aws_eks: Support AccessConfig on aws_eks.Cluster #28588
Comments
Yes this is an awesome feature we just announced and we definitely should support that. Would you tell me more about your expected CDK experience with that? |
Sure. When creating an EKS cluster, we would like to opt in to access entries by passing the authentication mode to the constructor:
```python
cluster = aws_eks.Cluster(
    self,
    id="MyCluster",
    # ...snipped
    authentication_mode=aws_eks.AuthenticationMode.API_AND_CONFIG_MAP
)
```
with For now we would go on to create
```python
aws_eks.AccessEntry(
    self,
    id="AdministatorAccessEntry",
    cluster_name=cluster.cluster_name,
    principal_arn=role.role_arn,
    # other options
)
```
or with a helper method on the cluster:
```python
cluster.add_access_entry(self, id="AdministatorAccessEntry", principal_arn=role.role_arn, ...)
```
|
Thanks @TirTech for raising this one. @pahud to complement what has been shared above around the expected CDK experience with
```python
# Grant cluster admin (system:masters RBAC group)
cluster.grant_admin(IGrantable)
# Grant read only (similarly to what a console user needs to navigate the cluster resources)
cluster.grant_read_only(IGrantable)
# General purpose grant where explicit mapping to RBAC access management can be expressed.
# Eventually this one could also take care of the heavy lifting by creating the Kubernetes' Role/ClusterRole/Binding/Group behind the scenes.
cluster.grant(IGrantable, <rbac mapping>)
```
|
This makes sense to me. Thank you for the user experience sharing. I am bumping this issue to p1 now but we still welcome any pull requests from the community. |
Is it possible/safe to use the escape hatch to enable API_AND_CONFIG mode until this feature is released? Asking because if it’s enabled manually, it cannot be set in the CDK stack anymore since the deployment is going to fail (which seems unnecessary, it could have simply succeeded, but that’s not the point here). Thanks. |
Just self-assigned. I will pick up this issue and see if I can submit a PR in the next few days. I can't guarantee any ETA but this is something I am really looking forward to. |
FYI, I attempted to use an escape hatch like this:
```typescript
import { Construct } from 'constructs';
import * as eks from 'aws-cdk-lib/aws-eks';

export default class MyEks extends Construct {
  public readonly cluster: eks.Cluster;
  // other constructs here
  constructor(scope: Construct, id: string) {
    super(scope, id);
    this.cluster = new eks.Cluster(this, 'MyEksCluster', {
      // Various props here
    });
    const cfnCluster = this.cluster.node.defaultChild as eks.CfnCluster;
    cfnCluster.accessConfig = { authenticationMode: 'API_AND_CONFIG_MAP' };
  }
}
```
But this did not set the authentication mode value. It doesn't appear in the synthesized CloudFormation and the option isn't selected in the console. |
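A check for the symptom reported in the comment above, as an added example that is not part of the original thread or the CDK project: it scans a synthesized template (for instance the output of `cdk synth`) and reports which cluster resources actually carry an authentication mode. The sample template, its logical IDs, and the `Custom::AWSCDK-EKS-Cluster` type with a `Config` wrapper are assumptions constructed for illustration.

```python
import json

# Valid values of AccessConfig.AuthenticationMode for an EKS cluster.
VALID_MODES = {"CONFIG_MAP", "API_AND_CONFIG_MAP", "API"}
# Resource types to inspect. The custom-resource type is an assumption about
# how the L2 aws_eks.Cluster is synthesized; adjust it to match your template.
CLUSTER_TYPES = {"AWS::EKS::Cluster", "Custom::AWSCDK-EKS-Cluster"}


def find_key(node, wanted):
    """Search nested dicts/lists for a key, ignoring case; None if absent."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == wanted:
                return value
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_key(child, wanted)
        if found is not None:
            return found
    return None


def cluster_auth_modes(template):
    """Map each cluster logical ID to its authentication mode, or None if unset."""
    result = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in CLUSTER_TYPES:
            continue
        access = find_key(resource.get("Properties", {}), "accessconfig")
        mode = find_key(access, "authenticationmode")
        # Intrinsic functions (dicts) and unknown strings count as "not set".
        result[logical_id] = mode if isinstance(mode, str) and mode in VALID_MODES else None
    return result


# Constructed sample: one cluster without an access config, one with it set.
SAMPLE = {"Resources": {
    "MyEksCluster": {"Type": "Custom::AWSCDK-EKS-Cluster",
                     "Properties": {"Config": {"name": "demo", "version": "1.28"}}},
    "NativeCluster": {"Type": "AWS::EKS::Cluster",
                      "Properties": {"AccessConfig": {"AuthenticationMode": "API_AND_CONFIG_MAP"}}},
    "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
}}

if __name__ == "__main__":
    print(json.dumps(cluster_auth_modes(SAMPLE), indent=2))
```

A `None` for a cluster means the template does not request any authentication mode for it, so a deployment would leave the cluster's existing setting untouched.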
We are discussing with the team what is the best option for us to rollout this feature. Will update here in the next few days. |
Looking forward to the update... |
@pahud Any updates on this? :) |
@pahud we are also interested in this feature |
Thanks for all the upvotes. We are still discussing with the team as adding this feature is not as simple as just adding the What I am planning for the low hanging fruits is:
This should be a small PR to unblock this for now. And after that, we could have another PR to implement the AccessEntry L2 for better developer experience. Let me know if you have different thoughts and feel free to chat with me for more details on cdk.dev slack. |
Describe the feature
Support setting AccessConfig (or at least AuthenticationMode) on aws_eks.Cluster.
Use Case
We currently use aws_eks.Cluster to create our clusters, and would like to start using EKS access modes (specifically API_AND_CONFIG_MAP)
Proposed Solution
No response
Other Information
No response
Acknowledgements
CDK version used
2.118.0
Environment details (OS name and version, etc.)
Ubuntu 22.04.3 LTS on Windows 11 x86_64, python 3.10