feat(cluster): add getKubeconfig method to generate scoped kubeconfigs #356
Merged
metral force-pushed the metral/role-kubeconfig branch 4 times, most recently from 6296550 to 6af6057 on March 24, 2020 02:48
PR Passed 3 times in CI |
lblackstone approved these changes on Mar 24, 2020
metral force-pushed the metral/role-kubeconfig branch 2 times, most recently from defa076 to 106e246 on March 24, 2020 18:37
It would be nice to be able to target an AWS profile instead of a role as well, maybe replace |
metral force-pushed the metral/role-kubeconfig branch from 106e246 to 5c2bd41 on March 26, 2020 01:03
@mazamats The PR has been re-scoped to include the use of a @lblackstone Please review once more. |
metral changed the title from "feat(cluster): add helper to generate role-based kubeconfigs" to "feat(cluster): add getKubeconfig method to generate scoped kubeconfigs" on Mar 26, 2020
metral force-pushed the metral/role-kubeconfig branch 6 times, most recently from bc13e08 to 4d7ec03 on March 26, 2020 01:40
lblackstone reviewed on Mar 26, 2020
metral force-pushed the metral/role-kubeconfig branch 2 times, most recently from 0271183 to 53e83dd on March 26, 2020 16:18
A scoped kubeconfig is necessary for certain auth scenarios. For example:

1. Assume a role on the default account caller,
2. Use an AWS creds profile instead of the default account caller,
3. Use an AWS creds profile instead of the default account caller, and then assume a given role on the profile. This scenario is also possible by only using a profile, iff the profile includes a role to assume in its settings.

---

Scope options are based on [1], and include:

- `roleArn`: Role ARN to assume instead of the default AWS credential provider chain
- `profileName`: AWS credential profile name to always use instead of the default AWS credential provider chain

Note: The options can be used independently, or additively as they configure different settings of the kubeconfig authentication steps.

PR includes example of:

- Using role-based kubeconfig: create a Pod as a dev with limited permissions.
- Asserting profile-based kubeconfig is properly configured, since testing profiles is out of scope.

1 - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
metral force-pushed the metral/role-kubeconfig branch from 53e83dd to 26c3d3f on March 26, 2020 17:46
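Proposed changes

A scoped kubeconfig is necessary for certain auth scenarios. For example:

1. Assume a role on the default account caller,
2. Use an AWS creds profile instead of the default account caller,
3. Use an AWS creds profile instead of the default account caller, and then assume a given role on the profile. This scenario is also possible by only using a profile, iff the profile includes a role to assume in its settings.

Scope options added are based on AWS kubeconfig docs, and include:

- `roleArn`: Role ARN to assume instead of the default AWS credential provider chain
- `profileName`: AWS credential profile name to always use instead of the default AWS credential provider chain

Note: The options can be used independently, or additively as they configure different settings of the kubeconfig authentication steps.

PR includes example of:

- Using role-based kubeconfig: create a Pod as a dev with limited permissions.
- Asserting profile-based kubeconfig is properly configured, since testing profiles is out of scope.
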
Related issues (optional)
Closes #348
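
How the two scope options land in the kubeconfig's exec credential section, following the layout in the AWS create-kubeconfig guide the PR cites. This is an added example, not code from this PR or from pulumi-eks: `buildScopedKubeconfig`, `KubeconfigScope`, the ARN check, the `v1beta1` exec API version and all sample values are assumptions made for illustration.

```typescript
// Added illustration; hypothetical helper, not the project's getKubeconfig.
interface KubeconfigScope {
    roleArn?: string;     // role to assume instead of the default credential chain
    profileName?: string; // AWS credential profile to always use
}
interface ExecEnv { name: string; value: string; }

function buildScopedKubeconfig(
    clusterName: string,
    endpoint: string,
    caDataBase64: string,
    scope: KubeconfigScope = {},
) {
    // Reject anything that is not an IAM role ARN before it reaches the exec args.
    if (scope.roleArn !== undefined &&
        !/^arn:aws[\w-]*:iam::\d{12}:role\/.+$/.test(scope.roleArn)) {
        throw new Error(`not an IAM role ARN: ${scope.roleArn}`);
    }
    // roleArn scopes the token request: the authenticator assumes the role first.
    const args = ["token", "-i", clusterName];
    if (scope.roleArn) args.push("-r", scope.roleArn);
    // profileName scopes the caller: AWS_PROFILE replaces the default chain.
    const env: ExecEnv[] | undefined = scope.profileName
        ? [{ name: "AWS_PROFILE", value: scope.profileName }]
        : undefined;
    return {
        apiVersion: "v1",
        kind: "Config",
        clusters: [{
            name: "kubernetes",
            cluster: { server: endpoint, "certificate-authority-data": caDataBase64 },
        }],
        contexts: [{ name: "aws", context: { cluster: "kubernetes", user: "aws" } }],
        "current-context": "aws",
        users: [{
            name: "aws",
            user: { exec: {
                apiVersion: "client.authentication.k8s.io/v1beta1", // assumed version
                command: "aws-iam-authenticator",
                args,
                env, // undefined is dropped when the config is serialized
            } },
        }],
    };
}

// Constructed sample: scenario 3 from the description (profile, then role).
const devConfig = buildScopedKubeconfig("example-cluster", "https://eks.example.invalid",
    "Q0E=", { roleArn: "arn:aws:iam::123456789012:role/dev", profileName: "dev-profile" });
```

Because the two options touch different fields (`args` and `env`), setting both yields scenario 3, and setting neither leaves the default credential provider chain in effect.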