Provide Cluster Admins/Creators ability to specify multiple AWS IAM Roles/Users and map those to RBAC Roles in EKS at Cluster Creation #1695
Comments
This looks like a duplicate of: aws/containers-roadmap#185
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Duplicate of #874
@aclevername Will this be covered by #3097 / #874?
If I'm reading the issue correctly the desired functionality that doesn't exist is to
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
@aclevername I think we should be good as long as users can supply additional IAM User/Role ARNs to be added to the configmap at the cluster creation time, when using eksctl.
Say the cluster creator left the company and someone corrupted the yaml config map with a single extra space. At that point, would the entire cluster require a rebuild? I would consider eliminating such a vulnerability a requirement.
@djabraham, no it will not require a rebuild, they should be able to access the EKS cluster as long as they know the ARN of the User/Role that created the cluster and use the same User/Role ... IAM Role ARNs are strings and you can delete and recreate the same IAM Role/User repeatedly. Moreover, the best practice is to use Roles, rather than IAM User accounts to create and manage clusters.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.
Why do you want this feature?
Today, only the Cluster Creator has the permission to manage the EKS Cluster just after creation (AWS IAM Role or User), and then if the Cluster Creator has to delegate the Cluster Access or management to other users/roles, we need to manually edit the aws-auth configmap or use the eksctl iam-identity-mappings command (https://eksctl.io/usage/iam-identity-mappings/). This is an extra hop and at the same time, users might end up editing the aws-auth configmap incorrectly, causing issues (as bad as losing access to the entire cluster).
What feature/behavior/change do you want?
Let a user (Cluster Creator) supply multiple ARNs which can be added to the aws-auth configmap as admins or read-only roles etc. Basically, setting different IAM Roles/Users mapping to RBAC Roles at the cluster creation itself.
e.g. eksctl create cluster --ClusterAdminIAMRoleArns (accepts string values which are AWS IAM ARNs for IAM Roles/users and maps these to the "system:masters" group in Kubernetes RBAC) --ClusterWatcher(orReadOnly)IAMRoleArns (also accepts string values which are AWS IAM ARNs for IAM Roles and maps these to groups like "system:basic-user" or the inbuilt ClusterRole "view" in Kubernetes RBAC)
This will make it easier for the ClusterAdmins/Customers to just create the cluster and after that delegate control to respective teams/users rather than coming back later and editing the aws-auth configmap.
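The failure mode raised in this thread, a hand-edited aws-auth configmap that either locks the admins out or quietly hands someone system:masters, is easiest to contain by validating the mapping before it is applied. The following is an added example, not eksctl's own code: it checks an already-parsed mapRoles list (the structure PyYAML would load from the configmap) against an explicit admin allowlist and a break-glass admin ARN; the ARNs, group names and function name are constructed for illustration.

```python
import re

# Matches IAM role and user ARNs, including roles with a path component.
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")

def validate_map_roles(entries: object, admin_allowlist: set[str], break_glass_arn: str) -> list[str]:
    """Return the problems found; an empty list means the mapping is safe to apply.
    Checks each entry is well formed, its ARN parses, system:masters is granted only
    to ARNs in admin_allowlist, and the break-glass admin keeps system:masters."""
    if not isinstance(entries, list):
        return ["mapRoles must be a YAML list"]
    problems: list[str] = []
    break_glass_ok = False
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: not a mapping")
            continue
        arn = entry.get("rolearn") or entry.get("userarn")
        if not isinstance(arn, str) or not ARN_RE.match(arn):
            problems.append(f"entry {i}: missing or malformed ARN: {arn!r}")
            continue
        groups = entry.get("groups", [])
        if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
            problems.append(f"entry {i}: groups must be a list of strings")
            continue
        if "system:masters" in groups and arn not in admin_allowlist:
            problems.append(f"entry {i}: {arn} gets system:masters but is not an approved admin")
        if arn == break_glass_arn and "system:masters" in groups:
            break_glass_ok = True
    if not break_glass_ok:
        problems.append(f"break-glass admin {break_glass_arn} is missing or lost system:masters")
    return problems

# Constructed sample data; the account id and role names are placeholders.
ADMIN_ARN = "arn:aws:iam::111122223333:role/eks-cluster-admin"
VIEWER_ARN = "arn:aws:iam::111122223333:role/eks-viewer"

GOOD_MAP_ROLES = [
    {"rolearn": ADMIN_ARN, "username": "cluster-admin", "groups": ["system:masters"]},
    # "eks-viewers" is a custom group; bind it to the built-in "view" ClusterRole.
    {"rolearn": VIEWER_ARN, "username": "viewer", "groups": ["eks-viewers"]},
]
# The same mapping after a careless edit: a stray space in the admin ARN and an
# accidental system:masters grant to the viewer role.
BAD_MAP_ROLES = [
    {"rolearn": ADMIN_ARN + " ", "username": "cluster-admin", "groups": ["system:masters"]},
    {"rolearn": VIEWER_ARN, "username": "viewer", "groups": ["system:masters"]},
]
```

Run this as a pre-apply gate (for example in the pipeline that writes the configmap) and refuse the change when the returned list is non-empty.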