Skip to content

Latest commit

 

History

History
115 lines (100 loc) · 3.74 KB

authentication.md

File metadata and controls

115 lines (100 loc) · 3.74 KB
Raw

Authentication

Kops has support for configuring authentication systems. This should not be used with kubernetes versions before 1.8.5 because of a serious bug with apimachinery #55022.

kopeio authentication

If you want to experiment with kopeio authentication, you can use --authentication kopeio. However please be aware that kopeio authentication has not yet been formally released, and thus there is not a lot of upstream documentation.

Alternatively, you can add this block to your cluster:

authentication:
  kopeio: {}

For example:

apiVersion: kops/v1alpha2
kind: Cluster
metadata:
  name: cluster.example.com
spec:
  authentication:
    kopeio: {}
  authorization:
    rbac: {}

AWS IAM Authenticator

If you want to turn on AWS IAM Authenticator, you can add this block to your cluster running Kubernetes 1.10 or newer:

authentication:
  aws: {}

For example:

apiVersion: kops/v1alpha2
kind: Cluster
metadata:
  name: cluster.example.com
spec:
  authentication:
    aws: {}
  authorization:
    rbac: {}

Once the cluster is up, or after you've performed a rolling update to an existing cluster with kops rolling-update cluster ${CLUSTER_NAME} --instance-group-roles=Master --force --yes, you will need to create the AWS IAM authenticator config as a config map. (This can also be done when boostrapping a cluster using addons) For more details on AWS IAM authenticator please visit kubernetes-sigs/aws-iam-authenticator

Example config:

---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-system
  name: aws-iam-authenticator
  labels:
    k8s-app: aws-iam-authenticator
data:
  config.yaml: |
    # a unique-per-cluster identifier to prevent replay attacks
    # (good choices are a random token or a domain name that will be unique to your cluster)
    clusterID: my-dev-cluster.example.com
    server:
      # each mapRoles entry maps an IAM role to a username and set of groups
      # Each username and group can optionally contain template parameters:
      #  1) "{{AccountID}}" is the 12 digit AWS ID.
      #  2) "{{SessionName}}" is the role session name.
      mapRoles:
      # statically map arn:aws:iam::000000000000:role/KubernetesAdmin to a cluster admin
      - roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
        username: kubernetes-admin
        groups:
        - system:masters
      # map EC2 instances in my "KubernetesNode" role to users like
      # "aws:000000000000:instance:i-0123456789abcdef0". Only use this if you
      # trust that the role can only be assumed by EC2 instances. If an IAM user
      # can assume this role directly (with sts:AssumeRole) they can control
      # SessionName.
      - roleARN: arn:aws:iam::000000000000:role/KubernetesNode
        username: aws:{{AccountID}}:instance:{{SessionName}}
        groups:
        - system:bootstrappers
        - aws:instances
      # map federated users in my "KubernetesAdmin" role to users like
      # "admin:alice-example.com". The SessionName is an arbitrary role name
      # like an e-mail address passed by the identity provider. Note that if this
      # role is assumed directly by an IAM User (not via federation), the user
      # can control the SessionName.
      - roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
        username: admin:{{SessionName}}
        groups:
        - system:masters
      # each mapUsers entry maps an IAM role to a static username and set of groups
      mapUsers:
      # map user IAM user Alice in 000000000000 to user "alice" in "system:masters"
      - userARN: arn:aws:iam::000000000000:user/Alice
        username: alice
        groups:
        - system:masters