Merge pull request #15498 from h3poteto/doc/irsa-bucket

[doc] Update s3api command to create OIDC bucket
Kubernetes Prow Robot 2023-06-14 03:26:00 -07:00 committed by GitHub
commit feedb1b2bb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 1 deletions


@ -228,7 +228,7 @@ with the cluster's DNS.
**Please DO NOT MOVE ON until you have validated your NS records! This is not required if a gossip-based cluster is created.** **Please DO NOT MOVE ON until you have validated your NS records! This is not required if a gossip-based cluster is created.**
## Cluster State storage ## Cluster State store
In order to store the state of your cluster, and the representation of your In order to store the state of your cluster, and the representation of your
cluster, we need to create a dedicated S3 bucket for `kops` to use. This cluster, we need to create a dedicated S3 bucket for `kops` to use. This
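Review bot: renaming the heading from "Cluster State storage" to "Cluster State store" also changes its generated anchor (`#cluster-state-storage` becomes `#cluster-state-store`); please grep the docs for links to the old anchor and update them in the same change so nothing dangles.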
@ -254,6 +254,7 @@ to revert or recover a previous state store.
aws s3api put-bucket-versioning --bucket prefix-example-com-state-store --versioning-configuration Status=Enabled aws s3api put-bucket-versioning --bucket prefix-example-com-state-store --versioning-configuration Status=Enabled
``` ```
## Cluster OIDC store
In order for ServiceAccounts to use external permissions (aka IAM Roles for ServiceAccounts), you also need a bucket for hosting the OIDC documents. In order for ServiceAccounts to use external permissions (aka IAM Roles for ServiceAccounts), you also need a bucket for hosting the OIDC documents.
While you can reuse the bucket above if you grant it a public ACL, we do recommend a separate bucket for these files. While you can reuse the bucket above if you grant it a public ACL, we do recommend a separate bucket for these files.
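Review bot: the context line "While you can reuse the bucket above if you grant it a public ACL, we do recommend a separate bucket" understates the risk now that the new heading introduces this as a distinct store: making the state-store bucket public-read would expose the cluster's state files, not just the OIDC discovery documents. Consider strengthening the wording under the new `## Cluster OIDC store` heading to state that the state store must never be made public and that a dedicated bucket is the supported configuration.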
@ -263,6 +264,12 @@ The ACL must be public so that the AWS STS service can access them.
aws s3api create-bucket \ aws s3api create-bucket \
--bucket prefix-example-com-oidc-store \ --bucket prefix-example-com-oidc-store \
--region us-east-1 \ --region us-east-1 \
--object-ownership BucketOwnerPreferred
aws s3api put-public-access-block \
--bucket prefix-example-com-oidc-store \
--public-access-block-configuration BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false
aws s3api put-bucket-acl \
--bucket prefix-example-com-oidc-store \
--acl public-read --acl public-read
``` ```
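Review bot: the added `put-public-access-block` call sets all four flags to `false`, which is broader than the public-read ACL requires. Only `BlockPublicAcls=false,IgnorePublicAcls=false` are needed for the ACL in the following `put-bucket-acl` step to take effect; `BlockPublicPolicy=true,RestrictPublicBuckets=true` can stay enabled so that a public bucket policy can never be attached to this bucket by mistake. Suggest `--public-access-block-configuration BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=true,RestrictPublicBuckets=true`. It would also help readers to add a sentence explaining why `--object-ownership BucketOwnerPreferred` is now required: newly created buckets default to ACLs being disabled, so without it the `public-read` ACL cannot be applied.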