--- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: iamidentitymappings.iamauthenticator.k8s.aws spec: group: iamauthenticator.k8s.aws version: v1alpha1 scope: Cluster names: plural: iamidentitymappings singular: iamidentitymapping kind: IAMIdentityMapping categories: - all subresources: status: {} validation: openAPIV3Schema: properties: spec: required: - arn - username properties: arn: type: string username: type: string groups: type: array items: type: string --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: aws-iam-authenticator rules: - apiGroups: - iamauthenticator.k8s.aws resources: - iamidentitymappings verbs: - get - list - watch - apiGroups: - iamauthenticator.k8s.aws resources: - iamidentitymappings/status verbs: - patch - update - apiGroups: - "" resources: - events verbs: - create - update - patch --- apiVersion: v1 kind: ServiceAccount metadata: name: aws-iam-authenticator namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: aws-iam-authenticator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: aws-iam-authenticator subjects: - kind: ServiceAccount name: aws-iam-authenticator namespace: kube-system --- apiVersion: apps/v1 kind: DaemonSet metadata: namespace: kube-system name: aws-iam-authenticator labels: k8s-app: aws-iam-authenticator spec: updateStrategy: type: RollingUpdate selector: matchLabels: k8s-app: aws-iam-authenticator template: metadata: annotations: scheduler.alpha.kubernetes.io/critical-pod: "" labels: k8s-app: aws-iam-authenticator spec: serviceAccountName: aws-iam-authenticator # run on the host network (don't depend on CNI) hostNetwork: true # run on each master node nodeSelector: node-role.kubernetes.io/master: "" priorityClassName: system-node-critical tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master - key: CriticalAddonsOnly operator: Exists # run `aws-iam-authenticator server` with three volumes # - config (mounted from the ConfigMap at /etc/aws-iam-authenticator/config.yaml) # - state (persisted TLS certificate and keys, mounted from the host) # - output (output kubeconfig to plug into your apiserver configuration, mounted from the host) containers: - name: aws-iam-authenticator image: {{ or .Authentication.Aws.Image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.1-debian-stretch" }} args: - server {{- if or (not .Authentication.Aws.BackendMode) (contains "MountedFile" .Authentication.Aws.BackendMode) }} - --config=/etc/aws-iam-authenticator/config.yaml {{- end }} {{- if or .Authentication.Aws.ClusterID (and .Authentication.Aws.BackendMode (not (contains "MountedFile" .Authentication.Aws.BackendMode)))}} - --cluster-id={{ or .Authentication.Aws.ClusterID ClusterName }} {{- end }} - --state-dir=/var/aws-iam-authenticator - --kubeconfig-pregenerated=true {{- if .Authentication.Aws.BackendMode }} - --backend-mode={{ .Authentication.Aws.BackendMode }} {{- end }} resources: requests: memory: {{ or .Authentication.Aws.MemoryRequest "20Mi" }} cpu: {{ or .Authentication.Aws.CPURequest "10m" }} limits: memory: {{ or .Authentication.Aws.MemoryLimit "20Mi" }} cpu: {{ or .Authentication.Aws.CPULimit "100m" }} livenessProbe: httpGet: host: 127.0.0.1 path: /healthz port: 21362 scheme: HTTPS volumeMounts: {{- if or (not .Authentication.Aws.BackendMode) (contains "MountedFile" .Authentication.Aws.BackendMode) }} - name: config mountPath: /etc/aws-iam-authenticator/ {{- end }} - name: state mountPath: /var/aws-iam-authenticator/ - name: output mountPath: /etc/kubernetes/aws-iam-authenticator/ volumes: {{- if or (not .Authentication.Aws.BackendMode) (contains "MountedFile" .Authentication.Aws.BackendMode) }} - name: config configMap: name: aws-iam-authenticator {{- end }} - name: output hostPath: path: /srv/kubernetes/aws-iam-authenticator/ - name: state hostPath: path: /srv/kubernetes/aws-iam-authenticator/