Merge pull request #12976 from olemarkus/irsa-docs

Recommend enabling IRSA for new clusters
Kubernetes Prow Robot 2022-03-11 06:09:06 -08:00 committed by GitHub
commit d7eea03267
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 0 deletions

@ -254,6 +254,18 @@ to revert or recover a previous state store.
aws s3api put-bucket-versioning --bucket prefix-example-com-state-store --versioning-configuration Status=Enabled
```
In order for ServiceAccounts to use external permissions (aka IAM Roles for ServiceAccounts), you also need a bucket for hosting the OIDC documents.
While you can reuse the bucket above if you grant it a public ACL, we do recommend a separate bucket for these files.
The ACL must be public so that the AWS STS service can access them.
```bash
aws s3api create-bucket \
--bucket prefix-example-com-oidc-store \
--region us-east-1
--acl public-read
```
Information regarding cluster state store location must be set when using `kops` cli. See [state store](../state.md) for further information.
### Using S3 default bucket encryption
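Review bot: the `aws s3api create-bucket` block in this hunk is missing a line-continuation backslash after `--region us-east-1`, so `--acl public-read` is parsed by the shell as a separate command and the bucket is created without the public ACL that the preceding sentence says STS needs; suggest `--region us-east-1 \` before `--acl public-read`. The sentence "While you can reuse the bucket above if you grant it a public ACL, we do recommend a separate bucket" would also read more clearly if it said why: a public ACL on the state-store bucket would expose everything in the state store, not only the OIDC discovery documents, which is the reason to keep those documents in their own bucket.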
@ -324,6 +336,7 @@ it. Make sure you have generated an SSH key pair before creating your cluster.
```bash
kops create cluster \
--zones=us-west-2a \
--discovery-store=s3://prefix-example-com-oidc-store/${NAME}/discovery
${NAME}
```
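Review bot: the new `--discovery-store` flag is inserted into the example with no sentence explaining it, and the surrounding text only talks about generating an SSH key pair. Suggest a line before the block stating that `--discovery-store` must point at the public OIDC bucket created in the state-store section (`s3://prefix-example-com-oidc-store/...`), so readers connect the two additions in this change. Also, as written the flag line has no trailing backslash, so `${NAME}` on the following line is run as a separate command; it should end with `\` like the `--zones=us-west-2a \` line above it.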