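---
# Deployment manifests (Go-template / Helm-style values) for the
# aws-iam-authenticator server: RBAC, ServiceAccount, server config,
# the DaemonSet that runs it on master nodes, and one admin identity mapping.
#
# Template values read by this file:
#   .Values.clusterName    - written into the server config as clusterID
#   .Values.kubeAdminRole  - IAM ARN mapped to the kubernetes-admin user

# Permissions for the authenticator's ServiceAccount.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aws-iam-authenticator
rules:
  # Read IAMIdentityMapping custom resources (used by the CRD backend).
  - apiGroups:
      - iamauthenticator.k8s.aws
    resources:
      - iamidentitymappings
    verbs:
      - get
      - list
      - watch
  # Write back only the status subresource of those mappings.
  - apiGroups:
      - iamauthenticator.k8s.aws
    resources:
      - iamidentitymappings/status
    verbs:
      - patch
      - update
  # Emit events.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - update
      - patch
  # list/watch carry no resourceNames restriction, and this ClusterRole is
  # bound cluster-wide, so the ServiceAccount can read every ConfigMap in
  # every namespace.
  # NOTE(review): if only kube-system/aws-auth is needed, consider moving the
  # two configmaps rules into a namespaced Role + RoleBinding - confirm
  # against the backends actually enabled.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - aws-auth
    verbs:
      - get

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-iam-authenticator
  namespace: kube-system

---
# rbac.authorization.k8s.io/v1beta1 is no longer served by current API
# servers; v1 matches the ClusterRole above. ClusterRoleBinding is
# cluster-scoped, so it carries no metadata.namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aws-iam-authenticator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aws-iam-authenticator
subjects:
  - kind: ServiceAccount
    name: aws-iam-authenticator
    namespace: kube-system

---
# Server configuration, mounted into the pod at
# /etc/aws-iam-authenticator/config.yaml.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-system
  name: aws-iam-authenticator
  labels:
    k8s-app: aws-iam-authenticator
data:
  # The templated value is quoted so that an empty, numeric or boolean-looking
  # cluster name still reaches the server as a string.
  config.yaml: |
    clusterID: "{{ .Values.clusterName }}"

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  namespace: kube-system
  name: aws-iam-authenticator
  labels:
    k8s-app: aws-iam-authenticator
spec:
  selector:
    matchLabels:
      k8s-app: aws-iam-authenticator
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        # The seccomp annotation is only evaluated on the Pod itself;
        # annotations on the DaemonSet object are not copied to its pods, so
        # it is set here on the pod template. The alpha annotation is
        # deprecated: on clusters that support it, use
        # spec.securityContext.seccompProfile.type: RuntimeDefault instead.
        seccomp.security.alpha.kubernetes.io/pod: runtime/default
      labels:
        k8s-app: aws-iam-authenticator
    spec:
      # run as the ServiceAccount bound to the ClusterRole above
      serviceAccountName: aws-iam-authenticator

      # run on the host network (don't depend on CNI).
      # The pod shares the node's network namespace, so the server's listening
      # port is reachable on the node's interfaces and NetworkPolicy does not
      # isolate it; restrict access with node-level firewalling.
      hostNetwork: true

      # run on each master node
      nodeSelector:
        node-role.kubernetes.io/master: ""
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - key: CriticalAddonsOnly
          operator: Exists

      containers:
        - name: aws-iam-authenticator
          # NOTE(review): the image is pinned by tag only. Pin it by digest
          # (…/aws-iam-authenticator@sha256:<digest-placeholder>) and check
          # the project's release notes and advisories before keeping v0.5.2.
          image: public.ecr.aws/x8h8t2o1/aws-iam-authenticator:v0.5.2
          args:
            - server
            - --backend-mode=CRD,MountedFile
            - --config=/etc/aws-iam-authenticator/config.yaml
            - --state-dir=/var/aws-iam-authenticator
            - --kubeconfig-pregenerated=true

          # no privilege escalation and no Linux capabilities
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL

          resources:
            requests:
              memory: 20Mi
              cpu: 10m
            limits:
              memory: 20Mi
              cpu: 100m

          volumeMounts:
            - name: config
              mountPath: /etc/aws-iam-authenticator/
            - name: state
              mountPath: /var/aws-iam-authenticator/

      volumes:
        # server config from the ConfigMap above
        - name: config
          configMap:
            name: aws-iam-authenticator
        # The state directory lives on the node's filesystem (hostPath), so
        # its contents outlive the pod and are readable by anything with
        # access to that path on the node.
        # NOTE(review): keep the directory's ownership and mode on the host
        # as tight as the server allows - confirm against the node setup.
        - name: state
          hostPath:
            path: /var/aws-iam-authenticator/

---
apiVersion: iamauthenticator.k8s.aws/v1alpha1
kind: IAMIdentityMapping
metadata:
  name: kubernetes-admin
spec:
  # Arn of the User or Role to be allowed to authenticate.
  # Quoted so an unset value renders as an empty string, not null.
  arn: "{{ .Values.kubeAdminRole }}"
  username: kubernetes-admin
  # system:masters is granted unrestricted access by the API server itself and
  # cannot be narrowed or revoked through RBAC. Anyone able to assume the ARN
  # above is a full cluster administrator: keep that role's trust policy
  # minimal and audit its use. A dedicated group bound to cluster-admin is
  # easier to revoke if break-glass semantics are not required.
  groups:
    - system:masters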