Usage
The operator looks for an AwsAuthSyncConfig resource in the kube-system namespace and reads its configuration from there.
An example resource can be found in the GitHub repo.
At the moment only synchronization of IAM user groups to Kubernetes RBAC groups is supported. For example, the following configuration will look for users in the 'source' IAM group named 'dev-operator-k8s-admins' (and 'dev-operator-k8s-users') and create the corresponding mappings in the 'aws-auth' ConfigMap:
```yaml
apiVersion: auth.ops42.org/v1alpha1
kind: AwsAuthSyncConfig
metadata:
  name: default
  namespace: kube-system
spec:
  syncIamGroups:
    - source: dev-operator-k8s-admins
      dest: dev-operator-k8s-admins
    - source: dev-operator-k8s-users
      dest: dev-operator-k8s-users
```
Assuming the user named 'john' is a member of both the 'dev-operator-k8s-admins' and 'dev-operator-k8s-users' groups, while user 'fred' is only a member of the 'dev-operator-k8s-users' group in IAM, the aws-auth ConfigMap will be modified accordingly:
```yaml
...
mapUsers: |
  - userarn: arn:aws:iam::XXXXXXXXXXXX:user/john
    username: john
    groups:
    - dev-operator-k8s-admins
    - dev-operator-k8s-users
  - userarn: arn:aws:iam::XXXXXXXXXXXX:user/fred
    username: fred
    groups:
    - dev-operator-k8s-users
```
IMPORTANT: The operator rewrites the data.mapUsers part of the aws-auth ConfigMap on every sync, so any manual edits to mapUsers are overwritten. Other parts of the ConfigMap (such as mapRoles) remain untouched.
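The mapping logic described above, as an added illustration that is not the operator's own code: the IAM group memberships are a constructed stand-in for what the operator would read from the AWS API, the account id is the page's placeholder, and a user found in several configured source groups gets a single mapUsers entry listing every matching dest group, while users only in unconfigured groups are ignored.

```python
# Added example (not the operator's own code): how the sync described above
# turns IAM group memberships into aws-auth mapUsers entries. The IAM data is
# a constructed stand-in for what the operator reads via the AWS API.

ACCOUNT_ID = "XXXXXXXXXXXX"  # placeholder account id, as used on the page

# The spec.syncIamGroups list from the AwsAuthSyncConfig above.
SYNC_IAM_GROUPS = [
    {"source": "dev-operator-k8s-admins", "dest": "dev-operator-k8s-admins"},
    {"source": "dev-operator-k8s-users", "dest": "dev-operator-k8s-users"},
]

# Constructed IAM state: IAM group name -> member user names.
IAM_GROUP_MEMBERS = {
    "dev-operator-k8s-admins": ["john"],
    "dev-operator-k8s-users": ["john", "fred"],
    "unrelated-group": ["alice"],  # not in the spec, so it must be ignored
}


def build_map_users(sync_groups, group_members, account_id):
    """Return mapUsers entries for users found in the configured source groups.

    A user in several source groups gets one entry whose `groups` lists every
    matching dest group (in spec order). Users that only belong to groups not
    named in the spec get no entry, so they gain no cluster access.
    """
    groups_by_user = {}  # user name -> ordered list of dest groups
    for rule in sync_groups:
        for user in group_members.get(rule["source"], []):
            dests = groups_by_user.setdefault(user, [])
            if rule["dest"] not in dests:
                dests.append(rule["dest"])
    return [
        {"userarn": f"arn:aws:iam::{account_id}:user/{user}",
         "username": user, "groups": dests}
        for user, dests in groups_by_user.items()
    ]


def render_map_users(entries):
    """Render entries as the YAML block stored under data.mapUsers (no PyYAML needed)."""
    lines = []
    for e in entries:
        lines.append(f"- userarn: {e['userarn']}")
        lines.append(f"  username: {e['username']}")
        lines.append("  groups:")
        lines.extend(f"  - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_map_users(build_map_users(SYNC_IAM_GROUPS, IAM_GROUP_MEMBERS, ACCOUNT_ID)))
```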