenticator
|
||||
labels:
|
||||
k8s-app: aws-iam-authenticator
|
||||
data:
|
||||
config.yaml: |
|
||||
clusterID: {{ .Values.clusterName }}
|
||||
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
namespace: kube-system
|
||||
name: aws-iam-authenticator
|
||||
labels:
|
||||
k8s-app: aws-iam-authenticator
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/pod: runtime/default
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: aws-iam-authenticator
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ""
|
||||
labels:
|
||||
k8s-app: aws-iam-authenticator
|
||||
spec:
|
||||
# use service account with access to
|
||||
serviceAccountName: aws-iam-authenticator
|
||||
|
||||
# run on the host network (don't depend on CNI)
|
||||
hostNetwork: true
|
||||
|
||||
# run on each master node
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
|
||||
containers:
|
||||
- name: aws-iam-authenticator
|
||||
image: public.ecr.aws/x8h8t2o1/aws-iam-authenticator:v0.5.2
|
||||
args:
|
||||
- server
|
||||
- --backend-mode=CRD,MountedFile
|
||||
- --config=/etc/aws-iam-authenticator/config.yaml
|
||||
- --state-dir=/var/aws-iam-authenticator
|
||||
- --kubeconfig-pregenerated=true
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 20Mi
|
||||
cpu: 10m
|
||||
limits:
|
||||
memory: 20Mi
|
||||
cpu: 100m
|
||||
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/aws-iam-authenticator/
|
||||
- name: state
|
||||
mountPath: /var/aws-iam-authenticator/
|
||||
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: aws-iam-authenticator
|
||||
- name: state
|
||||
hostPath:
|
||||
path: /var/aws-iam-authenticator/
|
||||
Loading…
Reference in New Issue