将IAM组添加到AWS EKS中的aws-auth配置映射 [英] Adding IAM Group to aws-auth configmap in AWS EKS

问题描述

aws-auth配置图在AWS EKS中执行IAM用户/角色到kubernetes RBAC角色之间的映射.但是，该文档未指定有关将IAM组添加到configmap的任何内容.

The aws-auth configmap in AWS EKS performs a mapping between IAM users/roles to kubernetes RBAC roles. However, the documentation does not specify anything on adding IAM groups to the configmap.

我们使用多个名称空间，每个名称空间由不同的团队管理.我创建了一组kubernetes RBAC角色，仅限于不同的名称空间.现在，我想赋予IAM小组中的每个人特定的角色.

We use multiple namespaces, each namespace managed by a different team. I created a set of kubernetes RBAC roles, limited to the different namespaces. Now I want to give everbody in the teams IAM group that specific role.

是否可以在aws-auth configmap中添加IAM组?如果没有，建议的解决方案是什么?为每个团队创建一个IAM角色，并仅允许IAM组的成员承担担任该角色的权限吗?

Is it possible to add IAM groups in the aws-auth configmap? If not, what would the proposed solution be? Create a IAM role per team and allow only members of the IAM group the permission to assume that role?

推荐答案

您可以在此处查看.

TLDR
1.创建一个角色，该角色允许完全的API访问权限
2.使用命名的apiGroup作为subjects，为此目标名称空间创建一个RoleBinding.
3.在aws-auth ConfigMap中为您的IAM用户添加一个条目，以将mapUser添加到前面提到的apiGroup中.

TLDR
1. Create a role that allows full API access
2. Create a RoleBinding for that role to your target namespace with a named apiGroup as the subjects.
3. Add an entry for your IAM user in the aws-auth ConfigMap to add the mapUser to the named aforementioned apiGroup.

希望这会有所帮助！

这篇关于将IAM组添加到AWS EKS中的aws-auth配置映射的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！