--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: iamidentitymappings.iamauthenticator.k8s.aws spec: group: iamauthenticator.k8s.aws scope: Cluster names: plural: iamidentitymappings singular: iamidentitymapping kind: IAMIdentityMapping categories: - all versions: - name: v1alpha1 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object required: - arn - username properties: arn: type: string username: type: string groups: type: array items: type: string status: type: object properties: canonicalARN: type: string userID: type: string subresources: status: {} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aws-iam-authenticator rules: - apiGroups: - iamauthenticator.k8s.aws resources: - iamidentitymappings verbs: - get - list - watch - apiGroups: - iamauthenticator.k8s.aws resources: - iamidentitymappings/status verbs: - patch - update - apiGroups: - "" resources: - events verbs: - create - update - patch - apiGroups: - "" resources: - configmaps verbs: - list - watch - apiGroups: - "" resources: - configmaps resourceNames: - aws-auth verbs: - get --- apiVersion: v1 kind: ServiceAccount metadata: name: aws-iam-authenticator namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: aws-iam-authenticator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: aws-iam-authenticator subjects: - kind: ServiceAccount name: aws-iam-authenticator namespace: kube-system --- apiVersion: apps/v1 kind: DaemonSet metadata: namespace: kube-system name: aws-iam-authenticator labels: k8s-app: aws-iam-authenticator annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default spec: updateStrategy: type: RollingUpdate selector: matchLabels: k8s-app: aws-iam-authenticator template: metadata: labels: k8s-app: aws-iam-authenticator spec: # use service account with access to serviceAccountName: aws-iam-authenticator # run on the host network (don't depend on CNI) hostNetwork: true # run on each master node nodeSelector: {{ APIServerNodeRole }}: "" priorityClassName: system-node-critical {{ if ContainerdSELinuxEnabled }} securityContext: seLinuxOptions: type: spc_t level: s0 {{ end }} tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master - effect: NoSchedule key: node-role.kubernetes.io/control-plane - effect: NoSchedule key: node-role.kubernetes.io/api-server - key: node.cloudprovider.kubernetes.io/uninitialized operator: Exists - key: CriticalAddonsOnly operator: Exists # run `aws-iam-authenticator server` with three volumes # - config (mounted from the ConfigMap at /etc/aws-iam-authenticator/config.yaml) # - state (persisted TLS certificate and keys, mounted from the host) # - output (output kubeconfig to plug into your apiserver configuration, mounted from the host) containers: - name: aws-iam-authenticator image: {{ or .Authentication.AWS.Image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.12" }} args: - server {{- if or (not .Authentication.AWS.BackendMode) (contains "MountedFile" .Authentication.AWS.BackendMode) }} - --config=/etc/aws-iam-authenticator/config.yaml {{- end }} {{- if or .Authentication.AWS.ClusterID (and .Authentication.AWS.BackendMode (not (contains "MountedFile" .Authentication.AWS.BackendMode)))}} - --cluster-id={{ or .Authentication.AWS.ClusterID ClusterName }} {{- end }} - --state-dir=/var/aws-iam-authenticator - --kubeconfig-pregenerated=true {{- if .Authentication.AWS.BackendMode }} - --backend-mode={{ .Authentication.AWS.BackendMode }} {{- end }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsUser: 10000 runAsGroup: 10000 resources: requests: memory: {{ or .Authentication.AWS.MemoryRequest "20Mi" }} cpu: {{ or .Authentication.AWS.CPURequest "10m" }} limits: memory: {{ or .Authentication.AWS.MemoryLimit "20Mi" }} cpu: {{ or .Authentication.AWS.CPULimit "100m" }} livenessProbe: httpGet: host: 127.0.0.1 path: /healthz port: 21362 scheme: HTTPS volumeMounts: {{- if or (not .Authentication.AWS.BackendMode) (contains "MountedFile" .Authentication.AWS.BackendMode) }} - name: config mountPath: /etc/aws-iam-authenticator/ {{- end }} - name: state mountPath: /var/aws-iam-authenticator/ - name: output mountPath: /etc/kubernetes/aws-iam-authenticator/ volumes: {{- if or (not .Authentication.AWS.BackendMode) (contains "MountedFile" .Authentication.AWS.BackendMode) }} - name: config configMap: name: aws-iam-authenticator {{- end }} - name: output hostPath: path: /srv/kubernetes/aws-iam-authenticator/ - name: state hostPath: path: /srv/kubernetes/aws-iam-authenticator/ {{- if and (and (.Authentication.AWS.BackendMode) (contains "CRD" .Authentication.AWS.BackendMode)) (.Authentication.AWS.IdentityMappings) }} {{- range $i, $mapping := .Authentication.AWS.IdentityMappings }} --- apiVersion: iamauthenticator.k8s.aws/v1alpha1 kind: IAMIdentityMapping metadata: name: iam-identity-mapping-{{ $i }} labels: k8s-app: aws-iam-authenticator spec: arn: {{ $mapping.ARN }} username: {{ $mapping.Username }} groups: {{ ToYAML $mapping.Groups | indent 4 }} {{- end }} {{- end }}