Skip to content

Usage

The operator is looking for a AwsAuthSyncConfig resource in kube-system namespace to read its configuration.

Example resource can be found in github repo.

At the moment only synchronization of IAM user groups to Kubernetes RBAC groups is supported. For example the following configuration will look for users existing in 'source' IAM group named 'dev-operator-k8s-admins' and create mappings in 'aws-auth' ConfigMap. 

apiVersion: auth.ops42.org/v1alpha1
kind: AwsAuthSyncConfig
metadata:
  name: default
  namespace: kube-system
spec:
  syncIamGroups:
    - source: dev-operator-k8s-admins
      dest: dev-operator-k8s-admins
    - source: dev-operator-k8s-users
      dest: dev-operator-k8s-users

Assuming the user named 'john' is a member of both, 'dev-operator-k8s-admins' and 'dev-operator-k8s-users' groups, while user 'fred' is only a member of the 'dev-operator-k8s-users' group in IAM, aws-auth ConfigMap will be modified accordingly:

  ...
  mapUsers: |
    - userarn: arn:aws:iam::XXXXXXXXXXXX:user/john
      username: john
      groups:
      - dev-operator-k8s-admins
      - dev-operator-k8s-users
    - userarn: arn:aws:iam::XXXXXXXXXXXX:user/fred
      username: fred
      groups:
      - dev-operator-k8s-users

IMPORTANT The operator rewrites the data.mapUsers part of the aws-auth configmap. Other parts remain untouched.