将IAM组添加到AWS EKS中的aws-auth配置映射 [英] Adding IAM Group to aws-auth configmap in AWS EKS
问题描述
aws-auth配置图在AWS EKS中执行IAM用户/角色到kubernetes RBAC角色之间的映射.但是,该文档未指定有关将IAM组添加到configmap的任何内容.
The aws-auth configmap in AWS EKS performs a mapping between IAM users/roles to kubernetes RBAC roles. However, the documentation does not specify anything on adding IAM groups to the configmap.
我们使用多个名称空间,每个名称空间由不同的团队管理.我创建了一组kubernetes RBAC角色,仅限于不同的名称空间.现在,我想赋予IAM小组中的每个人特定的角色.
We use multiple namespaces, each namespace managed by a different team. I created a set of kubernetes RBAC roles, limited to the different namespaces. Now I want to give everbody in the teams IAM group that specific role.
是否可以在aws-auth configmap中添加IAM组?如果没有,建议的解决方案是什么?为每个团队创建一个IAM角色,并仅允许IAM组的成员承担担任该角色的权限吗?
Is it possible to add IAM groups in the aws-auth configmap? If not, what would the proposed solution be? Create a IAM role per team and allow only members of the IAM group the permission to assume that role?
推荐答案
您可以在此处查看.
TLDR
1.创建一个角色,该角色允许完全的API访问权限
2.使用命名的apiGroup作为subjects
,为此目标名称空间创建一个RoleBinding
.
3.在aws-auth ConfigMap
中为您的IAM用户添加一个条目,以将mapUser
添加到前面提到的apiGroup中.
TLDR
1. Create a role that allows full API access
2. Create a RoleBinding
for that role to your target namespace with a named apiGroup as the subjects
.
3. Add an entry for your IAM user in the aws-auth ConfigMap
to add the mapUser
to the named aforementioned apiGroup.
希望这会有所帮助!
这篇关于将IAM组添加到AWS EKS中的aws-auth配置映射的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!