Question
The aws-auth configmap in AWS EKS performs a mapping between IAM users/roles to kubernetes RBAC roles. However, the documentation does not specify anything on adding IAM groups to the configmap.
We use multiple namespaces, each namespace managed by a different team. I created a set of Kubernetes RBAC roles, limited to the different namespaces. Now I want to give everybody in the team's IAM group that specific role.
Is it possible to add IAM groups in the aws-auth configmap? If not, what would the proposed solution be? Create an IAM role per team and allow only members of the IAM group the permission to assume that role?
Answer 1:
You can take a look here.
TLDR
1. Create a role that allows full API access.
2. Create a RoleBinding for that role to your target namespace with a named apiGroup as the subjects.
3. Add an entry for your IAM user in the aws-auth ConfigMap to add the mapUser to the named aforementioned apiGroup.
Hope this helps!
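
The three steps above written out as manifests, as an added example that is not part of the original answer. The namespace `team-a`, the group name `team-a-admins`, the user `alice`, the role `team-a-eks` and the account ID `111122223333` are all hypothetical placeholders; the `mapRoles` entry illustrates the role-per-team idea raised in the question.

```yaml
# Step 1: namespaced Role, full access inside team-a only (hypothetical names).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-full-access
  namespace: team-a
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]          # narrow these once the team's real needs are known
---
# Step 2: bind the Role to a Kubernetes group. The group is only a name;
# it is the string aws-auth attaches to the mapped IAM identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-full-access
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-admins
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-a-full-access
  apiGroup: rbac.authorization.k8s.io
---
# Step 3: aws-auth entries that place IAM principals into that group.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # One entry per IAM user (placeholder account ID and user name).
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/alice
      username: alice
      groups:
        - team-a-admins
  # Role-per-team variant: map a single IAM role that team members assume.
  # {{SessionName}} keeps the caller's session name visible in audit logs.
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/team-a-eks
      username: team-a:{{SessionName}}
      groups:
        - team-a-admins
```

Merge the `mapUsers` and `mapRoles` entries into the cluster's existing aws-auth ConfigMap rather than replacing it, because that ConfigMap also carries the node instance role mapping that worker nodes need to join the cluster.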
Source: https://stackoverflow.com/questions/55455125/adding-iam-group-to-aws-auth-configmap-in-aws-eks