kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update the aws-iam-authenticator docs to be more clear for both new and existing clusters.

This commit is contained in:
Rodrigo Menezes 2019-03-28 20:08:33 -07:00
parent ee57ef73e7
commit 4f2c1bd8f6
1 changed files with 27 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
docs/authentication.md
View File

@ -33,8 +33,12 @@ spec:
## AWS IAM Authenticator
If you want to turn on AWS IAM Authenticator, you can add this block
to your cluster running Kubernetes 1.10 or newer via `kops edit cluster ${CLUSTER_NAME}`:
:exclamation:AWS IAM Authenticator requires Kops 1.10 or newer and Kubernetes 1.10 or newer
To turn on AWS IAM Authenticator, you'll need to add the stanza bellow
to your cluster configuration.
```
authentication:
@ -55,9 +59,7 @@ spec:
rbac: {}
```
Once done you need to run `kops update cluster ${CLUSTER_NAME} --yes; kops rolling-update cluster ${CLUSTER_NAME} --instance-group-roles=Master --cloudonly --force --yes`.
Next, you will need to create the AWS IAM authenticator
config as a config map. (This can also be done when boostrapping a cluster using addons)
The creation of a AWS IAM authenticator config as a ConfigMap is also required.
For more details on AWS IAM authenticator please visit [kubernetes-sigs/aws-iam-authenticator](https://github.com/kubernetes-sigs/aws-iam-authenticator)
Example config:
@ -114,3 +116,23 @@ data:
groups:
- system:masters
```
### Creating a new cluster with IAM Authenticator on.
* Create a cluster following the [AWS getting started guide](https://github.com/kubernetes/kops/blob/master/docs/aws.md)
* When you reach the "Customize Cluster Configuration" section of the guide modify the cluster spec and add the Authentication and Authorization configs to the YAML config.
* Continue following the cluster creation guide to build the cluster.
* :warning: When the cluster first comes up the aws-iam-authenticator PODs will be in a bad state.
as it is trying to find the aws-iam-authenticator ConfigMap and we have not yet created it.
* Once the cluster is up, you'll need to create an aws-iam-authenticator configMap on the cluster `kubectl apply -f aws-iam-authenticator_example-config.yaml`
* Once the configuration is created you need to delete the initially created aws-iam-authenticator PODs, this will force new ones to come and and correctly find the ConfigMap.
```
kubectl get pods -n kube-system | grep aws-iam-authenticator | awk '{print $1}' | xargs kubectl delete pod -n kube-system
```
### Turning on IAM Authenticator on an existing cluster.
* Create an aws-iam-authenticator configMap on the cluster `kubectl apply -f aws-iam-authenticator_example-config.yaml`
* Edit the clusters configuration `kops edit cluster ${NAME}` and add the Authentication and Authorization configs to the YAML config.
* Update the clusters configiguration `kops update cluster ${CLUSTER_NAME} --yes`
* Perform a rolling update of the masters `kops rolling-update cluster ${CLUSTER_NAME} --instance-group-roles=Master --force --yes`