Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(eks): support AccessConfig for the Cluster construct #1027

Open
1 task done
vumdao opened this issue Jun 24, 2024 · 6 comments
Open
1 task done

feat(eks): support AccessConfig for the Cluster construct #1027

vumdao opened this issue Jun 24, 2024 · 6 comments
Assignees
Labels

Comments

@vumdao
Copy link
Contributor

vumdao commented Jun 24, 2024

Describe the feature

Provide option for Amazon EKS access management controls.

The AuthenticationMode supports CONFIG_MAP, which is the default, API_AND_CONFIG_MAP and CONFIG_MAP. It allows users to switch the mode on cluster creation or update. When the mode has API support, users have to define the AccessEntry to map the access policies and the IAM principals

Furthermore, provide option to support create AccessEntry either

Ref: aws/aws-cdk#30016

Use Case

Provide option for selecting AuthenticationMode and create AccessEntry

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request

CDK version used

2.147.0

EKS Blueprints Version

1.14.1

Node.js Version

v22.1.0

Environment details (OS name and version, etc.)

macOS Sonoma 14.5

@vumdao vumdao added the feature label Jun 24, 2024
@shapirov103 shapirov103 self-assigned this Jul 2, 2024
@cristianmagana
Copy link

+1 also interested in migrating to access entries.

@neoakris
Copy link

neoakris commented Jul 25, 2024

Note: Half of the work to do this seems to have been done already :)

The "AuthenticationMode" half looks done: (as of EKS Blueprints version 1.15.1)

import * as blueprints from '@aws-quickstart/eks-blueprints'; 
// blueprints as in blueprint_of_eks_declarative_cf_stack
import { AuthenticationMode } from 'aws-cdk-lib/aws-eks';

const baselineClusterProvider = new blueprints.GenericClusterProvider({
  tags: baselineEKSTags,
  outputConfigCommand: true,
  authenticationMode: AuthenticationMode.API_AND_CONFIG_MAP,
...

The "AccessConfig" 2nd half, looks to be WIP:
My understanding is that it currently AccessConfig doesn't exist as a well integrated turn key solution in eks-blueprints, (based on https://aws-quickstart.github.io/cdk-eks-blueprints/api/interfaces/clusters.GenericClusterProviderProps.html)

That said, it looks like a workaround method should exist here:
aws/aws-cdk#30016
(I haven't figured out how to make it work yet / it might not be available on a released / stable branch of the project)

@neoakris
Copy link

neoakris commented Jul 25, 2024

Actually, this whole feature seems to be available in eks-cdk-blueprints v1.15.1, :) just not yet documented. (wait technically it doesn't exist in Cluster construct, but it seems to be available via a different construct/methodology.)

@RichardoC
Copy link
Contributor

I'm also interested in this existing

@cristianmagana
Copy link

For those interested this is possible via an ancillary stack. We have a few things being deployed with the bleuprint which this fit nicely into. Hope it helps.

Perform a cluster lookup

const importedCluster = eks.Cluster.fromClusterAttributes(this, 'ImportedCluster', {
  clusterName: cluster.clusterName,
  clusterSecurityGroupId: cluster.clusterSecurityGroupId,
});

Then simply implement the access policies and entries.

const accessEntry = new eks.AccessEntry(this, 'MyAccessEntry', {
  accessPolicies: [accessPolicy],
  cluster: importedCluster,
  principal: 'principal',

  // the properties below are optional
  accessEntryName: 'accessEntryName',
  accessEntryType: eks.AccessEntryType.STANDARD,
});

@Christina-Chen-Cloud
Copy link

It's also working on my eks-cdk-blueprints v1.16.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

6 participants