kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15498 from h3poteto/doc/irsa-bucket 

[doc] Update s3api command to create OIDC bucket
This commit is contained in:
Kubernetes Prow Robot 2023-06-14 03:26:00 -07:00 committed by GitHub
parent d8a805afdf 01c3c77ae8
commit feedb1b2bb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/getting_started/aws.md
View File

@ -228,7 +228,7 @@ with the cluster's DNS.
**Please DO NOT MOVE ON until you have validated your NS records! This is not required if a gossip-based cluster is created.**
## Cluster State storage
## Cluster State store
In order to store the state of your cluster, and the representation of your
cluster, we need to create a dedicated S3 bucket for `kops` to use. This
@ -254,6 +254,7 @@ to revert or recover a previous state store.
aws s3api put-bucket-versioning --bucket prefix-example-com-state-store --versioning-configuration Status=Enabled
```
## Cluster OIDC store
In order for ServiceAccounts to use external permissions (aka IAM Roles for ServiceAccounts), you also need a bucket for hosting the OIDC documents.
While you can reuse the bucket above if you grant it a public ACL, we do recommend a separate bucket for these files.
@ -263,6 +264,12 @@ The ACL must be public so that the AWS STS service can access them.
aws s3api create-bucket \
--bucket prefix-example-com-oidc-store \
--region us-east-1 \
--object-ownership BucketOwnerPreferred
aws s3api put-public-access-block \
--bucket prefix-example-com-oidc-store \
--public-access-block-configuration BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false
aws s3api put-bucket-acl \
--bucket prefix-example-com-oidc-store \
--acl public-read
```