Add support for cluster authentication mode and access entries #1171

flostadler · 2024-05-28T21:17:27Z

Proposed changes

AWS recently introduced a new method for granting IAM principals access to Kubernetes resources called Access Entries. These resources are now the recommended approach for controlling access to EKS clusters.

Previously, the aws-auth ConfigMap was the sole method for mapping IAM principals to Kubernetes RBAC. Now, users can choose between using the ConfigMap (access mode CONFIG_MAP), Access Entries (access mode API), or both (access mode API_AND_CONFIG_MAP).

This PR adds support for the new access modes as described in this internal doc: https://docs.google.com/document/d/1QS7h2E6lVTf8F6eVoHJOX3KowufvbhLqgRFFzTSb-SU/edit#heading=h.3b4er6mf60f5

How to review?

Start by reviewing the schema changes (provider/cmd/pulumi-gen-eks/main.go) and then have a look at the changes to the cluster (nodejs/eks/cluster.ts).

After that have a look at the user facing documentation for migrating between access modes (docs/authentication-mode-migration.md) and the accompanying test for it (examples/tests/authentication-mode-migration/README.md).

Related issues (optional)

Closes #1027

…cess entries

…rmadiff

flostadler · 2024-05-30T08:28:10Z

examples/utils/utils.go

@@ -533,14 +570,55 @@ func mapClusterToKubeAccess(kubeconfigs ...interface{}) (clusterKubeAccessMap, e
 		}

 		// Parse the kubeconfig user auth exec args for the cluster name.
-		clusterNameIndex := len(kubeAccess.RESTConfig.ExecProvider.Args) - 1
+		var clusterNameIndex int


This previously assumed that the cluster name is always the last parameter in the list, but that's not true (with the current aws cli version it's the output type for example).

This now retrieves the correct positional argument

flostadler · 2024-05-30T08:29:15Z

nodejs/eks/authenticationMode.ts

+    roleMappings: pulumi.Input<pulumi.Input<RoleMapping>[]> | undefined,
+    userMappings: pulumi.Input<pulumi.Input<UserMapping>[]> | undefined,
+): pulumi.Input<{ [key: string]: pulumi.Input<string> }> {
+    const instanceRoleMappings = instanceRoles.apply((roles) =>


This is the same as before, just extracted it to here to slim down cluster.ts a bit and make it more manageable

flostadler · 2024-05-30T08:32:55Z

nodejs/eks/nodegroup.ts

-            monitoring: {
-                enabled: args.enableDetailedMonitoring,
-            },
+            monitoring:


This changed by pulling the new upstream provider version. Without this we're always getting diffs when the monitoring block is empty (i.e. all it's properties are undefined`

You can throw an issue in pulumi-aws if relevant happy to dig deep into that.

That's one of the permadiffs on empty objects that we've already found some of (empty blocks are not saved to state).

I can cut a ticket to look into it holistically

flostadler · 2024-05-30T12:07:11Z

nodejs/eks/package.json

@@ -19,7 +19,7 @@
    },
    "bugs": "https://github.com/pulumi/pulumi-eks/issues",
    "dependencies": {
-        "@pulumi/aws": "^6.0.4",
+        "@pulumi/aws": "^6.18.2",


This is the first version supporting access entries

corymhall · 2024-05-30T17:25:21Z

docs/authentication-mode-migration.md

+These map to Access Entries of type `STANDARD`, which is the default.
+
+The following shows how you'd add access entries for the role and user mappings:
+```


Suggested change

```

```ts

corymhall · 2024-05-30T17:27:01Z

docs/authentication-mode-migration.md

+These map to Access Entries of type `EC2_LINUX`.
+
+The following shows how you'd add access entries for the instance roles:
+```


Suggested change

```

```ts

github-actions · 2024-05-31T10:06:27Z

Does the PR have any schema changes?

Found 54 breaking changes:
Resource "eks:index:NodeGroupV2" input "clusterIngressRule" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule"
Resource "eks:index:NodeGroupV2" input "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupV2" input "launchTemplateTagSpecifications" items type changed from "/aws/v6.5.0/schema.json#/types/aws:ec2%2FLaunchTemplateTagSpecification:LaunchTemplateTagSpecification" to "/aws/v6.18.2/schema.json#/types/aws:ec2%2FLaunchTemplateTagSpecification:LaunchTemplateTagSpecification"
Resource "eks:index:NodeGroupV2" input "instanceProfile" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile"
Resource "eks:index:NodeGroupV2" input "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupV2" output "autoScalingGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:autoscaling%2Fgroup:Group" to "/aws/v6.18.2/schema.json#/resources/aws:autoscaling%2Fgroup:Group"
Resource "eks:index:NodeGroupV2" output "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupV2" output "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:Cluster" input "clusterSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:Cluster" input "serviceRole" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:Cluster" input "instanceRoles" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:Cluster" input "instanceRole" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:Cluster" output "awsProvider" type changed from "/aws/v6.5.0/schema.json#/provider" to "/aws/v6.18.2/schema.json#/provider"
Resource "eks:index:Cluster" output "clusterSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:Cluster" output "eksCluster" type changed from "/aws/v6.5.0/schema.json#/resources/aws:eks%2Fcluster:Cluster" to "/aws/v6.18.2/schema.json#/resources/aws:eks%2Fcluster:Cluster"
Resource "eks:index:Cluster" output "eksClusterIngressRule" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule"
Resource "eks:index:Cluster" output "instanceRoles" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:Cluster" output "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:ClusterCreationRoleProvider" output "role" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:ManagedNodeGroup" input "launchTemplate" type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FNodeGroupLaunchTemplate:NodeGroupLaunchTemplate" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FNodeGroupLaunchTemplate:NodeGroupLaunchTemplate"
Resource "eks:index:ManagedNodeGroup" input "remoteAccess" type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FNodeGroupRemoteAccess:NodeGroupRemoteAccess" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FNodeGroupRemoteAccess:NodeGroupRemoteAccess"
Resource "eks:index:ManagedNodeGroup" input "scalingConfig" type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FNodeGroupScalingConfig:NodeGroupScalingConfig" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FNodeGroupScalingConfig:NodeGroupScalingConfig"
Resource "eks:index:ManagedNodeGroup" input "nodeRole" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:ManagedNodeGroup" input "taints" items type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FNodeGroupTaint:NodeGroupTaint" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FNodeGroupTaint:NodeGroupTaint"
Resource "eks:index:ManagedNodeGroup" output "nodeGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:eks%2FnodeGroup:NodeGroup" to "/aws/v6.18.2/schema.json#/resources/aws:eks%2FnodeGroup:NodeGroup"
Resource "eks:index:NodeGroup" input "instanceProfile" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile"
Resource "eks:index:NodeGroup" input "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroup" input "clusterIngressRule" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule"
Resource "eks:index:NodeGroup" input "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroup" output "cfnStack" type changed from "/aws/v6.5.0/schema.json#/resources/aws:cloudformation%2Fstack:Stack" to "/aws/v6.18.2/schema.json#/resources/aws:cloudformation%2Fstack:Stack"
Resource "eks:index:NodeGroup" output "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroup" output "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupSecurityGroup" input "eksCluster" type changed from "/aws/v6.5.0/schema.json#/resources/aws:eks%2Fcluster:Cluster" to "/aws/v6.18.2/schema.json#/resources/aws:eks%2Fcluster:Cluster"
Resource "eks:index:NodeGroupSecurityGroup" input "clusterSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupSecurityGroup" output "securityGroupRule" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule"
Resource "eks:index:NodeGroupSecurityGroup" output "securityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:NodeGroupData" input "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:NodeGroupData" input "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:NodeGroupData" input "cfnStack" type changed from "/aws/v6.5.0/schema.json#/resources/aws:cloudformation%2Fstack:Stack" to "/aws/v6.18.2/schema.json#/resources/aws:cloudformation%2Fstack:Stack"
Type "eks:index:ClusterNodeGroupOptions" input "clusterIngressRule" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule"
Type "eks:index:ClusterNodeGroupOptions" input "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:ClusterNodeGroupOptions" input "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:ClusterNodeGroupOptions" input "instanceProfile" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile"
Type "eks:index:CreationRoleProvider" input "provider" type changed from "/aws/v6.5.0/schema.json#/provider" to "/aws/v6.18.2/schema.json#/provider"
Type "eks:index:CreationRoleProvider" input "role" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Type "eks:index:CoreData" input "cluster" type changed from "/aws/v6.5.0/schema.json#/resources/aws:eks%2Fcluster:Cluster" to "/aws/v6.18.2/schema.json#/resources/aws:eks%2Fcluster:Cluster"
Type "eks:index:CoreData" input "oidcProvider" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2FopenIdConnectProvider:OpenIdConnectProvider" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2FopenIdConnectProvider:OpenIdConnectProvider"
Type "eks:index:CoreData" input "fargateProfile" type changed from "/aws/v6.5.0/schema.json#/resources/aws:eks%2FfargateProfile:FargateProfile" to "/aws/v6.18.2/schema.json#/resources/aws:eks%2FfargateProfile:FargateProfile"
Type "eks:index:CoreData" input "clusterSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:CoreData" input "awsProvider" type changed from "/aws/v6.5.0/schema.json#/provider" to "/aws/v6.18.2/schema.json#/provider"
Type "eks:index:CoreData" input "clusterIamRole" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Type "eks:index:CoreData" input "encryptionConfig" type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FClusterEncryptionConfig:ClusterEncryptionConfig" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FClusterEncryptionConfig:ClusterEncryptionConfig"
Type "eks:index:CoreData" input "instanceRoles" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Type "eks:index:FargateProfile" input "selectors" items type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FFargateProfileSelector:FargateProfileSelector" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FFargateProfileSelector:FargateProfileSelector"
No new resources/functions.

flostadler · 2024-05-31T10:10:00Z

The upgrade test failures are expected right now. They complain about a change in the aws provider, which does not skip the metadata API check by default now: https://github.com/pulumi/pulumi-aws/releases/tag/v6.37.1

Once this eks change is released we need to bump the baseline version and then they're green again

flostadler · 2024-05-31T11:11:58Z

provider/provider_test.go

@@ -142,61 +141,3 @@ func test(t *testing.T, dir string, opts ...providertest.Option) *providertest.P
 	)
 	return providertest.NewProviderTest(dir, opts...)
 }
-


This retrieved the dependencies of the current version, but we need the deps of the baseline version

t0yv0 · 2024-05-31T15:35:50Z

nodejs/eks/authenticationMode.test.ts

+    test.each([
+        [
+            {
+                authenticationMode: "CONFIG_MAP",


"CONFIG_MAP" is a literal not an enum val is this right?

Yes, the underlying aws provider does not have enums here

t0yv0 · 2024-05-31T15:36:05Z

examples/cluster-go/step1/main.go

@@ -35,7 +35,7 @@ func main() {
 			return err
 		}

-		authMode := "API_AND_CONFIG_MAP"
+		authMode := eks.AuthenticationModeApiAndConfigMap


t0yv0 · 2024-05-31T15:36:16Z

examples/cluster-py/__main__.py

@@ -53,7 +53,7 @@
                                max_size=1,
                                instance_type="t3.small"
                            ),
-                            authentication_mode=eks.AuthenticationMode.AP_I_AN_D_CONFI_G_MAP,
+                            authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP,


t0yv0 · 2024-05-31T15:37:06Z

nodejs/eks/cluster.ts

+ * The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
+ * See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
+ */
+export type AccessEntryType = (typeof AccessEntryType)[keyof typeof AccessEntryType];


t0yv0

Thank you!

rquitales · 2024-06-03T20:56:34Z

examples/examples_nodejs_test.go

@@ -685,3 +685,78 @@ func TestAccCNIAcrossUpdates(t *testing.T) {
 	t.Log("Ensuring that re-running `pulumi up` results in no changes and no spurious diffs")
 	pt.Up(optup.ExpectNoChanges())
 }
+
+func TestAccAuthenticationMode(t *testing.T) {


Note: these tests won't run in CI. You'd need to manually add them to the test matrix in our workflow files (eg.

pulumi-eks/.github/workflows/run-acceptance-tests.yml

Lines 422 to 444 in 161e7af

test-name:

- AwsProfile

- Cluster

- CNIAcrossUpdates

- EncryptionProvider

- ExtraSecurityGroups

- Fargate

- ImportDefaultEksSecgroup

- KubernetesServiceIPv4RangeForCluster

- ManagedNodeGroup

- MigrateNodeGroups

- MNG_withAwsAuth

- MNG_withMissingRole

- NodeGroup

- NodegroupOptions

- OidcIam

- ReplaceClusterAddSubnets

- ReplaceSecGroup

- ScopedKubeconfig

- StorageClasses

- TagInputTypes

- Tags

- VpcSubnetTags

).

rquitales

Changes looks good! Thanks for adding both unit and integration tests. Just a note that these tests won't currently run in CI. Approving to be non-blocking.

github-actions · 2024-06-04T07:34:16Z

Does the PR have any schema changes?

Found 54 breaking changes:
Resource "eks:index:Cluster" input "instanceRole" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:Cluster" input "serviceRole" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:Cluster" input "clusterSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:Cluster" input "instanceRoles" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:Cluster" output "eksClusterIngressRule" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule"
Resource "eks:index:Cluster" output "instanceRoles" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:Cluster" output "awsProvider" type changed from "/aws/v6.5.0/schema.json#/provider" to "/aws/v6.18.2/schema.json#/provider"
Resource "eks:index:Cluster" output "clusterSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:Cluster" output "eksCluster" type changed from "/aws/v6.5.0/schema.json#/resources/aws:eks%2Fcluster:Cluster" to "/aws/v6.18.2/schema.json#/resources/aws:eks%2Fcluster:Cluster"
Resource "eks:index:Cluster" output "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:ClusterCreationRoleProvider" output "role" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:ManagedNodeGroup" input "nodeRole" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Resource "eks:index:ManagedNodeGroup" input "taints" items type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FNodeGroupTaint:NodeGroupTaint" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FNodeGroupTaint:NodeGroupTaint"
Resource "eks:index:ManagedNodeGroup" input "remoteAccess" type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FNodeGroupRemoteAccess:NodeGroupRemoteAccess" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FNodeGroupRemoteAccess:NodeGroupRemoteAccess"
Resource "eks:index:ManagedNodeGroup" input "scalingConfig" type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FNodeGroupScalingConfig:NodeGroupScalingConfig" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FNodeGroupScalingConfig:NodeGroupScalingConfig"
Resource "eks:index:ManagedNodeGroup" input "launchTemplate" type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FNodeGroupLaunchTemplate:NodeGroupLaunchTemplate" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FNodeGroupLaunchTemplate:NodeGroupLaunchTemplate"
Resource "eks:index:ManagedNodeGroup" output "nodeGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:eks%2FnodeGroup:NodeGroup" to "/aws/v6.18.2/schema.json#/resources/aws:eks%2FnodeGroup:NodeGroup"
Resource "eks:index:NodeGroup" input "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroup" input "instanceProfile" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile"
Resource "eks:index:NodeGroup" input "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroup" input "clusterIngressRule" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule"
Resource "eks:index:NodeGroup" output "cfnStack" type changed from "/aws/v6.5.0/schema.json#/resources/aws:cloudformation%2Fstack:Stack" to "/aws/v6.18.2/schema.json#/resources/aws:cloudformation%2Fstack:Stack"
Resource "eks:index:NodeGroup" output "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroup" output "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupSecurityGroup" input "clusterSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupSecurityGroup" input "eksCluster" type changed from "/aws/v6.5.0/schema.json#/resources/aws:eks%2Fcluster:Cluster" to "/aws/v6.18.2/schema.json#/resources/aws:eks%2Fcluster:Cluster"
Resource "eks:index:NodeGroupSecurityGroup" output "securityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupSecurityGroup" output "securityGroupRule" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule"
Resource "eks:index:NodeGroupV2" input "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupV2" input "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupV2" input "clusterIngressRule" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule"
Resource "eks:index:NodeGroupV2" input "instanceProfile" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile"
Resource "eks:index:NodeGroupV2" input "launchTemplateTagSpecifications" items type changed from "/aws/v6.5.0/schema.json#/types/aws:ec2%2FLaunchTemplateTagSpecification:LaunchTemplateTagSpecification" to "/aws/v6.18.2/schema.json#/types/aws:ec2%2FLaunchTemplateTagSpecification:LaunchTemplateTagSpecification"
Resource "eks:index:NodeGroupV2" output "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Resource "eks:index:NodeGroupV2" output "autoScalingGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:autoscaling%2Fgroup:Group" to "/aws/v6.18.2/schema.json#/resources/aws:autoscaling%2Fgroup:Group"
Resource "eks:index:NodeGroupV2" output "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:CreationRoleProvider" input "provider" type changed from "/aws/v6.5.0/schema.json#/provider" to "/aws/v6.18.2/schema.json#/provider"
Type "eks:index:CreationRoleProvider" input "role" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Type "eks:index:FargateProfile" input "selectors" items type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FFargateProfileSelector:FargateProfileSelector" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FFargateProfileSelector:FargateProfileSelector"
Type "eks:index:NodeGroupData" input "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:NodeGroupData" input "cfnStack" type changed from "/aws/v6.5.0/schema.json#/resources/aws:cloudformation%2Fstack:Stack" to "/aws/v6.18.2/schema.json#/resources/aws:cloudformation%2Fstack:Stack"
Type "eks:index:NodeGroupData" input "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:ClusterNodeGroupOptions" input "instanceProfile" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile"
Type "eks:index:ClusterNodeGroupOptions" input "clusterIngressRule" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule"
Type "eks:index:ClusterNodeGroupOptions" input "extraNodeSecurityGroups" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:ClusterNodeGroupOptions" input "nodeSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:CoreData" input "instanceRoles" items type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Type "eks:index:CoreData" input "cluster" type changed from "/aws/v6.5.0/schema.json#/resources/aws:eks%2Fcluster:Cluster" to "/aws/v6.18.2/schema.json#/resources/aws:eks%2Fcluster:Cluster"
Type "eks:index:CoreData" input "fargateProfile" type changed from "/aws/v6.5.0/schema.json#/resources/aws:eks%2FfargateProfile:FargateProfile" to "/aws/v6.18.2/schema.json#/resources/aws:eks%2FfargateProfile:FargateProfile"
Type "eks:index:CoreData" input "awsProvider" type changed from "/aws/v6.5.0/schema.json#/provider" to "/aws/v6.18.2/schema.json#/provider"
Type "eks:index:CoreData" input "oidcProvider" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2FopenIdConnectProvider:OpenIdConnectProvider" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2FopenIdConnectProvider:OpenIdConnectProvider"
Type "eks:index:CoreData" input "clusterIamRole" type changed from "/aws/v6.5.0/schema.json#/resources/aws:iam%2Frole:Role" to "/aws/v6.18.2/schema.json#/resources/aws:iam%2Frole:Role"
Type "eks:index:CoreData" input "clusterSecurityGroup" type changed from "/aws/v6.5.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup" to "/aws/v6.18.2/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
Type "eks:index:CoreData" input "encryptionConfig" type changed from "/aws/v6.5.0/schema.json#/types/aws:eks%2FClusterEncryptionConfig:ClusterEncryptionConfig" to "/aws/v6.18.2/schema.json#/types/aws:eks%2FClusterEncryptionConfig:ClusterEncryptionConfig"
No new resources/functions.

AWS recently introduced a new method for granting IAM principals access to Kubernetes resources called[ Access Entries](https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#authentication-modes). These resources are now the recommended approach for controlling access to EKS clusters. Previously, the aws-auth ConfigMap was the sole method for mapping IAM principals to Kubernetes RBAC. Now, users can choose between using the ConfigMap (access mode CONFIG_MAP), Access Entries (access mode API), or both (access mode API_AND_CONFIG_MAP). This PR adds support for the new access modes as described in this internal doc: https://docs.google.com/document/d/1QS7h2E6lVTf8F6eVoHJOX3KowufvbhLqgRFFzTSb-SU/edit#heading=h.3b4er6mf60f5

flostadler added 4 commits May 28, 2024 14:04

Add support for configuring cluster authentication mode and adding ac…

d5ebb87

…cess entries

Upgrade AWS provider to 6.18.2 for access entries

4ff5d27

Regenerate schema and SDKs

61eac0f

Implement access policies and cluster authentication mode

8cc3d64

flostadler self-assigned this May 28, 2024

flostadler added 4 commits May 28, 2024 23:21

formatting

2bd999b

more fmt

fdf3793

Conditionally add monitoring configuration to nodegroup to prevent pe…

4eb98b7

…rmadiff

Correct output type of access entries

978cc5f

pulumi deleted a comment from github-actions bot May 29, 2024

flostadler added 3 commits May 30, 2024 09:32

Tweak error messages

9eb696e

Add tests for authentication mode

424c096

remove upgrade test for now

494cf93

flostadler commented May 30, 2024

View reviewed changes

Clean up migration test

8e929f9

pulumi deleted a comment from github-actions bot May 30, 2024

flostadler added 3 commits May 30, 2024 12:17

Fix typo in AccessEntry::type description

947fa01

Add authentication mode migration guide

238eaeb

Add tests

0283868

pulumi deleted a comment from github-actions bot May 30, 2024

flostadler commented May 30, 2024

View reviewed changes

pulumi deleted a comment from github-actions bot May 30, 2024

Fix caution alerts in docs

b410a7d

Fix upgrade tests by upgrading to 2.5.2

7d0ce15

corymhall reviewed May 30, 2024

View reviewed changes

flostadler added 3 commits May 31, 2024 11:04

Turn AuthenticationMode and AccessEntryType into enums

ec1e474

Add tslint exception for enum objects

cc0af33

Update tests to use enum types

7dda50a

pulumi deleted a comment from github-actions bot May 31, 2024

flostadler commented May 31, 2024

View reviewed changes

flostadler requested review from blampe, t0yv0 and rquitales May 31, 2024 13:30

t0yv0 reviewed May 31, 2024

View reviewed changes

t0yv0 approved these changes May 31, 2024

View reviewed changes

rquitales reviewed Jun 3, 2024

View reviewed changes

rquitales approved these changes Jun 3, 2024

View reviewed changes

flostadler added 3 commits June 4, 2024 09:21

Remove testdata for rebase

cc1278c

Merge branch 'master' into 1027-access-config-entry

381d5e5

Add authentication mode tests to github workflows

bf985e2

flostadler merged commit b19f155 into master Jun 4, 2024
42 checks passed

flostadler deleted the 1027-access-config-entry branch June 4, 2024 08:32

t0yv0 mentioned this pull request Oct 14, 2024

Setting AuthenticationMode to ApiAndConfigMap breaks #1435

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for cluster authentication mode and access entries #1171

Add support for cluster authentication mode and access entries #1171

flostadler commented May 28, 2024 •

edited

Loading

flostadler May 30, 2024

flostadler May 30, 2024 •

edited

Loading

flostadler May 30, 2024

t0yv0 May 30, 2024

flostadler May 30, 2024

flostadler May 30, 2024

corymhall May 30, 2024

corymhall May 30, 2024

github-actions bot commented May 31, 2024

flostadler commented May 31, 2024

flostadler May 31, 2024

t0yv0 May 31, 2024

flostadler May 31, 2024

t0yv0 May 31, 2024

t0yv0 May 31, 2024

t0yv0 May 31, 2024

t0yv0 left a comment

rquitales Jun 3, 2024

rquitales left a comment

github-actions bot commented Jun 4, 2024

	test-name:
	- AwsProfile
	- Cluster
	- CNIAcrossUpdates
	- EncryptionProvider
	- ExtraSecurityGroups
	- Fargate
	- ImportDefaultEksSecgroup
	- KubernetesServiceIPv4RangeForCluster
	- ManagedNodeGroup
	- MigrateNodeGroups
	- MNG_withAwsAuth
	- MNG_withMissingRole
	- NodeGroup
	- NodegroupOptions
	- OidcIam
	- ReplaceClusterAddSubnets
	- ReplaceSecGroup
	- ScopedKubeconfig
	- StorageClasses
	- TagInputTypes
	- Tags
	- VpcSubnetTags

Add support for cluster authentication mode and access entries #1171

Add support for cluster authentication mode and access entries #1171

Conversation

flostadler commented May 28, 2024 • edited Loading

Proposed changes

How to review?

Related issues (optional)

Choose a reason for hiding this comment

flostadler May 30, 2024 • edited Loading

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

github-actions bot commented May 31, 2024

Does the PR have any schema changes?

flostadler commented May 31, 2024

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

t0yv0 left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

rquitales left a comment

Choose a reason for hiding this comment

github-actions bot commented Jun 4, 2024

Does the PR have any schema changes?

flostadler commented May 28, 2024 •

edited

Loading

flostadler May 30, 2024 •

edited

Loading